Hi,

I have a WCF service which I would like to secure using a username/password
kombination. I have added the following code in the config file on the host:

<basicHttpBinding>
<binding name="Binding1">
<security mode="TransportWithMessageCredential">
<message clientCredentialType ="UserName" />
</security>
</binding>
</basicHttpBinding>
....
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom"
customUserNamePasswordValidatorType="My.Host.MyUse rNameValidator, My.Host"
/>
</serviceCredentials>
....

I have added this code in the config file on the client:

<basicHttpBinding>
<binding name="NewBinding">
<!--<security mode="TransportCredentialOnly">-->
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Basic" />
</security>
</binding>
</basicHttpBinding>


Before I create my proxy I am setting a username and a password on the
ChannelFactory

ChannelFactory<IMyService> fact =
new ChannelFactory<IMyService>("main");
fact.Credentials.UserName.UserName = "Henrik";
fact.Credentials.UserName.Password = "MyPass";

proxy = fact.CreateChannel();

I now get the following error:
The provided URI scheme 'http' is invalid; expected 'https'.

I can understand why I get it, because I am not passing a https url, but
both the service and the application is running inside the firewall, so I
would like to use normal http or mayby binary.

I have tried to use TransportCredentialOnly instead of
TransportWithMessageCredential. Then I get no error, but the code in my
server side UserNameValidator is never run, which means nothing is being
validated. So I am kind of stuck in between.

Any ideas?

Best regards
Henrik Skak Pedersen

Hi Henrik,

TransportWithMessageCredential required transport security (aka HTTPS). It
is also not compatible with TransportCredentialOnly. The former uses a SOAP
header, the latter an HTTP header.

It is not trivial to get this scenario to work with .NET 3.0. In 3.5 you
can use Transport security with custom usernames.

See:
http://www.leastprivilege.com/Finall...onInWCF.a spx
http://www.leastprivilege.com/WCFUse...ISHosting.aspx


Regardless I wouldn't advise sending credentials in clear text over the wire.
Intranet or not.

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Hi Dominick,

Again, thank you very much for your help :-)

The service will run in 3.5, so it is no problem at all.

Cheers
Henrik

"Dominick Baier" <dbaier (AT) pleasepleasenospam_leastprivilege (DOT) com> wrote in
message news:8e6a913a1a78f8ca05ac8f6523e0 (AT) news (DOT) microsoft.com...