static void

WCF Security

Security Modes

See MSDN Security modes

If using transport security, you can only use the Certificate or Windows client credential type. The behavior/serviceCredentials element configures where to find the credentials used for authentication (e.g. the certificate).


Like ASP.NET's HttpContext, WCF has OperationContext, and also ServiceSecurityContext, which works the same way but holds only the security information.

// For Windows authentication, access the current user by either of these:
var name1 = OperationContext.Current.ServiceSecurityContext.PrimaryIdentity.Name;
var name2 = ServiceSecurityContext.Current.PrimaryIdentity.Name;

In a JSON webHttp endpoint with [AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)] you can use HttpContext.Current.User.Identity.Name as normal.


You can use the security context for impersonation (MSDN): ServiceSecurityContext.Current.WindowsIdentity.ImpersonationLevel needs to be TokenImpersonationLevel.Impersonation (or .Delegation to access remote systems on the caller's behalf).

You can impersonate on some operations (ImpersonationOption Allowed or Required on the operation behavior), or on all of them with the ServiceAuthorization behavior's ImpersonateCallerForAllOperations=true.

Custom authentication

For custom authentication, set credentialType="UserName" and create a class that inherits from UserNamePasswordValidator (Validate doesn't return a boolean; on failure throw a SecurityTokenValidationException). For authorization, you can use OperationContext.Current.ServiceSecurityContext, from which you can get the ClaimSets.

There's an IAuthorizationPolicy interface for custom authentication (reference System.IdentityModel). Implement the Evaluate method and assign a ReadOnlyCollection<IAuthorizationPolicy> to host.Authorization.ExternalAuthorizationPolicies, or register the policies in config:

<serviceAuthorization>
  <authorizationPolicies>
    <add policyType="" />   <!-- assembly-qualified type name of the policy class -->
  </authorizationPolicies>
</serviceAuthorization>
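As an added example (not from the original notes), a custom UserNamePasswordValidator and an IAuthorizationPolicy side by side: the validator throws rather than returning false and compares hashes in fixed time, the policy turns the validated name claim into a role claim. The class names, the sample user and the role claim URI are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Text;

// Plugged in via userNamePasswordValidationMode="Custom" and customUserNamePasswordValidatorType.
public class DemoUserNameValidator : UserNamePasswordValidator
{
    // Constructed sample store: user name -> SHA-256 of the password, never the plaintext.
    private static readonly Dictionary<string, byte[]> Users =
        new Dictionary<string, byte[]> { { "alice", Hash("correct horse battery staple") } };

    public override void Validate(string userName, string password)
    {
        // Validate returns void: success is silent, every failure must throw.
        if (userName == null || password == null) throw new SecurityTokenValidationException("Missing credentials");
        byte[] stored; bool known = Users.TryGetValue(userName, out stored);
        // Hash and compare even for unknown names so timing does not reveal which users exist.
        bool match = FixedTimeEquals(known ? stored : Hash(string.Empty), Hash(password));
        if (!known || !match)
            throw new SecurityTokenValidationException("Unknown user name or incorrect password");
    }

    static byte[] Hash(string s) { using (var sha = SHA256.Create()) return sha.ComputeHash(Encoding.UTF8.GetBytes(s)); }

    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Plugged in via <serviceAuthorization><authorizationPolicies><add policyType="..." />.
public class DemoRolePolicy : IAuthorizationPolicy
{
    private readonly string id = Guid.NewGuid().ToString();
    public string Id { get { return id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        // The validated user name arrives as a Name claim; map it to a role claim for later checks.
        foreach (ClaimSet set in evaluationContext.ClaimSets)
            foreach (Claim c in set.FindClaims(ClaimTypes.Name, Rights.PossessProperty))
                if ((string)c.Resource == "alice")
                    evaluationContext.AddClaimSet(this, new DefaultClaimSet(Issuer,
                        new Claim("http://example.invalid/claims/role", "Admin", Rights.PossessProperty)));
        return true; // true: evaluation is complete, no need to call again for this message
    }
}
```

The service can then read the added role claim from ServiceSecurityContext.Current.AuthorizationContext.ClaimSets when authorizing an operation.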

Use ASP Membership with WCF


<serviceCredentials> has a <userNameAuthentication> element; set userNamePasswordValidationMode="MembershipProvider" to use ASP.NET membership instead of Windows.

Or use roles from a role provider (principalPermissionMode must be UseAspNetRoles for roleProviderName to take effect):

<serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="SqlProvider" />


serviceCredentials has a clientCertificate and a serviceCertificate element.
serviceCredentials/clientCertificate/authentication has a certificateValidationMode, which can be Custom (a customCertificateValidatorType), ChainTrust (must chain to a trusted root certificate) or PeerTrust (the certificate itself, e.g. self-issued, is in the Trusted People store).


In code you can set the ProtectionLevel: [OperationContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)] (if you're using Transport security this has no effect; you can't use it with BasicHttpBinding as that has no security by default).

Debugging Security

Add the serviceSecurityAudit element to the server behavior, and check the audit log (the Application log here):

  <behavior name="defaultBehavior">
    <serviceSecurityAudit auditLogLocation="Application"
                          serviceAuthorizationAuditLevel="Failure"
                          messageAuthenticationAuditLevel="Failure" />
  </behavior>