ServiceStack : BasicAuth and Security - authentication

I would like to authenticate user trying to use my SS web services. I found the sample code and followed PLURALSIGHT tutorial but I was wondering if user/password used during first connection is encrypted or something on the network?
At this time we used to secure our WCF with certificates but THAT'S A REAL PAIN! and at the same time passing user/password on each WS is a security failure.
How does SS manage security of authentications parameters? Can I use it like that without worrying about possible security failure?

Credentials will be sent plain text and it is expected that you configure SSL for the authentication traffic.

ServiceStack is just a standard ASP.NET or HttpListener web application. The standard way to encrypt HTTP traffic in any Web Application is to call your services over https. HTTPS is enabled/configured outside of your ServiceStack service (i.e. Web Application layer) so ServiceStack itself doesn't require any special attention when enabling SSL.
Setting up HTTPS on ServiceStack is the same as any other IIS/ASP.NET or HttpListener application. In both cases HTTPS is a transport layer security (TLS) protocol that is enabled at the WebServer/Host level (e.g. IIS) and not in your web application (e.g. ServiceStack). So when seeking how to enable SSL you should be looking on how to enable it at the WebServer host level, e.g. IIS, Nginx, HttpListener, etc (and not ServiceStack).
E.g. If you've got ServiceStack hosted in an ASP.NET Host, than a simple search for IIS SSL on Google will provide plenty of instructions and walk throughs like this one. If you've got ServiceStack hosted in a self-hosted HTTP Listener, see this answer instead.

If your service is being consumed in an Enterprise environment and if you have AD, you can consider using WSHttpSecurity binding with binding configuration set to use Windows Credentials. This can eliminate the use of certificate. If your service is cross-enterprise and you dont have AD, you will have to do certificates
If you are doing Windows credential type, here's a sample config
<security mode="Transport">
<message clientCredentialType="Windows" />
</security>

Related

WCF security with load balancer

We need to create a WCF service (.NET 4.0) that will be consumed by a client outside of our organization.
The case is that we have two servers that are behind a load balancer which terminates the SSL. This is where it gets confusing for me.
How we could and should handle the authentication?
The previous experience about WCF is only about services for internal use. If I understood correctly we should use basicHttpBinding to guarantee interoperability with Java based client. I don't know if this is an issue with JAX-WS based client.
There will only be this one client that is going to use the service.
We need to somehow ensure that caller is authenticated to use the
system
Make sure the message is encrypted when moving in public network
So far the best article that I found was
http://devproconnections.com/net-framework/wcf-and-ssl-processing-load-balancers
There were few suggestions how to do this.
WCF services can be configured for basic authentication and receive credentials in the clear over HTTP. This can work; however, it precludes passing credentials in the message, and the use of more interesting credentials (such as issued tokens).
We use forms authentication on our website under which the service will be hosted. I think it is not easy or even possible to make the service then use basic authentication.
WCF services can be configured to fake the presence of transport security so that the runtime will allow receiving message credentials without transport or message protection
Will this be the way to go and will this work with basicHttpBinding?
The client and server binding will be different. The client binding will use username auth in eitehr message or transport level with transport security (ssl):
<bindings>
<basicHttpBinding>
<binding name="NewBinding0">
<security mode="Message" />
</binding>
</basicHttpBinding>
</bindings>
then the server config will use the same config but without the transport security. If you chose to use message security then check out WCF ClearUsernameBinding. If you use trasnport security (basic http) then set mode="TransportCredentialOnly".

