Over the next posts I will look at some typical authentication scenarios for WCF in detail.
You all know that WCF has a plethora of different options and knobs to tweak and that is the reason why many people don’t like it. Too much complexity.
But you can keep WCF simple if you use some sensible configuration settings. For me that typically means: use transport security, use the most basic binding that does the job, avoid stateful communication (aka sessions).
This is also the subset of WCF communication options that IMO will go forward in the long run (e.g. here).
Windows Authentication
This is the typical intranet SSO scenario. Transport security works best here and I typically chose BasicHttpBinding in the past. But with .NET 4.5 there is now the new NetHttpBinding which is basically the basic HTTP binding using binary encoding for better performance (we at Thinktecture used that combination via a custom binding for a long time in lots of customer projects). In addition NetHttpBinding supports bi-directional communication over Web Sockets if available.
Another option is the NetTcpBinding. I rarely use it because I don’t like sessions. Up to you.
UserName/Password Authentication
I recommend Basic/Net HTTP binding using TransportWithMessageCredential security mode (aka mixed mode) and the UserName credential type.
Client Certificate Authentication
Again Basic/Net HTTP binding using TransportWithMessageCredential security mode (aka mixed mode) and the Certificate credential type.
Token-based Authentication
The obvious choice is the WS2007FederationHttpBinding. I typically use it in mixed mode and specifically turn off WS-SecureConversation to avoid the session state. I also tend to use bearer tokens these days (unless you need the additional security and anti-repudiation features of, for example, symmetric keys, which is rare). This further simplifies the whole system because you don’t need token decryption keys.
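The four scenarios above map to the following binding configuration. This is an added example, not configuration from the original post; the binding names are illustrative assumptions, and netHttpBinding accepts the same security element as basicHttpBinding.

```xml
<!-- Added example; binding names ("windows", "username", ...) are assumptions. -->
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <!-- Windows authentication: plain transport security (HTTPS),
           credentials negotiated at the HTTP layer. -->
      <binding name="windows">
        <security mode="Transport">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>

      <!-- UserName/password: mixed mode. HTTPS protects the channel,
           the credential travels in the SOAP security header. -->
      <binding name="username">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" />
        </security>
      </binding>

      <!-- Client certificate: same mixed mode, Certificate credential type. -->
      <binding name="certificate">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </basicHttpBinding>

    <ws2007FederationHttpBinding>
      <!-- Token-based: mixed mode, WS-SecureConversation turned off
           (no session state), bearer token instead of a symmetric
           proof key. -->
      <binding name="bearer">
        <security mode="TransportWithMessageCredential">
          <message establishSecurityContext="false"
                   issuedKeyType="BearerKey" />
        </security>
      </binding>
    </ws2007FederationHttpBinding>
  </bindings>
</system.serviceModel>
```

Every binding here depends on the endpoint address being HTTPS; the mixed-mode bindings have no message-level protection of their own.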
Do you have an example of the configuration required for token-based Authentication using bearer tokens? I can see further posts on the other three authentication types but not this one.
In particular, I get missing key errors with my current configuration when using bearer tokens so am interested to know how this works.
Thanks!
I will write a blog post in the next days.
Thanks that would be great.