1

There are lots of existing questions/answers with subsets of my question (basicHttpBinding with Windows Authentication, using custom bindings, specifying binaryMessageEncoding). However, there are no existing answers with this particular combination of all THREE of those items.

I started with a simple WCF service using basicHttpBinding, with Windows authentication, so the bindings section looked like:

    <bindings>
        <basicHttpBinding>
            <binding name="BasicHttpWindowsBinding">
                <security mode="TransportCredentialOnly">
                    <transport clientCredentialType="Windows" />
                </security>
            </binding>
        </basicHttpBinding>
    </bindings>

I tested the WCF service and it works just fine with respect to Windows authentication. But then, I wanted to utilize binary message encoding to boost performance. So, that's when I veered into custom binding territory because it appears that one can only specify binary message encoding for basicHttpBinding in a custom binding section, such as for example:

    <bindings>
        <customBinding>
            <binding name="BasicHttpWindowsBinding">
                <binaryMessageEncoding />
                <httpTransport />
            </binding>
        </customBinding>
    </bindings>

(And I need this EXACT combination of things; please don't advise me to switch to wsHttpBinding, or use netTcpBinding, etc.)

But now I have a problem (unless I'm missing something) because you can only specify the windows authentication under the basicHttpBinding section, and you can only specify the binaryMessageEncoding for the http protocol under the customBinding section.

So my question is, how does one specify basicHttpBinding protocol, with Windows authentication, and using binaryMessageEncoding, if it is possible? (I have to be honest and admit that I am finding the configuration of WCF services to be very difficult to grok, at least when custom bindings are thrown into the mix...)

I THINK that the correct custom binding specifications would be:

    <bindings>
        <customBinding>
            <binding name="BasicHttpWindowsBinding">
                <binaryMessageEncoding />
                <httpTransport authenticationScheme="Windows" />
            </binding>
        </customBinding>
    </bindings>

... but is this really exactly equivalent to 

    <bindings>
        <basicHttpBinding>
            <binding name="BasicHttpWindowsBinding">
                <security mode="TransportCredentialOnly">
                    <transport clientCredentialType="Windows" />
                </security>
            </binding>
        </basicHttpBinding>
    </bindings>

... with respect to specifying windows authentication (Kerberos, not just Ntlm) for the WCF service?

Improve this question

2 Answers 2

Reset to default
0

Windows Authentication:

<bindings>
  <basicHttpBinding>
    <binding name="BasicHttpEndpointBinding">
     <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Windows" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings>

HttpBinding:

<services>
  <service behaviorConfiguration="ServiceBehavior" name="Service">
    <endpoint address="" binding="basicHttpBinding"
      bindingConfiguration="BasicHttpEndpointBinding"
      name="BasicHttpEndpoint" contract="IService">
      <identity>
        <dns value="localhost" />
      </identity>
    </endpoint>
    <endpoint address="mex" binding="mexHttpBinding"
        contract="IMetadataExchange" />
  </service>
</services>
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thanks Venkat, that all looks correct with respect to windows authentication, but I also need to use binaryMessageEncoding. This is where the problem arises (since it seems as if binaryMessageEncoding can only be specified for basicHttpBinding by using a custom binding).
0

So, I did some experimenting and (1) To really specify Kerberos-based windows authentication in a custom binding, one would do it like so:

<bindings>
    <customBinding>
        <binding name="BasicHttpWindowsBinding">
            <binaryMessageEncoding />
            <httpTransport authenticationScheme="IntegratedWindowsAuthentication" />
        </binding>
    </customBinding>
</bindings>

However, with this specified in both the deployed-to-IIS client MVC web app's web.config file, and the deployed-to-IIS WCF service application's web.config file, I could not get this to work without getting various errors, from 401's to 'Kerberos cannot get a token', etc. (I did a ton of research and experimentation, made sure both the deployed client MVC web app and the deployed WCF service application (deployed to IIS Express 7.5 on my Windows 7 64-bit laptop by Visual Studio 2012 publish process) specify windows authentication in their web.config files and that both IIS virtual directory / applications had Disable Anonymous Authentication and Enable Windows Authentication, etc etc.)

I ended up just making the bindings section in the MVC client web app's web.config say:

<bindings>
    <customBinding>
        <binding name="BasicHttpWindowsBinding">
            <binaryMessageEncoding />
            <httpTransport authenticationScheme="Ntlm" />
        </binding>
    </customBinding>
</bindings>

but leaving "IntegratedWindowsAuthentication" in the deployed-to-IIS WCF service application's web.config bindings section. Then it worked just fine.

I am going to make a complete duplicate of my solution - MVC client app, WCF service library/application - and leave out the binaryMessageEncoding and just do basicHttpBinding with windows authentication using the regular config sections (i.e., NOT utilizing a custom binding), to see if the same behavior exists or if IntegratedWindowsAuthentication can work from "end-to-end" (specified in WCF service application web.config's bindings section AND the MVC web app's web.config bindings section).

If specifying IntegratedWindowsAuthentication in both client and service web.config bindings sections DOES work with no problems, then I will know that either (1) there is an actual problem specifying IntegratedWindowsAuthentication on both the client and service sides when utilizing custom bindings, or (2) I just can't figure out how to make it work when specifying IntegratedWindowsAuthentication on both the client and service sides when utilizing custom bindings (that is, of course, unless the way it really IS supposed to be done is to say "IntegratedWindowsAuthentication" in the WCF service web.config and "Ntlm" in the MVC client web app's web.config).

Will add a short blurb with the results of the not-utilizing-custom-bindings (and therefore with the default text message encoding) experiment when I have time.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.