Click here to Skip to main content
14,599,444 members

WCF Basic Authentication with SQL Membership Provider

Rate this:
5.00 (4 votes)
Please Sign up or sign in to vote.
5.00 (4 votes)
6 May 2012CPOL
WCF Basic Authentication with SQL Membership Provider

You can download the source code and see more details on this project here.

We will show you how to set up WCF Basic Authentication using the SQL Membership Provider provided by Microsoft.It is highly recommended that you walk through the explanations by looking at the source code as it will help you gain a more solid understanding. You can also run the application on your computer.

We will assume you already know how to setup WCF to run in https, since basic authentication without https would be meaningless because the user name and password would be passed as plain texts in the network.


We will show you:
  • How to setup the database and the Web Site Administration Tool from the .net framework for managing the Users and Roles 

  • How to setup the WCF Basic Authentication under https and use SQL Memebership Provider to validate users and roles

  • How to make your WCF service consumable by other other platforms such as Java by making the WSDL a single file

      You can also see how to make your service consumable by any technology and also set up error handling here.










The Application 

First let's see the application. You can manage the users and roles using the ASP .net Web Site Administration Tool from the .net framework:

Image 1


You can see the WCF service running under https requiring the user to input username and password for Basic Authentication. The user name and the password would be from the users that you have added from the Administration Tool:

Image 2


In the client application you can test the user name and password:

Image 3

Image 4

You can also test the user's access to a service based on the user's assigned roles from the Administration Tool:

Image 5
Image 6

Setup Database for SQL Membership Provider
First create the database for the SQL Membership Provider by opening the command prompt and navigate to the location of the .net framework library such as:C:\Windows\Microsoft.NET\Framework64\v4.0.30319

Then run the following command:

Aspnet_regsql -S dbServerName -A all -E

replace dbServerName with the name of your database server. Below is what you should see if you create the database on your computer:

Image 7

And you should see the new database created:

Image 8













Make sure to grant the account that you will use to run the wcf service to have permission to execute stored procedures in the aspnetdb database.

Setup User Administration Tool

The ASP .net Web Site Administration Tool works by looking at the web.config of the wcf service, where it has the connection string to the database, and renders the information to the administrator:



Image 9

The tool has to know the location of the wcf application in order to let you manage the users and roles of that application.   

First let's setup the Admin Tool.  Create an application pool to host the Administration Tool in IIS. We just call it AspNetWebSiteAdmin:

Image 10

Then create an application in IIS (much like a virtual directory) that points to the location of the Administration Tool, which is at:

Image 11

Click on the Advanced Settings of the newly created application, and set the Physical Path Credentials to the user account that will have access to the path of the Administration Tool (
Image 12
Be sure to add read and excute permission to the following folder location with the account that runs the Admin Tool:C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles

Open the file below using notepad:

Change the <authorization> part of the xml to allow anonymous users (for your testing purposes): 

Now we need to set up the WCF application that has the web.config that points to the database:

Image 13

First place the wcf application in a folder, for example the path in our case was:


Image 14

Make sure to grant access to this folder for the account that runs the Admin Tool.

You can now access the Admin Tool by opening a browser with the url that points to the location of the wcf service. In case you are wondering:

  1. The Tool can be opened only on the same computer that is running the Admin Tool. It will not run if you open the browser from another computer.
  2. The wcf application does not need to be running for you to use the Admin Tool. The tool just needs to access the web.config of the application.
Below is the url format to open the Admin Tool:


Make sure to substitute the [ApplicationPath] and the [ApplicationUrl] parameters.

An example of the url would be:


Image 15

Using the tool you can now add users, roles, and assign the users to the roles. Go ahead and add a user and a role using the Admin Tool under the Security tab.

Setup the WCF Basic Authentication Application

The wcf application provided runs under https. Be sure to see how to run wcf under https if you are not familiar with it.

Set up the application in IIS to run under the name DevLake.BasicAuth.Service so that it can be found under the following url:


Image 16

Now you can see the service under https after you have entered the user name and password that you have added using the admin tool:

Image 17

Image 18

Basic Authentication

Basic Authentication, the process in which the client is challenged with a user name and a password, is implemented using HttpModule. There are 2 parts in the process:

  • The first part is to ask the client for a user name and a password

  • The second part is to process the user name and password entered by the user and determine the action to take


The logic is in the BasicAuthHttpModule class. The else part prompts the client for a user name and a password, and the if part processes the user name and the password:
Image 19

If the user is validated we assign the user's Principal to the application's context so that we can validate the user's roles.  If the user entered the wrong user name and password we just give it a 401 access denied error.

To make the BasicAuthHttpModule work in wcf we need to add the following configuration in the web.config of the service:
Image 20

Included in the web.config are also the connection string to the database and the membershipProvider, and we set the authentication mode to None since we don't want the client to be redirected to login.aspx:

Image 21

We define a service behavior to be used by the service, and in the service behavior we refer to the membershipProvider:

Image 22
Role Based Authorization

We can define a role so that only users in the role can access the service methods. We have the TestRoleAccess service method that only users in Role1 can access:

Image 23
We then define an authorization policy where we assign the Principal and the Identity from the application context to the evaluation context in the CommonAuthorizationPolicy class:

Image 24
The class is then referred in the web.config's service behavior:

Image 25
In order to retrieve HttpContext.Current in the authorization policy we need to make the service ASP .Net Compatible, otherwise you would get a null for HttpContext.Current when you try to evaluate the authorization policy. To make the service ASP .Net compatible you just need to add the following attribute to the service:

Image 26
And also set the aspNetCompatibilityEnabled property to true in the web.config:

Image 27

Production Environment Implementation The code in this project is used to show you how things work. In a production environment you should separate the project into different parts as diagrammed below: 

Image 28

The ProxyService in the DMZ would host the HttpModule asking the user name and password from the client via https, it should then validate the user using the AuthenticationService inside the internal network via https. After the user is deemed valid the ProxyService can then contact the InternalService to service the user. This is so that:

  • The database for the user accounts and the Administration Tool will not be in the DMZ
  • You can reuse the AuthenticationService as you build more services in the future
Furthermore, Once the client is validated, an encrypted cookie should be sent to the client so that the ProxyService would not need to contact the AuthenticationService for subsequent requests.

Also note that Basic Authentication via https is not the most secure means of providing a public web service. Anyone who has the user name, password, and the url will be able to access your service and you will not be able to tell if the client is who you think they really are. However it is the easiest forms of service for most businesses to consume since a lot of the businesses are not capable of doing a certificate exchange. 

We hope you will find this project helpful in building your wcf services.


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

United States United States
No Biography provided

Comments and Discussions

QuestionPassword Pin
Swapnil Bhosale22-Sep-14 23:48
MemberSwapnil Bhosale22-Sep-14 23:48 
QuestionAwesome! Vote of 5 Pin
Member 802152720-Mar-13 14:09
MemberMember 802152720-Mar-13 14:09 
AnswerRe: Awesome! Vote of 5 Pin
Member 802152720-Mar-13 15:26
MemberMember 802152720-Mar-13 15:26 
GeneralMy vote of 5 Pin
sandippatil20-Sep-12 2:03
Membersandippatil20-Sep-12 2:03 
QuestionHow to point the admin tool to wcf web.config Pin
leefrank4031-Aug-12 12:30
Memberleefrank4031-Aug-12 12:30 
BugGetting an issue when i click on test service ok button. Pin
tintokthomas57725-Jun-12 21:41
Membertintokthomas57725-Jun-12 21:41 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Technical Blog
Posted 6 May 2012


26 bookmarked