Home/ Questions/Q 7437625
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-29T10:25:43+00:00

I have a web project that used to use Forms Authentication. I have new

  • 0

I have a web project that used to use Forms Authentication. I have new requirements to support Windows Authentication. This project contains two web services, one for a Silverlight page (MapService) and one for various ajax calls (AsyncService) Everything is now working, but there are 2 things I don’t quite understand.

The configuration from Web.Config is as follows:

<bindings>
      <basicHttpBinding>
        <binding name="WindowsClientOverTcp">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
      <webHttpBinding>
        <binding name="AsyncWindowsOverTcp">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </webHttpBinding>
    </bindings>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
    <services>
      <service name="Project.MapService.MapService">
        <endpoint address="" binding="basicHttpBinding" bindingConfiguration="WindowsClientOverTcp" name="WindowsClientOverTcp" contract="Project.MapService.MapService" />
      </service>
      <service name="Project.AsyncService.AsyncService">
        <endpoint address="" binding="webHttpBinding" bindingConfiguration="AsyncWindowsOverTcp" name="AsyncWindowsOverTcp" behaviorConfiguration="Project.AsyncService.AsyncServiceAspNetAjaxBehavior" contract="Project.AsyncService.AsyncService" />
      </service>
  </services>

  1. With this setup, is it basically required to use SSL? I’ve read that using Transport Security with Windows ClientCredentialType forces an HTTPS endpoint, which seems to be the case. I just want to know if it is reasonable to state generally to a client or management “If they want Windows authentication, our application must use https”

  2. For the AsyncService, it clearly requires Windows credentials from the client, but I didn’t have to change my JS/Ajax code at all and it still works fine. Is there some magic being done by the client browser? Since there’s no client configuration, I don’t get how the calls are authenticated.

Thanks

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    1. No, you don’t need HTTPS in order to use Windows Authentication. You do need to configure IIS to use Integrated Security, and if the caller is from the same Windows domain or a trusted Windows domain, IIS will be able to authenticate the user.

    2. If the browser is running using credentials of your Windows domain, or a trusted domain, and your Web app is configured to use Windows authentication, then the browser includes the credentials it runs under to IIS.

    EDIT:
    Some additional information. If you’re using BasicHttpBinding as above and want to secure it, a good option is to use TransportWithMessageCredential as your security mode. This secures the message using the Transport layer (HTTPS) and includes the Windows credentials in the message. See also “Programming WCF Security” at http://msdn.microsoft.com/en-us/library/ms731925.aspx.

    • 0