Is it possible to set clientcredentials for a WCF in App.config?

I would like to avoid doing this:

Using svc As New MyServiceClient
  svc.ClientCredentials.UserName.UserName = "login"
  svc.ClientCredentials.UserName.Password = "pw"

End Using

Rather the login and password should be part of the configuration.

Jakob Gade

4 Answers


Expanding on Ladislav Mrnka’s answer, you might find this implementation useful:

using System;
using System.Configuration;
using System.ServiceModel.Configuration;
using System.ServiceModel.Description;

public class UserNameClientCredentials : ClientCredentialsElement
{
    private ConfigurationPropertyCollection properties;

    public override Type BehaviorType
    {
        get { return typeof (ClientCredentials); }
    }

    /// <summary>
    /// Username (required)
    /// </summary>
    public string UserName
    {
        get { return (string) base["userName"]; }
        set { base["userName"] = value; }
    }

    /// <summary>
    /// Password (optional)
    /// </summary>
    public string Password
    {
        get { return (string) base["password"]; }
        set { base["password"] = value; }
    }

    // Extends the standard <clientCredentials> attributes with userName and password.
    protected override ConfigurationPropertyCollection Properties
    {
        get
        {
            if (properties == null)
            {
                ConfigurationPropertyCollection baseProps = base.Properties;
                baseProps.Add(new ConfigurationProperty(
                                  "userName",
                                  typeof (String),
                                  null,
                                  null,
                                  new StringValidator(1),
                                  ConfigurationPropertyOptions.IsRequired));
                baseProps.Add(new ConfigurationProperty(
                                  "password",
                                  typeof (String),
                                  ""));
                properties = baseProps;
            }
            return properties;
        }
    }

    // Copies the configured values onto the ClientCredentials behavior.
    protected override object CreateBehavior()
    {
        var creds = (ClientCredentials) base.CreateBehavior();
        creds.UserName.UserName = UserName;
        if (Password != null) creds.UserName.Password = Password;
        return creds;
    }
}

After which you need to register this custom implementation using something like

      <add name="UserNameClientCredentials" type="MyNamespace.UserNameClientCredentials, MyAssembly, Version=, Culture=neutral, PublicKeyToken=null" />

This is what I did to get the new auth to work

Expanding further on Mormegil's answer, this is how to use the customBehavior implementation.

public class UserNameClientCredentialsElement : ClientCredentialsElement
{ // class renamed only to follow the configuration pattern
   ... // using Mormegil's implementation
}

After which you need to:

  1. Register the behaviorExtension.
  2. Define a new behaviorConfig using the config extension (which was the tricky part; coverage is scarce on how to do this).
  3. Apply the config to an endpoint.

Using something like:

    <endpoint ...YourEndpointConfig... behaviorConfiguration="UserNamePasswordBehavior" />
    <behaviors>
      <endpointBehaviors>
        <behavior name="UserNamePasswordBehavior">
          <userNameClientCredentials userName="skroob" password="12345" />
          <!--Visual Studio will give you warning squiggly on <userNameClientCredentials> saying that "The element 'behavior' has invalid child element" but will work at runtime.-->
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <extensions>
      <behaviorExtensions>
        <add name="userNameClientCredentials" type="MyNamespace.UserNameClientCredentialsElement, MyAssembly, Version=, Culture=neutral, PublicKeyToken=null" />
      </behaviorExtensions>
    </extensions>
Patrick Paquet

As far as I know, that is not possible using the serviceModel configuration section due to the security hole it would create. But you could create regular appSettings for these values and use them in code:

svc.ClientCredentials.UserName.UserName = ConfigurationManager.AppSettings("...")

I would advise against this approach though, unless you encrypt the configuration file.

Johann Blais
    Thanks. But storing the credentials in AppSettings will still require I set the values programmatically. I'm sure it's probably a security-issue, but I just don't see the difference: People are going to store login/pw somewhere anyways - why not right there along with the rest of the WCF configuration?? :) – Jakob Gade Sep 16 '10 at 14:03
    As you said, it is related to security. Providing the user with a way to specify a password in clear text is an obvious security hole. Now, if the developer decides to bypass it with the code I provided, he will be aware of his wrongdoing. He will not be able to say "Hey Microsoft, your fault, you said it was OK to put it in the WCF config." – Johann Blais Sep 16 '10 at 16:40
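
The answer above advises against keeping credentials in appSettings unless the configuration file is encrypted. One way to do both with the built-in DPAPI protected-configuration provider, as an added example that is not code from any answer on this page; the class name and the keys `MyService.UserName` and `MyService.Password` are assumptions:

```csharp
using System;
using System.Configuration;
using System.ServiceModel.Description;

// Added example. Assumed (hypothetical) appSettings keys:
// "MyService.UserName" and "MyService.Password".
public static class ProtectedServiceCredentials
{
    // Built-in DPAPI provider registered in machine.config.
    private const string Provider = "DataProtectionConfigurationProvider";

    // Run once on the target machine (for example from an installer step) under an
    // account that may write the .config file. Returns true if this call encrypted it.
    public static bool EnsureAppSettingsEncrypted()
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("appSettings");
        if (section == null || section.SectionInformation.IsProtected)
            return false;
        if (section.SectionInformation.IsLocked)
            throw new ConfigurationErrorsException("appSettings is locked and cannot be protected.");

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;   // write the section even if values are unchanged
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection("appSettings");
        return true;
    }

    // Reads are decrypted transparently by ConfigurationManager.
    // Usage: ProtectedServiceCredentials.Apply(svc.ClientCredentials);
    public static void Apply(ClientCredentials credentials)
    {
        if (credentials == null) throw new ArgumentNullException("credentials");
        credentials.UserName.UserName = Require("MyService.UserName");
        credentials.UserName.Password = Require("MyService.Password");
    }

    // Fail loudly instead of sending empty credentials to the service.
    private static string Require(string key)
    {
        string value = ConfigurationManager.AppSettings[key];
        if (string.IsNullOrEmpty(value))
            throw new ConfigurationErrorsException("Missing appSettings key: " + key);
        return value;
    }
}
```

By default this provider uses the machine-level DPAPI key, so the encrypted file cannot be copied to another machine, but any process running on the same machine can still decrypt it. It protects the file at rest and in backups or source control, not against other local accounts.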

You can try to inherit ClientCredentialsElement (handles default configuration section) and add support for UserName and Password. Then you can register this element in configuration file as behavior extension and use it instead of common configuration section.

Ladislav Mrnka