I have a simple web service whereby the security is handled via forms based authentication.

WCFTestService.ServiceClient myService = new WCFTestService.ServiceClient();
myService.ClientCredentials.UserName.UserName = "user";
myService.ClientCredentials.UserName.Password = "secret";
lblResult.Text = myService.GetData(1231);
myService.Close();

I'm accessing this via a web app. So I want to do the above once but for security/performance not have to do it again. I was thinking something like the below but as I'm using FormsAuthentication this won't work...

//Obtain the authenticated user's Identity and impersonate the original caller
using (((WindowsIdentity)HttpContext.Current.User.Identity).Impersonate())
{
  WCFTestService.ServiceClient myService2 = new WCFTestService.ServiceClient();
  lblResult.Text = "From Logged On Credentials"+myService2.GetData(1231);
  myService2.Close();
}
+1  A: 

What you're trying to do is establish a "secure session" between your client and your service. This is a concept that will only work with the wsHttpBinding - so if you're not using that particular binding, it won't work.

To establish a secure session, you need to set a number of specific config properties in the client and server's config files - you can certainly find those settings by reading the docs (look for "establishSecurityContext") or check out Michele Leroux Bustamante's excellent WCF screencast on security fundamentals on MSDN.

But really: I wouldn't recommend trying to use secure session by all means. Under normal circumstances, using per-call services is the preferred option, and the overhead for re-authenticating with each service call is really negligible.

Marc

marc_s
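
The following is an added illustration, not part of the answer above or of the asker's project: a client-side config fragment showing the "establishSecurityContext" setting on a wsHttpBinding next to the per-call alternative the answer prefers. The binding names, the endpoint address and the contract name are assumptions, and the service's config needs the matching binding settings.

```xml
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Secure session: the user name and password are sent when the
           channel is first used; later calls on the SAME proxy instance
           reuse the negotiated security context. -->
      <binding name="secureSession">
        <security mode="Message">
          <message clientCredentialType="UserName"
                   establishSecurityContext="true" />
        </security>
      </binding>

      <!-- Per-call: no security context is established, so every call
           carries the credentials and is authenticated on its own. -->
      <binding name="perCall">
        <security mode="Message">
          <message clientCredentialType="UserName"
                   establishSecurityContext="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>

  <client>
    <!-- Assumed address and contract name; switch bindingConfiguration
         to "secureSession" to use the session-based binding. -->
    <endpoint name="WCFTestService"
              address="https://service.example.invalid/Service.svc"
              binding="wsHttpBinding"
              bindingConfiguration="perCall"
              contract="WCFTestService.IService" />
  </client>
</system.serviceModel>
```

With the session-based binding the security context belongs to the channel, so the saving only applies while the same ServiceClient instance is kept open and reused; creating a new proxy per request sends the credentials again.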