diff --git a/HawkNet.WCF/HawkAuthenticationManager.cs b/HawkNet.WCF/HawkAuthenticationManager.cs
new file mode 100644
index 0000000..476ee1a
--- /dev/null
+++ b/HawkNet.WCF/HawkAuthenticationManager.cs
@@ -0,0 +1,79 @@
+using System;
+using System.Diagnostics;
+using System.Collections.ObjectModel;
+using System.Collections.Generic;
+using System.ServiceModel.Channels;
+using System.IdentityModel.Claims;
+using System.IdentityModel.Policy;
+using System.Security.Principal;
+using System.ServiceModel;
+using System.ServiceModel.Security;
+using System.ServiceModel.Web;
+using System.Security;
+using System.Web;
+using System.Linq;
+
+namespace HawkNet.WCF
+{
+    class HawkAuthenticationManager : ServiceAuthenticationManager
+    {
+        const string HawkScheme = "Hawk";
+
+        static TraceSource TraceSource = new TraceSource("HawkNet.WCF");
+
+        Func<string, HawkCredential> credentials;
+        int timeskewInSeconds;
+        string schemeOverride;
+
+        public HawkAuthenticationManager(Func<string, HawkCredential> credentials, int timeskewInSeconds, string schemeOverride)
+            : base()
+        {
+            this.credentials = credentials;
+            this.timeskewInSeconds = timeskewInSeconds;
+            this.schemeOverride = schemeOverride;
+
+            if (Trace.CorrelationManager.ActivityId == Guid.Empty)
+                Trace.CorrelationManager.ActivityId = Guid.NewGuid();
+        }
+
+        public override ReadOnlyCollection<IAuthorizationPolicy> Authenticate(ReadOnlyCollection<IAuthorizationPolicy> authPolicy, Uri listenUri, ref Message requestMessage)
+        {
+            IPrincipal principal = ExtractCredentials(requestMessage);
+            var policies = new List<IAuthorizationPolicy>();
+            policies.Add(new HawkPrincipalAuthorizationPolicy());
+
+            if (principal != null)
+            {
+                requestMessage.Properties["Principal"] = principal;
+            }
+
+            return policies.AsReadOnly();
+        }
+
+        private IPrincipal ExtractCredentials(Message requestMessage)
+        {
+            var request = (HttpRequestMessageProperty)requestMessage.Properties[HttpRequestMessageProperty.Name];
+
+            var authHeader = request.Headers["Authorization"];
+            if (authHeader != null && authHeader.StartsWith(HawkScheme, StringComparison.InvariantCultureIgnoreCase))
+            {
+                var hawk = authHeader.Substring(HawkScheme.Length).Trim();
+
+                TraceSource.TraceInformation(string.Format("{0} - Received Auth header: {1}",
+                    Trace.CorrelationManager.ActivityId, hawk));
+
+                var uri = new Uri(HttpUtility.UrlDecode(requestMessage.Properties.Via.AbsoluteUri));
+
+                var principal = Hawk.Authenticate(hawk,
+                    request.Headers["host"],
+                    request.Method,
+                    new UriBuilder (uri) { Scheme = (!string.IsNullOrEmpty(schemeOverride)) ? schemeOverride : uri.Scheme }.Uri,
+                    this.credentials,
+                    this.timeskewInSeconds);
+
+                return principal;
+            }
+            return null;
+        }
+    }
+}
diff --git a/HawkNet.WCF/HawkAuthorizationManager.cs b/HawkNet.WCF/HawkAuthorizationManager.cs
new file mode 100644
index 0000000..4b10f16
--- /dev/null
+++ b/HawkNet.WCF/HawkAuthorizationManager.cs
@@ -0,0 +1,45 @@
+using System;
+using System.Linq;
+using System.ServiceModel;
+using System.ServiceModel.Channels;
+using System.IdentityModel.Claims;
+using System.Net;
+
+namespace HawkNet.WCF
+{
+    class HawkAuthorizationManager : ServiceAuthorizationManager
+    {
+        public bool SendChallenge { get; set; }
+
+        public HawkAuthorizationManager(bool sendChallenge) : base()
+        {
+            SendChallenge = sendChallenge;
+        }
+
+        protected override bool CheckAccessCore(OperationContext operationContext)
+        {
+            if (!operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets.Any())
+            {
+                if (SendChallenge)
+                {
+                    var newReply = Message.CreateMessage(MessageVersion.None, null);
+                    var responseProperty = new HttpResponseMessageProperty() { StatusCode = HttpStatusCode.Unauthorized };
+
+                    var ts = Hawk.ConvertToUnixTimestamp(DateTime.Now).ToString();
+                    var challenge = string.Format("ts=\"{0}\" ntp=\"{1}\"",
+                        ts, "pool.ntp.org");
+
+                    responseProperty.Headers.Add("WWW-Authenticate", challenge);
+
+                    newReply.Properties[HttpResponseMessageProperty.Name] = responseProperty;
+
+                    //overwrite the original reply with the unauthorized message.
