Configuring a local network for WCF Security modes - wcf

I have several machines connected through a wireless router.
When I build a WCF Service in one of the machines with "Security mode = 'None'", then I don't have any problem building client applications that access and use that service from other machines.
But when I try to use a security mode, say "Security mode='Message'", then I start having problems, I get a SecurityNegotiationException: The caller was not authenticated by the service.
Each machine has it's machine name, windows user name and password. I allow peer to peer file access between them.
I'm using netTcpBinding this time.
Please, I need help here...

Have you set 'clientCredentialType' to 'Windows'? The configuration below assumes your sevice pc and client pc are in the same Windows domain.
<bindings>
<netTcpBinding>
<binding name = "mybinding">
<security mode="Message">
<message clientCredentialType="Windows"/>
</security>
</binding>
</netTcpBinding>
</bindings>

Related

"No Endpoint Listening” in WCF Service Hosted in external Windows Service

I'm working on some code refactoring within an existing application.
The application is already hosted and it works fine.
I have WCF services hosted by an external Windows service.
Indeed, I'm working locally and I'm trying to test some code implementations in the Pre prod environment.
So, this is the proxy configuration within the basicHttpBinding code:
<bindings>
<basicHttpBinding>
<!--proxy configuration must be provided-->
<binding name="BindingTimeSheet" maxReceivedMessageSize="6000000" useDefaultWebProxy="false" proxyAddress="http://xxx.xxx.x.x:xxxx" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:01:00" sendTimeout="00:01:00">
<readerQuotas />
<security mode="Transport">
<transport clientCredentialType="Ntlm" />
</security>
</binding>
</basicHttpBinding>
</bindings>
and this is project server endpoint configuration:
<client>
<endpoint address="https://xxxxxxxxxx.asmx" binding="basicHttpBinding" bindingConfiguration="BindingTimeSheet" contract="ProxyClientJeanDoe.JeanDoeSoap" name="JeanDoeSoap" />
</client>
I'm receiving this exceptions:
Inner Exception 1: EndpointNotFoundException: There was no listening
endpoint on https://xxxxxxx.asmx that could accept the message. This
is often due to an incorrect address or SOAP action. If present, see
the InnerException element for more information.
Inner Exception 2: WebException: Can not connect to remote server
Inner Exception 3: SocketException: A connection attempt failed
because the connected party did not respond properly after a certain
amount of time or an established connection failed because the login
host did not respond xxx.xxx.xx.x:xxxx
I have tested the WSDL services and they are working fine but the proxy address is not responding
I have already tried to set the anonymous authentication enabled and I'm working in a local machine where the Internet connection is using a proxy server and it's impossible to configure the firewall for Security reasons.
thanks for your understanding
Finally, The problem was related with the BypassProxyOnLocal flag.
It was enabled so the requests to local Internet resources was not using the proxy server.
This configuration placed into the Web.config works fine.
<system.net>
<defaultProxy useDefaultCredentials="true">
<proxy usesystemdefault="True" proxyaddress="http://xxxxxxxxxxx:8080"
bypassonlocal="False"/>
</defaultProxy>
</system.net>
Thank you.

Accessing ServiceSecurityContext.Current.PrimaryIdentity.Name from within a WCF service

I'm very new to WCF, but I've searched this topic pretty thoroughly and haven't come up with a satisfactory answer, so here goes my question:
While within my WCF service, I need to access the user's username. From everything I've read, I should be able to get that from ServiceSecurityContext.Current.PrimaryIdentity.Name. However, instead of returning Domain\Username as I had hoped, it always returns NT AUTHORITY\NETWORK SERVICE . How can I get the actual Domain and Username of the individual that is logged in to the machine accessing my service?
Thanks.
Have you looked at the ServiceSecurityContext Class?
Represents the security context of a remote party. On the client,
represents the service identity and, on the service, represents the
client identity.
e.g.
ServiceSecurityContext.Current.WindowsIdentity.Name
...ensuring that you have your service set up to authenticate via Windows security.
To Use Windows credentials , set the clientCredentialType to "Windows". use wsHttpBinding, or netTcpBinding if its within LAN
<bindings>
<netTcpBinding>
<binding name="WindowsCredentials">
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
</bindings>

