Types of Authentication
WCF authentication refers to verifying the identity of the caller who claims to be invoking the service; this verification of the caller is referred to here as service authentication. WCF offers several authentication mechanisms:
- No authentication: the service does not authenticate its caller and admits all clients.
- Windows authentication: the service uses Kerberos when a Windows domain is available, or NTLM when deployed in a workgroup configuration. In this mode the caller presents its Windows credential ticket/token to the service for authentication.
- Username and password: the caller supplies an explicit username and password, which the service validates.
- Certificate: the client sends its certificate as part of its communication with the service; the service host checks and validates the caller's certificate to authenticate it.
- Custom: WCF lets developers replace the built-in authentication mechanism with their own protocol and credential type.
- Issued token: the caller and the service both rely on a secure token service to issue the client a token that the service recognizes and trusts, e.g. Windows CardSpace.
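The following C# host is an added example, not code from the original page: it shows how each of the credential types listed above is selected on a WSHttpBinding with message security, and what the service has to configure for the username/password and certificate modes. The contract `IPingService`, the validator `DemoUserNameValidator`, the certificate subject name and the demo credentials are all placeholders chosen for this illustration.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract used only for this illustration.
[ServiceContract]
public interface IPingService
{
    [OperationContract]
    string Ping();
}

public class PingService : IPingService
{
    public string Ping() { return "pong"; }
}

// Validator for the UserName credential type. WCF calls Validate for each caller;
// throwing SecurityTokenException rejects the call before the operation runs.
public class DemoUserNameValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            throw new SecurityTokenException("Username and password are required.");
        // Constructed placeholder check; a real validator compares against a
        // credential store that holds salted password hashes, never plain text.
        if (userName != "demo" || password != "demo-secret")
            throw new SecurityTokenException("Unknown username or incorrect password.");
    }
}

public static class AuthenticationHost
{
    // Message security over WSHttpBinding; the credential type selects which of the
    // authentication modes above the endpoint demands from its callers.
    public static ServiceHost Open(MessageCredentialType credentialType, Uri address)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = credentialType;

        var host = new ServiceHost(typeof(PingService), address);
        host.AddServiceEndpoint(typeof(IPingService), binding, "");
        var creds = host.Credentials;

        // Every mode except Windows needs a service certificate to protect messages and
        // to prove the service's identity to the client. The subject name is a placeholder.
        if (credentialType != MessageCredentialType.Windows)
        {
            creds.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My,
                X509FindType.FindBySubjectName, "service-cert-subject-placeholder");
        }

        switch (credentialType)
        {
            case MessageCredentialType.None:
                // No caller authentication: anyone who can reach the endpoint is admitted.
                break;
            case MessageCredentialType.Windows:
                // Caller presents a Kerberos ticket or NTLM token; nothing more to configure.
                break;
            case MessageCredentialType.UserName:
                creds.UserNameAuthentication.UserNamePasswordValidationMode =
                    UserNamePasswordValidationMode.Custom;
                creds.UserNameAuthentication.CustomUserNamePasswordValidator =
                    new DemoUserNameValidator();
                break;
            case MessageCredentialType.Certificate:
                // Caller presents an X.509 certificate. Require a trusted chain and check
                // revocation rather than accepting any certificate the client offers.
                creds.ClientCertificate.Authentication.CertificateValidationMode =
                    X509CertificateValidationMode.ChainTrust;
                creds.ClientCertificate.Authentication.RevocationMode =
                    X509RevocationMode.Online;
                break;
            case MessageCredentialType.IssuedToken:
                // Token issued by a security token service; the STS trust setup is omitted here.
                break;
        }

        host.Open();
        return host;
    }
}
```

The switch makes the trade-off visible: `None` and `Windows` need no extra service-side code, `UserName` is only as strong as the validator you plug in, and `Certificate` should always be paired with an explicit validation mode, since the default accepts any certificate chained to a trusted root and a looser setting would accept any certificate at all.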
- Always create the service in Interface->Implementation form, declaring the contract on the interface.
- Define the service in a class library and reference that class library from the host project. Don't define the service class in the host project.
- Set the instance mode to per-call by default.
- Always catch exceptions with a try/catch block and throw them to the client as FaultException<T>.
- Enable logging and "include exception details" when compiling the project in debug mode; in production deployment, disable logging and include exception details.
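The guidelines above, combined into one added C# example (not code from the original page): the contract and implementation sit in a class library, the service is per-call, internal errors are converted into a typed `FaultException<T>`, and the host turns `IncludeExceptionDetailInFaults` on only for debug builds. `IOrderService`, `OrderFault`, `OrderService` and the fault code are hypothetical names chosen for this illustration.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.ServiceModel.Description;

// --- Class library: contract and implementation (hypothetical names) ---

[DataContract]
public class OrderFault
{
    [DataMember] public string Code { get; set; }
    [DataMember] public string Message { get; set; }
}

[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    [FaultContract(typeof(OrderFault))]
    decimal GetTotal(int orderId);
}

// Per-call instancing: a fresh service object per request, so no state is shared
// between callers and a failed call cannot poison the next one.
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall)]
public class OrderService : IOrderService
{
    public decimal GetTotal(int orderId)
    {
        try
        {
            if (orderId <= 0)
                throw new ArgumentOutOfRangeException("orderId");
            return LookupTotal(orderId);
        }
        catch (FaultException)
        {
            throw;  // already a typed fault; pass it through unchanged
        }
        catch (Exception ex)
        {
            // Log the real exception server-side, then send the client a typed fault
            // with a stable code instead of the exception message or stack trace.
            Trace.TraceError("GetTotal failed: {0}", ex);
            var fault = new OrderFault { Code = "ORDER_LOOKUP_FAILED", Message = "Order could not be processed." };
            throw new FaultException<OrderFault>(fault, new FaultReason(fault.Message));
        }
    }

    private static decimal LookupTotal(int orderId)
    {
        // Constructed stand-in for a data-access call.
        return orderId * 10.0m;
    }
}

// --- Host project: references the class library, configures behaviors, opens the host ---

public static class OrderHost
{
    public static ServiceHost Open(Uri address)
    {
        var host = new ServiceHost(typeof(OrderService), address);
        host.AddServiceEndpoint(typeof(IOrderService), new WSHttpBinding(), "");

        var debug = host.Description.Behaviors.Find<ServiceDebugBehavior>();
        if (debug == null)
        {
            debug = new ServiceDebugBehavior();
            host.Description.Behaviors.Add(debug);
        }
#if DEBUG
        // Debug builds: let faults carry exception details to ease troubleshooting.
        debug.IncludeExceptionDetailInFaults = true;
#else
        // Release builds: never leak internal exception details to callers.
        debug.IncludeExceptionDetailInFaults = false;
#endif
        host.Open();
        return host;
    }
}
```

Tying the flag to the build configuration rather than to a hand-edited config file is what keeps a release deployment from returning stack traces and internal type names in SOAP faults; the typed fault gives clients a stable error contract without revealing how the failure happened.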