WCF Message Security continues to work with certificate removed

I'm developing a product that consists of a WCF service and several WCF clients deployed to different locations. In order to secure the service, I configured WCF to use Message Security via certificates.
In detail, these are my service configuration files:
Web.config, App.config
This is working fine as far as I can tell, even when the certificate is stored on a SmartCard (WCF even pops up a dialog asking me to enter the SmartCard's PIN in order to unlock the certificate).
But removing the SmartCard after the initial security negotiation took place does not have any effect on the connection - I can still invoke methods on the web service.
What's happening?
Does WCF message security work similar to HTTPS, where a symmetric key is established during the initial security negotiation and after that, the certificate is no longer needed?
Or could it be that I have set up the service to only use the certificate to authenticate the client, but messages aren't encrypted at all?
It is because your security configuration uses security context (default for WsHttpBinding). Security context (implementation of WS-SecureConversation) indeed works similarly to HTTPS. It uses certificate only to initial authentication and generation of security token which is used to secure following communication from the same service proxy instance. The context is established be service proxy instance and it also establish WCF session which is subject of timeout.
<security mode="Message">
<message clientCredentialType="Certificate" negotiateServiceCredential="false" establishSecurityContext="false" />
</security>
Try setting the establishSecurityContext to false.

Authentication settings in IIS Manager versus web.config versus system.serviceModel

I have a WCF web service, and I want to use Basic authentication. I am getting lost in the authentication options:
In IIS 6 Manager, I can go in to the properties of the web site and set authentication options.
In the web site's web.config file, under system.web, there is an <authentication mode="Windows"/> tag
In the web site's web.config file, under system.serviceModel, I can configure:
<wsHttpBinding>
<binding name="MyBinding">
<security mode="Transport">
<transport clientCredentialType="Basic"/>
</security>
</binding>
</wsHttpBinding>
What is the difference between these three? How should each be configured?
Some context: I have a simple web site project that contains a single .svc web service, and I want it to use Basic authentication over SSL. (Also, I want it to not use Windows accounts, but maybe that is another question.)
The first two are really about access to an ASP.NET virtual directory or virtual application in IIS6 - that has basically nothing to do with WCF (WCF is actually not part nor dependent on ASP.NET). The settings control how the HTTP request coming into the IIS6 web server is being handled in terms of authentication. This basically controls whether anonymous callers from the internet can just call in without authenticating, or whether they need to enter username/password, or whether only callers with a valid Windows identity in this domain are allowed in.
The only reason this is interesting to your WCF service is the fact that when you host the WCF service in IIS (only one of the many options), then you have a (myservice).svc file that needs to reside inside a virtual directory. Of course, access to that SVC file is controlled by the authentication settings of IIS6/ASP.NET.
The security mode inside the <wsHttpBinding> section is the security-related definition of how the WCF service will communicate with its clients. Mode=Transport means, you're securing the actual transport layer - typically using SSL - not each message separately. This setting works great in Intranet scenarios where you have all clients behind a corporate firewall - but it won't work too well in Internet scenarios, since you can't really control the whole chain from the client (anywhere on this planet) over a series of intermediary hops to your server - you just can't. In this case, you'd have to use Mode=Message which basically encrypts and signs each message that goes over the wires - that works over any number of routers and relays along the way from the point of origin to your server.
The first two are related, if they don't match your service will not be able to activate. If you choose Windows authentication obviously there is an assumption that you will be tied to a windows domain or local machine.
Since you are going to be doing SSL basic authentication you are going to set this to None and then configure your transport security.
Your one stop shop for setting up transport + basic authentication
MSDN Article on Transport+Username + Windows Forms
I am not sure if you are still planning out how you are going to be doing security but i would recommend thinking about using message security versus transport(personal bias toward message security)..
Transport vs Message Comparison
Patterns & Practices on Message and Transport Security

WCF - Why netTCPBinding works fine with Kerberos authentication without any SPN setting?

In one of our networks we are utilizing the netTCPBinding. The WCF service hosted in windows service that run as a domain account.
From the event viewer I can see that my WCF service uses Kerberos authentication. Everything works seamlessly "out-of-the-box" with simple default configuration without an <identity> element in the configuration file and without any SPN setting for the machine like:
setspn -a WcfServiceName//Server domaonAccount
But from the multiple online references I concluded that SPN setting is necessary
Its not clear, why in my case it works without those settings?
Looking forward for an explanation from WCF-Security experts.
Per the WCF Security Guidance:
netTcpBinding : Specifies a secure, reliable, optimized binding suitable for
cross-machine communication. By default, it generates a runtime
communication stack with transport security and
Windows authentication as default security settings. It uses
TCP protocol for message delivery, and binary message
encoding.
In essence, its secure by default, callers must provide Windows creds for authentication.