+                    operationContext.RequestContext.Reply(newReply);
+                }
+                return false;
+            }
+
+            return base.CheckAccessCore(operationContext);
+        }
+    }
+}
diff --git a/HawkNet.WCF/HawkNet.WCF.csproj b/HawkNet.WCF/HawkNet.WCF.csproj
index 279d8a7..f6fd04f 100644
--- a/HawkNet.WCF/HawkNet.WCF.csproj
+++ b/HawkNet.WCF/HawkNet.WCF.csproj
@@ -45,10 +45,6 @@
     <Prefer32Bit>false</Prefer32Bit>
   </PropertyGroup>
   <ItemGroup>
-    <Reference Include="HawkNet, Version=1.4.4.0, Culture=neutral, PublicKeyToken=840f8ba19d15c979, processorArchitecture=MSIL">
-      <HintPath>..\packages\HawkNet.1.4.4.0\lib\net45\HawkNet.dll</HintPath>
-      <Private>True</Private>
-    </Reference>
     <Reference Include="Microsoft.ServiceModel.Web">
       <HintPath>..\packages\Microsoft.ServiceModel.Web.1.0.1\lib\net35\Microsoft.ServiceModel.Web.dll</HintPath>
     </Reference>
@@ -66,13 +62,23 @@
     <Reference Include="System.Xml" />
   </ItemGroup>
   <ItemGroup>
+    <Compile Include="HawkAuthenticationManager.cs" />
+    <Compile Include="HawkAuthorizationManager.cs" />
     <Compile Include="HawkClientEndpointBehavior.cs" />
     <Compile Include="HawkRequestInterceptor.cs" />
+    <Compile Include="HawkServiceBehavior.cs" />
+    <Compile Include="HawkPrincipalAuthorizationPolicy.cs" />
     <Compile Include="Properties\AssemblyInfo.cs" />
   </ItemGroup>
   <ItemGroup>
     <None Include="packages.config" />
   </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="..\HawkNet\HawkNet.csproj">
+      <Project>{f997ce59-eee3-42e4-b41a-b32985994603}</Project>
+      <Name>HawkNet</Name>
+    </ProjectReference>
+  </ItemGroup>
   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
   <Import Project="$(SolutionDir)\.nuget\nuget.targets" />
   <!-- To modify your build process, add your task inside one of the targets below and uncomment it. 
diff --git a/HawkNet.WCF/HawkPrincipalAuthorizationPolicy.cs b/HawkNet.WCF/HawkPrincipalAuthorizationPolicy.cs
new file mode 100644
index 0000000..d8828aa
--- /dev/null
+++ b/HawkNet.WCF/HawkPrincipalAuthorizationPolicy.cs
@@ -0,0 +1,64 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+using System.IdentityModel.Claims;
+using System.IdentityModel.Policy;
+using System.ServiceModel;
+using System.Security.Principal;
+
+namespace HawkNet.WCF
+{
+    class HawkPrincipalAuthorizationPolicy : IAuthorizationPolicy
+    {
+        string id = Guid.NewGuid().ToString();
+
+        public ClaimSet Issuer
+        {
+            get { return ClaimSet.System; }
+        }
+
+        public string Id
+        {
+            get { return this.id; }
+        }
+
+        public bool Evaluate(EvaluationContext evaluationContext, ref object state)
+        {
+            object principalValue;
+
+            if (OperationContext.Current.IncomingMessageProperties.TryGetValue("Principal", out principalValue))
+            {
+                IPrincipal user = principalValue as IPrincipal;
+                if (user != null)
+                {
+                    evaluationContext.AddClaimSet(this, new DefaultClaimSet(this.GetClaims(user)));
+                    evaluationContext.Properties["Identities"] = new List<IIdentity>(new IIdentity[] { user.Identity });
+                    evaluationContext.Properties["Principal"] = user;
+
+                    return true;
+                }
+            }
+            // This lets people get to the help page, and really anything else that isn't restricted by a PrincipalPermission. Is that what we want?
