Zulfiqar's weblog

Architecture, security & random .Net

PasswordDigest authentication in WCF

Posted by zamd on July 12, 2010

The WS-Security UsernameToken Profile describes how a client can authenticate to a web service using a username and a password. The specification defines two variations of the password element: "PasswordText" and "PasswordDigest". Neither WCF nor WIF supports "PasswordDigest" out of the box; however, there are interop scenarios which might require it. For example, WSE 3.0 supports "PasswordDigest", and if you have to interop your WSE 3.0 clients with WCF services you might need PasswordDigest functionality. In this post I’ll show you a basic implementation of PasswordDigest closely integrated with the WCF API. Please note that this could be much easier to implement using the SecurityTokenHandler-based API shipped with WIF.

I have created a new assembly and added all the security extensions in this new assembly named Microsoft.ServiceModel.SecurityExtensions.dll.

Microsoft.ServiceModel.SecurityExtensions.dll extends WCF to support PasswordDigest authentication while retaining WCF’s public programming model. You need to reference this assembly in every web service project where you want to enable PasswordDigest authentication. The security extensions are very closely aligned with the standard WCF model of userName/password validation, so you should be able to leverage all of your existing knowledge.

Please note this is a trivial implementation primarily focused on WCF integration rather than a complete implementation of the spec. This example doesn’t contain any countermeasure code against replay attacks. You can add such functionality by maintaining a cache of used nonces on the server side and rejecting any request whose nonce has already been seen.

To use these extensions in your web service(s), you need to do following:

  • Specify the type attribute of serviceCredentials as Microsoft.ServiceModel.SecurityExtensions.ServiceCredentialsEx for the extensions to kick in.
  • Specify your custom validator using the standard WCF syntax. Your custom validator MUST inherit from Microsoft.ServiceModel.SecurityExtensions.UserNamePasswordDigestValidator.

      <serviceCredentials type="Microsoft.ServiceModel.SecurityExtensions.ServiceCredentialsEx, Microsoft.ServiceModel.SecurityExtensions, Version=, Culture=neutral, PublicKeyToken=null">
        <userNameAuthentication userNamePasswordValidationMode="Custom"
                                customUserNamePasswordValidatorType="PasswordDigest.MyValidator, PasswordDigest, Version=, Culture=neutral, PublicKeyToken=null"/>
      </serviceCredentials>

  • Finally, implement your custom validator by inheriting from Microsoft.ServiceModel.SecurityExtensions.UserNamePasswordDigestValidator. This class integrates with the various extensions and implements the logic of PasswordDigest validation.

I have attached the source code and sample project with this post.
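The following is an added example, not code from the post or from the Microsoft.ServiceModel.SecurityExtensions assembly. It shows the digest rule the UsernameToken Profile defines, Base64(SHA-1(nonce bytes + Created text + password)), together with the replay countermeasure the post leaves out: a cache of used nonces and a freshness window on the Created timestamp. The Created value is hashed exactly as it appears in the header rather than being reformatted on the server, so the client's timestamp format (with or without fractional seconds) does not matter. The PasswordDigestVerifier class, its Func<string, string> password lookup, and the sample nonce, timestamp and password are all assumptions made for the demo.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
using System.Xml;

// Added example (not part of the original post or of the SecurityExtensions assembly).
// Verifies a WS-Security UsernameToken PasswordDigest:
//   PasswordDigest = Base64( SHA-1( nonce-bytes + created-text + password-text ) )
// and adds a nonce cache plus a freshness window as a replay countermeasure.
public sealed class PasswordDigestVerifier
{
    // Assumption: the service resolves the stored password for a user from its own store.
    private readonly Func<string, string> _lookupPassword;
    private readonly TimeSpan _freshness;
    // Nonce -> expiry time. Entries older than the freshness window are purged.
    private readonly ConcurrentDictionary<string, DateTime> _seenNonces = new ConcurrentDictionary<string, DateTime>();

    public PasswordDigestVerifier(Func<string, string> lookupPassword, TimeSpan freshness)
    {
        _lookupPassword = lookupPassword;
        _freshness = freshness;
    }

    // Digest as the UsernameToken Profile specifies: the nonce is Base64-decoded to raw bytes,
    // Created is hashed as the literal text from the header, then the password text is appended.
    public static string ComputeDigest(string nonceBase64, string createdText, string password)
    {
        byte[] nonce = Convert.FromBase64String(nonceBase64);
        byte[] created = Encoding.UTF8.GetBytes(createdText);
        byte[] pwd = Encoding.UTF8.GetBytes(password);

        byte[] input = new byte[nonce.Length + created.Length + pwd.Length];
        Buffer.BlockCopy(nonce, 0, input, 0, nonce.Length);
        Buffer.BlockCopy(created, 0, input, nonce.Length, created.Length);
        Buffer.BlockCopy(pwd, 0, input, nonce.Length + created.Length, pwd.Length);

        using (SHA1 sha1 = SHA1.Create())
        {
            return Convert.ToBase64String(sha1.ComputeHash(input));
        }
    }

    // Returns true only if Created is fresh, the digest matches, and the nonce is unused.
    public bool Validate(string userName, string nonceBase64, string createdText, string digest, DateTime now)
    {
        // 1. Created must parse and lie inside the freshness window (one minute of clock skew allowed).
        DateTime created;
        try { created = XmlConvert.ToDateTime(createdText, XmlDateTimeSerializationMode.Utc); }
        catch (FormatException) { return false; }
        if (created > now.AddMinutes(1) || now - created > _freshness) return false;

        // 2. Digest must match the one computed from the stored password.
        string password = _lookupPassword(userName);
        if (password == null) return false;
        if (!FixedTimeEquals(ComputeDigest(nonceBase64, createdText, password), digest)) return false;

        // 3. Nonce must not have been accepted before within the window (replay check).
        //    Checked after the digest so unauthenticated traffic cannot fill the cache.
        PurgeExpired(now);
        return _seenNonces.TryAdd(nonceBase64, now + _freshness);
    }

    private void PurgeExpired(DateTime now)
    {
        foreach (var entry in _seenNonces)
        {
            if (entry.Value < now) { DateTime ignored; _seenNonces.TryRemove(entry.Key, out ignored); }
        }
    }

    // Constant-time comparison so the server does not leak how many leading characters matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed sample values: the nonce, timestamp, user and password are made up for this demo.
        var verifier = new PasswordDigestVerifier(u => u == "alice" ? "s3cret" : null, TimeSpan.FromMinutes(5));
        string nonce = Convert.ToBase64String(Encoding.ASCII.GetBytes("0123456789abcdef"));
        string created = "2010-07-12T10:00:00.123Z";   // fractional seconds, as some clients send
        DateTime now = new DateTime(2010, 7, 12, 10, 0, 30, DateTimeKind.Utc);
        string digest = ComputeDigest(nonce, created, "s3cret");

        Console.WriteLine(verifier.Validate("alice", nonce, created, digest, now)); // True
        Console.WriteLine(verifier.Validate("alice", nonce, created, digest, now)); // False: nonce replayed
        Console.WriteLine(verifier.Validate("alice", nonce, created, digest, now.AddMinutes(10))); // False: stale
    }
}
```

In a WCF service the three inputs (nonce, Created text and the digest) would come from the UsernameToken in the security header and the lookup from the credential store; the in-memory ConcurrentDictionary is adequate for a single node, while a farm needs a shared cache so a nonce replayed against a different node is still caught.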

3 Responses to “PasswordDigest authentication in WCF”

  1. Ubayeed Syed said

    I found the following bug when I was testing “Password Type = PasswordDigest” from SoapUI. The issue is with the created date format (i.e. in UserNamePasswordDigestValidator.cs\ComputePasswordDigest); for example, the security header added by SoapUI looks as follows:


    But the code checks for the following format (line commented below) and does not account for milliseconds (i.e. ‘f’). Modifying the following line fixes it.

    //byte[] createdBytes = Encoding.UTF8.GetBytes(XmlConvert.ToString(created.ToUniversalTime(), "yyyy-MM-ddTHH:mm:ssZ"));
    byte[] createdBytes = Encoding.UTF8.GetBytes(XmlConvert.ToString(created.ToUniversalTime(), "yyyy-MM-ddTHH:mm:ss.fffZ"));

    Once I made the fix I was able to validate the password digest (i.e. “xkmd5cSn0qLDCgKPglXq973Do+Y=”). Anybody who uses SoapUI for testing may come across this issue; on a side note, I am not sure if this would be an issue when testing from other tools. For troubleshooting this issue I’ve used WCF trace logs and noticed an inner exception “Invalid password.”

    Thanks Zulfiqar for your sample as it works great.

    • Ubayeed Syed said

      Reposting the sample SoapUI PasswordDigest xml as in above the xml tags were stripped off.


  2. Your code is excellent, and it saved my life :). I added some changes for custom needs, but everything is fine.

    You should share this on GitHub; it is very nice and no one else has the same solution for password digest auth in WCF.

