WCF Using Windows Authentication and SqlRoleProvider over basicHttp

This tutorial is about building a sample WCF Service that makes use of  Windows(Active Directory) as Authentication mechanism and SQLRoleProvider for the Authorization.

1. Lets start by creating a new WCF Service Application. Open VS2010, File New Project under WCF select WCF Service Application. For the name just use the default: WcfService1.

2.  New Project was created, Go to the code of Service1.svc

The goal is: when a client application calls the GetData method, it should have a valid windows account (active directory account) and should be a member of a Role (SqlRole) that we will create later.

Press F6 to compile the project.

3. Next step is to configure service to use Windows and Sql Role Provider.

Right click web.config from WcfService1 project and select Edit WCF Configuration (if this is not available, Click Tools -> WCF Service Configuration Editor then close it, right click the web.config again the menu should be available)

WCF Configuration Editor Opens.


WCF Editor Step 1:  Create Service

In the Services Tab, click Create New Service.  In the service type, click Browse -> bin folder-> Select WcfService1.dll -> then Select WcfService1.Service1 then click Open.

Click Next, Contract should be WcfService1.IService1.

Click Next, for the communication mode select HTTP.

Click Next, for the interoperability select Basic Web Services interoperability.

Click Next, for the address type leave it empty, click Finish. New service was added:

Add BaseAddress, Go to Host -> In Base Address click New:  http://localhost:8000/WcfService1


WCF Editor Step 2:  Add Binding Configuration

In the Configuration Tab, go to Bindings -> Click New Binding Configuration, select basicHttpBinding from the list. Set the name to basicHttpBindingConfig.

Go to security tab set the following:

(General) Mode: TransportCredentialOnly

(TransportSecurityProperties) TransportClientCredentialType: Ntlm

Set the existing endPoint (basicHttp) to use the binding configuration that we just created.

To do this: go to Endpoints -> Click the first endPoint then on the general tab -> Endpoint Properties ->

Click Binding Configuration then select basicHttpBindingConfig.



WCF Editor Step 3:  Configure Service Behaviors

Go to Advance -> Service Behaviors

Modify the existing behavior and rename it to WcfService1.ServiceBehavior.

Click Add and select serviceAuthorization from the list.

Go to general Tab and set the ff:

PrincipalPermissionMode: UseAspNetRoles

RoleProviderName: WcfService1RoleProvider (we would configure this later on).

Update the service to use the service behavior. Go to Services -> WcfService1.Service1 in Behavior configuration select WcfService1.ServiceBehavior.

Click File -> Save.

4. After the WCF editor configuration next step is we need to configure the SQLRoleProvider.

SQLRoleProvider Step 1:  Create SqlRoleProvider database

Open Visual Studio 2010 command prompt and type the following command:

aspnet_reqsql -S {YourDatabaseServer} -E -A r

SQLRoleProvider Step 2:  Update Web.config

Copy and paste the following after configuration tag.

    <!–Setup Connection String for SQLRoleProvider –>
    <add name=”ASPNetDBConnString” connectionString=”Initial Catalog=aspnetdb;data source={YourDatabaseServer};Integrated Security=SSPI;”/>

Under system.web add the ff:

  <!–Setup Role Provider to be used for authorizations –>
    <roleManager enabled=”true” defaultProvider=”WcfService1RoleProvider” >
        <add name=”WcfService1RoleProvider
             type=”System.Web.Security.SqlRoleProvider” />

Click File -> Save.

SQLRoleProvider Step 3:  Assign Roles to windows account

We will create a new role named: PowerUsers and only windows account that has this role will be able to execute the GetData method.

Execute the following script:

USE aspnetdb

— Create a new role
EXEC aspnet_Roles_CreateRole ‘WcfService1’, ‘PowerUsers’

— Assign Windows Account to a Role
EXEC aspnet_UsersInRoles_AddUsersToRoles ‘WcfService1’, ‘{YourDomain\YourUserName}‘, ‘PowerUsers’, 8

5. Last step is to implement the role-based security on GetData method.  Go to WcfService1 project and do the ff:

Add reference to: System.Security

Open Service1.svc code – > Add : using System.Security.Permissions

Update GetData method to:



For the testing i created a console application that calls the webservice with the following code:

 WcfService1.Service1Client client = new WcfService1.Service1Client();
Console.WriteLine(“Data From server: ” + client.GetData(4));


Sample Output (Calling service with an active directory account that is member of PowerUsers role):

 Sample Output (Calling service with an active directory account that is not a member of PowerUsers role):

 To remove the active directory account from a specific role (PowerUsers), execute the following script:

EXEC [aspnet_UsersInRoles_RemoveUsersFromRoles] ‘WcfService1′,’Domain\ActiveDirectoryAccount’, ‘PowerUsers’