WCF and Identity in .NET 4.5: Windows Authentication


To host a service using integrated Windows authentication I use this configuration:

<system.serviceModel>

    <services>
      <service name="Common.ClaimsService">
        <endpoint address="windowstransport"
                  binding="netHttpBinding"
                  contract="Common.IClaimsService" />
      </service>
    </services>

    <bindings>
      <netHttpBinding>
        <binding>
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </netHttpBinding>
    </bindings>

</system.serviceModel>

 

Since the client authenticates with its Windows identity, the client code is rather simple (it uses the same binding configuration as the service):

// "*" tells the ChannelFactory to use the single client endpoint defined in configuration
var factory = new ChannelFactory<IClaimsService>("*");
var proxy = factory.CreateChannel();
var id = proxy.GetIdentity();

When you run that, you will see a WindowsPrincipal/WindowsIdentity on Thread.CurrentPrincipal that contains the username and the effective Windows groups the user is a member of. The issuer of all these claims will be AD AUTHORITY.

Enabling “WIF” Mode
So far this is standard WCF – just with the additional twist that you get a ClaimsPrincipal-derived principal.

If you would rather use the security token handler and the claims transformation/authorization pipeline from WIF, you add this service behavior:

<behaviors>
  <serviceBehaviors>
    <behavior>
      <serviceCredentials useIdentityConfiguration="true" />
    </behavior>
  </serviceBehaviors>
</behaviors>

 

Now the Windows security token handler converts the Windows token to claims. This means you additionally get the authentication method and authentication instant claims, this time with an issuer of LOCAL AUTHORITY.

Also, when you have a ClaimsAuthenticationManager registered in the <system.identityModel /> section, it will run, and you can transform/validate the claim set before it arrives in your service code.
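As an added example (not code from this post), here is a ClaimsAuthenticationManager of the kind described above, with the <system.identityModel /> registration it needs in a comment. The class name, the gating group SID, the role value and the issuer string are assumptions for illustration.

```csharp
using System.Linq;
using System.Security;
using System.Security.Claims;
using System.IdentityModel.Tokens;

namespace Common
{
    // Registered in the service config (assumed assembly name "Common"):
    //   <system.identityModel>
    //     <identityConfiguration>
    //       <claimsAuthenticationManager type="Common.WindowsClaimsAuthenticationManager, Common" />
    //     </identityConfiguration>
    //   </system.identityModel>
    // It only runs when the service behavior sets useIdentityConfiguration="true".
    public class WindowsClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        // Well-known SID of BUILTIN\Users; stands in for whichever group should gate the service (assumption).
        const string RequiredGroupSid = "S-1-5-32-545";
        // Issuer stamped on claims this manager adds, so they are distinguishable from AD AUTHORITY / LOCAL AUTHORITY ones.
        const string AppIssuer = "Common.ClaimsService";

        public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
        {
            var identity = incomingPrincipal == null ? null : incomingPrincipal.Identity as ClaimsIdentity;
            if (identity == null || !identity.IsAuthenticated)
            {
                // Nothing to transform; the Transport/Windows binding already refuses anonymous callers.
                return incomingPrincipal;
            }

            // Validate: the Windows token handler adds an authentication method claim (issuer LOCAL AUTHORITY).
            var method = identity.FindFirst(ClaimTypes.AuthenticationMethod);
            if (method == null || method.Value != AuthenticationMethods.Windows)
            {
                throw new SecurityException("Expected a Windows-authenticated caller.");
            }

            // Validate: group membership arrives as GroupSid claims from AD AUTHORITY; compare SIDs, not display names.
            bool inRequiredGroup = identity.FindAll(ClaimTypes.GroupSid).Any(c => c.Value == RequiredGroupSid);
            if (!inRequiredGroup)
            {
                throw new SecurityException("Caller is not a member of the required group.");
            }

            // Transform: add an application role claim with our own issuer. Adding to the existing identity keeps
            // the WindowsIdentity intact, so the service can still use it for Windows-specific work.
            identity.AddClaim(new Claim(ClaimTypes.Role, "ServiceUser", ClaimValueTypes.String, AppIssuer));
            return incomingPrincipal;
        }
    }
}
```

Throwing from Authenticate fails the call before the service operation runs, which is the intended place to reject callers whose claim set does not pass validation.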

So this is pretty simple. You always get claims, and when you want to use the claims transformation and authorization pipeline, you add the above service behavior.

This entry was posted in IdentityModel, WCF.
