WWSAPI to WCF interop 4: WSHttpBinding with username over transport security

WWSAPI doesn’t support full message mode security (where security negotiation happens at SOAP message level and parts of the envelope are signed and encrypted using XML signature and XML encryption) in Win7 time frame. This means the default WSHttpBinding is not interoperable with the WWSAPI’s security offering as the WSHttpBinding defaults to use full message mode security with secure conversation. WWSAPI supports mixed mode security that provides message integrity and confidentiality at transport level (e.g. through https). In mixed mode security, the client is authenticated through a token carried in the SOAP message’s security header. Client credential types supported by WWSAPI in Win7 include username/password token and Kerberos AP-REQ token. Now I’ll show how to use username/password token over https transport.


As explained in my previous post, WS_SECURITY_DESCRIPTION contains security bindings that describe the security mechanism to be applied to the message or channel. For https, you need to use WS_SSL_TRANSPORT_SECURITY_BINDING. To use username/password token on top of it, WS_USERNAME_MESSAGE_SECURITY_BINDING needs to be included as well. Inside WS_USERNAME_MESSAGE_SECURITY_BINDING, the binding usage should be WS_SUPPORTING_MESSAGE_SECURITY_USAGE, which means the binding is for client authentication only, not message protection. Then a username/password credential needs to be set in the binding so that it could be included in the messages. Here is how the WS_SECURITY_DESCRIPTION can be filled for this scenario.


    // declare and initialize a username credential

    WS_STRING_USERNAME_CREDENTIAL usernameCredential = {}; // zero out the struct

    WS_STRING userName = WS_STRING_VALUE(L"usr1");

    WS_STRING passWord = WS_STRING_VALUE(L"pwd1");

    usernameCredential.credential.credentialType = WS_STRING_USERNAME_CREDENTIAL_TYPE; // set the credential type

    usernameCredential.username = userName;

  usernameCredential.password = passWord;


    // declare and initialize a username message security binding

    WS_USERNAME_MESSAGE_SECURITY_BINDING usernameBinding = {}; // zero out the struct

    usernameBinding.binding.bindingType = WS_USERNAME_MESSAGE_SECURITY_BINDING_TYPE; // set the binding type

    usernameBinding.bindingUsage = WS_SUPPORTING_MESSAGE_SECURITY_USAGE; // set the binding usage

    usernameBinding.clientCredential = &usernameCredential.credential;


    // declare and initialize an SSL transport security binding

    WS_SSL_TRANSPORT_SECURITY_BINDING sslBinding = {}; // zero out the struct

    sslBinding.binding.bindingType = WS_SSL_TRANSPORT_SECURITY_BINDING_TYPE; // set the binding type


    // declare and initialize the array of all security bindings

    WS_SECURITY_BINDING* securityBindings[2] = { &sslBinding.binding, &usernameBinding.binding };


    // declare and initialize the security description

    WS_SECURITY_DESCRIPTION securityDescription = {}; // zero out the struct

    securityDescription.securityBindings = securityBindings;

    securityDescription.securityBindingCount = WsCountOf(securityBindings);


Then you pass the WS_SECURITY_DESCRIPTION structure to WsCreateServiceProxy:

    // Create the proxy

    hr = WsCreateServiceProxy(



            &securityDescription, // security description

            NULL, // proxy properties

            0, // proxy property count

            NULL, // channel properties

            0, // channel property count



    if (FAILED(hr))


        goto Exit;



Note: the corresponding WSHttpBinding object is created this way:

    WSHttpBinding binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);

    binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

    binding.Security.Message.EstablishSecurityContext = false;

    binding.Security.Message.NegotiateServiceCredential = false;


In config file, it’s presented in the following element:


        <binding name="UPOverHttps">

          <security mode="TransportWithMessageCredential">

            <message clientCredentialType="UserName" negotiateServiceCredential="false" establishSecurityContext="false" />