.NET Tutorials, Forums, Interview Questions And Answers

Can service authenticate itself ( at transport security level ) using username/password authenticati

Posted By:    Posted Date: December 04, 2010    Points: 0    Category: WCF


At transport level clients can be authenticated (depending on the binding) via certificate, username/password or Windows account. I know service can authenticate itself to clients via certificates, but can it also authenticate itself at transport security level using username/password authentication or perhaps Windows authentication?

For example, I thought we can set a username/password with which service authenticates itself via ServiceCredentials.UserNameAuthentication property, but it appears this property is only used to configure how clients get authenticated (via username/password) by a service.

Thank you


More Related Resource Links

Transport level security with netTcpBinding

Do the service and client need to be part of a domain with a netTcpBinding endpoint configured to use Transport security mode with Certificate-based client credential type and protection level set to EncryptAndSign?

<bindings>
  <netTcpBinding>
    <binding name="CertificateWithTransport"
             maxBufferPoolSize="100000000"
             maxBufferSize="100000000"
             maxReceivedMessageSize="100000000"
             portSharingEnabled="true">
      <readerQuotas maxDepth="100000000"
                    maxStringContentLength="100000000"
                    maxArrayLength="100000000"
                    maxBytesPerRead="100000000"
                    maxNameTableCharCount="100000000" />
      <security mode="Transport">
        <transport clientCredentialType="Certificate" protectionLevel="EncryptAndSign"/>
      </security>
    </binding>
  </netTcpBinding>
</bindings>

Thanks

-= JL =-

An exception occurred when trying to issue security token: The security token username and password



I get a problem authenticating people in the SharePoint 2010 LDAP provider.

Right now, I can successfully configure the central admin for the LDAP provider (I can search people that are in the LDAP server and assign LDAP people without a problem). Also, I can search LDAP people in my site. Then I tried to log in using an LDAP username and password, and it shows "An exception occurred when trying to issue security token: The security token username and password could not be validated.."

First, I thought maybe there was some typo in my site web.config, so I enabled the Windows login and logged into my site using my Windows account; there, I can search LDAP users in my site with no problem. So I believe that my site web.config is alright. The only thing left is the STS. But I am not sure what could be wrong, because the membership and role parts are just simply copied and pasted from my site web.config.

Here is the web.config for STS. Please help. Thank you.

<?xml version="1.0" encoding

How do I pass username/password credentials from php client to self-hosted wcf service?

I have a self-hosted wcf service that just adds 2 numbers and returns the value.  It works fine, but I am not sure how I can send the username and password through the php client, so it will validate against my CustomUserNamePasswordValidator.  Here is the implementation for the Add Method:

public class MathService : IMathService
{
    public double Add(double x, double y) { return x + y; }
}

Here is my current App.Config:

<?xml version="1.0" encoding="utf-8" ?>

Transport Level Security Vs Message Level Security in WCF

* Transport Level Security
It secures the actual transport (i.e. the pipe) over which the message passes from client to service. For example, it uses SSL (Secure Sockets Layer) to ensure point-to-point protection.

* Message Level Security
It secures the message itself that is being transported from client to service and vice versa.

Security Briefs: Regular Expression Denial of Service Attacks and Defenses


Microsoft security expert Bryan Sullivan believes denial-of-service blackmail attacks will become more common as privilege escalation attacks become more difficult to execute. He demonstrates how to protect your apps against regular expression DoS threats.

Bryan Sullivan

MSDN Magazine May 2010

Security Briefs: XML Denial of Service Attacks and Defenses


This article reviews what makes XML vulnerable to denial of service attacks and how to mitigate these attacks.

Bryan Sullivan

MSDN Magazine November 2009

Geneva Framework: Building A Custom Security Token Service


A Security Token Service, or STS, acts as a security gateway to authenticate callers and issue security tokens carrying claims that describe the caller. See how you can build a custom STS with the "Geneva" Framework.

Michele Leroux Bustamante

MSDN Magazine January 2009

Security: Safer Authentication with a One-Time Password Solution


One-time passwords offer solutions to dictionary attacks, phishing, interception, and lots of other security breaches. Here's how it all works.

