WCF Service windows authentication - wcf

A WCF service is hosted on our internal server. An external client will consume it, and our service will consume our SharePoint service in order to edit a list item.
The WCF service should automatically use Windows authentication to access the SharePoint site, so I do not have to provide a login, password or domain name.
I am not sure how I am supposed to code my service:
NetworkCredential credential = CredentialCache.DefaultNetworkCredentials;
Will this be enough?
Architecture

But if you do need to use a specific account you could go for the following:
NetworkCredential credentials = new System.Net.NetworkCredential("name", "password", "optional:domain");

IMO, it should be enough if your WCF and SharePoint services are in the same (or trusted) domains, and you select the appropriate security mode.
See for more details:
http://msdn.microsoft.com/en-us/library/ms733836.aspx
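Worked example (added here; it is not code from the question or either answer): a helper the WCF service could call to edit a SharePoint list item with the identity it is already running under, or with a specific service account if one is required. It assumes the SharePoint client object model (Microsoft.SharePoint.Client) is referenced; the site URL, list title, item id and field name are placeholder inputs.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using Microsoft.SharePoint.Client;   // SharePoint client object model (CSOM); assumed to be referenced

public static class SharePointAccess
{
    // The identity that CredentialCache.DefaultNetworkCredentials will actually present:
    // the process (app pool) account, or the caller if the current operation impersonates it.
    // Log this once when diagnosing a 401 from SharePoint.
    public static string EffectiveIdentity()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    // Edits one field of one list item. All string/int inputs are placeholders.
    // explicitAccount == null -> integrated Windows auth as the current identity (no password in code)
    // explicitAccount != null -> a specific service account, e.g. loaded from protected config
    public static void UpdateListItem(string siteUrl, string listTitle, int itemId,
                                      string fieldName, string newValue,
                                      NetworkCredential explicitAccount = null)
    {
        using (var ctx = new ClientContext(siteUrl))
        {
            // DefaultNetworkCredentials carries no password; SSPI negotiates with the current token.
            ctx.Credentials = explicitAccount ?? CredentialCache.DefaultNetworkCredentials;

            List list = ctx.Web.Lists.GetByTitle(listTitle);
            ListItem item = list.GetItemById(itemId);
            item[fieldName] = newValue;
            item.Update();
            ctx.ExecuteQuery();   // single round trip; throws if the identity lacks edit rights
        }
    }
}
```

Two things to check before relying on the default-credentials path: EffectiveIdentity() must return the account you granted rights in SharePoint (normally the IIS app pool identity, not the external caller), and that account only authenticates to a SharePoint server on another machine without extra setup if it is a domain account. If the operation impersonates the external caller and forwards that token to SharePoint on a different box, Kerberos delegation is required; NTLM cannot pass the token on. The explicit-account branch corresponds to the second answer's NetworkCredential, with the secret read from protected configuration rather than written into the source.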

Related

WCF Changing credentials

I have a web app that calls a WCF web application with several services, all using basicHttpBinding, on different servers (web server, app server and database server). One of the services has to connect to a database that must be called using an Active Directory account. Coming in from the web site the user is anonymous.
I have been given credentials to set this user to but I cannot get it to work. I create my channel on the web server like this:
ChannelFactory<T> channelFactory = GetChannelFactoryFromPool<T>(endpointAddress);
channelFactory.Credentials.Windows.ClientCredential.UserName = username;
channelFactory.Credentials.Windows.ClientCredential.Password = password;
channelFactory.Credentials.Windows.ClientCredential.Domain = domain;
proxy = channelFactory.CreateChannel();
In the service on the app server I am trying to determine if the credentials are correct by doing this:
var ssc = ServiceSecurityContext.Current;
but ssc is always null. Can this be done with basicHttpBinding?
Thanks,
Paul
The basicHttpBinding does support Windows authentication as documented in this good MSDN article. You also need to ensure the service operations are configured to allow impersonation of the client credentials to have the security context populated as expected.
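Worked example (added; not Paul's code or the answerer's): a self-hosted basicHttpBinding service that authenticates callers with Windows credentials, so that ServiceSecurityContext.Current is populated, plus a client that supplies an explicit AD account the way the question does. The contract, address and account names are placeholders.

```csharp
using System;
using System.Net;
using System.ServiceModel;

[ServiceContract]
public interface IWhoAmI
{
    [OperationContract]
    string WhoAmI();
}

public class WhoAmIService : IWhoAmI
{
    // Allowed: the operation may execute under the caller's Windows token.
    // The context below is only populated when the binding authenticates callers;
    // with BasicHttpSecurityMode.None it is null, which matches the symptom in the question.
    [OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
    public string WhoAmI()
    {
        ServiceSecurityContext ssc = ServiceSecurityContext.Current;
        if (ssc == null || ssc.IsAnonymous)
            return "anonymous (no transport credential negotiated)";
        return ssc.WindowsIdentity.Name + " via " + ssc.WindowsIdentity.AuthenticationType;
    }
}

public static class WindowsBasicHttp
{
    // Windows credentials on basicHttpBinding need TransportCredentialOnly (plain HTTP)
    // or Transport (HTTPS). Over plain HTTP only the authentication is protected, not the payload.
    public static BasicHttpBinding CreateBinding()
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        return binding;
    }

    public static ServiceHost OpenHost(Uri baseAddress)
    {
        var host = new ServiceHost(typeof(WhoAmIService), baseAddress);
        host.AddServiceEndpoint(typeof(IWhoAmI), CreateBinding(), "");
        host.Open();
        return host;
    }

    // Calls the service as an explicit AD account; the same pattern as the question's ChannelFactory.
    public static string CallAs(Uri address, string user, string password, string domain)
    {
        var factory = new ChannelFactory<IWhoAmI>(CreateBinding(), new EndpointAddress(address));
        factory.Credentials.Windows.ClientCredential = new NetworkCredential(user, password, domain);
        IWhoAmI proxy = factory.CreateChannel();
        var channel = (IClientChannel)proxy;
        try
        {
            string result = proxy.WhoAmI();
            channel.Close();
            return result;
        }
        catch
        {
            channel.Abort();   // never Close() a faulted channel
            throw;
        }
    }
}
```

The binding on both sides must match: if the client's binding says Windows credentials but the service endpoint's security mode is None, the credential is never sent and the service sees a null security context. The same binding expressed in web.config is `<security mode="TransportCredentialOnly"><transport clientCredentialType="Windows"/></security>` on the basicHttpBinding element.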

EWS - Using the service account for impersonation

In our organization we are trying to use EWS Managed API to access mailboxes from a custom UI client on Exchange 2010. We have a .NET 4.0 WCF service running on IIS 7.5 calling the EWS methods on behalf of the UI client. Client and WCF service communicate over https, so does the WCF service and EWS. We now want to create service accounts (basically AD accounts with impersonation rights on certain email inboxes) and run the WCF service under these service accounts. However, when I run the WCF service under a particular AD user in IIS (Anonymous authentication enabled with Anonymous user identity set to the specific AD user), EWS throws a 401 Unauthorized exception. Upon examining the ExchangeService object, the Credentials object is null. If I hardcode the credentials, the service can access EWS. Below is the code that I am using to create the ExchangeService object.
var service = new ExchangeService(ExchangeVersion.Exchange2010)
{
Url = new Uri(ConfigurationManager.AppSettings["EWSUrl"]),
// If I uncomment the below line, the service can access EWS. However, I want the user under which the service is running to access EWS.
//Credentials = new NetworkCredential("ImpersonatingUser", "secretPwd", "TESTDOMAIN"),
ImpersonatedUserId = new ImpersonatedUserId { Id = emailAddress, IdType = ConnectingIdType.SmtpAddress },
};
I read somewhere that the System.ServiceModel.ServiceSecurityContext.Current.WindowsIdentity object will have the current user under which the service is running. However, the System.ServiceModel.ServiceSecurityContext.Current context is null in my case.
How do I get the service account's credentials (without hardcoding it in the code) and pass it to EWS? Please let me know if you need more details.
Edit: In IIS 7.5, I have created a separate app pool running under the impersonating AD user's identity, and configured my WCF service to run in this app pool. Still can't get the service credentials.
Thanks in advance.
Unless your web service runs on the Exchange box, you'll need to configure Kerberos. NTLM does not allow credential delegation.
Another option is to switch to Basic authentication secured with SSL. But this means losing single sign-on in your client application.
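Worked example (added; not the asker's code or the EWS Managed API's own sample): building the ExchangeService so it authenticates as the account the WCF process runs under, rather than with a NetworkCredential containing a password, plus a diagnostic that shows which Windows token would actually be sent to EWS. The EWS URL and mailbox address are placeholders.

```csharp
using System;
using System.Security.Principal;
using Microsoft.Exchange.WebServices.Data;   // EWS Managed API; assumed to be referenced

public static class EwsAccess
{
    // Authenticates to EWS as the current Windows token (the IIS app pool identity when
    // ASP.NET impersonation is off). Credentials stays null on purpose; UseDefaultCredentials
    // tells the HTTP layer to negotiate with the process token instead.
    public static ExchangeService CreateAsProcessIdentity(string ewsUrl, string mailboxSmtpAddress)
    {
        return new ExchangeService(ExchangeVersion.Exchange2010)
        {
            Url = new Uri(ewsUrl),
            UseDefaultCredentials = true,
            // Application impersonation of the target mailbox; the service account needs
            // the ApplicationImpersonation role in Exchange for this to succeed.
            ImpersonatedUserId = new ImpersonatedUserId(ConnectingIdType.SmtpAddress, mailboxSmtpAddress),
        };
    }

    // Diagnostic for the 401: which token is on the thread right now?
    // App pool account  -> single hop, no Kerberos delegation needed.
    // UI client's user  -> the service is impersonating its caller; forwarding that token to
    //                      Exchange on another host needs Kerberos delegation (NTLM cannot).
    public static string TokenThatWillBeSent()
    {
        WindowsIdentity current = WindowsIdentity.GetCurrent();
        return current.Name + " (" + current.ImpersonationLevel + ")";
    }

    // Cheapest call that proves the credentials and impersonation rights work.
    public static int CountInboxItems(ExchangeService service)
    {
        Folder inbox = Folder.Bind(service, WellKnownFolderName.Inbox);
        return inbox.TotalCount;
    }
}
```

With the app pool running as the service account (the setup in the question's edit), set `<identity impersonate="false"/>` for the WCF application so the thread token stays the app pool account; then UseDefaultCredentials = true presents that account to EWS with no password in code or config. If TokenThatWillBeSent() reports the UI user instead, you are in the double-hop case the answer describes, and only Kerberos (or Basic over SSL with stored credentials) will get past the 401.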

WCF ClientCredentials

please help. Half of the kingdom for a correct answer!!!
Is it possible to use WCF Windows authentication with the anonymous access option? My WCF service is deployed in the AD domain, and there are some clients outside of the domain. Can I use Windows authentication to get client credentials for users that are in AD and at the same time allow access to users who are not in the domain? Thanks.
P.S. Sorry for poor English.
To do this you need to create a service configuration that exposes two different endpoints. One endpoint would use your current config. The new endpoint would be for the non-AD clients and you would configure it using the options listed here. For anonymous access, you could pick an unsecured client configuration. If your service host is IIS, you may need to have two different sites/applications because I believe enabling Windows authentication will disable anonymous access.
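Worked example (added; not the asker's or answerer's code): one ServiceHost exposing the two endpoints the answer describes, a Windows-authenticated one for domain clients and an unsecured one for everyone else, with the operation returning different data depending on which endpoint the call arrived on. The contract and base address are placeholders.

```csharp
using System;
using System.ServiceModel;

[ServiceContract]
public interface IListService
{
    [OperationContract]
    string Describe();
}

public class ListService : IListService
{
    public string Describe()
    {
        ServiceSecurityContext ssc = ServiceSecurityContext.Current;
        // Calls on the anonymous endpoint have a null or anonymous context; calls on the
        // Windows endpoint carry the AD user, so the same operation can scope its answer.
        if (ssc == null || ssc.IsAnonymous)
            return "public view";
        return "full view for " + ssc.WindowsIdentity.Name;
    }
}

public static class DualEndpointHost
{
    public static ServiceHost Create(Uri baseAddress)
    {
        var host = new ServiceHost(typeof(ListService), baseAddress);

        // Endpoint 1 (.../windows): AD clients, Windows credentials over plain HTTP.
        // Switch to BasicHttpSecurityMode.Transport and an https base address to encrypt traffic.
        var windows = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        windows.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        host.AddServiceEndpoint(typeof(IListService), windows, "windows");

        // Endpoint 2 (.../anonymous): clients outside the domain, no credential at all.
        // Whatever this endpoint exposes is reachable by anyone who can reach the host.
        var anonymous = new BasicHttpBinding(BasicHttpSecurityMode.None);
        host.AddServiceEndpoint(typeof(IListService), anonymous, "anonymous");

        return host;
    }
}
```

Self-hosting keeps both endpoints in one process because WCF, not IIS, does the authentication. Under IIS the answer's caveat applies: the site's own authentication settings (Windows vs. Anonymous) are per site/application, so the two endpoints usually end up in two applications.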

Can WCF do WindowsAuthentication with username password?

I'm building a WCF service that is meant to run in an intranet environment using Windows Authentication. I have been merrily working along with some kind of default settings on the local computer.
Problem now is that I need to test it installed to an off site demo computer. I just need to get it running with username password used against the wcf service computer's user accounts.
This is my client code:
using (ImportServiceClient client = new ImportServiceClient("ImportServiceSoap12", REMOTE_ADDRESS))
{
client.ClientCredentials.Windows.AllowNtlm = true;
client.ClientCredentials.Windows.ClientCredential =
new NetworkCredential(userName, password, computerName);
result = client.Sync(items.ToArray());
}
Is it possible to configure the WCF service such that it translates the credential to a Windows account on its machine?
I've been reading contradicting posts here and there, but I feel rather sure IIS shouldn't be part of the authentication. I'm unsure whether the ASP.NET authentication node applies or if it's all binding configuration.
Ideally I'd like it to be an NTLM type authentication so that I wouldn't need to set up https.
Is it possible to configure the WCF service such that it translates the credential to a Windows account on its machine?
No. Integrated Windows Authentication requires that both the server and the client are part of the same domain (or domains with a trust relationship, in any case). You can't usefully run IWA against local computer accounts on the server.
You will have to use some other (potentially custom) form of authentication and then impersonate to the user you want to run as in the server code.

WCF Service - authentication / SSPI error

When I run my WCF service on my local machine, it works fine. When I deploy the same files to our test server, I get this error when my test client tries to connect to the WCF service:
Security Support Provider Interface (SSPI) authentication failed. The
server may not be running in an account with identity 'host/Server01'.
If the server is running in a service account (Network Service for
example), specify the account's ServicePrincipalName as the identity
in the EndpointAddress for the server. If the server is running in a
user account, specify the account's UserPrincipalName as the identity
in the EndpointAddress for the server.
What does this mean and what area should I be looking to fix? I played around with the web.config identity section, but I'm still unsure what is needed.
I got a similar error before, but the message is somewhat different.
Right click on the application pool the web site is running under, click on Property then go to the Identity tab. Try to put the "host/Server01" identity in and see if that helps.
This error can also happen for Microsoft Dynamics GP Web Services. In our case, it turns out that the person who set up the GP Web Services used his personal user account as the service account. When he changed his password, it broke the web services.
So, check your user identity and password if your web service used to work but no longer works.
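Worked example (added; not code from the question or the answers): the client-side fix the error message asks for, an EndpointAddress that names the principal the server process really runs as, and a server-side line that logs that principal so the two can be compared. "host/Server01" comes from the error text; the UPN and URI are placeholders.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

public static class ServerIdentityHelper
{
    // The identity tells the client's SSPI negotiation which principal to expect. It must match
    // the account the server process runs as: an SPN (host/Server01) for Network Service or a
    // machine account, a UPN (user@domain) when the app pool runs as a user account.
    public static EndpointAddress WithIdentity(Uri serviceUri, string principal, bool serverRunsAsUserAccount)
    {
        EndpointIdentity identity = serverRunsAsUserAccount
            ? EndpointIdentity.CreateUpnIdentity(principal)   // e.g. "svc-gp@example.local" (placeholder)
            : EndpointIdentity.CreateSpnIdentity(principal);  // e.g. "host/Server01" (from the error text)
        return new EndpointAddress(serviceUri, identity);
    }

    // Message-security wsHttpBinding defaults to Windows client credentials, the case that
    // produces the SSPI error when the expected and actual server identities disagree.
    public static T CreateChannel<T>(Uri serviceUri, string principal, bool serverRunsAsUserAccount)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        var factory = new ChannelFactory<T>(binding, WithIdentity(serviceUri, principal, serverRunsAsUserAccount));
        return factory.CreateChannel();
    }

    // Call this once at service start-up on the server and write the result to the log;
    // it is the value the client's endpoint identity has to match. A personal account showing
    // up here is the failure mode the last answer describes (password change breaks the service).
    public static string ServerProcessIdentity()
    {
        return WindowsIdentity.GetCurrent().Name;
    }
}
```

The same setting in configuration goes on the client endpoint as `<identity><servicePrincipalName value="host/Server01"/></identity>` (or `<userPrincipalName value="..."/>` for a user account). Changing the app pool identity on the server, as the first answer suggests, is the other way to make the two sides agree; either way, prefer a dedicated service account with a non-expiring or managed password over anyone's personal login.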