I want to configure basic authentication on my IIS7 that is hosting several WCF/ASMX services, moreover I want my clients to store user name and passwords inside the web.config file without modify client code, is that possible?
You can configure IIS7 for basic authentication, however this would authenticate against Local Users and Groups rather than the web.config configuration file.
I would not recommend putting them in the configuration file as then you would have to go to the effort of encrypting the passwords and you would also have to modify your code to use a custom authentication method.
Related
I will state up front that this is a well discussed topic however I have been unable to find the answer I need. I have created a winforms app that makes WCF calls to a server. All works fine with no http proxy as well as an http proxy present (non-authenticating). I did no extra coding to achieve this since many problems with proxies were fixed after .NET 1.1. It just works by accepting the Internet Options (from IE). This is my primary goal. I want the proxy config to "just work" including authentication. Right now, proxy with auth fails. I do not want to programmatically specify credentials, server names, port, etc... It was pointed out here
How should I set the default proxy to use default credentials? that the following entry is needed:
<system.net>
<defaultProxy useDefaultCredentials="true" />
</system.net>
I've got this in my app.config but not having success. I'm using squid as my proxy server and I have it setup with Basic authentication. With this setup, I am forced to programmatically provide username/password (don't want this). I know how to do this and I can get it to work but that's not the point. I would like all settings to be discovered including my current credentials I used to authenticate with windows. The following has an interesting answer Web service calls and proxy authentication in the real world. It states that if IE had to prompt for username and password then so would my application. In fact, IE DOES prompt for username and password. I found good info here as well http://blogs.msdn.com/b/stcheng/archive/2008/12/03/wcf-how-to-supply-dedicated-credentials-for-webproxy-authentication.aspx. I'm going wrong somewhere. If Basic Auth is wrong, then what type of authentication would allow everything to "just work".
After more research, you really can't do what I'm trying to do across authentication protocols. The following MSDN page http://msdn.microsoft.com/en-us/library/system.net.credentialcache.defaultcredentials.aspx points that out. Understandably, basic auth if very old and not supported for calls to DefaultCredentails according to this page, but I'm deploying to users that might be running XP with older proxy servers. I will have to provide my user base with a manual method to configure user/password for basic auth with a proxy server. I believe what I'm trying to achieve is certainly doable with NTLM and Negotiate type auth methods. The bottom line is you have to manually provide user/password with basic auth with code like this:
WebRequest.DefaultWebProxy.Credentials = new NetworkCredential("user", "password123");
After migrating from IIS6 to IIS7, all sites using a WCF oData service would prompt for credentials when attempting to make Post/Put/Patch/Delete request. The user would be continually prompted for credentials until the cancelled the request. After cancelling the request, they would receive a 401.3 response from the server.
If a user is granted modify permission on the folder containing the *.svc file for the WCF oData service they are then authorized to make requests with those verbs. Asp.Net impersonation is not turned on.
The AppPool is running Integrated .Net 4 under a service account with modify permissions to the site's folders/files.
Update:
It seems this is as designed. GrantingServerName\Users modify access to the *.svc, does resolve the issue. Addendum: Specifically, it looks like Domain Users or Authenticated Users needs modify rights to the *.svc.
Final update: changed the wording to make the question more general/easy to find for others
This is by design. If you disable impersonation, then NTFS ACLs are used to secure the resource. I know it seems odd at first, but some thought will lead you to an understanding that it is a reasonable approach given the constraints of this particular configuration. This behaviour is documented on MSDN.
please help. Half of the kingdom for a correct answer!!!
Is it possible to use WCF Windows authentication with the anonymous access option? My WCF service deployed in the AD domain, and there are some clients outside of the domain. Can I use windows authentication to get client credentials for users that are in the AD and the same time allow access to the users they are not in the domain? Thanks.
P.S. Sorry for poor English.
To do this you need to create a service configuration that exposes two different endpoints. One endpoint would use your current config. The new endpoint would be for the non-AD clients and you would configure it using the options listed here. For anonymous access, you could pick an unsecured client configuration. If your service host is IIS, you may need to have two different sites/applications because I believe enabling Windows authentication will disable anonymous access.
I have several WCF services in an ASP.NET application. I want to prevent applications from outside of my domain from accessing these services. Is there a configuration setting that allows me to block requests from outside of my domain?
Thank you!
What you want is authentication. Limiting access based on domain is not a secure manner of authentication.
If you don't want expose services to Internet you should not host them on public server. If you really need this you should first start to look for way to secure your services on network level. For example I guess ISA server should be able to block requests to your services.
EDIT: This will prevent all non-authenticated users from getting to your services. If you need users in your domain who aren't authenticated to access the services, let me know and I'll update accordingly.
Are you using authentication in your ASP.NET application?
<system.web>
...
<authentication mode="Forms">
<forms protection="All" defaultUrl="login.aspx" ... />
</authentication>
...
</system.web>
If so, your .svc files will be inaccessible until your users authenticate. If a non-authenticated user tries to access a .svc file, they will be redirected to your login page.
EDIT(2):
Since you need non-authenticated access to the services within your site, one thing you can consider is having a cookie that's sent to the user's machine upon the first visit to the site. The cookie could use a create date and some secret key to create a hash, and you can validate the hash on the server for each request. Requests from other sites wouldn't pass the cookie and your service would manually check to see if that cookie is there or not -- if it's not there, then the request is denied.
If your WCF services has ASP.NET compatibility enabled (true) and AspNetCompatibilityRequirementsMode set to Allowed or Required, you should have access to HttpContext and cookies. Here's more information about ASP.NET compatibility mode.
This may not be the most appropriate solution as I don't know your scenario and requirements. But hopefully this helps.
We have OSB services that are currently secured with a username and a password. I get a 401 unauthorized when attempting to generate a service proxy using svcutil. I know you need to set up a svcutil.exe.config file but I cannot find any examples except for one that passes a certificate.
Dows anyone know how to send a username and password using svcutil?
I don't think you can do that.
What you can do in this case is either connect to that address in a browser and just download and save the WSDL file to your local disk and call svcutil.exe on that local copy - or ask the publisher of that webservice to either give you an URL which doesn't require authentication, or to simply send you the relevant WSDL and possibly XSD files so you can create a client side proxy for that service.
You can't authenticate in svcutil, but you can set up credentials in Windows for the target machine. Go to your account management page, then to your stored credentials. Add a new entry with the target hostname and credentials. After this, you can use svcutil with the URL.
Try this. This should work with any web page requiring username and password.
svcutil http://user:password#someurl?wsdl