Home/ Questions/Q 7537431
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-30T06:51:02+00:00

EDIT: I’ve decided to go for WCF Data Services as opposed to MVC3 Now

  • 0

EDIT: I’ve decided to go for WCF Data Services as opposed to MVC3

Now that I have decided to go for WCF Data Services – I need a way to authenticate and authorise users.

Have looked at setting up a SQLMembership DB, but am struggling to actually authenticate the users. My clients won’t be .NET applications – most likely will be an iPhone/Android app that will call the RESTFul WCF Data Service to get data…

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Authentication

    WCF Data Services allow for a variety of authentication options, as described on MSDN : Securing WCF Data Services. From the available methods, Windows authentication is the most secure, using either the NTLM or Kerberos mechanism. Due to the constraints on cross-platform availability, the most appropriate and secure authentication method that can be used is NTLM, as it is available on almost all current platforms: Android (from version 4.0 “Ice Cream Sandwich“), iOS, Linux, UNIX, Windows.

    Setting up Windows authentication for an OData service hosted on IIS means disabling Anonymous Access and enabling Integrated Windows authentication. A more detailed guide can be found at Odata and Windows Authentication.

    For a more fine-grained control of the users allowed to access the service, access can be granted or denied to both user roles/groups, as well as specific users, directly from the configuration file (i.e. web.config). The syntax for allowing access for a specific user is described below. For maximum security, it is advised to deny access to all users/groups, and then explicitly allow access, as required. The rules in between the authorization tags are taken in order (i.e. allowing user DOMAIN\user access takes precedence over the denial for all users)

       <authorization>   
      <allow users="DOMAIN\user"/>
      <-- Deny access to every other authenticated or anonymous user
      <deny users="*" />
      <deny users="?" />
   </authorization>

    If the authorization tag is not explicitly defined in the configuration file, then IIS will authenticate and allow access for all connecting users that are recognized (in the Active Directory or local machine).

    Setting up Windows authentication in a cross-domain environment is possible, but requires either:

    • a trust to be established between the domains (so that IIS can authenticate external users), or
    • the same username/password combination to be present on both domains
      or
    • the client in the external domain authenticates with credentials
      valid for the server domain.

    The available options for such situations are described in more detail in this blog post.

    Impersonation

    In order to be able to log in to the database, and retrieve the desired data using the Windows Account credentials sent to the WCF Data Service, the service needs to impersonate the user. This can be done in either in code, or in configuration

    • In the configuration file (i.e. web.config), the following settings
      must be made: 
       identity impersonate="true"

    • If it is not desired for the entire service to run under the
      credentials of the connecting user, impersonation can be set up
      programmatically, where needed, in the following way:

      lUser = TryCast(HttpContext.Current.User.Identity, WindowsIdentity)

      lUserContext = WindowsIdentity.Impersonate(lUser.Token)

    • 0