I have enabled the ASP.Net authentication service, as recommended by msdn. I am then attempting to use the service via a console app or winforms app (by adding a service reference to my local WCF service). I am doing custom authentication and transport security (so I am handling the AuthenticationService.Authenticating event in my Global.asax which works fine).
The authentication itself works fine, but the proxy created by adding the Service Reference does not include the CookieContainer property. This is obviously a problem when I try to pass the cookie token to subsequent services which require authentication.
Also, in the following client code, the IsLoggedIn() returns false, I'm guessing this is related to no cookie container being present.
ServiceReference1.AuthenticationServiceClient client =
new ServiceReference1.AuthenticationServiceClient();
bool isLoggedIn = client.Login("test", "test", "", true); //returns TRUE
bool check = client.IsLoggedIn(); //returns FALSE
Here is my web.config on the service:
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.web.extensions>
<scripting>
<webServices>
<authenticationService enabled="true"
requireSSL = "false"/>
</webServices>
</scripting>
</system.web.extensions>
<system.serviceModel>
<services>
<service name="System.Web.ApplicationServices.AuthenticationService"
behaviorConfiguration="AuthenticationServiceTypeBehaviors">
<endpoint contract="System.Web.ApplicationServices.AuthenticationService"
binding="basicHttpBinding"
bindingConfiguration="userHttps"
bindingNamespace="http://asp.net/ApplicationServices/v200"/>
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="userHttps" allowCookies="true">
<!--<security mode="Transport" />-->
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="AuthenticationServiceTypeBehaviors">
<serviceMetadata httpGetEnabled="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
</system.serviceModel>
</configuration>
EDIT: Something else I should add, I did a Fiddler session of the service calling the Login method, and the cookie is being set and sent back to the client. But what am I supposed to do with no CookieContainer?
When this option is enabled the client will make sure all cookies received from a given web
service are stored and properly sent on each subsequent request in a transparent fashion.
But there is a catch: the cookie is only handled in the conversation with one web service.
What if you need to send the same cookies to different web services?
If you need to send the same cookies to multiple services, read this article: http://megakemp.wordpress.com/2009/02/06/managing-shared-cookies-in-wcf/
You need to configure the binding to allow cookies.
<system.ServiceModel>
<bindings>
<basicHttpBinding allowCookies="true">
</bindings>
Apparently, when adding a Service Reference (.Net 3.5+) to a WCF service on a client, the proxy class derives from System.ServiceModel.ClientBase. This class does not have a CookieContainer property (because the ClientBase supports non-HTTP protocols that have no concept of cookies).
http://netpl.blogspot.com/2011/11/managing-cookies-in-wcf-client.html
I could add a Web Reference instead, which would use the .Net 2.0 proxy class (and has CookieContainer property exposed) http://msdn.microsoft.com/en-us/library/bb628649.aspx. But I will most likely revisit my approach entirely and use custom headers and service behaviors to accomplish my goal.
Another option is to access the cookie container for the underlying channel like this:
var cookieManager = client.InnerChannel.GetProperty<IHttpCookieContainerManager>();
cookieManager.CookieContainer.Add(new Cookie(....));
For the above manager to be present, you need to set AllowCookies to true, e.g.:
<system.ServiceModel>
<bindings>
<basicHttpBinding allowCookies="true">
</bindings>
Related
I have a MVC application which uses forms authentication. This application also hosts a WCF webservice (the Model). Webservice caters c# objects to the application, and same data is available as JSON when called from outside the application (browser).
Everything is working fine apart from the fact that the Webservice is not authenticating any request. Following is the what I have in web.config:
<system.serviceModel>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
<behaviors>
<endpointBehaviors>
<behavior name="ServiceBehavior">
<webHttp />
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<webHttpBinding>
<binding name="webHttpBindingWithJson" crossDomainScriptAccessEnabled="true" />
</webHttpBinding>
</bindings>
<services>
<service name="Services.MyService">
<endpoint address="http://localhost:1234/MyService.svc/" binding="webHttpBinding"
bindingConfiguration="webHttpBindingWithJson"
contract="Services.IService"
behaviorConfiguration="ServiceBehavior"/>
</service>
</services>
I would like to authenticate Webservice requests:
Requests from within the application should be authenticated automatically
When Webservice is called from outside the application, users are asked to get authenticated.
