WCF and Windows Security Revisited

Configuring WCF to require Windows authentication is a pretty trivial task. But this alone does not set any requirements for what the client's credentials need to be. If you want the clients to belong to a certain Active Directory group, you are required to do some coding to achieve it.

One option is to define PrincipalPermission attributes in every class to define its security requirements. But this means hard-coding the requirements into the assembly. The only flexible solution I found was to write my own ServiceAuthorizationManager and read the group name from the app.config.

using System.IdentityModel.Tokens;
using System.Security.Principal;
using System.ServiceModel;

public class CustomAuthorizationManager : ServiceAuthorizationManager
{
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        // For mex support: metadata requests arrive without credentials
        if (operationContext.ServiceSecurityContext.IsAnonymous)
            return true;

        // When Windows authentication has been set up using an application setting
        if (Properties.Settings.Default["UserGroup"] != null)
        {
            WindowsIdentity identity = operationContext.ServiceSecurityContext.WindowsIdentity;

            // The caller did not present Windows credentials
            if (identity == null || identity.IsAnonymous)
                throw new SecurityTokenValidationException("Windows authentication required");

            WindowsPrincipal principal = new WindowsPrincipal(identity);
            string group = Properties.Settings.Default["UserGroup"].ToString();

            // Group name comes from app.config, e.g. DOMAIN\GroupName
            return principal.IsInRole(group);
        }
        else
        {
            return base.CheckAccessCore(operationContext);
        }
    }
}



In the service app.config, register the manager as a service behavior (the value is the assembly-qualified name of the class):

<serviceBehaviors>
  <behavior name="Service1Behavior">
    <serviceAuthorization serviceAuthorizationManagerType="CustomAuthorizationManager, MyAssembly"/>
  </behavior>
</serviceBehaviors>
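As an added example (not the post's own code), the following puts the two options from the post side by side: the hard-coded PrincipalPermission attribute on an operation, and a configuration-driven manager whose group decision is extracted into a helper that takes any IPrincipal, so it can be checked with a GenericPrincipal on a machine that is not domain-joined. It goes beyond the post in reading a semicolon-separated list of groups instead of one, and in allowing anonymous callers only for the WS-Transfer Get action that metadata exchange uses rather than for every anonymous request. The contract name IReportService, the appSettings key AllowedGroups, the group CORP\Group_1 and the class names are assumptions; the project needs a reference to System.Configuration.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Diagnostics;
using System.Linq;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;

// Option 1 (hard-coded): PrincipalPermission on the operation implementation.
// Works with principalPermissionMode="UseWindowsGroups", the serviceAuthorization
// default, but the group name is compiled into the assembly.
[ServiceContract]
public interface IReportService
{
    [OperationContract]
    string GetReport(int id);
}

public class ReportService : IReportService
{
    [PrincipalPermission(SecurityAction.Demand, Role = @"CORP\Group_1")] // assumed group
    public string GetReport(int id)
    {
        return "report " + id;
    }
}

// Option 2 (configurable): the decision is separated from the WCF plumbing and
// takes an IPrincipal, so it can be exercised with GenericPrincipal in a test.
public static class GroupMembershipPolicy
{
    // Reads the assumed key "AllowedGroups" from <appSettings>, e.g.
    // <add key="AllowedGroups" value="CORP\Group_1;CORP\ReportAdmins"/>
    public static IList<string> AllowedGroupsFromConfig()
    {
        string raw = ConfigurationManager.AppSettings["AllowedGroups"] ?? string.Empty;
        return raw.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries)
                  .Select(g => g.Trim())
                  .ToList();
    }

    // Deny by default: an unauthenticated principal or an empty allow-list
    // authorizes nobody rather than everybody.
    public static bool IsAllowed(IPrincipal principal, IEnumerable<string> allowedGroups)
    {
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return false;
        return allowedGroups.Any(group => principal.IsInRole(group));
    }
}

public class ConfiguredGroupAuthorizationManager : ServiceAuthorizationManager
{
    // WS-Transfer Get is the action a mex endpoint answers; only that may be anonymous.
    private const string MexGetAction = "http://schemas.xmlsoap.org/ws/2004/09/transfer/Get";

    private readonly IList<string> allowedGroups = GroupMembershipPolicy.AllowedGroupsFromConfig();

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        string action = operationContext.IncomingMessageHeaders.Action;

        if (operationContext.ServiceSecurityContext.IsAnonymous)
            return action == MexGetAction;

        // Authorize the caller identity that WCF authenticated, never the hosting
        // process identity: WindowsIdentity.GetCurrent() is the app-pool account.
        WindowsIdentity caller = operationContext.ServiceSecurityContext.WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
            return false;

        bool allowed = GroupMembershipPolicy.IsAllowed(new WindowsPrincipal(caller), allowedGroups);
        if (!allowed)
        {
            // Audit denials with who, which operation and the policy that rejected them.
            Trace.TraceWarning("Access denied for {0} to {1}: not in any of [{2}]",
                caller.Name, action, string.Join(", ", allowedGroups));
        }
        return allowed;
    }
}
```

GroupMembershipPolicy.IsAllowed can be checked without a domain by passing `new GenericPrincipal(new GenericIdentity("alice"), new[] { @"CORP\Group_1" })` together with the configured list; the WindowsPrincipal path resolves the group name against the token's group SIDs, so a domain group must be written with its domain prefix. The manager is registered exactly like the post's CustomAuthorizationManager, by its assembly-qualified type name in the serviceAuthorization behavior.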


One thought on “WCF and Windows Security Revisited”

  1. Hi,

    Thank you for your article. It seems this can help me in solving one of my requirements.

    I am developing a WCF service for intranet purposes. Clients to my service are some web applications in the intranet. Users log into the web application using Windows Authentication (Active Directory).

    And my WCF service provides a method that only users of a group, say “Group_1”, are allowed to call. I want to implement this authorization at the WCF service end. My WCF service is hosted in IIS; the app pool runs under a domain account to access server-side resources, like the database.

    If I follow the above approach you mentioned, it is taking the App_pool identity instead of the caller. If I impersonate the method, I am able to get the caller, but I am not able to access server resources like the database, because the service is trying to access them using the caller identity.

    Hope I am able to give the proper context. Can you please help in doing this?

    Thanks in advance.

