title | description | ms.date | dev_langs | helpviewer_keywords | ms.assetid | |||
---|---|---|---|---|---|---|---|---|
How to: Secure a Service with Windows Credentials |
Learn how to enable transport security on a WCF service that resides in a Windows domain and is called by clients in the same domain. |
03/30/2017 |
|
|
d171b5ca-96ef-47ff-800c-c138023cf76e |
This topic shows how to enable transport security on a Windows Communication Foundation (WCF) service that resides in a Windows domain and is called by clients in the same domain. For more information about this scenario, see Transport Security with Windows Authentication. For a sample application, see the WSHttpBinding sample.
This topic assumes you have an existing contract interface and implementation already defined, and adds on to that. You can also modify an existing service and client.
You can secure a service with Windows credentials completely in code. Alternatively, you can omit some of the code by using a configuration file. This topic shows both ways. Be sure you only use one of the ways, not both.
The first three procedures show how to secure the service using code. The fourth and fifth procedure shows how to do it with a configuration file.
The complete code for the service and the client is in the Example section at the end of this topic.
The first procedure walks through creating and configuring a xref:System.ServiceModel.WSHttpBinding class in code. The binding uses the HTTP transport. The same binding is used on the client.
-
This procedure's code is inserted at the beginning of the
Run
method of theTest
class in the service code in the Example section. -
Create an instance of the xref:System.ServiceModel.WSHttpBinding class.
-
Set the xref:System.ServiceModel.WSHttpSecurity.Mode%2A property of the xref:System.ServiceModel.WSHttpSecurity class to xref:System.ServiceModel.SecurityMode.Message.
-
Set the xref:System.ServiceModel.MessageSecurityOverHttp.ClientCredentialType%2A property of the xref:System.ServiceModel.MessageSecurityOverHttp class to xref:System.ServiceModel.MessageCredentialType.Windows.
-
The code for this procedure is as follows:
[!code-csharpc_SecureWindowsService#1] [!code-vbc_SecureWindowsService#1]
This is the second procedure, which shows how to use the binding in a self-hosted service. For more information about hosting services see Hosting Services.
-
Insert this procedure's code after the code from the preceding procedure.
-
Create a xref:System.Type variable named
contractType
and assign it the type of the interface (ICalculator
). When using Visual Basic, use theGetType
operator; when using C#, use thetypeof
keyword. -
Create a second xref:System.Type variable named
serviceType
and assign it the type of the implemented contract (Calculator
). -
Create an instance of the xref:System.Uri class named
baseAddress
with the base address of the service. The base address must have a scheme that matches the transport. In this case, the transport scheme is HTTP, and the address includes the special Uniform Resource Identifier (URI) "localhost" and a port number (8036) as well as a base endpoint address ("serviceModelSamples/):http://localhost:8036/serviceModelSamples/
. -
Create an instance of the xref:System.ServiceModel.ServiceHost class with the
serviceType
andbaseAddress
variables. -
Add an endpoint to the service using the
contractType
, binding, and an endpoint name (secureCalculator). A client must concatenate the base address and the endpoint name when initiating a call to the service. -
Call the xref:System.ServiceModel.Channels.CommunicationObject.Open%2A method to start the service. The code for this procedure is shown here:
[!code-csharpc_SecureWindowsService#2] [!code-vbc_SecureWindowsService#2]
This procedure shows how to generate a proxy that communicates with the service. The proxy is generated with the ServiceModel Metadata Utility Tool (Svcutil.exe) which uses the service metadata to create the proxy.
This procedure also creates an instance of the xref:System.ServiceModel.WSHttpBinding class to communicate with the service, and then calls the service.
This example uses only code to create the client. As an alternative, you can use a configuration file, which is shown in the section following this procedure.
-
Use the SvcUtil.exe tool to generate the proxy code from the service's metadata. For more information, see How to: Create a Client. The generated proxy code inherits from the xref:System.ServiceModel.ClientBase%601 class, which ensures that every client has the necessary constructors, methods, and properties to communicate with a WCF service. In this example, the generated code includes the
CalculatorClient
class, which implements theICalculator
interface, enabling compatibility with the service code. -
This procedure's code is inserted at the beginning of the
Main
method of the client program. -
Create an instance of the xref:System.ServiceModel.WSHttpBinding class and set its security mode to
Message
and its client credential type toWindows
. The example names the variableclientBinding
. -
Create an instance of the xref:System.ServiceModel.EndpointAddress class named
serviceAddress
. Initialize the instance with the base address concatenated with the endpoint name. -
Create an instance of the generated client class with the
serviceAddress
and theclientBinding
variables. -
Call the xref:System.ServiceModel.ClientBase%601.Open%2A method, as shown in the following code.
-
Call the service and display the results.
[!code-csharpc_secureWindowsClient#1] [!code-vbc_secureWindowsClient#1]
Instead of creating the binding with procedural code, you can use the following code shown for the bindings section of the configuration file.
If you do not already have a service defined, see Designing and Implementing Services, and Configuring Services.
Note
This configuration code is used in both the service and client configuration files.
-
Add a <wsHttpBinding> element to the <bindings> element section of the configuration file.
-
Add a <
binding
> element to the <WSHttpBinding
> element and set theconfigurationName
attribute to a value appropriate to your application. -
Add a <
security
> element and set themode
attribute to Message. -
Add a <
message
> element and set theclientCredentialType
attribute to Windows. -
In the service's configuration file, replace the
<bindings>
section with the following code. If you do not already have a service configuration file, see Using Bindings to Configure Services and Clients.<bindings> <wsHttpBinding> <binding name = "wsHttpBinding_Calculator"> <security mode="Message"> <message clientCredentialType="Windows"/> </security> </binding> </wsHttpBinding> </bindings>
This procedure shows how to generate two files: a proxy that communicates with the service and a configuration file. It also describes changes to the client program, which is the third file used on the client.
-
Use the SvcUtil.exe tool to generate the proxy code and configuration file from the service's metadata. For more information, see How to: Create a Client.
-
Replace the <bindings> section of the generated configuration file with the configuration code from the preceding section.
-
Procedural code is inserted at the beginning of the
Main
method of the client program. -
Create an instance of the generated client class passing the name of the binding in the configuration file as an input parameter.
-
Call the xref:System.ServiceModel.ClientBase%601.Open%2A method, as shown in the following code.
-
Call the service and display the results.
[!code-csharpc_secureWindowsClient#2]
[!code-csharpc_SecureWindowsService#0]
[!code-csharpc_SecureWindowsClient#0] [!code-vbc_SecureWindowsClient#0]
- xref:System.ServiceModel.WSHttpBinding
- ServiceModel Metadata Utility Tool (Svcutil.exe)
- How to: Create a Client
- Securing Services
- Security Overview