+            /*
+            var anonymous = new GenericPrincipal(new GenericIdentity(""), new string[] { });
+
+            evaluationContext.AddClaimSet(this, new DefaultClaimSet(new Claim(ClaimTypes.Anonymous, "", Rights.PossessProperty)));
+            evaluationContext.Properties["Identities"] = new List<IIdentity>(new IIdentity[] { anonymous.Identity });
+            evaluationContext.Properties["Principal"] = anonymous;
+
+            return true;
+            */
+            return false;
+        }
+
+        public virtual IList<Claim> GetClaims(IPrincipal user)
+        {
+            IList<Claim> claims = new List<Claim>();
+            claims.Add(Claim.CreateNameClaim(user.Identity.Name));
+            return claims;
+        }
+
+    }
+}
diff --git a/HawkNet.WCF/HawkServiceBehavior.cs b/HawkNet.WCF/HawkServiceBehavior.cs
new file mode 100644
index 0000000..87e6e90
--- /dev/null
+++ b/HawkNet.WCF/HawkServiceBehavior.cs
@@ -0,0 +1,180 @@
+using System;
+using System.Collections.Generic;
+using System.Configuration;
+using System.Linq;
+using System.ServiceModel.Channels;
+using System.ServiceModel.Configuration;
+using System.ServiceModel.Description;
+using System.ServiceModel.Dispatcher;
+using System.Text;
+using System.Threading.Tasks;
+using System.ServiceModel;
+using System.Diagnostics;
+using System.IdentityModel.Configuration;
+
+namespace HawkNet.WCF
+{
+    public class HawkCredentialConfigurationElement : ConfigurationElement
+    {
+        [ConfigurationProperty("id", IsRequired = true)]
+        public string Id
+        {
+            get { return (string)this["id"]; }
+            set { this["id"] = value; }
+        }
+
+        [ConfigurationProperty("algorithm", IsRequired = true)]
+        public string Algorithm
+        {
+            get { return (string)this["algorithm"]; }
+            set { this["algorithm"] = value; }
+        }
+
+        [ConfigurationProperty("key", IsRequired = true)]
+        public string Key
+        {
+            get { return (string)this["key"]; }
+            set { this["key"] = value; }
+        }
+
+        [ConfigurationProperty("user", IsRequired = true)]
+        public string User
+        {
+            get { return (string)this["user"]; }
+            set { this["user"] = value; }
+        }
+    }
+
+    [ConfigurationCollection(typeof(HawkCredentialConfigurationElement), CollectionType = ConfigurationElementCollectionType.BasicMap)]
+    public class HawkCredentialConfigurationElementCollection : ConfigurationElementCollection
+    {
+        public override ConfigurationElementCollectionType CollectionType
+        {
+            get { return ConfigurationElementCollectionType.BasicMap; }
+        }
+
+        protected override string ElementName
+        {
+            get
+            {
+                return "credential";
+            }
+        }
+
+        protected override ConfigurationElement CreateNewElement()
+        {
+            return new HawkCredentialConfigurationElement();
+        }
+
+        protected override object GetElementKey(ConfigurationElement element)
+        {
+            return (element as HawkCredentialConfigurationElement).Id;
+        }
+    }
+
+    public class HawkServiceBehavior : BehaviorExtensionElement, IServiceBehavior
+    {
+        [ConfigurationProperty("sendChallenge", DefaultValue = true)]
+        public bool SendChallenge
+        {
+            get { return (bool)this["sendChallenge"]; }
+            set { this["sendChallenge"] = value; }
+        }
+
+        [ConfigurationProperty("schemeOverride")]
+        [RegexStringValidator("^(https?)?$")]
+        public string SchemeOverride
+        {
+            get { return (string)this["schemeOverride"]; }
+            set { this["schemeOverride"] = value; }
+        }
+
+        [ConfigurationProperty("timeskewInSeconds", DefaultValue = 60)]
+        [IntegerValidator]
+        public int TimeskewInSeconds
+        {
+            get { return (int)this["timeskewInSeconds"]; }
+            set { this["timeskewInSeconds"] = value; }
+        }
+        
+        [ConfigurationProperty("credentials", IsDefaultCollection = true, IsKey = false, IsRequired = false)]
