Authentication
Authentication is the act of verifying that the caller of a service is indeed who that caller claims to be. While authentication is typically referred to in the context of verification of the caller, from the client perspective there is also a need for service authentication; that is, assuring the client that the service it calls really is the service it intends to call. This is especially important with clients who call over the Internet, because if a malicious party subverts the client's DNS service, it could hijack the client's calls. WCF offers various authentication mechanisms:
- No authentication
The service does not authenticate its callers, and virtually all callers are allowed.
- Windows authentication
The service typically uses Kerberos when a Windows Domain Server is available, or NTLM when deployed in a workgroup configuration. The caller provides the service with its Windows credentials (such as a ticket or a token) and the service authenticates that against Windows.
- Username and password
The caller provides the service with a username and a password. The service then uses these credentials against some kind of credentials store, such as Windows accounts or a custom credentials store (such as a dedicated database).
- X509 certificate
The client identifies itself using a certificate. Typically, that certificate is known in advance to the service. The service looks up the certificate on the host side and validates it, thus authenticating the client. Alternatively, ...
Get Programming WCF Services, 2nd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
