If you’re trying to build REST-enabled services with WCF, you’ll want to use the webHTTP Binding.
This binding defaults to anonymous handling, so if you’re planning on doing any authorization you need to change the binding configuration.
This took me ages to figure out, largely because the webHttp binding is new and not well documented.
To change the binding to support NTLM or Windows authentication, add the following node to the system.servicemodel in your app.config:
Note that you can supply one of five values to the mode attribute: None, Basic, Digest Windows, NTLM, and Certificate.
Once you’ve picked the one you want, in your service definition, specify your new binding from the bindingConfiguration attribute:
And all calls to your REST service should be made with a valid windows network identity.
In your serviceCode, you can retrieve it from the System.ServiceModel namespace:
Oh, and if you’re not comfortable with editing the XML files, or you’d like to explore the dizzying array of other available options in WCF, I also discovered the Microsoft Service Configuration Editor (possibly someone had discovered it before me. ) It lives at C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin\SvcConfigEditor.exe. It gives you a simple(ish) visual way to edit WCF Configuration files.
UPDATE: JustinJSmith over at The Cybertopian Chronicle points out that it’s even easier to invoke the config editor – you just right click on your app.config, and select “Edit WCF Configuration” (duh…)
13 Comments
rdecarlo73
Thank you for your post! I would have been lost without it to reinforce my assumptions. My problem was my code, of course.
07 Jul 2008 09:07 pm
An Phu
Hello,
There is no security mode value of “TransportCredentialOnly”.
There are only four possible values;
None
Message
Transport
TransportWithMessageCredential
25 Aug 2008 04:08 pm
An Phu
I am wrong. For webHttpBinding, there is TransportCrendentialOnly mode. I didn’t realize I was looking at the security modes for WSHttpBinding.
25 Aug 2008 04:08 pm
Gordon
Hey An, don’t feel bad – It happens to the best of us
I’ve made that mistake myself more than once!
25 Aug 2008 07:08 pm
Rinsing the SOAP from WCF (or, RESTful WCF Hyperlink Acupuncture) | The Freak Parade
[...] Dan Rigsby » REST Services and Metadata Endpoints in WCF WCF, WebHttp Binding, and Authentication [...]
Nita
Hello,
I am trying to build REST-enabled services with WCF, you’ll want to use the webHTTP Binding. But i have to use the clientCredentialType=”Certificate” .
In this case the binding will be –
I created the service certificate in my dev environment and associated the service with it. (I don’t intend to use the client certificate.) I had to make the following changes –
and the base address had to be changed to –
Had to make it HTTPS from HTTP. The service starts up but the problem is i am not able to browse the URL using the browser. I was able to browse when the security was not implemented with the URI.
Please help me to solve this issue.
Thanks
04 Dec 2008 03:12 am
Darren
Thanks for the post.
I am trying to implement schema validation on my web service.
Is this possible?
I have found many articles about schema validation and wsHttpBinding, but not webHttpBinding.
Thanks,
Darren
01 Dec 2009 07:12 am
Dean
Hey Darren,
We haven't tried using schema validation with webHttpBinding. It should be possible, but you'll have to much of the work manually. The webHttpBinding is designed for returning HTML, JSON, or plain old XML (POX) services.
01 Dec 2009 11:12 am
Germán Schuager
Thank you. Very helpful. I was looking for “clientCredentialType” for way too much time.
02 Jun 2010 12:06 am
Chris
Thanks much! Helped a ton.
19 Aug 2010 02:08 pm
ka3yc
Hello, thanks for the post.
Could you please tell me whether it is possible to do jquery ajax calls to such service “with a valid windows network identity.”? And how to pass this identity?
01 Dec 2010 11:12 pm
Dean
Hey ka3yc,
It’s certainly possible to use NTLM credentials with a JQuery AJAX call. Most web browsers should handle the authentication challenge automatically with the server configuration described above. You shouldn’t need to modify your AJAX request at all.
Make sure that your Windows network is using NTLM rather than Kerberos security, however. If your network uses Kerberos, only Internet Explorer will authenticate properly.
See this question on Microsoft Connect for more information:
http://social.msdn.microsoft.com/Forums/en/wcf/thread/16a3456d-d5ce-42e3-8e56-a8f663c010e9
02 Dec 2010 10:12 am
ka3yc
Thank you.
One remark: I dont know why, but it works only with clientCredentialType=”Windows”
06 Dec 2010 01:12 am
Leave a Comment