Edit

Transport Security with Basic Authentication

  • Article

The following illustration shows a Windows Communication Foundation (WCF) service and client. The server needs a valid X.509 certificate that can be used for Secure Sockets Layer (SSL), and the clients must trust the server’s certificate. Further, the Web service already has an SSL implementation that can be used. For more information about enabling basic authentication on Internet Information Services (IIS), see Basic Authentication.

Screenshot that shows transport security with basic authentication.

Characteristic Description
Security Mode Transport
Interoperability With existing Web service clients and services
Authentication (Server)

Authentication (Client)		 Yes (using HTTPS)

Yes (through User name/Password)
Integrity Yes
Confidentiality Yes
Transport HTTPS
Binding WSHttpBinding

Service

The following code and configuration are meant to run independently. Do one of the following:

  • Create a stand-alone service using the code with no configuration.

  • Create a service using the supplied configuration, but do not define any endpoints.

Code

The following code shows how to create a service endpoint that uses a Windows domain user name and password for transfer security. Note that the service requires an X.509 certificate to authenticate to the client. For more information, see Working with Certificates and How to: Configure a Port with an SSL Certificate.

// Create the binding.
WSHttpBinding binding = new WSHttpBinding();
binding.Security.Mode = SecurityMode.Transport;
binding.Security.Transport.ClientCredentialType =
    HttpClientCredentialType.Basic;

// Create the URI for the endpoint.
Uri httpUri = new Uri("https://localhost/Calculator");

// Create the service host and add an endpoint.
ServiceHost myServiceHost = new ServiceHost(
    typeof(ServiceModel.Calculator), httpUri);
myServiceHost.AddServiceEndpoint(
    typeof(ServiceModel.ICalculator), binding, "");

// Open the service.
myServiceHost.Open();
Console.WriteLine("Listening...");
Console.WriteLine("Press Enter to exit.");
Console.ReadLine();

// Close the service.
myServiceHost.Close();

' Create the binding.
Dim binding As New WSHttpBinding()
binding.Security.Mode = SecurityMode.Transport
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic

' Create the URI for the endpoint.
Dim httpUri As New Uri("https://localhost/Calculator")

' Create the service host and add an endpoint.
Dim myServiceHost As New ServiceHost(GetType(ServiceModel.Calculator), httpUri)
myServiceHost.AddServiceEndpoint(GetType(ServiceModel.ICalculator), binding, "")

' Open the service.
myServiceHost.Open()
Console.WriteLine("Listening...")
Console.WriteLine("Press Enter to exit.")
Console.ReadLine()

' Close the service.
myServiceHost.Close()

Configuration

The following configures a service to use basic authentication with transport-level security:

<?xml version="1.0" encoding="utf-8"?>  
<configuration>  
    <system.serviceModel>  
        <bindings>  
            <wsHttpBinding>  
                <binding name="UsernameWithTransport">  
                    <security mode="Transport">  
                        <transport clientCredentialType="Basic" />  
                    </security>  
                </binding>  
            </wsHttpBinding>  
        </bindings>  
        <services>  
            <service name="BasicAuthentication.Calculator">  
                <endpoint address="https://localhost/Calculator"  
                          binding="wsHttpBinding"
                          bindingConfiguration="UsernameWithTransport"  
                          name="BasicEndpoint"
                          contract="BasicAuthentication.ICalculator" />  
            </service>  
        </services>  
    </system.serviceModel>  
</configuration>

Client

Code

The following code shows the client code that includes the user name and password. Note that the user must provide a valid Windows user name and password. The code to return the user name and password is not shown here. Use a dialog box or other interface to query the user for the information.

Note

User name and password can only be set using code.

// Create the binding.
WSHttpBinding myBinding = new WSHttpBinding();
myBinding.Security.Mode = SecurityMode.Transport;
myBinding.Security.Transport.ClientCredentialType =
    HttpClientCredentialType.Basic;

// Create the endpoint address. Note that the machine name
// must match the subject or DNS field of the X.509 certificate
// used to authenticate the service.
EndpointAddress ea = new
    EndpointAddress("https://machineName/Calculator");

// Create the client. The code for the calculator
// client is not shown here. See the sample applications
// for examples of the calculator code.
CalculatorClient cc =
    new CalculatorClient(myBinding, ea);
// The client must provide a user name and password. The code
// to return the user name and password is not shown here. Use
// a database to store the user name and passwords, or use the
// ASP.NET Membership provider database.
cc.ClientCredentials.UserName.UserName = ReturnUsername();
cc.ClientCredentials.UserName.Password = ReturnPassword();
try
{
    // Begin using the client.
    cc.Open();
    Console.WriteLine(cc.Add(100, 11));
    Console.ReadLine();

    // Close the client.
    cc.Close();
}

' Create the binding.
Dim myBinding As New WSHttpBinding()
myBinding.Security.Mode = SecurityMode.Transport
myBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic

' Create the endpoint address. Note that the machine name
' must match the subject or DNS field of the X.509 certificate
' used to authenticate the service.
Dim ea As New EndpointAddress("https://machineName/Calculator")

' Create the client. The code for the calculator
' client is not shown here. See the sample applications
' for examples of the calculator code.
Dim cc As New CalculatorClient(myBinding, ea)

' The client must provide a user name and password. The code
' to return the user name and password is not shown here. Use
' a database to store the user name and passwords, or use the
' ASP.NET Membership provider database.
cc.ClientCredentials.UserName.UserName = ReturnUsername()
cc.ClientCredentials.UserName.Password = ReturnPassword()

' Begin using the client.
Try
    cc.Open()

    Console.WriteLine(cc.Add(100, 11))
    Console.ReadLine()

    ' Close the client.
    cc.Close()
Catch tex As TimeoutException
    Console.WriteLine(tex.Message)
    cc.Abort()
Catch cex As CommunicationException
    Console.WriteLine(cex.Message)
    cc.Abort()
Finally
    Console.WriteLine("Closed the client")
    Console.ReadLine()
End Try

Configuration

The following code shows the client configuration.

Note

You cannot use configuration to set the user name and password. The configuration shown here must be augmented using code to set the user name and password.

<?xml version="1.0" encoding="utf-8"?>  
<configuration>  
  <system.serviceModel>  
    <bindings>  
      <wsHttpBinding>  
        <binding name="WSHttpBinding_ICalculator" >  
          <security mode="Transport">  
            <transport clientCredentialType="Basic" />  
          </security>  
        </binding>  
      </wsHttpBinding>  
    </bindings>  
    <client>  
      <endpoint address="https://machineName/Calculator"
                binding="wsHttpBinding"  
                bindingConfiguration="WSHttpBinding_ICalculator"
                contract="ICalculator"  
                name="WSHttpBinding_ICalculator" />  
    </client>  
  </system.serviceModel>  
</configuration>

See also