Windows Authentication with Preview 5

Topics: Web Api
Nov 4, 2011 at 1:34 PM

I am trying to enable Windows Authentication and I can't seem to get it working.  At this point, I am just trying to to identity established so I can make some security decisions. I am configuring it with the following code:

            var config = new HttpConfiguration
                             EnableTestClient = true,
                             CreateInstance = (type, context, message) => container.Resolve(type),
                             ReleaseInstance = (context, obj) => container.Release(obj),
                             Security = (uri, binding) =>
                                            binding.Mode = HttpBindingSecurityMode.TransportCredentialOnly;
                                            binding.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;



I also have a PrincipalPermission attribute on my service class:


namespace Turner.Foundation.Environment.Services
    public class PackageService
        private readonly FoundationContext _context;

        public PackageService(FoundationContext context)
            _context = context;

        [WebGet(UriTemplate = "?name={name}&system={system}&solution={solution}&packageType={packageType}")]
        public virtual IEnumerable<Package> Get(string name, string system, string solution, string packageType)

When I try to access that endpoint, I get a SecurityExpection with "Request for principal permission failed." as the message.  I have tried many variations on code and settings and this is the closest that I can get.  Do I need something to to get the right Identity set?  When this exception occurs, the Identity is a System.Security.Principal.GenericIdentity.


Rob Cannon 


Nov 4, 2011 at 11:23 PM

Hi Ron,

You can fish out the ServiceSecurityContext from the HttpRequestMessage.Properties bag if you can change your method to take in additionally HttpRequestMessage.

[WebGet(UriTemplate = "?name={name}&system={system}&solution={solution}&packageType={packageType}")]
        public virtual IEnumerable<Package> Get(string name, string system, string solution, string packageType, HttpRequestMessage request)

       ServiceSecurityContext context = request.Properties["Security"] as ServiceSecurityContext; 


Currently, we don't have layer to set the current thread's identity with that identity yet. If you want to make that work, you can try to register a custom OperationInvoker via WCF.  

Hope this helps.