Configuring Silverlight to access NT-authenticated WCF services:
  • Add .xap -> application/x-silverlight-app to the MIME types in IIS so that IIS recognizes and transmits the type
  • Add .xaml -> application/xaml+xml to the MIME types in IIS so that IIS recognizes and transmits the type
  • Add clientaccesspolicy.xml to the root folder in IIS to get cross-domain calls working for WCF debugging
  • Ensure that the IIS virtual directory security is set to use NT authentication only

If you modify or create services inside the service class, make sure the URL in the ServiceReferences.ClientConfig file in the Silverlight project is still correct after you update the service reference. It defaults to a value that differs from the one Visual Studio uses when the debugger runs, which causes an exception when the Silverlight call goes through to the service.


Clientaccesspolicy.xml file:

The clientaccesspolicy.xml file is what Silverlight uses to determine the rules for accessing domains. Without this file, Silverlight throws a ‘404’ error. The docs indicate it has to be in the root of the website, not in the virtual directory.

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>


Web.config WCF Settings:

Here’s what worked

  • The binding's security has to be set up to use TransportCredentialOnly mode, with Windows as the client credential type.
  • This binding has to be bound to the basicHttpBinding service endpoint (through its bindingConfiguration attribute).
  • The MEX binding that is created by the service generation tool has to be deleted, or it seems to confuse things once security is enabled.
  • The service must be set up to use aspNetCompatibilityEnabled = true, with the associated code and includes added to the service class. This is done automatically when you add a new Silverlight WCF service.


<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="basicHttpSecuredBinding">
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="EmployeeDashboardServiceBehavior">
        <serviceMetadata httpGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
  <services>
    <service behaviorConfiguration="EmployeeDashboardServiceBehavior"
             name="EmployeeDashboardService">
      <endpoint address="" binding="basicHttpBinding" bindingConfiguration="basicHttpSecuredBinding"
                name="basicHttpEndpoint" contract="EmployeeDashboardService" />
    </service>
  </services>
</system.serviceModel>

Silverlight over SSL With Authentication:

The client access policy file needs some additional domain entries, as below:

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="http://*"/>
        <domain uri="https://*" />
      </allow-from>
      <grant-to>
        <resource include-subpaths="false" path="/"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
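
The check below is an added example, not code from the original post: a small Python linter that flags the broad grants in both policy files shown on this page (wildcard callers, wildcard request headers, a site-wide resource grant, plain-http callers). The tightened policy it is compared against is constructed; its host name, its /Services/ path and the choice of SOAPAction as the only extra header are assumptions.

```python
import xml.etree.ElementTree as ET

# The two policies from this page, compacted and embedded as test input.
PAGE_DEBUG_POLICY = """<access-policy><cross-domain-access><policy>
<allow-from http-request-headers="*"><domain uri="*"/></allow-from>
<grant-to><resource path="/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""

PAGE_SSL_POLICY = """<access-policy><cross-domain-access><policy>
<allow-from http-request-headers="*">
<domain uri="http://*"/><domain uri="https://*"/></allow-from>
<grant-to><resource include-subpaths="false" path="/"/></grant-to>
</policy></cross-domain-access></access-policy>"""

# Constructed tightened policy: host and service path are placeholders.
TIGHT_POLICY = """<access-policy><cross-domain-access><policy>
<allow-from http-request-headers="SOAPAction">
<domain uri="https://dashboard.example.com"/></allow-from>
<grant-to><resource path="/Services/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""

def audit_policy(xml_text):
    """Return (rule, value) findings for a clientaccesspolicy.xml document."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("policy"):
        for allow in policy.iter("allow-from"):
            headers = allow.get("http-request-headers", "")
            if "*" in headers:  # caller may set arbitrary request headers
                findings.append(("wildcard-headers", headers))
            for domain in allow.iter("domain"):
                uri = domain.get("uri", "")
                if "*" in uri:  # caller origin is not pinned to known hosts
                    findings.append(("wildcard-domain", uri))
                if uri.lower().startswith("http://"):  # app served without TLS
                    findings.append(("cleartext-origin", uri))
        for res in policy.iter("resource"):
            subpaths = res.get("include-subpaths", "false").lower() == "true"
            if res.get("path") == "/" and subpaths:  # every URL on the site
                findings.append(("site-wide-grant", "/"))
    return findings

if __name__ == "__main__":
    for name, text in [("debug", PAGE_DEBUG_POLICY), ("ssl", PAGE_SSL_POLICY),
                       ("tight", TIGHT_POLICY)]:
        print(name, audit_policy(text))
```
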
  
Client Side:

<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="basicHttpEndpoint" maxBufferSize="2147483647"
                 maxReceivedMessageSize="2147483647">
          <security mode="Transport" />
        </binding>
      </basicHttpBinding>
    </bindings>
    <client>
      <endpoint address="https://name.svc"
                binding="basicHttpBinding" bindingConfiguration="basicHttpEndpoint"
                contract="ServiceReferenceEmployeeDashboard.EmployeeDashboardService"
                name="basicHttpEndpoint" />
    </client>
  </system.serviceModel>
</configuration>