views:

753

answers:

2

I know how to configure basicHttpBinding for NTLM authentication, but can't figure out a way to do the same for netTcpBinding.

Does netTcpBinding support NTLM? If so, how to force WCF service to use NTLM?

BTW a well-known method using the identity element for some reason didn't work at all. I am looking for something like this - clientCredentialType="Ntlm" but for tcp. Here is the basicHttp setting:

<basicHttpBinding>
  <binding name="BasicHttpBinding">
    <security mode="TransportCredentialOnly">
      <transport clientCredentialType="Ntlm"/>
    </security>
  </binding>
</basicHttpBinding>
A: 

The Net TCP Binding does not support "NTLM" as a client credentials type - you have a choice of None, Windows or Certificate only (see the MSDN docs on TcpClientCredentialType).

So in your case, try this:

<netTcpBinding>
  <binding name="tcpWindows">
    <!-- netTcpBinding has no TransportCredentialOnly mode; its modes are None, Transport, Message and TransportWithMessageCredential -->
    <security mode="Transport">
      <transport clientCredentialType="Windows"/>
    </security>
  </binding>
</netTcpBinding>

Any reason why this doesn't work??

marc_s
Thank you marc_s. This is what I was trying to use for the tcp binding in the first place, but it does not work - it does not force NTLM. From the event viewer I can see that it is still trying to use Kerberos, which is not configured in the environment. Hence the service call fails. Interestingly enough, it works if I specify the IP address rather than the full name (hostname plus domain) of the server machine. In this case it does utilize NTLM. I can see it from the event viewer.
ablei2000
+1  A: 

Here is the comprehensive answer that I finally found, tested, and confirmed.

A. My WCF client used to build an EndpointAddress dynamically as follows:

EndpointAddress myEndpointAddress = new EndpointAddress(stringUrl);

But in the case of a secure transport (net.tcp) it has to be initialized as follows:

EndpointAddress myEndpointAddress = new EndpointAddress(new Uri(stringUrl), myEndpointIdentity);

Without the EndpointIdentity parameter, the Identity property of the EndpointAddress object is null, which generates the "...target principal name is incorrect..." error on the server side.

B. Our domain controller supports both Kerberos and Ntlm authentication. After the above is done, there are generally four configuration scenarios on the client side for the net.tcp binding if security is other than "None" and the WCF service runs as a domain account:

  1. No <identity> element specified in the client endpoint - WCF call fails

  2. <identity> element provided, but with an empty value for the dns, userPrincipalName or servicePrincipalName element - WCF call successful, but uses Ntlm authentication

  3. <identity> element provided with a value for dns or SPN - WCF call successful; service uses Ntlm to authenticate.

  4. <identity> element provided with the correct value for upn - WCF call successful; service uses Kerberos to authenticate. An incorrect or missing value for upn triggers Ntlm authentication

Thanks.

ablei2000
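To make scenarios 2 and 4 of the answer above concrete in code, here is an added client-side example (it is not code from the answer or from any project): it builds the net.tcp binding with Windows transport credentials and supplies an explicit EndpointIdentity, which is what determines whether Kerberos or NTLM is negotiated. The helper class name, IMyService, the URL and the UPN are placeholders.

```csharp
using System;
using System.ServiceModel;

// Hypothetical helper; names are placeholders, not a WCF API.
public static class NetTcpClientFactory
{
    public static NetTcpBinding CreateBinding()
    {
        // netTcpBinding offers None, Windows or Certificate credentials only;
        // "Windows" lets SSPI negotiate Kerberos or NTLM based on the identity.
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        return binding;
    }

    // Scenario 4: the correct UPN of the domain account the service runs as
    // lets the client obtain a Kerberos ticket. Preferred: Kerberos provides
    // mutual authentication, which NTLM does not.
    public static EndpointAddress KerberosAddress(string url, string serviceAccountUpn)
    {
        return new EndpointAddress(new Uri(url),
            EndpointIdentity.CreateUpnIdentity(serviceAccountUpn));
    }

    // Scenario 2: an identity with an empty SPN value makes the client fall
    // back to NTLM. Equivalent config: <identity><servicePrincipalName value="" /></identity>
    // Use only where Kerberos is genuinely unavailable, as in the question.
    public static EndpointAddress NtlmFallbackAddress(string url)
    {
        return new EndpointAddress(new Uri(url),
            EndpointIdentity.CreateSpnIdentity(string.Empty));
    }

    // Creates a channel proxy for the given address; a null Identity on the
    // address is what produces the "target principal name is incorrect" error.
    public static T CreateChannel<T>(EndpointAddress address)
    {
        var factory = new ChannelFactory<T>(CreateBinding(), address);
        return factory.CreateChannel();
    }
}

// Example usage (placeholder contract, host and account):
// var addr = NetTcpClientFactory.KerberosAddress(
//     "net.tcp://server.example.local:8000/MyService", "svc-wcf@example.local");
// IMyService proxy = NetTcpClientFactory.CreateChannel<IMyService>(addr);
```

Checking the Security log on the service host (as the answerer did with the event viewer) shows which package, Kerberos or NTLM, was actually used for each of the two addresses.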