Objective
This document explains various combinations of IIS and WCF NTLM/Windows authentication settings.
What is the difference between NTLM and Windows authentication in WCF?
Windows authentication = authentication in NTLM + authentication in Active Directory
NTLM authentication = authentication in only NTLM
IIS configuration
For all scenarios, IIS is configured for Windows authentication: Windows Authentication is enabled and all other authentication methods are disabled. Open the IIS applicationHost.config file at the path below.
C:\Windows\System32\inetsrv\config\applicationHost.config
Binding used in WCF service
For all scenarios, basicHttpBinding is used for the WCF service.
Scenario #1
The default setting in the IIS applicationHost.config is
<windowsAuthentication enabled="false">
<providers> <add value="Negotiate" />
If the IIS applicationHost.config file has the default setting, then we can use any authentication for the WCF service hosted on that IIS; the WCF service will run as expected without any error.
Note: SharePoint is running as expected
Browser behavior with default settings
- IE 7.0 does not ask for authentication
- Firefox 3.5.6 asks the user to authenticate
- Safari 4.0.4 asks the user to authenticate
Scenario #2
If the IIS applicationHost.config setting has been modified as below, where Windows authentication is forcibly enabled for Kerberos, then we have to configure the service with Windows authentication.
<windowsAuthentication enabled="true"> <providers> <add value="Negotiate" /> <!--<add value="NTLM" />--> </providers> </windowsAuthentication>
The WCF configuration setting for Windows authentication should be
<basicHttpBinding>
<binding name="BasicHttpBinding">
Note: SharePoint is running as expected
Browser behavior with default settings
- IE 7.0 does not ask for authentication
- Firefox 3.5.6 asks the user to authenticate
- Safari 4.0.4 asks the user to authenticate
Scenario #3
If the IIS applicationHost.config setting has been modified as below, where Windows authentication is forcibly enabled for NTLM
<windowsAuthentication enabled="true"> <providers> <!--<add value="Negotiate" />--> <add value="NTLM" /> </providers> </windowsAuthentication>
and we keep Windows authentication for the service, as in the configuration below, we will get an error.
<basicHttpBinding> <binding name="BasicHttpBinding"> <security mode="TransportCredentialOnly"> <transport clientCredentialType="Windows"/> </security> </binding> </basicHttpBinding>
To remove the above error, the WCF configuration setting should be modified for NTLM authentication.
<basicHttpBinding> <binding name="BasicHttpBinding"> <security mode="TransportCredentialOnly"> <transport clientCredentialType="Ntlm"/> </security> </binding> </basicHttpBinding>
Note: SharePoint is running as expected
Browser behavior with default settings
- IE 7.0 does not ask for authentication
- Firefox 3.5.6 asks the user to authenticate
- Safari 4.0.4 asks the user to authenticate
Summary
Sl No | IIS (applicationHost.config) setting | WCF (Web.config) setting
1 | Default | Ntlm and Windows Binding behavior
2 | windowsAuthentication = true and value = Negotiate | Windows authenticated Binding behavior
3 | windowsAuthentication = true and value = NTLM | Ntlm authenticated Binding behavior
So,
- If the IIS applicationHost.config is configured as default, we can have either Ntlm or Windows authentication for the WCF service.
- If the IIS applicationHost.config is configured as Ntlm, we can have only Ntlm authentication for the WCF service.
- If the IIS applicationHost.config is configured as Windows, we can have only Windows authentication for the WCF service.
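The summary above can be turned into a configuration check. The following is an added example, not code from the original post: it reads the windowsAuthentication providers from an applicationHost.config and the clientCredentialType of each basicHttpBinding from a Web.config, then applies the three rows of the table. The function names and the inline XML samples are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def allowed_credential_types(apphost_xml):
    """clientCredentialType values that work, per the page's summary table."""
    node = ET.fromstring(apphost_xml).find(".//windowsAuthentication")
    if node is None or node.get("enabled", "false").lower() != "true":
        return {"Ntlm", "Windows"}   # Scenario #1: default setting
    # ElementTree discards XML comments, so commented-out providers are ignored.
    providers = {p.get("value", "").lower() for p in node.findall("./providers/add")}
    if providers == {"negotiate"}:
        return {"Windows"}           # Scenario #2
    if providers == {"ntlm"}:
        return {"Ntlm"}              # Scenario #3
    return None                      # combination not covered on the page

def binding_credential_types(web_xml):
    """Map each basicHttpBinding name to its transport clientCredentialType."""
    found = {}
    for b in ET.fromstring(web_xml).findall(".//basicHttpBinding/binding"):
        t = b.find("./security/transport")
        found[b.get("name", "")] = t.get("clientCredentialType") if t is not None else None
    return found

def check(apphost_xml, web_xml):
    """Return {binding: True/False/None}; None means the page gives no rule."""
    allowed = allowed_credential_types(apphost_xml)
    return {name: (None if allowed is None else cred in allowed)
            for name, cred in binding_credential_types(web_xml).items()}

def _apphost(providers_xml):         # constructed sample, not a real server file
    return ("<configuration><system.webServer><security><authentication>"
            '<windowsAuthentication enabled="true"><providers>' + providers_xml +
            "</providers></windowsAuthentication>"
            "</authentication></security></system.webServer></configuration>")

def _web(cred):                      # constructed sample Web.config
    return ("<configuration><system.serviceModel><bindings><basicHttpBinding>"
            '<binding name="BasicHttpBinding"><security mode="TransportCredentialOnly">'
            '<transport clientCredentialType="' + cred + '"/></security></binding>'
            "</basicHttpBinding></bindings></system.serviceModel></configuration>")

APPHOST_NEGOTIATE = _apphost('<add value="Negotiate" /> <!--<add value="NTLM" />-->')
APPHOST_NTLM = _apphost('<!--<add value="Negotiate" />--> <add value="NTLM" />')

if __name__ == "__main__":
    print(check(APPHOST_NTLM, _web("Windows")))   # Scenario #3 error case
    print(check(APPHOST_NTLM, _web("Ntlm")))      # Scenario #3 corrected
```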