using ssl in wcf service

I want to use SSL using security mode = transport.
Can I use it with following settings in my web config
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpointBinding">
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
</wsHttpBinding>
</bindings>
I am installing root certificate on server side and temp ceritficate on the client side. Should this work by current web settings??
Yes, if that's what you want to do:
you'll have SSL-enabled HTTPS transport
you're using the wsHttp binding
your users will be authenticated against the Windows domain (Active Directory)
This requires that your client and server are in the same common Windows domain, or at least in two Windows domains that are in a mutual trust relationship with one another (so that the service can authenticate the calling user against Active Directory).
This will not support anonymous callers, or callers from outside your Windows domain.
The question is: if it's really within your Windows domain and thus behind your corporate firewall, why are you using wsHttpBinding? NetTcpBinding would be much faster and more efficient in this scenario....
Marc

WCF - Preventing Unauthorized Clients

I have a WCF service that I only want my applications to have access to. My applications consist of a traditional web interface that uses JQuery and a Silverlight interface. Neither of these interfaces require the user to login.
Is there a way that I can tell a WCF service to only allow clients that originated from my domain? If so, how?
Thank you!
Yes, of course you can - just require Windows credentials (i.e. an Active Directory account in your domain) from your callers.
Anyone not authenticated against your domain will be rejected.
You can do this by specifying either netTcpBinding with transport security (if everything is behind a corporate firewall), or wsHttpBinding with message security:
<bindings>
<netTcpBinding>
<binding name="DomainUsersOnly">
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
<wsHttpBinding>
<binding name="HttpDomainUsersOnly">
<security mode="Message">
<message clientCredentialType="Windows" />
</security>
</binding>
</wsHttpBinding>
</bindings>
Now, all you need to do is reference one of those binding configurations in your endpoints:
<endpoint name="whatever"
address="......"
binding="netTcpBinding"
bindingConfiguration="DomainUsersOnly"
contract="IYourservice" />
and you should be good to go.
If all of your legitimate users are supposed to be on your internal corporate LAN (on the same subnet), then you could lock it down by IP address using an approach like this. You could also clamp it down to several specific IP masks that way if you wanted to.
But if you want to allow legitimate users to hit it from anywhere, then this is not a good approach. Authentication would be better in that case.
You could add a security restriction in IIS to only allow calls from the domain to the webservice.
Unless you consider windows auth (since requests are coming from your domain), the preferred way to do this would be at a different level, via firewalls. At that level, you can restrict incoming traffic to a known set of IP addresses. This will only go so far, since IPs can be spoofed, but this is an open service, so there you go. A better alternative would be both firewalls and windows auth.
Alternatively, you could check client IP addresses in WCF by querying OperationContext.Current.IncomingMessageProperties.

WCF Authentication With SSL

I am very new to WCF and I have created a service to be consumed via a windows mobile app using the basicHttpBinding. I am now looking at how to implement encrpytion and authenticaion and I am not getting very far.
I have added the following to my server side service configuration (which I believe is correct):
<basicHttpBinding>
<binding name="SecurityByTransport">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName" />
<transport clientCredentialType="Certificate" />
</security>
</binding>
</basicHttpBinding>
Now after installing a temporary certificate on my IIS instance I can navigate to my service via https.
At this point I used visual studios built in tool for running svcutil.exe and generated my proxy, which connects just fine.
The issue I have is in the client config, in that the endpoint reference is using http and not https. If I change this I get the following error:
The provided URI scheme 'https' is invalid; expected 'http'.
Which obviously I do not want.
Also in my client config the security specified seems to be "None", is this right?