Any help would be appreciated.
/D
Sounds like you need an internal endpoint that serves a wsdl for the binding in to the website (authenticated using the ASP.NET identity the website is running under) and a separate binding externally for the JSON requests that uses something like OAuth to authenticate.
Either way you're looking at two different authentication mechanisms.
I am trying to configure a basic IIS 7 hosted WCF service that uses Windows Authentication to authorize users. I have seen many examples that demonstrate how to flow credentials using basicHttpBinding with <security mode="TransportCredentialOnly"> and SSL. When I configure my service to use TransportCredentialOnly, I get the following error if I try to view the svc file in IE:
Could not find a base address that matches scheme http for the
endpoint with binding BasicHttpBinding. Registered base address
schemes are [https].
I am hosting in IIS 7. SSL is configured with a valid certificate. Windows Authentication is on. Anonymous authentication is off. Application pool is ASP.Net v4.0 running under the ApplicationPoolIdentity
Here is the config file for my service:
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode="Windows" />
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
</roleManager>
</system.web>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="svcTest" >
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" httpsHelpPageEnabled="true" httpHelpPageEnabled="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpEndpointBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service name="WCF_Test.Service1" behaviorConfiguration="svcTest">
<endpoint name ="Service1Endpoint"
address="EndpointTest"
binding="basicHttpBinding"
bindingConfiguration="BasicHttpEndpointBinding"
contract="WCF_Test.IService1">
</endpoint>
</service>
</services>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>
If I change the binding to use Transport instead of TransportCredentialOnly then I am able to view my service file in IE. I can then create a proxy to my web client and call a method on the service from my client and attempt to authorize the user from the service method using this code:
if(System.Web.Security.Roles.IsUserInRole(#"Admins"))
This code does not work because it uses the identity of the account running IIS on the server (IIS APPPOOL\ASP.NET v4.0) and not that of the user calling the web service from a web page.
How do I configure IIS 7 with a valid SSL certificate to use basicHttpBinding with security mode="TransportCredentialOnly"?
How do I flow my users Windows credentials client to the web service so I can authorize users on the web service using this code?
[PrincipalPermission(SecurityAction.Demand, Role = "Admins")]
or this code
if(System.Web.Security.Roles.IsUserInRole(#"Admins"))
Any help would be greatly appreciated.
Thank You
Probably the problem is in the configuration of IIS, before it gets to your code or your web.config.
If IIS has anonymous authentication turned on, the request coming into ASP.net will look like it came from the user identity of IIS.
In the IIS config you must turn off anonymous authentication and turn on windows authentication.
My guess is you need to use the basicHttp s Binding instead.
We are trying to create a WCF service that is only accesible by specified windows groups.
How can this be configured in the server web.config and the client configuration?
Note: We want to be able to control the windows groups who are allowed access in the server web.config not in code. Also, we dont want/need SSL at all.
Ive googled around and then best examples I can find are all like this...
WCF Service, Windows Authentication
But that doesnt explain how to limit access only to a specific group or groups.
If this is intranet application you can use netTcpBinding:
<services>
<service name="YourService"
behaviorConfiguration="YourServiceBehavior">
<endpoint
binding="netTcpBinding"
bindingConfiguration="SecureTransportWindows"
contract="YourContract" />
</service>
</services>
<bindings>
<binding name="SecureTransportWindows">
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="YourServiceBehavior">
<serviceAuthorization principalPermissionMode="UseWindowsGroups" />
</behavior>
</serviceBehaviors>
</behaviours>
And then in service code you can demand windows role:
class YourService : YourContract
{
[PrincipalPermission(SecurityAction.Demand, Role="MYDOMAIN\Administrators")]
public string SecuredOperation(string name)
{
return "secured operation";
}
}
If you need to set it in config then you must implement custom authorization:
<behavior name="YourServiceBehavior">
<serviceAuthorization principalPermissionMode="Custom">
<authorizationPolicies>
<add policyType="YourCustomAuthorizationPolicy"/>
</authorizationPolicies>
</serviceAuthorization>
</behavior>
And in code implement IAuthorizationPolicy interface:
public class YourCustomAuthorizationPolicy : IAuthorizationPolicy
{
//you need to check msdn
}
Ok this is the solution we came up with. Although it does involve a code change (adding the AspNetCompatibilityRequirements attribute) we can now acheive configuration of the groups/roles in the web.config file rather than hardcoding.
