Home/ Questions/Q 6933531
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T11:50:39+00:00

I am learning and designing a WCF service. I have picked to use Windows

  • 0

I am learning and designing a WCF service. I have picked to use Windows credential as the authentication method, and I have configured it correctly, hopefully, because I can see the authentication audit log from event log viewer when I am testing my service hosted in the local machine.

But now I come up with this weird question: what users will not be authenticated under such configuration? Does my service authenticate all Windows user within the same Windows domain, or can I specify what specific users within my domain will/will not get authenticated?

Or, does it mean that I can only control what users (in my domain) can perform what operations my service is providing through authorization(that I know how to do)?

It sounds simple but all the material I found only tell you how to perform authentication, doesn’t say how to deny authentication request.

Update:
After reading @syneptody answer, I still have two questions:

  1. I must say my confusion between authentication and authorization is still there. The authentication means to identify the user. But if I want to tell a user belonging to the same domain as the service host(it’s IIS, by the way), who just makes a request to my service, “you are not authenticated”, what I really should say is “I do authenticate you, but you are not authorized (to perform your request)”, is it right? There is not a state of “Unauthenticated” for a user in my domain? And what if a user not belonging to my domain makes a request? My service will tell him “You are not authenticated” or “You are not authorized”? As long as this user has an identity, the service will authenticate it, and continue to investigate whether it should be authorized?
  2. @syneptody mentioned This “authorization” element. It belongs to ASP.NET, and it specifies which roles can/can’t access the resource (whether it is the website or an application hosted in the website, depending on which Web.config file it is in). Is it right? But what if I don’t use ASP.NET or don’t host the WCF in ASP.NET Compatibility Mode, will it still work like that? Actually the requirement for us is to only provide the service, so I didn’t think of using ASP.NET because in my opinion it is more like a web client consuming my service.
    By the way, my usage scenario is this service will be hosted and consumed within intranet. So I choose Windows credential for authentication and Windows Groups for role-based authorization because it requires minimum work in my opinion.
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Take a look at this article:
    http://msdn.microsoft.com/en-us/library/aa702682.aspx

    It does a pretty good job explaining the connection between WCF and ASP.NET. If you are able to run your services in ASP.NET compatibility mode you can use the ASP.NET authorization rules. In a domain environment where you can leverage Integrated Authentication there is no easier way to provide authorization to your services.

    Your service implementation:

    [AspNetCompatibilityRequirements(RequirementsMode AspNetCompatibilityRequirementsMode.Allowed)]
[ServiceBehavior]
public class Foo { ... }

    Then in your configuration:

    <system.web>   
    <authorization>
      <allow users="?" />
      <allow roles="DOMAIN_SECURITY_GROUP" />
      <deny users="*" />
    </authorization>

    <authentication mode="Windows" />
    <identity impersonate="false" />
  </system.web>
    • 0