In this post we will discuss possible ways of authenticating users in a Silverlight 3 application that uses a WCF service running on IIS 7 and Microsoft Windows Server 2008.
So, the idea is to authenticate the user in the Silverlight application through the Windows Authentication mechanism. Since the Silverlight platform is a sandboxed environment, your application cannot get the user’s Windows credentials that easily. Basically, there are two ways. The first solution is passing the credentials to the Silverlight application using Init parameters. In this case, your Silverlight application relies on the ASP.NET page that hosts it. You can read the credentials using standard ASP.NET classes.
In this post we will use the second approach, which is authentication through the WCF infrastructure. We will go step by step. First, let’s go to IIS Manager and make sure that Windows Authentication is enabled. Anonymous Authentication is disabled as well.
The second step is setting up the configuration files on the Silverlight client and the WCF service. Let’s take a look at the ServiceReferences.ClientConfig file of the Silverlight application:
    <configuration>
      <system.serviceModel>
        <bindings>
          <basicHttpBinding>
            <binding name="BasicHttpBinding_IService"
                     maxBufferSize="2147483647"
                     maxReceivedMessageSize="2147483647">
              <security mode="TransportCredentialOnly" />
            </binding>
          </basicHttpBinding>
        </bindings>
        <client>
          <endpoint address="http://localhost:98/Service.svc"
                    binding="basicHttpBinding"
                    bindingConfiguration="BasicHttpBinding_IService"
                    contract="Service.IService"
                    name="BasicHttpBinding_IService" />
        </client>
      </system.serviceModel>
    </configuration>
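Notice that the security mode of the binding is set to TransportCredentialOnly. This mode provides HTTP-based client authentication only; it does not give the messages integrity or confidentiality protection. The Web.config of the WCF service is next: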
    <system.serviceModel>
      <behaviors>
        <serviceBehaviors>
          <behavior name="ServiceBehavior">
            <serviceMetadata httpGetEnabled="true"/>
            <!-- Returns exception details to the client in faults;
                 a debugging aid that should be false in production. -->
            <serviceDebug includeExceptionDetailInFaults="true"/>
          </behavior>
        </serviceBehaviors>
      </behaviors>
      <services>
        <service behaviorConfiguration="ServiceBehavior" name="Service">
          <endpoint address=""
                    binding="basicHttpBinding"
                    bindingConfiguration="ServiceBinding"
                    contract="IService">
            <identity>
              <dns value="localhost"/>
            </identity>
          </endpoint>
        </service>
      </services>
      <bindings>
        <basicHttpBinding>
          <binding name="ServiceBinding" maxReceivedMessageSize="2147483647">
            <security mode="TransportCredentialOnly">
              <transport clientCredentialType="Windows" />
            </security>
          </binding>
        </basicHttpBinding>
      </bindings>
    </system.serviceModel>
You should also pay attention to the security mode set to TransportCredentialOnly and the credential type set to Windows. With these two configuration files in place, the Silverlight application uses the WCF plumbing for user authentication. All that is left is to pick up the credentials in the service code. Let’s see how to do that; it’s a one-liner:
    string userName = OperationContext.Current.ServiceSecurityContext.WindowsIdentity.Name;
This way your string variable will contain the DOMAIN\user credential values. The first time you load your Silverlight application you will be asked to provide your user name and password. When the user is authenticated, the credentials are sent to the WCF service.
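A more defensive version of the one-liner above, as an added example that is not code from the original post: it rejects calls that arrive without an authenticated Windows identity and checks group membership before returning the name. The operation name WhoAmI and the group EXAMPLE\SilverlightAppUsers are hypothetical; IService and Service match the names used in the Web.config above.

```csharp
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IService
{
    [OperationContract]
    string WhoAmI(); // hypothetical operation, for illustration only
}

public class Service : IService
{
    // Hypothetical group name; replace with a group from your own domain.
    private const string RequiredGroup = @"EXAMPLE\SilverlightAppUsers";

    public string WhoAmI()
    {
        WindowsIdentity caller = GetAuthenticatedCaller();

        // Authentication only proves who the caller is; authorize separately.
        WindowsPrincipal principal = new WindowsPrincipal(caller);
        if (!principal.IsInRole(RequiredGroup))
            throw new SecurityAccessDeniedException("Access is denied.");

        return caller.Name; // DOMAIN\user
    }

    private static WindowsIdentity GetAuthenticatedCaller()
    {
        // ServiceSecurityContext is null when the binding carries no security
        // (for example, if the security mode is changed to None).
        OperationContext context = OperationContext.Current;
        ServiceSecurityContext security =
            context == null ? null : context.ServiceSecurityContext;
        if (security == null || security.IsAnonymous)
            throw new SecurityAccessDeniedException("Access is denied.");

        // An anonymous or unauthenticated identity must not be treated as a user.
        WindowsIdentity identity = security.WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated || identity.IsAnonymous)
            throw new SecurityAccessDeniedException("Access is denied.");

        return identity;
    }
}
```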
You should also make sure that your browser is set to support Windows authentication. Here’s a part of the text regarding this issue from MSDN:
To use Windows authentication, the browsers for all of the end users of your application will need to be configured correctly. For example, with Internet Explorer 7, the procedure to do this is as follows, Go to Tools menu in the browser, select Internet Options, then Security tab, and select the Local Intranet zone. When you click Custom Level… button on the bottom right-hand side to configure settings for this zone, find the Logon setting in the User Authentication section, and select Automatic logon only in Intranet zone. Then click OK, and click OK again to save the new settings.
Once you enter the credentials they will be cached, so the next time you load your Silverlight application you will skip this step.
One small note to consider regarding this post is multiplatform support for your Silverlight application. You should therefore be careful when using this form of authentication.
