I've configured my SSAS connection to use HTTP and everything works fine. The problem is that the connection is very slow when I'm using just Basic Authentication and passing the username and password as part of the ConnectionString. If I change MSMDPUMP.dll IIS app to use Anonymous Authentication, the connection works "as fast" as without HTTP. Again, the problem is that Anonymous Authentication is not acceptable for me and I really need Basic Authenticated security.
What's happening with the Basic Authentication and is there a way to make it faster? The solution is unusable at the moment.
Related
I've read some about authentication and authorization inside of asp.net web api and I've understood that i basically must use ssl in order for not letting people get hold of the authentication tokens. And if i'm not misstaken theese authenticantokens are sent inside of the header? and SSL hides theese headers for the public not to to catch up if they use some tools for internet listening? If thats the case i guess i could create a "custom" authentication by not allowing the api to run unless a specific header is sent with the api call? Which people shouldn't be able to catch up if i use ssl?
I realized I've used alot of questionmarks but it is just to illustrate where my unclear thoughts are, any help or input is highly appreciated, thanks!
Authentication, Authorization and securing the connection over SSL are 3 different parts of a web application.
Authentication
Basically authentication handles who you are. For example with a login you provide a user and a password. The application knows now, who you are.
Authorization
Authorization manages the access rights for the user. It says, on what you have access. For example if you've provided the correct credentials, you are authenticated, but maybe not authorized for everything.
SSL
SSL is securing the connection like you said. You can't sniff (with WireShark or Fiddler) the network traffic if it's over HTTPS. This is a setting on your IIS on which the web api application is running. You don't need to create a "custom" authentication.
I hope this helps.
I will state up front that this is a well discussed topic however I have been unable to find the answer I need. I have created a winforms app that makes WCF calls to a server. All works fine with no http proxy as well as an http proxy present (non-authenticating). I did no extra coding to achieve this since many problems with proxies were fixed after .NET 1.1. It just works by accepting the Internet Options (from IE). This is my primary goal. I want the proxy config to "just work" including authentication. Right now, proxy with auth fails. I do not want to programmatically specify credentials, server names, port, etc... It was pointed out here
How should I set the default proxy to use default credentials? that the following entry is needed:
<system.net>
<defaultProxy useDefaultCredentials="true" />
</system.net>
I've got this in my app.config but not having success. I'm using squid as my proxy server and I have it setup with Basic authentication. With this setup, I am forced to programmatically provide username/password (don't want this). I know how to do this and I can get it to work but that's not the point. I would like all settings to be discovered including my current credentials I used to authenticate with windows. The following has an interesting answer Web service calls and proxy authentication in the real world. It states that if IE had to prompt for username and password then so would my application. In fact, IE DOES prompt for username and password. I found good info here as well http://blogs.msdn.com/b/stcheng/archive/2008/12/03/wcf-how-to-supply-dedicated-credentials-for-webproxy-authentication.aspx. I'm going wrong somewhere. If Basic Auth is wrong, then what type of authentication would allow everything to "just work".
After more research, you really can't do what I'm trying to do across authentication protocols. The following MSDN page http://msdn.microsoft.com/en-us/library/system.net.credentialcache.defaultcredentials.aspx points that out. Understandably, basic auth if very old and not supported for calls to DefaultCredentails according to this page, but I'm deploying to users that might be running XP with older proxy servers. I will have to provide my user base with a manual method to configure user/password for basic auth with a proxy server. I believe what I'm trying to achieve is certainly doable with NTLM and Negotiate type auth methods. The bottom line is you have to manually provide user/password with basic auth with code like this:
WebRequest.DefaultWebProxy.Credentials = new NetworkCredential("user", "password123");
I'm currently using Thinktecture's Identity Server as a security token service to handle the issuing of tokens based on username and password claims. This fits perfectly for a scenario where the authenticating client is an actual user authenticating against a web application for instance, but I'm now interested in scenario for when the authenticating party happens to be an independent process on the server that needs to establish a security token to pass to another server process. I'm ideally after a few pieces of advice here:
1. Is this a valid approach to authentication for server processes communicating with each other?
2. What if I were to move one of the server processes to a different machine talking across a TCP boundary instead perhaps? Is this approach still valid.
3. What ClaimTypes would I use for authentication of the process? And is the Thinktecture Identity Server happy to authenticate against these? I assume I'll probably have to write a custom authentication extension to it to do so...
Thanks very much,
Clint.
One of IdentityServer's authentication protocols is the "simple http" -- you pass in credentials and get back a token. This might be what you want.
Oh, there's also the WS-Trust endpoints as well.
I am trying to call a Sharepoint Web Service via WCF from inside a .ASHX on a different server. My code works if I run inside of Visual Studio's debug web server, but not from IIS. The working server works in various authentication modes (Kerberos, NTLM), and the non-working one doesn't work in any. I am impersonating the same user in both cases.
Using NTLM, I recorded a working session and non-working session in Wireshark. In the working one, Wireshark parses the NTLM data and reports a DOMAIN and USER NAME that I expect. In the non-working one, it shows
DOMAIN: NULL
USER NAME: NULL
I have debugged in IIS and impersonation is definitely working at the point of the service call. If I check WindowsIdentity.GetCurrent(), it's the user I expect.
If I inspect the WCF service proxy on the working and non-working servers, they look identical -- the part that deals with ClientCredentials is set to "" for Username and Password for both versions.
Any ideas on what else to check? Why would the NTLM data have DOMAIN and USER NAME set to NULL -- where does it pick that up from?
According to this:
http://support.microsoft.com/kb/207671
When IIS services an HTTP request, IIS performs impersonation so that access to resources to handle the request is limited appropriately. The impersonated security context is based on the kind of authentication performed for the request. The five different types of authentication available from IIS 4.0 are:
Authentication Type Impersonation Type
------------------------------------ ---------------------
Anonymous Access (no authentication) Network
Auto Password Synchronization is
ON (ON=default)
Anonymous Access (no authentication) IIS Clear Text
Auto Password Synchronization is OFF
Basic Authentication IIS Clear Text
NT Challenge/Response Authentication Network
Client SSL Certificate Mapping Interactive
In my case, I have a Network Token, but
Network tokens are "NOT" permitted to access network resources. (Network tokens are named so because this kind of token is traditionally created by a server when a user is authenticated across the network. To allow the server to use a network token to act as a network client and access another server is called "delegation" and is considered a possible security hole.)
The KB has many possible ways to avoid the problem
I am currently following this scenario
Instead of a Windows Forms client, I have an ASP.NET MVC web app.
I am a little worried about the sending of the username and the password
on every call to the Web Service.
That means I will have to carry this information all the time in the session.
Wouldn't that be little security problem ?
Why would you have to carry the credentials all the time in the session? According to the example you're following, they're being set in the proxy (when it's created).
If you're worried about having to cache the credentials for recreating the proxy as needed, then you can cache an instance of ChannelFactory, and then generate new proxies from that instance as needed.
Regardless of what path yout take, the credentials are going to have to be stored somewhere, somehow, unless your application prompts the user for their credentials for every WCF operation.
You can implement WS-Security in your service.
This means you can send user credentials in the header of the message encrypted. Lots of examples out there for this.