WCF security cross domain - wcf

I have a WCF service hosted in domain A. It requires Windows authentication, and Anonymous Access has been disabled at the IIS level. Everything worked as expected until another domain, B, was introduced. Domain A has absolutely no knowledge of the other domain. So my question is: is there a way to use client configuration hosted in domain B to pass some credentials to the service that will be authenticated against domain A?

No, unless you create a trust relationship between Domain A and Domain B you will not be able to use Windows authentication.

Related

IIS windows authentication to other domain without trust

I am trying to host a classic asp page in IIS. I have set Integrated windows authentication as an authentication mechanism to access the page.
It works fine.
I have three domains. A, B, C. A and B both are in trust relationship. C is a separate domain. I have installed IIS in the domain C. I have enabled WIA for the page I have hosted. Windows Authentication will/must check for the user level authentication only in the domain C.
Is there any way to configure Windows authentication in the IIS in domain C to authenticate users against domains A and B without adding them to the trust? I checked this question, which is not very helpful.
I think your best bet is to create an Active Directory server that is accessible by all your domains and then authenticate against it. This design will give you a lot of advantages.
For more details on how to set it up, you can read this article from Microsoft: How Domain and Forest Trusts Work.

How to tell WCF Client (ClientBase<TChannel>) to pass Kerberos credentials to a trusted server that uses another domain name?

I have a setup where our ADFS 2.0 server uses a URL with a domain name (https://adfs.MyOtherDomain.com) that is different from our real domain (MyDomain.com).
We have added https://adfs.MyOtherDomain.com to Windows' Local Intranet Zone, and both IE and Chrome pass credentials without prompting the user.
It seems that the WCF client does not use the sites defined in Windows' Local Intranet Zone.
Is there a way to tell WCF Client to use them or is there a way to provide it with a list of trusted domain names?
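As an added illustration (not part of the original question or any answer in this thread): a WCF client configuration that names the Kerberos service principal it expects the remote service to hold, via the endpoint's identity element, rather than relying on browser zone settings, which WCF does not read. The service path, contract name and SPN value are assumptions; the SPN must match the one registered for the service's account in Active Directory.

```xml
<!-- Added example: WCF client endpoint with an explicit Kerberos identity.
     Assumed values: service URL path, contract name and SPN. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="windowsTransportBinding">
        <!-- HTTPS transport; client authenticates with its Windows identity -->
        <security mode="Transport">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <endpoint name="AdfsEndpoint"
              address="https://adfs.MyOtherDomain.com/Service.svc"
              binding="wsHttpBinding"
              bindingConfiguration="windowsTransportBinding"
              contract="IMyService">
      <!-- Tells WCF which SPN to request a Kerberos ticket for.
           Without this, WCF derives the SPN from the host name in the address,
           which may not match the account the service actually runs under. -->
      <identity>
        <servicePrincipalName value="HTTP/adfs.MyOtherDomain.com" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
```

A mismatch between this SPN and the one registered in AD causes Kerberos to fail (or to fall back to NTLM where the binding allows it), so verify the registered SPN before changing the client side.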

Can we use AD-based client certificate authentication with IIS when the client computer is not a member of the domain?

Scenario: We have a server located in a Windows Active Directory domain which implements a web service API, implemented with WCF and exposed via IIS 8 over HTTPS. The clients making requests to the web service are not located in the domain. However, they should be mapped to AD users via SSL client certificates. I.e., when making an HTTP request, they include a client certificate, and I want that certificate to be mapped to the corresponding AD user.
I know that IIS supports two ways of client certificate authentication, IIS Client Certificate Authentication and Client Certificate Authentication using Active Directory. I'd really like to use the AD approach in our scenario, as it makes the management of client certificates easier (we can map certificates to users in the AD rather than in the IIS configuration).
However, the docs linked above say that,
[Client Certificate Authentication using Active Directory] requires that the IIS 7 server and the client computer are members of an Active Directory domain [...]
This indicates that we cannot use this approach, since our client computers are not part of the AD domain. However, this doesn't really make sense to me. How would the server even know whether the client making an HTTPS request is in the same domain?
So, here's the question: Can we use Client Certificate Authentication using Active Directory with clients outside the AD domain or not?
We've now had the chance to implement and test our solution with a machine outside of the AD domain. Indeed, it works: the client computer does not have to be part of the domain, so the documentation seems to be wrong here.

Active Directory Membership Provider across multiple domains

I have a WCF authentication service that uses the Active Directory membership provider and provides an AD login function, and we have this working for one domain, A. There is another domain, B, which is behind the firewall, and there is a one-way trust relationship between domains A and B. Users from domain B can log onto the domain controller of domain A but not vice versa. The WCF service is on domain A. I tried to authenticate users from domain B using the service and I received the "unknown username or bad password" error.
I am wondering if anyone knows whether the Active Directory membership provider works across multiple domains with a one-way trust relationship. I have tried changing the LDAP connection string to point to domain A's domain controller but specify the DC parameter for domain B and set the connectionUser to DomainB\Username, but I received the same error. If I have everything pointing to domain A I receive the same error too. The domain controllers for A and B can see each other. Does anyone know a solution?
(We can't point the LDAP string to domain B as it's behind firewalls.)
Thanks in advance

Will WCF trust credential from an untrusted domain?

We have a web server in a DMZ hosting an IIS website. The website talks to a middleware machine in a private domain, which is hosting WCF services.
When the web server tries to communicate with the middleware machine via a TCP binding, we get the following error message:
"The server has rejected the client credentials. The logon attempt failed."
The website uses an AppPool account from the private domain (the DMZ trusts the private domain). Forms and Anonymous authentication are enabled.
My question is, would the middleware server be able to authenticate valid credentials (hopefully the AppPool credentials), even though they originated from an untrusted domain (the DMZ)?
#marc_s is right in his comment. It's not just a WCF thing though; it's security in general.
Just look at it from a conceptual point: "authenticate valid credentials" is not what is happening. The middleware service gets credentials. The question is then whether those credentials are valid or not. In order to determine validity it needs to know it or ask something that it trusts to validate it for it. Asking an untrusted party doesn't work, since you can't determine if the answer you get is a valid answer or not. In your case there is no place to determine if the passed credentials are valid or just a random token.
If you want to allow unvalidated credentials to pass, you should really remove the authentication/authorisation altogether.