How to: Use Windows Authentication to Secure a Service for Silverlight Applications

Microsoft Silverlight will reach end of support after October 2021. Learn more.

This topic describes how to use Windows authentication to secure access to services that are intended to be used from Silverlight version 4 applications.

Windows authentication is useful when you are developing an intranet application where the user Windows credentials are automatically used without requiring the user to log on.

Before using this technique, consider the impact on non-Windows platforms if they are important to your scenario.

Configuring the Service

The first step is to configure your service to use Windows authentication. How this is done depends on how the service is being hosted and what technologies are used to configure security.

ASP.NET Hosted Services and Services Using Non-Microsoft Technologies

  • If the service is based on a non-Microsoft technology, refer to the documentation specific to the technology you are using to determine how to configure it to use Windows, NTLM, or Kerberos authentication.

  • If the service is hosted in an ASP.NET-based site, use the usual ASP.NET mechanism to enable Windows authentication:

      <authentication mode="Windows" />

    For more information, see How to: Host a Secure Service in ASP.NET for Silverlight Applications.

  • If the service is a Windows Communication Foundation (WCF) service but is not hosted in ASP.NET, follow the steps in the next procedure.

WCF Services Not Hosted in ASP.NET

  1. Change the binding configuration in the <bindings> element of the <system.serviceModel> section to support Windows authentication. The following example shows how to do this when configuring a CustomBinding binding.

              <binding name="myBinding">
                <httpTransport authenticationScheme="Ntlm"/>

    The following example shows how to do this when configuring a standard BasicHttpBinding binding.

              <binding name="myBinding">
                <security mode="TransportCredentialOnly">
                  <transport clientCredentialType="Ntlm"/>

    NT LAN Manager (NTLM) authentication is a challenge-response scheme that uses Windows credentials to transform the challenge data instead of a user name and password. A full discussion of the proper server-side configuration is outside the scope of this topic. You might need to configure Internet Information Services (IIS) to support Windows authentication. For more information, see Understanding HTTP Authentication and Transport Security Overview.

  2. On the target service, make sure that your service <endpoint> element in the <service> element of the <system.serviceModel> section in the Web.config file is configured with the binding configuration you defined above.

    <endpoint address="" 
              contract="SilverlightApplication2.Web.Service1" />
  3. At this point, you can use any of the usual WCF mechanisms for authorization outlined in Authorization. The following example shows how to use the OperationContext.Current.ServiceSecurityContext.PrimaryIdentity to access the current user’s identity.

            public int GetAccountBalance()
    //Block unauthorized users. SecurityException will return the correct SOAP Fault for this situation.
                if (!OperationContext.Current.ServiceSecurityContext.WindowsIdentity. IsAuthenticated) throw new SecurityException();
    //Retrieve the data for the current user.
                return Database.GetBalanceForUser(OperationContext.Current.ServiceSecurityContext.WindowsIdentity.Name);
  4. (Optional) Verify that there are no errors in the service configuration. A convenient way to do this in Visual Studio 2010 is to right-click the .svc file in the Solution Explorer and select View in Browser (or press CTRL + F5) to display a test page for the service. Many HTTPS-related and authentication-related configuration errors are easy to catch at this stage but difficult to debug directly from a Silverlight 4 application.

    You can also use the approach described in this section for Windows Communication Foundation (WCF) services that are hosted in ASP.NET but that are not running in ASP.NET Compatibility Mode, so that not all ASP.NET features are supported.

Accessing the Service from Silverlight

After the service has been set up for Windows authentication, you can access it from Silverlight 4 as usual. No special code is required.

Silverlight 4 does not provide any mechanism to set Windows credentials through code at the service model programming level in WCF, although the setting of credentials is possible at the networking level by using HttpWebRequest and WebClient. Credentials will be supplied by the browser or the underlying operating system (depending on which WebRequestCreator is used), and any problems related to the failure of credentials to be sent must be solved at that level.,VS.95).gif Security Note:
The Silverlight client-side ServiceReferences.ClientConfig configuration file is generated by the Add Service Reference tool for SOAP services. The use of Windows authentication may be specified in this file with the TransportCredentialOnly security mode. However, in Silverlight 4, this mode is exactly equivalent to the None security mode. In both modes, Windows credentials are managed by the browser and are not under your application’s control.

If the browser is not setting Windows credentials correctly, there may be some steps you can take to correct that. The following example assumes you are using Internet Explorer 8.

To configure Internet Explorer 8 to use Windows authentication

  1. Go to the Tools menu in the browser, select Internet Options, click the Security tab, and select the Local Intranet zone.

  2. To configure settings for this zone, click the Custom Level button near the bottom, find the Logon settings in the User Authentication section, and select Automatic logon only in Intranet zone.

  3. Click OK to return to the Internet Options window.

  4. Click the Advanced tab in the Internet Options window, and scroll down to the Security section at the bottom. Ensure that Enable Integrated Windows Authentication* is selected, and click OK to save the new settings.

    Dd744835.Warning(en-us,VS.95).gif Caution:
    Using Windows credentials outside of your local intranet has serious security implications.

Cross-Domain Considerations

When Windows authentication is in use, there are two publishing issues:

  • You must not publish a full-access cross-domain policy file (<domain uri=”*”/>) for the domain where the service is hosted. Doing so would introduce a security vulnerability.

  • You can publish a limited cross-domain policy file (<domain uri=”” />) giving access to a trusted domain, if you cannot host your XAP file on the same domain as the service.

Send comments about this topic to Microsoft.

Copyright © 2010 by Microsoft Corporation. All rights reserved.