Difference between ClientCredentialType=Windows and =Ntlm

Joe · Apr 17, 2009

Can anyone give a clear explanation of the difference between using

  • clientCredentialType=Windows, and
  • clientCredentialType=Ntlm

in a server-side Web.config when hosting a WCF service?

I have a SOAP 1.1 (basicHttpBinding) service for interop with existing clients. It uses ASP.NET roles so needs clients to be authenticated.

When I am using the VS2005 (Cassini) server to host the service, I have to specify ClientCredentialType=Ntlm as above, and check the Ntlm authentication box in the project properties in VS2005. ClientCredentialType=Windows doesn't work - clients get a:

401 Unauthorized error

However when I'm running under IIS, it's the other way around: ClientCredentialType=Windows works, and ClientCredentialType=Ntlm fails.

Can anyone explain this, and preferably suggest a way I can have the same web.config file to run the service in Cassini and IIS?

Update

I have .NET 3.5 SP1 on my dev machine, which is XP SP2 running in a domain. Cassini therefore runs under a domain account, and IIS 5.1 under a local account.

I wonder if it could be related to the breaking change in .NET 3.5 SP1 described in these articles.

  • http://www.aspnetpro.com/newsletterarticle/2008/12/asp200812ab_l/asp200812ab_l.asp
  • http://msmvps.com/blogs/alvin/archive/2008/11/14/net-3-5-sp1-breaking-change-to-wcf.aspx
  • http://connect.microsoft.com/VisualStudio/feedback/ViewFeedback.aspx?FeedbackID=354236

The situation sounds similar, as clientCredentialType=Windows fails when the server is running under a domain account (which is my situation with Cassini - running as my normal domain user account), and works when running under a local account (which is my situation with IIS).

The problem is that the suggested fixes require changes to a WCF client configuration file - but in my case I'm using SOAP 1.1 (basicHttpBinding) with non-WCF clients.

Answer

Erik · Apr 18, 2009

clientCredentialType=Windows uses the built-in Windows authentication, which can be through Active Directory and NTLM.

Obviously the NTLM type will only use NTLM for authentication.

I'm sure you've seen it already, but here is a link to WCF security: http://msdn2.microsoft.com/en-us/library/ms734769.aspx

Some more details on your setup would help. Are the IIS and Cassini servers running on the same box? If not, do you have the same accounts set up on each box? IIS6 by default supports NTLM, so you shouldn't have a problem getting it to work.
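
For reference alongside the question and answer above, an added example (not from the original posts) of the two service-side binding settings being compared, with the HTTP authentication scheme each one asks the host to advertise. The binding names, the service and contract names, and the TransportCredentialOnly mode are assumptions; the page does not show the actual configuration.

```xml
<!-- Added illustration: service-side Web.config fragment.
     Binding, service and contract names are hypothetical. -->
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <!-- Windows: the endpoint expects the Negotiate scheme
           (WWW-Authenticate: Negotiate), i.e. Kerberos with NTLM as fallback. -->
      <binding name="soap11Windows">
        <!-- Assumed mode. TransportCredentialOnly authenticates over plain HTTP and
             gives no confidentiality or integrity for the SOAP body; use
             mode="Transport" when the service is served over HTTPS. -->
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>

      <!-- Ntlm: the endpoint expects the NTLM scheme only
           (WWW-Authenticate: NTLM); Kerberos is never attempted. -->
      <binding name="soap11Ntlm">
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Ntlm" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>

  <services>
    <service name="Example.MyService">
      <!-- Switch bindingConfiguration between the two bindings above to compare
           how each host responds. -->
      <endpoint address=""
                binding="basicHttpBinding"
                bindingConfiguration="soap11Windows"
                contract="Example.IMyService" />
    </service>
  </services>
</system.serviceModel>
```

When a client receives a 401, the WWW-Authenticate headers on that response show which scheme the host is actually offering, which can be compared with the scheme the selected binding expects.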