
We have a WCF service that uses Windows authentication (also with the option AllowNtlm=true). The documentation says that Windows authentication uses Active Directory to authenticate the user but doesn't describe how, which I need to figure out. How does WCF use Active Directory?

Here's the binding configuration we're using:

<security mode="TransportWithMessageCredential">
    <transport clientCredentialType="None" />
    <message clientCredentialType="Windows" establishSecurityContext="false" />
</security>
dstr
  • You can take a look at the tutorial provided at the link below. https://www.c-sharpcorner.com/UploadFile/ledomoon/creating-active-directory-service-using-wcf/ and https://jpda.dev/protecting-wcf-with-azure-ad-586487769b5e – Lan Huang Mar 21 '22 at 09:28
  • https://stackoverflow.com/questions/26930018/azure-active-directory-and-wcf-authentication – Lan Huang Mar 21 '22 at 09:32
  • @LanHuang: thanks, but that's not what I'm looking for. What I'm looking for is how the WCF framework itself connects to and uses Active Directory in the background when you set the authentication type to Windows. – dstr Mar 21 '22 at 11:23
  • Why are you asking? Are you trying to replicate it somehow? – Gabriel Luci Mar 21 '22 at 15:02

1 Answer


If anyone is interested, this is what I've found.

If you set your client credentials type to Windows, WCF uses something called Windows SSPI for Windows authentication.

Windows SSPI makes either Kerberos or CLDAP requests to a domain controller. Example:

Kerberos: AS-REQ request

CLDAP:

searchRequest(..) "<ROOT>"

(&(&(&(&(&(&(DnsDomain=...)(Host=...))(User=...))(AAC=...))(DomainGuid=...))(NtVer=...))(DnsHostName=...))

Both can be observed using Wireshark (look for Kerberos5 or CLDAP protocol requests).

dstr
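An added example, not part of the original answer: when reviewing a capture, the nested `(&(&(...)))` CLDAP filter shown above can be flattened into a flat attribute map, so it is easy to see which host and user triggered the request and whether the filter carries attributes beyond the ones listed in the answer. The parser assumes only `&` groups and `attr=value` leaves (the shape shown above); every value in `SAMPLE` is a constructed placeholder.

```python
# Added example (not from the original post). Attribute names come from the
# answer's CLDAP filter; every value in SAMPLE is a constructed placeholder.
PAGE_ATTRS = ["DnsDomain", "Host", "User", "AAC", "DomainGuid", "NtVer", "DnsHostName"]

SAMPLE = ("(&(&(&(&(&(&(DnsDomain=corp.example)(Host=WS01))(User=alice))"
          "(AAC=constructed))(DomainGuid=constructed))(NtVer=constructed))"
          "(DnsHostName=ws01.corp.example))")

def _parse_node(s, i):
    """Parse one '(...)' item starting at offset i; return (node, next_offset)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] == "&":           # AND group: zero or more children
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse_node(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unbalanced '&' group at offset {i}")
        return ("and", children), i + 1
    end = s.find(")", i)                      # leaf: attr=value
    attr, sep, value = s[i:end if end != -1 else i].partition("=")
    if end == -1 or not sep or not attr:
        raise ValueError(f"malformed leaf at offset {i}")
    return ("leaf", attr, value), end + 1

def parse_filter(text):
    """Parse a whole filter string and reject trailing data."""
    s = text.strip()
    node, pos = _parse_node(s, 0)
    if pos != len(s):
        raise ValueError(f"trailing data at offset {pos}")
    return node

def flatten(node):
    """Collapse nested AND groups into {attr: value}, keeping filter order."""
    if node[0] == "leaf":
        return {node[1]: node[2]}
    out = {}
    for child in node[1]:
        out.update(flatten(child))
    return out

def summarize(text):
    """Return (attributes, names not among those listed in the answer)."""
    attrs = flatten(parse_filter(text))
    return attrs, [a for a in attrs if a not in PAGE_ATTRS]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```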