+        public HawkCredentialConfigurationElementCollection HawkCredentials
+        {
+            get
+            {
+                HawkCredentialConfigurationElementCollection hawkCredentials =
+                (HawkCredentialConfigurationElementCollection)base["credentials"];
+                return hawkCredentials;
+            }
+        }
+
+        public override Type BehaviorType
+        {
+            get { return typeof(HawkServiceBehavior); }
+        }
+
+        protected override object CreateBehavior()
+        {
+            return this;
+        }
+        #region IServiceBehavior Members
+
+        public void AddBindingParameters(ServiceDescription serviceDescription, ServiceHostBase serviceHostBase, System.Collections.ObjectModel.Collection<ServiceEndpoint> endpoints, BindingParameterCollection bindingParameters)
+        {
+
+        }
+
+        public virtual Func<string, HawkCredential> GetCredentialFunction()
+        {
+            var credentials = new Dictionary<string, HawkCredential>();
+
+            foreach (HawkCredentialConfigurationElement hawkCredential in this.HawkCredentials)
+            {
+                credentials.Add(hawkCredential.Id,
+                    new HawkCredential
+                    {
+                        Id = hawkCredential.Id,
+                        Key = hawkCredential.Key,
+                        Algorithm = hawkCredential.Algorithm,
+                        User = hawkCredential.User
+                    });
+            }
+
+            return (id) => (credentials.ContainsKey(id)) ? credentials[id] : null;
+        }
+
+        public void ApplyDispatchBehavior(ServiceDescription serviceDescription, ServiceHostBase serviceHostBase)
+        {
+            var authenticationBehavior = serviceDescription.Behaviors.Find<ServiceAuthenticationBehavior>();
+            var hawkAuthenticationManager = authenticationBehavior.ServiceAuthenticationManager as HawkAuthenticationManager;
+            if (hawkAuthenticationManager == null)
+            {
+                hawkAuthenticationManager = new HawkAuthenticationManager(this.GetCredentialFunction(), this.TimeskewInSeconds, this.SchemeOverride);
+                authenticationBehavior.ServiceAuthenticationManager = hawkAuthenticationManager;
+            }
+
+            ((IServiceBehavior)authenticationBehavior).ApplyDispatchBehavior(serviceDescription, serviceHostBase);
+
+            var authorizationBehavior = serviceDescription.Behaviors.Find<ServiceAuthorizationBehavior>();
+            var hawkAuthorizationManager = authorizationBehavior.ServiceAuthorizationManager as HawkAuthorizationManager;
+            if (hawkAuthorizationManager == null)
+            {
+                authorizationBehavior.ServiceAuthorizationManager = new HawkAuthorizationManager(this.SendChallenge);
+            }
+
+            authorizationBehavior.PrincipalPermissionMode = PrincipalPermissionMode.Custom;
+
+            ((IServiceBehavior)authorizationBehavior).ApplyDispatchBehavior(serviceDescription, serviceHostBase);
+        }
+
+        public void Validate(ServiceDescription serviceDescription, ServiceHostBase serviceHostBase)
+        {
+
+        }
+
+        #endregion
+
+    }
+
+
+}
diff --git a/README.md b/README.md
index 124b58f..a0ed6a0 100644
--- a/README.md
+++ b/README.md
@@ -5,3 +5,21 @@ Hawk protocol implementation for .NET. Hawk is an HTTP authentication scheme usi
 
 The project includes a basic library for generating/verifying a Hawk authorization header, and set of integration projects for existing web frameworks such as ASP.NET Web API or ServiceStack. An OWIN handler is also included, which can used for any OWIN compatible implementation.
 
+For use in WCF you'd include something like this:
+
+```xml
+<serviceBehaviors>
+<behavior name="HawkAuthenticatedService">
+  <hawk sendChallenge="false" schemeOverride="https">
+    <credentials>
+      <credential user="yourusername" id="yourid" key="your key should be long and random and NOT THIS" algorithm="sha256"/>
+    </credentials>
+  </hawk>
+</behavior>
+</serviceBehavior>
+```
+
+And apply it on your service like this:
+```xml
+<service name="Assembly.HawkAuthenticatedService" behaviorConfiguration="HawkAuthenticatedService">
+```