Implement a WCF custom authentication

Configuring a WCF service is sometime a complex operation, expecially when we need to define the security of the service.

On the Microsoft web site we have some detailed articles about the different configurations, what I discuss in this post is enable a custom authentication where, based on a username and password a custom code verify the credential and allow or not the access to the service.

What we have to do are two different steps; the first one is implementing a C# class form the base class UserNamePasswordValidator (namespace System.IdentityModel.Selectors); the second one is specify the class name in the service behaviour in the web.config file.

The class validator needs to override the Validate method of the UserNamePasswordValidator:

public class UserAuthentication : UserNamePasswordValidator


public override void Validate(string userName, string password)


In this method we implement our custom layer that will validate the credentials; in case of fault we’ll return an Exception with a specific message.

This class have to be specified in the web.config file:

        <binding name="BindingServices">
          <security mode="TransportWithMessageCredential">
            <message clientCredentialType="UserName" />
        <behavior name="BehaviourServices">
            <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="Namespace.UserAuthentication,Assembly Name" />

We activate the security mode as TransportWithMessageCredential that means SSL over HTTPS and we setup clientCredentialType as UserName as well.

While transport-layer security provides integrity and confidentiality, message-layer enable some credential modes and one of those is UserName.

We create then a specific behaviour where we declare the class that deal with the authentication, the tag is userNameAuthentication and with the attribute customUserNamePasswordValidatorType we declare the class and the assembly names.

Now the configuration is completed and we can enable the behaviour to the services involved:

<service name="....." behaviorConfiguration="BehaviourServices">
<endpoint contract="....." binding="basicHttpBinding" bindingConfiguration="BindingServices" />

The authentication layer for the service now is activated, if we use the wcf service, we have to declare the credentials:

var client = new WCFService();
client.ClientCredentials.UserName.UserName = ".....";
client.ClientCredentials.UserName.Password = ".....";



We can enable a custom authentication for wcf services, in order to do that we have to implement a class that inherit from UserNamePasswordValidator, enable TransportWithMessageCredential security mode, add a configuration to the web.config file and then specify the credentials before invoking the method.

After these steps we can enable/disable users based on a specific business logic.







Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s