tags:

views:

1194

answers:

1
Q: 

WCF/basicHttp and NTLM authentication

Does anyone know how exactly NTLM authentication works in WCF/basicHttp? I wonder if user credentials are passed for every single service method call, or if some kind of security token is being used for subsequent service method calls.

The exact binding configuration that I am using:

<bindings>
  <basicHttpBinding>
    <binding name="winAuthBasicHttpBinding">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Ntlm" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings>

I found this type of configuration on the MSDN reference. But I am not sure if this a good idea performance wise. An alternative would be providing a custom GetAuthenticationToken() kind of method to provide a security token for all subsequent requests of the client. This could be done via the Enterprise Library - Security Application Block.

Further details: The service is being consumed by Browsers/Silverlight Clients.

+2  A: 

In this case here, every single method call will be authenticated.

What you're talking about would be what is called "secure sessions", where the client authenticates once against the server and then a common token is used for subsequent exchanges. That secure sessions features however is only available with wsHttpBinding - not with basicHttpBinding.

Marc

marc_s  2009-05-10 20:15:49
Unfortunately Silverlight only supports basicHttpBinding. Do you think this authentication overhead is worth caring about?
driAn  2009-05-10 20:47:20
Ah yes, you had left out that little detail (Silverlight) in your original post :-) As a rule of thumb, I'd say, if a built-in mechanism is available, first give it a try and see if it really pans out to be a problem. Don't pre-optimize too much.... also WCF in general is known for good to stellar performance, so I assume all these bits and pieces have been performance-tweaked to the maximum. Give it a go and see - if it's *REALLY* a problem, then start looking for another solution....
marc_s  2009-05-11 04:59:38

related questions

In .NET, will empty method calls be optimized out?
Good Resources for Relational Database Design
How to overload std::swap()
What is good server performance monitoring software for Windows?
Unit test execution speed (how many tests per second?)
Has anyone used Jaxer in production?
Replicating load related crashes in non-production environments
ADO.NET Connection Pooling & SQLServer
Has anyone run performance benchmarks comparing LINQ
Best tool for performance testing ASP.NET
Has anybody used Google Performance Tools?
Improving Productivity of my Teams
Scaling multithreaded applications on multicored machines
Is String.Format as efficient as StringBuilder
Faster way to find duplicates conditioned by time
.NET Remoting Speed and VPNs
How much database performance overhead when using LINQ?
CSharpCodeProvider Compilation Performance
C# DataTable Loop Performance
FileHelpers performance
ConfigurationManager.AppSettings Performance Concerns
Why are SYSTEM and taskmgr.exe taking up 100% of my CPU?
Speed Comparisons - Procedural vs. OO in interpreted languages
Anatomy of a "Memory Leak"
Fastest way to get value of pi