Total Pageviews

Monday, April 22, 2013

Soap Header Authentication for Web Services in ASP.NET

Hi All,

I will be discussing web service authentication in this article, where you can host your web service publically but it can only be accessed by passing pre-assigned username, password and secure parameter. 

So speaking simple SOAP web services, following are the steps that will make your publically available web service, a secured web service.

When you choose to create a new web service(for .NET 2.0/3.0/3.5), you will see the following Service1.asmx code-behind. (Note: I've added "System.Web.Services.Protocols" namespace and "#region" tag in the default code.

This is an example of default web service code which will let HelloWorld() method to be consumed without any authentication, once this web service is published over the App Server(local IIS or over Internet).

By adding couple of lines of code we can make the existing web service to be secure( enforcing username and password via SOAP Header).

So let's pick some username and password for the web service and place it within <appSettings> tag in Web.config file. 

    <add key="ff_username" value="user1"/>
    <add key="ff_password" value="User!123"/>

Now to implement this username and password, we need to modify the current web service code as shown in highlighted boxes below:

Now this web service is secured with customer username and password. After a successful build you can deploy/publish this web service on your IIS(local or Internet).


You can create a "Test Project" where you can add the service reference by right clicking on "Web Reference"--> choosing "Add Web Reference" and providing the URL of your currently deployed web service.

Assuming that you have given the web reference name of your web service(under Test Project) as "prod", it should look something as shown below.

Now in the code-behind of your "Default.aspx.cs", create the web service instance and consume the HelloWorld() and display it in Label.Text as shown below:

As stated in commented text, if your web service fails the authentication it will display "Authentication Failed" otherwise it will display "Hello World".

Cheers :-)


  1. Hi,
    Thank yo very much for the detailed information. Your information was very very very very helpful.

    Thank you so much.

    Apostille Certificate

  2. Where is the validateLogin type defined?

    1. Hi driftwood,

      validateLogin class is defined inside Service1 class.
      This will come after Authentication region #end tag.

      The code snippet is :

      /// To Validate the user against the user/password provided in web.config
      public class validateLogin : SoapHeader
      public string Username;
      public string Password;


    2. Hi,

      HOw can you write the fuelFinder Method where is the declaration part where should give the detailes

    3. FuelFinder is the web service which contains .asmx file written up with various methods that you would call to communicate with your database tables or objects.
      FuelFinder isn't a method but the web service that contains all the methods defined.


  3. can you suggest me how to add a custom SOAP header in request?

  4. Thanks for sharing fabulous information. It' s my pleasure to read it.I have also bookmarked you for checking out new posts. by HRM 531 Week 1

  5. Hi,
    Great article! Thanks for the information, I think others will find this useful.
    Authentication Services

  6. Hi,
    what can I do if validLoginValue member is not exist?
    I am working on and Required field seems to be depricated..
    Dim sa As New ServiceReference1.Authentication
    sa.User = "dd"
    sa.Password = "dd"

    Dim srv As New ServiceReference1.MEWSSoapClient
    srv. //authenticationValue is not a member?

    1. Hi,
      I am also getting same issue, please let me know you find any solution

    2. What is the Inner Exception message that you have encountered?