Dan Griffin

MSDN Magazine May 2008

Security: Authenticate Users Across Organizations Using ADFS


Jack Couch looks at how to set up ADFS and when to use it; he then shows how to connect to an outside organization to offer single sign-on.

Jack Couch

MSDN Magazine December 2007

Security Briefs: Password Minder Internals


In my last column I introduced Password Minder, the tool I use to manage all of my passwords. It generates a long, random password for each site I visit, and makes it possible for me to use the most complex passwords possible, without ever having to see the actual password material or type it in manually.

Keith Brown

MSDN Magazine October 2004

Secure It: WS-Security and Remoting Channel Sinks Give Message-Level Security to Your SOAP Packets


As more organizations adopt XML-based Web Services, the need for message-level security has become evident. WS-Security, now supported in the Microsoft .NET Framework, addresses this need. Using the WS-Security framework, developers can implement channel sinks to intercept Remoting messages as they pass through the .NET Remoting infrastructure. The sink can read the message, change it, and pass it along. During this process, the message can be signed for added security. This article explains how to implement a Remoting channel sink that will modify the Remoting message by including a UserName token in the header, then sign the body using the token.

Neeraj Srivastava

MSDN Magazine November 2003

Password recovery by entering email not username



I am using the ASP.NET password recovery control. By default the user needs to enter their username before an email gets sent out to them.

Is it possible for the email to be used instead of entering the username? A lot of my users forget their username but not their email.


Password / Application Security.


I am using a function which requires a user name and password. I have written this username and password in my code behind file. How safe is it? If it is not safe, what are the risks and how to provide security to my code and application?

Accessing Username, password, roles in xml file


Currently I am storing my username and password (passwordFormat="SHA1") credentials in my web.config. I would like to figure out how to access them in an XML file that I have stored in my App_Data directory rather than the web.config file, because I do not want my application restarting every time I manually add a user (small list of 5 authorized users for the CMS section).

Here is what my web.config section looks like:


<authentication mode="Forms">
      <forms name=".Administration"

How to Pass UserName & Password to codebehind page using jquery

Here is the login form I would like to use.
Right now it is not communicating with my codebehind page.
How do I modify the jQuery login code to post the username and password to the codebehind?
<%@ Page Language="VB" AutoEventWireup="false" CodeFile="Default.aspx.vb" Inherits="Default2" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<link rel="stylesheet" type="text/css" href="styles/chop1.css" />
<script type="text/javascript" src="js/chopjs/jquery-1.3.2.min.js"></script>

<script type="text/javascript" src="js/chopjs/three.js"></script>
<!--[if IE 6]>
<script type="text/javascript" src="js/ie_png_fix.js"></script>

Windows Identity Foundation Security Token Service can't stay logged in

I'm using the Windows Identity Foundation (WIF) Security Token Service (STS) to handle authentication for my application which is working all well and good. However I can't seem to get any long running login with the STS. From my understanding I shouldn't care about the client tokens at the application level since they can expire all they want to and it should redirect me to the STS and as long as they're still logged in on the STS it should refresh their application token. Yet it doesn't seem to want to keep them signed in.

Here's what occurs in my login.aspx on the STS

var cookie = FormsAuthentication.GetAuthCookie(userName, persistTicket);
if (persistTicket)
    cookie.Expires = DateTime.Now.AddDays(14);
Response.Cookies.Add(cookie);
var returnUrl = Request.QueryString["ReturnUrl"];
Response.Redirect(returnUrl ?? "default.aspx");

Which was taken almost directly from existing application using normal Forms Auth.

From my web.config

<authentication mode="Forms">
  <forms loginUrl="Login.aspx"
         protection="All"
         timeout="2880"
         name=".STS"
         path="/"
         requireSSL="false"
         slidingExpiration="true"
         defaultUrl="default.aspx"
         cookieless="UseDeviceProfile"
         enableCrossAppRedirects="false" />
</auth