How to Enable Windows and NTLM Authentication on WCF Service

Posted by Dhananjay Kumar Articles | WCF with C# December 21, 2009

Objective

This document will explain various combinations of IIS and WCF Ntlm/Windows authentication settings.

What is the difference between NTLM and Windows authentication in WCF?

Windows authentication = authentication in NTLM + authentication in Active Directory
NTLM authentication = authentication in only NTLM

IIS configuration

In all scenarios IIS is configured for Windows authentication: Windows Authentication is enabled and all other authentication methods are disabled.

Open the IIS applicationHost.config file at the path below.

C:\Windows\System32\inetsrv\config\applicationHost.config

Binding used in WCF service

In all scenarios basicHttpBinding is used for the WCF service.

Scenario #1

The default setting in the IIS applicationHost.config file is:

<windowsAuthentication enabled="false">
  <providers>
    <add value="Negotiate" />
    <add value="NTLM" />
  </providers>
</windowsAuthentication>

If the IIS applicationHost.config file has the default setting, either authentication type can be configured for the WCF service hosted on that IIS; the WCF service will run as expected without any error.

Note: SharePoint is running as expected

Browser behavior with default settings

  • IE 7.0 does not ask for authentication
  • Firefox 3.5.6 asks the user to authenticate
  • Safari 4.0.4 asks the user to authenticate

Scenario #2

If the IIS applicationHost.config setting is modified as below, so that Windows authentication is forcibly enabled for Kerberos, then the service has to be configured for Windows authentication.

<windowsAuthentication enabled="true">
  <providers>
    <add value="Negotiate" />
    <!--<add value="NTLM" />-->
  </providers>
</windowsAuthentication>

WCF configuration setting for Windows authentication should be

<basicHttpBinding>
  <binding name="BasicHttpBinding">
    <security mode="TransportCredentialOnly">
      <transport clientCredentialType="Windows"/>
    </security>
  </binding>
</basicHttpBinding>

Note: SharePoint is running as expected

Browser behavior with default settings

  • IE 7.0 does not ask for authentication
  • Firefox 3.5.6 asks the user to authenticate
  • Safari 4.0.4 asks the user to authenticate

Scenario #3

If the IIS applicationHost.config setting is modified as below, so that Windows authentication is forcibly enabled for NTLM:

<windowsAuthentication enabled="true">
  <providers>
    <!--<add value="Negotiate" />-->
    <add value="NTLM" />
  </providers>
</windowsAuthentication>

and we use Windows authentication for the service, as in the binding below, we get the error below.

<basicHttpBinding>
  <binding name="BasicHttpBinding">
    <security mode="TransportCredentialOnly">
      <transport clientCredentialType="Windows"/>
    </security>
  </binding>
</basicHttpBinding>

[Screenshot of the error message]

To remove the above error, the WCF configuration setting should be modified for NTLM authentication.

<basicHttpBinding>
  <binding name="BasicHttpBinding">
    <security mode="TransportCredentialOnly">
      <transport clientCredentialType="Ntlm"/>
    </security>
  </binding>
</basicHttpBinding>

Note: SharePoint is running as expected

Browser behavior with default settings

  • IE 7.0 does not ask for authentication
  • Firefox 3.5.6 asks the user to authenticate
  • Safari 4.0.4 asks the user to authenticate

Summary

Sl No | IIS (applicationHost.config) setting | WCF (Web.config) setting
1 | Default | Ntlm and Windows binding behavior
2 | windowsAuthentication = true and value = Negotiate | Windows authenticated binding behavior
3 | windowsAuthentication = true and value = Ntlm | Ntlm authenticated binding behavior

So,
  1. If the applicationHost.config of IIS is configured as default, we can have either Ntlm or Windows authentication for the WCF service.
  2. If the applicationHost.config of IIS is configured as Ntlm, we can have only Ntlm authentication for the WCF service.
  3. If the applicationHost.config of IIS is configured as Windows, we can have only Windows authentication for the WCF service.
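
The three rules above can be checked before deployment by comparing the IIS provider list with each binding's clientCredentialType. The Python below is an added example, not code from the original article: the function names and the sample XML strings are assumptions constructed for illustration, and the compatibility map only encodes the article's three scenarios.

```python
import xml.etree.ElementTree as ET

# Article's summary table: IIS provider list -> clientCredentialType values that work.
ALLOWED = {
    frozenset({"negotiate", "ntlm"}): {"Windows", "Ntlm"},  # scenario 1 (default)
    frozenset({"negotiate"}): {"Windows"},                  # scenario 2
    frozenset({"ntlm"}): {"Ntlm"},                          # scenario 3
}

def iis_providers(config_xml):
    """Provider values under the first <windowsAuthentication> element."""
    root = ET.fromstring(config_xml)
    win_auth = next(root.iter("windowsAuthentication"))
    # ElementTree discards XML comments, so a commented-out <add> is not counted.
    return frozenset(a.get("value", "").lower() for a in win_auth.iterfind("providers/add"))

def wcf_credential_types(config_xml):
    """Map each basicHttpBinding name to its clientCredentialType ("None" if unset)."""
    root = ET.fromstring(config_xml)
    found = {}
    for group in root.iter("basicHttpBinding"):
        for binding in group.iterfind("binding"):
            transport = binding.find("security/transport")
            cred = transport.get("clientCredentialType", "None") if transport is not None else "None"
            found[binding.get("name", "")] = cred
    return found

def mismatched_bindings(iis_xml, wcf_xml):
    """Bindings whose credential type the IIS provider list does not support."""
    allowed = ALLOWED.get(iis_providers(iis_xml), set())
    return {name: cred for name, cred in wcf_credential_types(wcf_xml).items()
            if cred not in allowed}

# Constructed sample input reproducing scenario 3 (NTLM-only IIS).
IIS_NTLM_ONLY = """<windowsAuthentication enabled="true">
  <providers>
    <!--<add value="Negotiate" />-->
    <add value="NTLM" />
  </providers>
</windowsAuthentication>"""
WCF_TEMPLATE = """<basicHttpBinding><binding name="BasicHttpBinding">
  <security mode="TransportCredentialOnly">
    <transport clientCredentialType="{cred}"/>
  </security>
</binding></basicHttpBinding>"""

if __name__ == "__main__":
    for cred in ("Windows", "Ntlm"):
        print(cred, "->", mismatched_bindings(IIS_NTLM_ONLY, WCF_TEMPLATE.format(cred=cred)) or "OK")
```

Both functions also accept a complete applicationHost.config or Web.config document, because they search for the relevant elements at any depth.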