There are a number of steps to this...
1) Add the aspNetCompatibilityEnabled attribute into the serviceHostingEnvironment element and set to true, e.g....
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
This tells the WCF service to running in ASP.NET Compatibility Mode and participate fully in the ASP.NET HTTP request lifecycle. See this MSDN article for full details.
2) In the WCF code add AspNetCompatibilityRequirements attribute to the service class as per the link above and as specified in this MSDN article...
<AspNetCompatibilityRequirements(RequirementsMode:=AspNetCompatibilityRequirementsMode.Allowed)>
3) Now we can add the usual ASP authorization element in to restrict access to the specified groups/users (without the settings (1) and (2) above, this would be ignored by WCF)...
<system.web>
<authorization>
<allow roles="MYDOMAIN\WCFAuthenticatedUsers" /> <-- allows access to users in this group
<deny users="*" /> <-- denies access to all other users
</authorization>
</system.web>
This is driving me nuts. I have a .net 4, wcf service that is outputting jsonp. It works using the built in web server with vs.net however if i try to host in iis7 on windows 7 64bit i don't get any response.
If I try to navigate to svc file while hosted in iis7 I get
"Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service."
If trying to access via client jquery jsonp request i don't get any response from the service being hosted in iis7
So, the configuration of the service (web.config) is fine when hosted within vs.net web server (just doesn't work with iis)
Here is the config
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="webHttpBehavior">
<webHttp />
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<webHttpBinding>
<binding name="webHttpBindingWithJsonP" crossDomainScriptAccessEnabled="true" />
</webHttpBinding>
</bindings>
<services>
<service name="ServiceSite.CustomersService">
<endpoint address="" binding="webHttpBinding"
bindingConfiguration="webHttpBindingWithJsonP" contract="ServiceSite.CustomersService"
behaviorConfiguration="webHttpBehavior"/>
</service>
</services>
</system.serviceModel>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
The site must be ntlm/windows secured.
I added the following to the web.config bindings section
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Ntlm"/>
</security>
When browsing the svc file I now get Cross domain javascript callback is not supported in authenticated services
Really? Is this true jsonp is not supported?
This is probably symptomatic of misconfiguration of the web site. Go to Authntication feature of the website on the IIS Manager and make sure it is setup.
I'm pretty sure because of how JSONP cross domain works with today's shortcomings that you always have to implement your own custom security system.
I use SSL and HMAC security for JSONP cross domain authentication. I do the authentication myself on the service.
When doing JSONP you cannot set headers, or anything, on the request because it's done through adding tags, not an actual XMLHTTP request object.
I have a Silverlight 4 client that invokes several WCF services. We want the communication to be encrypted using SSL (I have this part solved already) and that every call be authenticated against AD LDS (ADAM), do you have any simple example showing how to make this work? There's plenty of documentation on the oh-so-many WCF options but I haven't been able to find a simple working example of this particular (but I think very common) scenario (SSL encryption + ADAM authentication + Silverlight). Any help or pointers greatly appreciated.
You can use CustomUserNameValidator in WCF:
http://msdn.microsoft.com/en-us/library/aa702565.aspx
http://nayyeri.net/custom-username-and-password-authentication-in-wcf-3-5
and in Custom Validator's Validate Method you can query ADAM to authenticate user.
Regards.
Try this link on the Codeplex website, it seems like the setup and configuration for the scenario you've described. It provides a thorough checklist of all of the required settings:
Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
If this isn't you exact scenario, take a look at the following section that may fill the gaps:
Application Scenarios (WCF Security)
The answer may depend on how you will handle permissioning, since you use ASP.net's membership provider for these functions.
