
WCF client caching Windows authentication

I am calling a web service exposed by Navision, and it is secured with Windows authentication. I am able to call it successfully, but after that, it seems like it is caching the credentials somehow, and that is what worries me.

The service is hosted on a remote server, and is in a different domain than my development machine. I am running the code from Visual Studio.

I have created a service reference to the service, and I have no configuration in my app.config, so all settings are created using code.

First run (no client credentials specified):

var binding = new BasicHttpBinding();
binding.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

var address = new EndpointAddress("http://externalserver.com/DynamicsNAV/WS/Customer/Page/MyPage");

var client = new MyPage_PortClient(binding, address);
client.ClientCredentials.Windows.AllowNtlm = true;
client.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;

var reqObj = new MyPage() { TypeID = "Test", Company_Name = "Test:" + DateTime.Now.ToShortTimeString() };
client.Create(ref reqObj);
client.Close();
Console.WriteLine(reqObj.Company_Name);
Console.ReadLine();

This gives me a SecurityException, as expected.

Second run (with credentials):

var binding = new BasicHttpBinding();
binding.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

var address = new EndpointAddress("http://externalserver.com/DynamicsNAV/WS/Customer/Page/MyPage");

var client = new MyPage_PortClient(binding, address);
client.ClientCredentials.Windows.ClientCredential.Domain = "MYDOM";
client.ClientCredentials.Windows.ClientCredential.UserName = "NavWebService";
client.ClientCredentials.Windows.ClientCredential.Password = "foo";
client.ClientCredentials.Windows.AllowNtlm = true;
client.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;

var reqObj = new MyPage() { TypeID = "Test", Company_Name = "Test:" + DateTime.Now.ToShortTimeString() };
client.Create(ref reqObj);
client.Close();
Console.WriteLine(reqObj.Company_Name);
Console.ReadLine();

This call succeeds. Again, as expected.

The third run is the same as the first one, that is, with no credentials specified. That call succeeds. Now I'm confused. The credentials must somehow be cached? I reboot my machine, same result. Still succeeds.

I then try and specify bogus credentials:

var binding = new BasicHttpBinding();
binding.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

var address = new EndpointAddress("http://externalserver.com/DynamicsNAV/WS/Customer/Page/MyPage");

var client = new MyPage_PortClient(binding, address);
client.ClientCredentials.Windows.ClientCredential.Domain = "fakeMYDOM";
client.ClientCredentials.Windows.ClientCredential.UserName = "fakeNavWebService";
client.ClientCredentials.Windows.ClientCredential.Password = "badPwd";
client.ClientCredentials.Windows.AllowNtlm = true;
client.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;

var reqObj = new MyPage() { TypeID = "Test", Company_Name = "Test:" + DateTime.Now.ToShortTimeString() };
client.Create(ref reqObj);
client.Close();
Console.WriteLine(reqObj.Company_Name);
Console.ReadLine();

This call fails. As expected.

I go back to the first call again, and that still succeeds. So it is actually still caching the credentials from the first successful call, even though I have tried with invalid credentials in the meantime.

Can anyone tell me what is going on here? Is it something that I don't understand about Windows authentication? Is there some sort of credential caching in Visual Studio/WCF?

You're right, the Windows token is being cached. Here's an MSDN article on Impersonation and Delegation with WCF, which covers cached token impersonation.
