
SharePoint 2010, Claims-based authentication and delegation

This is just a short walkthrough on how to configure impersonation/delegation for a WCF service hosted inside SharePoint 2010. The site uses claims-based authentication. Our goal is to make a service call from a SharePoint-hosted page (or control or web part) to a WCF service, and to impersonate the identity of the original caller inside the WCF service.

(We will do some of the steps manually even where prebuilt pieces exist, just for the sake of better understanding.)

Create the wcf service

… this is just your ordinary WCF [ServiceContract] stuff. Just hack the interface and service implementation together.


Create the svc file and configure the Factory

We will configure the .svc file using the well-known Service attribute (which points to our implementation of the service). Additionally, we will use the Factory attribute to configure a custom-built factory (we could just as well use one of the prebuilt factories that ship in the SharePoint assemblies).

.svc file


ServiceHostFactory and ServiceHost

The factory is required and will configure the service host for Claims authentication when the service is activated. This is done using a call to SPIisWebServiceApplication.ConfigureServiceHost(appHost, SPServiceAuthenticationMode.Claims);
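As an added illustration (not the author's code, which is not reproduced on this page), the contract, implementation and factory could look like this; the Sample.Claims namespace, the WhoAmI operation and the fault message are constructed for the example:

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Activation;
using Microsoft.SharePoint.Administration;

namespace Sample.Claims // hypothetical namespace and assembly name
{
    // The page only asks for "ordinary [ServiceContract] stuff"; WhoAmI is a constructed
    // operation that lets the caller check which identity the service actually sees.
    [ServiceContract(Namespace = "urn:sample-claims")]
    public interface IWhoAmIService
    {
        [OperationContract]
        string WhoAmI();
    }

    // SharePoint's web.config enables ASP.NET compatibility mode, so the service must allow it.
    [AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
    public class WhoAmIService : IWhoAmIService
    {
        public string WhoAmI()
        {
            // The HTTP transport is anonymous on purpose; only the WCF layer authenticates,
            // based on the issued token. If no identity was established, fail loudly instead
            // of silently returning an empty name.
            ServiceSecurityContext ctx = ServiceSecurityContext.Current;
            if (ctx == null || ctx.IsAnonymousIdentity)
                throw new FaultException("Request reached the service without an authenticated caller.");
            return ctx.PrimaryIdentity.Name;
        }
    }

    // Referenced from the Factory attribute of the .svc file, e.g.
    // <%@ ServiceHost Service="Sample.Claims.WhoAmIService, Sample.Claims, [strong name]"
    //                 Factory="Sample.Claims.ClaimsServiceHostFactory, Sample.Claims, [strong name]" %>
    public class ClaimsServiceHostFactory : ServiceHostFactory
    {
        protected override ServiceHost CreateServiceHost(Type serviceType, Uri[] baseAddresses)
        {
            ServiceHost host = new ServiceHost(serviceType, baseAddresses);
            // Switch the host to SharePoint claims authentication when the service is activated.
            SPIisWebServiceApplication.ConfigureServiceHost(host, SPServiceAuthenticationMode.Claims);
            return host;
        }
    }
}
```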


Deploy .svc to anonsvc-folder

The .svc file will be deployed to the _vti_bin/anonsvc folder in SharePoint 2010, as I want a web service that runs in the context of a SharePoint site. SharePoint maps the _vti_bin folder under the site collections, just like the _layouts folder.

The anonsvc folder maps to {SharePointRoot}\ISAPI\anonsvc, which will be surfaced as _vti_bin/anonsvc.


Configure the bindings for the service

I will use a customBinding which works with http. For https, just duplicate the endpoint and reference a bindingConfiguration with httpsTransport instead of httpTransport. The authenticationMode attribute under the security element is set to IssuedTokenOverTransport. The transport uses the authenticationScheme “Anonymous”.


Create the client.config under SharePoint's WebClients folder …

… and make sure it has matching bindings. For the WCF client, we will create a folder under WebClients and put a client.config there. The client.config contains the configuration for the WCF client/ChannelFactory.

Create the client code to call the service.

I always use the ChannelFactory model instead of using the generated clients. The first step here is to load the client configuration …


With the client configuration from the client.config file, which contains the WCF serviceModel, client and binding information, we fire up the ChannelFactory. We use ConfigurationChannelFactory<T>, to which we can pass a reference to the serviceModel configuration from the client.config file.

Two things are of note here. First of all, we configure the ChannelFactory to use claims authentication (ConfigureCredentials is an extension method from SharePoint-land, SPChannelFactoryOperations).

Then we create the channel using SPChannelFactoryOperations.CreateChannelActingAsLoggedOnUser (which in turn calls ChannelFactoryOperations.CreateChannelWithIssuedToken from the Microsoft.IdentityModel WS-Trust extensions).
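An added example of the client side described in the last three paragraphs (not the author's code): it assumes a client.config in a hypothetical WebClients\SampleClaims folder with an endpoint named WhoAmIEndpoint, a contract IWhoAmIService on the service side, and it must run inside a SharePoint request so that there is a logged-on user to act as.

```csharp
using System;
using System.Configuration;
using System.IO;
using System.ServiceModel;
using System.ServiceModel.Configuration;
using Microsoft.SharePoint.Administration; // SPChannelFactoryOperations extension methods
using Microsoft.SharePoint.Utilities;

namespace Sample.Claims // hypothetical namespace
{
    [ServiceContract(Namespace = "urn:sample-claims")]
    public interface IWhoAmIService { [OperationContract] string WhoAmI(); }

    public static class WhoAmIClient
    {
        // Assumed folder under {SharePointRoot}\WebClients holding our client.config,
        // and the endpoint name used in its <client> section.
        private const string ClientFolder = @"WebClients\SampleClaims";
        private const string EndpointName = "WhoAmIEndpoint";

        public static string CallWhoAmI(Uri serviceAddress)
        {
            // Load client.config as its own configuration file, not the site's web.config.
            var map = new ExeConfigurationFileMap
            {
                ExeConfigFilename = Path.Combine(SPUtility.GetGenericSetupPath(ClientFolder), "client.config")
            };
            Configuration clientConfig = ConfigurationManager.OpenMappedExeConfiguration(map, ConfigurationUserLevel.None);

            // Build the ChannelFactory from that serviceModel configuration.
            var factory = new ConfigurationChannelFactory<IWhoAmIService>(EndpointName, clientConfig, null);
            try
            {
                // Claims credentials (issued token) instead of Windows credentials.
                factory.ConfigureCredentials(SPServiceAuthenticationMode.Claims);
                // The channel carries a token for the user logged on to this request, so the
                // service sees that user rather than the application pool account.
                IWhoAmIService channel = factory.CreateChannelActingAsLoggedOnUser(new EndpointAddress(serviceAddress));
                string identity = channel.WhoAmI();
                ((ICommunicationObject)channel).Close();
                factory.Close();
                return identity;
            }
            catch
            {
                factory.Abort(); // do not leave a faulted factory half-open
                throw;
            }
        }
    }
}
```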


Authentication? Why anonymous? And pay attention to the anonsvc-folder …

The authentication process with IIS, ASP.NET, and WCF can be configured in many different ways, and it is important to understand which component performs authentication and authorization. When hosting a claims-based service, the WCF component must perform the authentication, and, as the German saying goes, “den letzten beißen die Hunde” (the one at the back gets bitten by the dogs). Since the WCF service is hosted in IIS (and in our case SharePoint's SPRequestModule class plays a heavy role), we need to make sure the message does in fact reach the WCF stack. IIS sees the message before WCF does, and for the _vti_bin folder SharePoint also processes the request before it gets to the WCF stack, so we need to make sure that neither IIS nor SharePoint generates an authentication or authorization error. If either of them does, WCF never sees the request and hence cannot perform any authentication on it.

For IIS, we need to enable Anonymous authentication (and disable Windows/Basic/Forms) on the application or virtual directory. When deploying to SharePoint's _vti_bin folder, this is already set up correctly.

For SharePoint and services hosted under the _vti_bin folder, the only way to truly get anonymous access is to put them under the anonsvc folder. This path is hardcoded in the SharePoint request processing pipeline. If you don't put the service under the anonsvc folder, you will likely see HTTP 401 Unauthorized errors. The 401 is part of the challenge process for both NTLM and Kerberos authentication, so all SharePoint is saying here is that it wants the client to authenticate using NTLM or Kerberos (depending on how the server is configured), and it sends its part of the authentication handshake back to the client. It merely asks the client to pass the authentication information in the next request.

In case you are debugging things like 401 error codes with IIS, ASP.NET and WCF involved, check out the fabulous Failed Request Tracing in IIS. Dunno why it’s called Failed Request Tracing though ;)

Posted in SharePoint, SharePoint 2010.


4 Responses


  1. Facundo says

    Great work! Claims authentication in SharePoint and WCF is a little confusing and there are several approaches to undertake this task. This looks nice! I was wondering if we could get the source code. Thanks in advance!

  2. Charles Chen (@chrlschn) says

    Have you tried to configure your service to support AJAX requests?

  3. Sourabh says

    Great work.. looking for it. Can you please share the code for the same.

  4. manas says

    Hi, great help. Can u pls post the working code.
