Authentication in WCF for every call

野的像风 2021-01-22 12:34

I'm consuming a lot of WCF Services from a Silverlight application in a totally disconnected way.

I want to ensure that I know the user who is calling every service and

2 Answers
  • 2021-01-22 13:19

    It sounds like using ASP.NET Membership might be a good fit for you. There are two approaches you can use with this. The first is to use the default membership tables as generated by aspnet_regiis. This option has the advantage of being basically done for you. In this case, all you'd need to do is run the aspnet_regiis tool, then add the necessary portions to the Web.config for your WCF service as described here. Then, when calling the service you need to set credentials for your binding as described here - specifically the portion about setting ClientCredential for your binding when consuming the service.

    The other option is to write your own custom membership provider as described here. This allows you to do whatever you want behind the scenes in terms of storing and managing your users, rather than using the pre-built ASP.NET mechanisms. This is a good approach if you're mating with an existing user base or want to have more control over how things are implemented.

    Also, keep in mind that ASP.NET Membership isn't your only option for securing your WCF service. Spend some time reading up on your options, which include:

    • Windows Authentication and Windows Authorization via transport level security on basicHttpBinding
    • Windows Authentication and Windows Authorization via message level security on wsHttpBinding
    • UsernamePasswordToken Authentication with ASP.NET Membership and ASP.NET Role Authorization via message level security on wsHttpBinding
    • UsernamePasswordToken Authentication with custom validator via message level security on wsHttpBinding
    • Authorization using a custom Authorization Policy
    • Impersonation using Windows credentials

    That list comes from this blog post, which is a good place for you to start exploring your options. Reading up on them will give you the opportunity to learn the strengths, weaknesses, and features of each so that you can choose the one that best suits your purposes. You can also begin with the MSDN articles on WCF security here.

    In summary, yes there is an "almost-done" way to do it with ASP.NET Membership, and it shouldn't be too hard to implement, but take some time to explore your other options as well before just diving in with one, because they all have trade-offs and you don't want to have to re-implement it in the future if you decide the approach you chose is a bad fit.

    0 Discussion (0)
  • 2021-01-22 13:27

    One way to do this is if you can impersonate all users. For that, you need to add the following in your service behaviour:

    <serviceAuthorization impersonateCallerForAllOperations="true" />

    More details here: http://msdn.microsoft.com/en-us/library/ms731090.aspx

    And if you want to know the user, then inside your service methods you can use

    System.Threading.Thread.CurrentPrincipal.Identity.Name

    to find the name of the user who is using your services.

    Edit:

    You can use the membership API; details here:

    http://msdn.microsoft.com/en-us/library/ms731049.aspx

    http://blogs.msdn.com/b/pedram/archive/2007/10/05/wcf-authentication-custom-username-and-password-validator.aspx

    http://social.msdn.microsoft.com/forums/en-US/asmxandxml/thread/8a679fb2-e67e-44a9-b491-eb95d5144068

    0 Discussion (0)
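
The "UsernamePasswordToken Authentication with custom validator" option from the first answer's list, together with the per-call user lookup the second answer describes, as an added example that is not part of either answer. `DemoUserValidator`, `IWhoAmI`, `WhoAmIService`, the assembly name and the user data are hypothetical, and the sketch assumes a binding configured for UserName credentials on .NET Framework.

```csharp
using System.Collections.Generic;
using System.IdentityModel.Selectors;   // UserNamePasswordValidator
using System.IdentityModel.Tokens;      // SecurityTokenValidationException
using System.Security.Cryptography;
using System.ServiceModel;
using System.Text;

// Enabled under <serviceCredentials> with <userNameAuthentication
// userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType=
// "DemoUserValidator, DemoAssembly" /> (type and assembly names are hypothetical).
public class DemoUserValidator : UserNamePasswordValidator
{
    // Constructed demo data: one shared salt and one user. A real store keeps a salt per user.
    static readonly byte[] Salt = Encoding.UTF8.GetBytes("constructed-demo-salt");
    static readonly Dictionary<string, byte[]> Users = new Dictionary<string, byte[]>
        { { "alice", Hash("constructed-sample-password") } };
    static byte[] Hash(string password)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, Salt, 100000))
            return kdf.GetBytes(32);
    }
    // WCF calls this for every message that carries a UserName token.
    public override void Validate(string userName, string password)
    {
        byte[] expected;
        bool known = Users.TryGetValue(userName ?? "", out expected);
        byte[] actual = Hash(password ?? "");    // hash even for unknown users
        int diff = known ? 0 : 1;
        for (int i = 0; i < actual.Length; i++)  // compare all bytes, no early exit
            diff |= actual[i] ^ (known ? expected[i] : (byte)0);
        if (diff != 0)
            throw new SecurityTokenValidationException("Unknown user name or wrong password.");
    }
}

[ServiceContract]
public interface IWhoAmI { [OperationContract] string WhoAmI(); }

public class WhoAmIService : IWhoAmI
{
    public string WhoAmI()
    {
        // Null when the binding has no security; anonymous when no credential was presented.
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous)
            throw new FaultException("Caller is not authenticated.");
        return ctx.PrimaryIdentity.Name;   // the name that passed Validate()
    }
}
```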