How to: Customize User Login When Using the WCF Authentication Service

This topic shows how to validate customized credentials to authenticate users when you call the ASP.NET authentication service by using Windows Communication Foundation (WCF). Typically, authentication requires only a user name and password. However, in some cases you might have to verify a user's identity by using additional credentials, such as an identification number.

You use the WCF implementation of the authentication service when you want to log a user in from a client application that can send and consume a SOAP 1.1 message, such as a Java application.

To validate customized credentials for authentication

  1. In the Global.asax file of the Web application, create an event handler for the Authenticating event.

  2. In the handler, read the contents of the CustomCredential property of the handler's AuthenticatingEventArgs parameter, and then authenticate the values.

    The following example shows how to read two authentication values from the CustomCredential property and then pass them to a custom authentication class named StudentAuthentication.

    Sub AuthenticationService_Authenticating _
       (ByVal sender As Object, _
        ByVal e As System.Web.ApplicationServices.AuthenticatingEventArgs)
        Dim studentid As String = String.Empty
        Dim answer As String = String.Empty
        ' CustomCredential carries the extra values as "studentid,answer".
        Dim credentials As String() = _
             e.CustomCredential.Split(New Char() {","c})
        If (credentials.Length > 0) Then
            studentid = credentials(0)
            If (credentials.Length > 1) Then
                answer = credentials(1)
            End If
        End If
        Try
            e.Authenticated = _
                StudentAuthentication.ValidateStudentCredentials _
                (e.UserName, e.Password, studentid, answer)
        Catch ex As ArgumentNullException
            e.Authenticated = False
        End Try
        ' Use the result above instead of the default membership validation.
        e.AuthenticationIsComplete = True
    End Sub

    void AuthenticationService_Authenticating(object sender, System.Web.ApplicationServices.AuthenticatingEventArgs e)
    {
        string studentid = String.Empty;
        string answer = String.Empty;
        // CustomCredential carries the extra values as "studentid,answer".
        string[] credentials =
            e.CustomCredential.Split(new char[] { ',' });
        if (credentials.Length > 0)
        {
            studentid = credentials[0];
            if (credentials.Length > 1)
            {
                answer = credentials[1];
            }
        }
        try
        {
            e.Authenticated =
                StudentAuthentication.ValidateStudentCredentials(e.UserName, e.Password, studentid, answer);
        }
        catch (ArgumentNullException ex)
        {
            e.Authenticated = false;
        }
        // Use the result above instead of the default membership validation.
        e.AuthenticationIsComplete = true;
    }

  3. In the Application_Start method of the Global.asax file, bind the event handler for the Authenticating event.

    The following example shows how to bind a handler to the Authenticating event.

    Sub Application_Start(ByVal sender As Object, ByVal e As EventArgs)
        AddHandler System.Web.ApplicationServices.AuthenticationService.Authenticating, _
            AddressOf AuthenticationService_Authenticating
    End Sub

    void Application_Start(object sender, EventArgs e)
    {
        System.Web.ApplicationServices.AuthenticationService.Authenticating +=
            new EventHandler<System.Web.ApplicationServices.AuthenticatingEventArgs>(AuthenticationService_Authenticating);
    }

  4. Call the authentication service from an application that can consume a SOAP message from a Web service, and pass the extra values to be authenticated in the CustomCredential property.

Compiling the Code

Robust Programming

The previous code examples show a custom authentication class that throws the ArgumentNullException if any of the parameters are null. Your code must handle any exceptions that are raised during validation.
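
The following added example, which is not part of the original topic, shows one way to make the parsing and exception handling described above fail closed: a missing CustomCredential value, an answer that contains a comma, and an exception of any type all end in a denied login. The names CustomCredentialLogin, TryParse, Decide and Validator, the 256-character limit, and the sample user and values are assumptions made for the example.

```csharp
using System;

public static class CustomCredentialLogin
{
    // Stand-in for the page's StudentAuthentication.ValidateStudentCredentials.
    public delegate bool Validator(string userName, string password, string studentId, string answer);

    // Splits "studentid,answer" on the first comma only, so an answer that contains
    // commas stays intact. Null, oversized or incomplete input is rejected.
    public static bool TryParse(string custom, out string studentId, out string answer)
    {
        studentId = answer = String.Empty;
        if (String.IsNullOrEmpty(custom) || custom.Length > 256) return false;
        string[] parts = custom.Split(new char[] { ',' }, 2);
        if (parts.Length != 2 || parts[0].Length == 0 || parts[1].Length == 0) return false;
        studentId = parts[0];
        answer = parts[1];
        return true;
    }

    // The decision the Authenticating handler would assign to e.Authenticated.
    // Any failure, including an unexpected exception type, denies the login.
    public static bool Decide(string userName, string password, string custom, Validator validate)
    {
        string studentId, answer;
        if (!TryParse(custom, out studentId, out answer)) return false;
        try { return validate(userName, password, studentId, answer); }
        catch (Exception ex)
        {
            // Record the failure on the server; nothing is returned to the caller.
            Console.Error.WriteLine("validation failed: " + ex.GetType().Name);
            return false;
        }
    }

    public static void Main()
    {
        // Constructed validator and inputs; a real validator checks the application's user store.
        Validator v = delegate(string u, string p, string id, string a)
        {
            if (u == null || p == null) throw new ArgumentNullException();
            return u == "jsmith" && p == "correct horse" && id == "S1234567" && a == "blue, not green";
        };
        foreach (string cc in new string[] { "S1234567,blue, not green", "S1234567,blue", "S1234567", null })
            Console.WriteLine("{0} => {1}", cc ?? "(null)", Decide("jsmith", "correct horse", cc, v));
        Console.WriteLine("null password => {0}", Decide("jsmith", null, "S1234567,blue, not green", v));
    }
}
```

In Global.asax, the handler would assign `e.Authenticated = CustomCredentialLogin.Decide(e.UserName, e.Password, e.CustomCredential, StudentAuthentication.ValidateStudentCredentials)` and then set `e.AuthenticationIsComplete = true`.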


Always access the authentication service over the Secure Sockets Layer (SSL) by using the HTTPS protocol.

See Also


Windows Communication Foundation Authentication Service Overview