How to configure security when calling WCF Service from .Net 2.0 Client

I have a WCF service up and running and am able to communicate between the service and a .Net 2.0 Client using basicHttpBinding.
I now need to lock down the WCF service so that it can only be called by authenticated clients.
I have control over the clients that will be calling my service. The clients are part of a product that will be installed in the wild and "phoning home" to push and pull data. The client app is written for .Net 2.0 framework and cannot be upgraded to 3.0 or 3.5 at this time. I cannot add windows user accounts to the client machines.
What are my options for securing the WCF Service and being able to authenticate from my .Net 2.0 clients? Also, data needs to be passed over https.
I've been searching the web, and feel like I'm on a wild goose chase.
You can configure a WCF endpoint to use 2-way SSL authentication. That means that you can require clients to present an X.509 certificate that confirms their identity whenever they make a request to the service.
On the server side of things, you can use one of the built-in validation schemes in WCF or provide your own validation logic to check the X.509 certificate.
If you were hosting your service in IIS, it would be trivial to configure SSL to require client certificates at the transport-level. However, you can find a good guide on how to implement this behaviour in a self-hosted WCF service here:
http://leastprivilege.com/2007/08/25/certificate-based-authentication-and-wcf-message-security/
I haven't tried this myself but, since this creates a security requirement at the message-level, I think you will have to use wsHttpBinding to enforce it in your WSDL contract, since imposing security requirements to access a web service is part of the WS-* standards.
If you have to use basicHttpBinding, you can try this solution instead that moves things up at the transport-level:
http://leastprivilege.com/2007/08/26/certificate-based-authentication-and-wcf-mode-independent/
Hope this helps
OK so, with SSL you have transport level security; which is fine, that protects the message from sniffing and changing.
So now you have options; do you need the validation to be silent, or can you prompt the user for a username/password when your program starts? If it must be silent then you can go the client side certificate as mentioned (although that is painful, you will need to generate the certificates yourself and validate them, so you need to look at running your own certificate authority). Or you can embed a custom header in the message which contains a client ID and do it the kludgey way.
If however you can prompt for a username and password then you authenticate that way and plug it into a database lookup quite easily using a custom authenticator, or even using the ASP.NET membership database.
Here is what I ended up doing which seemed to be the simplest solution in our situation, which is pretty small scale with only a handful of web services exposed:
Secured the transport with SSL
Clients first login to the web service by calling a Login method on the web service. If the login succeeds, it returns an encrypted FormsAuthenticationTicket to the client.
Clients must then supply the forms authentication ticket with each web service call. Each method checks if the ticket is valid and if so it does its work. If the ticket has expired or is invalid, clients must re-authenticate.
Hope that helps someone...
You security will be covered by the ssl.
For authentication you have two options - basic (username and password) or certificate.
Here is a video that demonstrates configuring certificate authentication.
In that you are configuring the security elements of the basicHttpBinding shown below:
<basicHttpBinding>
<binding name="basicHttp">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="Certificate"/>
</security>
</binding>
</basicHttpBinding>
There is also a good page on this here. Google on clientCredentialType and you should find yourself on the right track soon enough.
For setting up the client certificates you are after the wse* policy file.
You will need to work out how you will provide the client certificate to the various sites.- that depends on security concerns of the project. There are various ways (none of which I can remember sorry, I last did this for wse* to wse* about two years ago so the details are forgotten, but it is certainly possible, took a few days solid research to find a good method).
Using SSL certificate is the only option for .NET 2.0 client accessing WCF service as basicHttpBinding provides no security. By using SSL, you are securing the whole transport channel.
Check the link http://www.codeplex.com/WCFSecurityGuide/Release/ProjectReleases.aspx?ReleaseId=15892 . It covers WCF Security covering all scenarios.
To get free SSL certificate please visit http://www.comodo.com/ or http://www.instantssl.com/ and try out in your application.