How to Specify Transport-Level and Message-Level Client Credential Types for WCF Services?

Both transport-based and message-based binding configurations can specify one of six client credential types. Each binding supports some or all of the credential types that are listed below. 

The following code examples show how to set the client credential type for transport mode security.

[Visual Basic]

binding.Security.Mode = BasicHttpSecurityMode.Transport

binding.Security.Transport.ClientCredentialType = _




[Visual C#]

binding.Security.Mode = BasicHttpSecurityMode.Transport;

binding.Security.Transport.ClientCredentialType =



The following code examples show how to set the client credential type for message mode security.

[Visual Basic]

binding.Security.Mode = BasicHttpSecurityMode.Message

binding.Security.Message.ClientCredentialType = _




[Visual C#]

binding.Security.Mode = BasicHttpSecurityMode.Message;

binding.Security.Message.ClientCredentialType =



For more information, see RFC 2617, Selecting a Credential Type, and Federation and Issued Tokens

Transport level

The transport-level client credential types are:

  • None. Security is disabled.

  • Basic. The caller passes the user name and password in clear text as part of the authentication.

  • Digest. The side that demands authentication provides a one-time value. The caller creates a hash of the user name, the password, the one-time value, the HTTP method, and the requested uniform resource identifier (URI). The side that demands the authentication re-creates this hash and compares the two values to determine whether to authenticate the client application.

  • Ntlm. Uses NTLM as a fallback within a Windows domain if a Kerberos protocol is not available.

  • Windows. Uses integrated Windows authentication with a Kerberos protocol or NTLM.

  • Certificate. Uses X.509 certificates to authenticate the caller.


Message level

The message-level client credential types are:

  • None. Specifies that the client application does not need to present any credential. This translates to an anonymous client application.

  • Windows. The client application must present a Windows token for authentication.

  • Username. The client application must present the combination of a user name and password for authentication.

  • Certificate. The client application must provide an X.509 certificate to be authenticated.

  • Issued Token. The client application must present a custom token type that is configured according to a security policy. The default token type is Security Assertions Markup Language (SAML). The token is issued by an STS.