If you want claims based authorization ADFS 1.0 (not 2.0) supports ADAM. If you want a STS that has more options try codplex's StarterSTS
If you want to use Role-Based Administration, try Enterprise Library from Microsoft P&P, the ASP.net membership provider, or direct COM access to Authorization manager (formerly known as AzMan)
I prefer & use the claims-based approach:
Use ActiveDirectory + ADFS 2.0
(why not use the built in fault tolerance and replication of AD?, ADAM is a pain)
Silverlight Implementation of Ws-Trust as documented here:
http://www.leastprivilege.com/UsingSilverlightToAccessWIFSecuredWCFServices.aspx
Edgar, I'm also interested in any results you had, I am at the same place you were in.
Shoaib, I have looked at this but I think it is less desirable than using just the .config via ActiveDirectoryMembershipProvider, as then you are just using off the shelf components, not writing your own security system.
EDIT:
I hope this helps someone. I can't belive there is not a good example of this on the internet. It is simple enough. As I said before this is superior to using a custom authentication system.
Using AD LDS (ADAM) authentication with Silverlight compatible WCF calls (non wsHttp)
Client side:
1) Invocations from Silverlight look like this, this works if you are using the Channel Factory too.
var client = new MyWCFServiceClient();
client.GetPersonCompleted += client_GetPersonCompleted;
client.ClientCredentials.UserName.UserName = username;
client.ClientCredentials.UserName.Password = password;
client.GetPersonAsync();
2) return values from server will have an Error property if the login fails. If the user lookup fails, the error is something confusing like “at least one security token could not be validated”. Since your server side code is not able to re-wrap this (as it's all happening in the web.config) it is better for your client code to catch System.ServiceModel.Security.MessageSecurityException and interpret it as a login failure, or check the InnerException message to make sure it is the "security token" thing.
void client_GetPersonCompleted(object sender, GetPersonCompletedEventArgs e)
{
if (e.Error == null)
{
// do stuff with e.Result;
}
if (e.Error is MessageSecurityException)
{
// Your login did not work
}
}
Server side:
1) The WCF service class must have
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)] or Required
2) you have to set up your LDS instance with SSL enabled, which is tricky. See: h't't'p://erlend.oftedal.no/blog/?blogid=7
3) web config - need to:
Add the LDS connection string
Add ActiveDirectoryMembershipProvider
Add <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
change your custom binding to include <security authenticationMode="UserNameOverTransport"/> see http://msdn.microsoft.com/en-us/library/dd833059(VS.95).aspx
Example:
<configuration>
<connectionStrings>
<add name="ADConnectionString" connectionString="LDAP://myserver:[SSL port number]/[where your user are in LDS, in my case: ‘OU=ADAM Users,O=Microsoft,C=US’]" />
</connectionStrings>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<membership defaultProvider="MyActiveDirectoryMembershipProvider">
<providers>
<add
name="MyActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnectionString"
connectionUsername="[domain]\[username]"
connectionPassword="[plain text windows password]"
connectionProtection="Secure"
/>
</providers>
</membership>
</system.web>
<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
<behaviors>
<serviceBehaviors>
<behavior name="MyServiceBehaviour">
<serviceMetadata
httpsGetEnabled="true"
httpGetEnabled="false" />
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceCredentials>
<userNameAuthentication
userNamePasswordValidationMode="MembershipProvider"
membershipProviderName="MyActiveDirectoryMembershipProvider"/>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<customBinding>
<binding name="myCustomBinding">
<security authenticationMode="UserNameOverTransport"/>
<!-- <binaryMessageEncoding /> this is optional, but good for performance-->
<httpsTransport />
</binding>
</customBinding>
</bindings>
<services>
<service name="MessageBasedSecurity.Web.MyWCFService" behaviorConfiguration="MyServiceBehaviour">
<endpoint address="" binding="customBinding" bindingConfiguration="myCustomBinding"
contract="MessageBasedSecurity.Web.MyWCFService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
</system.serviceModel>
</configuration>
I hope this helps someone. I welcome comments/improvements.