Hi, I am developing an ASP.NET application which will be calling (extensively) WCF services. Now, I am obviously having some kind of mental meltdown as I can't for the life of me get this wrapped around my head correctly.

I am using ws2007HttpBinding with Message security and ClientCredentialType of UserName. The WCF is using the ASP.NET Membership provider to validate the user's credentials.

This all works fine but I obviously need to include the user details in every call:

var service = new MyService.MyServiceClient();
// Credentials have to be set on each new client instance.
service.ClientCredentials.UserName.UserName = "my_username";
service.ClientCredentials.UserName.Password = "mypassword";

// .... etc ...

service.Close();

Now, this is easy from the login page as the user has just given us their username and password. I am not comfortable with storing the password for use later on down the road when we need to call another service with the users credentials.

Am I missing something obvious? I have read about tokens etc. but I am not entirely sure how to go about implementing that kind of thing. I have spent all day searching and reading and I am still unsure, so any help you can give will be greatly appreciated!

+1  A: 

The easiest way might really be to store the password in a custom identity. In an ideal world you would use e.g. Kerberos and delegation. Look for further information about impersonation and delegation.

Quite a good article:

http://msdn.microsoft.com/en-us/library/ms998358.aspx#paght000025_usingimpersonation

But all this stuff does not work with a membership provider. You need Windows authentication with an Active Directory.

This topic is not too easy a one... just as an idea: do you really need to authenticate at the web service with the credentials of the interactively logged on user?

HTH a bit, Alex

Alex
Yes you are right, thinking about it more I don't need to be calling the service with their credentials all the time
Wayne
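
Following the point reached in the comment above, an added example (not code from either poster) of calling the service under the web application's own account and passing the logged-on user's name along. The configuration keys, the header name and namespace, and the DoWork operation are assumptions.

```csharp
using System.Configuration;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.Web;

public static class ServiceCaller
{
    // Hypothetical header name and namespace, chosen for this example.
    public const string UserHeader = "OnBehalfOf";
    public const string UserHeaderNs = "urn:example:trusted-subsystem";

    // Web application side: authenticate as the application, not as the user.
    public static void CallAsApplication()
    {
        var service = new MyService.MyServiceClient();
        try
        {
            // Service account read from configuration (hypothetical keys); the
            // logged-on user's password is not kept after the login page.
            service.ClientCredentials.UserName.UserName = ConfigurationManager.AppSettings["SvcUser"];
            service.ClientCredentials.UserName.Password = ConfigurationManager.AppSettings["SvcPassword"];

            using (new OperationContextScope(service.InnerChannel))
            {
                // Name of the user ASP.NET has already authenticated.
                string endUser = HttpContext.Current.User.Identity.Name;
                OperationContext.Current.OutgoingMessageHeaders.Add(
                    MessageHeader.CreateHeader(UserHeader, UserHeaderNs, endUser));
                service.DoWork(); // hypothetical operation
            }
            service.Close();
        }
        catch
        {
            service.Abort(); // Close() can throw on a faulted channel
            throw;
        }
    }

    // Service side: accept the header only from the application's own account.
    public static string GetEndUser()
    {
        string caller = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        if (caller != ConfigurationManager.AppSettings["TrustedCaller"])
            throw new FaultException("Caller may not act on behalf of users.");
        return OperationContext.Current.IncomingMessageHeaders
            .GetHeader<string>(UserHeader, UserHeaderNs);
    }
}
```

A header added through OutgoingMessageHeaders is not signed by default under message security, so where tampering in transit matters, declare it in a message contract with a protection level or pass the user name in the message body. The service account password belongs in an encrypted configuration section.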