WCF service without SSL but with Windows Group authentication - wcf

We are trying to create a WCF service that is only accesible by specified windows groups.
How can this be configured in the server web.config and the client configuration?
Note: We want to be able to control the windows groups who are allowed access in the server web.config not in code. Also, we dont want/need SSL at all.
Ive googled around and then best examples I can find are all like this...
WCF Service, Windows Authentication
But that doesnt explain how to limit access only to a specific group or groups.

If this is intranet application you can use netTcpBinding:
<services>
<service name="YourService"
behaviorConfiguration="YourServiceBehavior">
<endpoint
binding="netTcpBinding"
bindingConfiguration="SecureTransportWindows"
contract="YourContract" />
</service>
</services>
<bindings>
<binding name="SecureTransportWindows">
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="YourServiceBehavior">
<serviceAuthorization principalPermissionMode="UseWindowsGroups" />
</behavior>
</serviceBehaviors>
</behaviours>
And then in service code you can demand windows role:
class YourService : YourContract
{
[PrincipalPermission(SecurityAction.Demand, Role="MYDOMAIN\Administrators")]
public string SecuredOperation(string name)
{
return "secured operation";
}
}
If you need to set it in config then you must implement custom authorization:
<behavior name="YourServiceBehavior">
<serviceAuthorization principalPermissionMode="Custom">
<authorizationPolicies>
<add policyType="YourCustomAuthorizationPolicy"/>
</authorizationPolicies>
</serviceAuthorization>
</behavior>
And in code implement IAuthorizationPolicy interface:
public class YourCustomAuthorizationPolicy : IAuthorizationPolicy
{
//you need to check msdn
}

Ok this is the solution we came up with. Although it does involve a code change (adding the AspNetCompatibilityRequirements attribute) we can now acheive configuration of the groups/roles in the web.config file rather than hardcoding.
There are a number of steps to this...
1) Add the aspNetCompatibilityEnabled attribute into the serviceHostingEnvironment element and set to true, e.g....
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
This tells the WCF service to running in ASP.NET Compatibility Mode and participate fully in the ASP.NET HTTP request lifecycle. See this MSDN article for full details.
2) In the WCF code add AspNetCompatibilityRequirements attribute to the service class as per the link above and as specified in this MSDN article...
<AspNetCompatibilityRequirements(RequirementsMode:=AspNetCompatibilityRequirementsMode.Allowed)>
3) Now we can add the usual ASP authorization element in to restrict access to the specified groups/users (without the settings (1) and (2) above, this would be ignored by WCF)...
<system.web>
<authorization>
<allow roles="MYDOMAIN\WCFAuthenticatedUsers" /> <-- allows access to users in this group
<deny users="*" /> <-- denies access to all other users
</authorization>
</system.web>

Related

WCF Service hosted in IIS 7 using basicHttpBinding and TransportCredentialOnly fails

I am trying to configure a basic IIS 7 hosted WCF service that uses Windows Authentication to authorize users. I have seen many examples that demonstrate how to flow credentials using basicHttpBinding with <security mode="TransportCredentialOnly"> and SSL. When I configure my service to use TransportCredentialOnly, I get the following error if I try to view the svc file in IE:
Could not find a base address that matches scheme http for the
endpoint with binding BasicHttpBinding. Registered base address
schemes are [https].
I am hosting in IIS 7. SSL is configured with a valid certificate. Windows Authentication is on. Anonymous authentication is off. Application pool is ASP.Net v4.0 running under the ApplicationPoolIdentity
Here is the config file for my service:
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode="Windows" />
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
</roleManager>
</system.web>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="svcTest" >
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" httpsHelpPageEnabled="true" httpHelpPageEnabled="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpEndpointBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service name="WCF_Test.Service1" behaviorConfiguration="svcTest">
<endpoint name ="Service1Endpoint"
address="EndpointTest"
binding="basicHttpBinding"
bindingConfiguration="BasicHttpEndpointBinding"
contract="WCF_Test.IService1">
</endpoint>
</service>
</services>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>
If I change the binding to use Transport instead of TransportCredentialOnly then I am able to view my service file in IE. I can then create a proxy to my web client and call a method on the service from my client and attempt to authorize the user from the service method using this code:
if(System.Web.Security.Roles.IsUserInRole(#"Admins"))
This code does not work because it uses the identity of the account running IIS on the server (IIS APPPOOL\ASP.NET v4.0) and not that of the user calling the web service from a web page.
How do I configure IIS 7 with a valid SSL certificate to use basicHttpBinding with security mode="TransportCredentialOnly"?
How do I flow my users Windows credentials client to the web service so I can authorize users on the web service using this code?
[PrincipalPermission(SecurityAction.Demand, Role = "Admins")]
or this code
if(System.Web.Security.Roles.IsUserInRole(#"Admins"))
Any help would be greatly appreciated.
Thank You
Probably the problem is in the configuration of IIS, before it gets to your code or your web.config.
If IIS has anonymous authentication turned on, the request coming into ASP.net will look like it came from the user identity of IIS.
In the IIS config you must turn off anonymous authentication and turn on windows authentication.
My guess is you need to use the basicHttp s Binding instead.

WCF Authentication Service Proxy - CookieContainer not available

I have enabled the ASP.Net authentication service, as recommended by msdn. I am then attempting to use the service via a console app or winforms app (by adding a service reference to my local WCF service). I am doing custom authentication and transport security (so I am handling the AuthenticationService.Authenticating event in my Global.asax which works fine).
The authentication itself works fine, but the proxy created by adding the Service Reference does not include the CookieContainer property. This is obviously a problem when I try to pass the cookie token to subsequent services which require authentication.
Also, in the following client code, the IsLoggedIn() returns false, I'm guessing this is related to no cookie container being present.
ServiceReference1.AuthenticationServiceClient client =
new ServiceReference1.AuthenticationServiceClient();
bool isLoggedIn = client.Login("test", "test", "", true); //returns TRUE
bool check = client.IsLoggedIn(); //returns FALSE
Here is my web.config on the service:
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.web.extensions>
<scripting>
<webServices>
<authenticationService enabled="true"
requireSSL = "false"/>
</webServices>
</scripting>
</system.web.extensions>
<system.serviceModel>
<services>
<service name="System.Web.ApplicationServices.AuthenticationService"
behaviorConfiguration="AuthenticationServiceTypeBehaviors">
<endpoint contract="System.Web.ApplicationServices.AuthenticationService"
binding="basicHttpBinding"
bindingConfiguration="userHttps"
bindingNamespace="http://asp.net/ApplicationServices/v200"/>
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="userHttps" allowCookies="true">
<!--<security mode="Transport" />-->
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="AuthenticationServiceTypeBehaviors">
<serviceMetadata httpGetEnabled="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
</system.serviceModel>
</configuration>
EDIT: Something else I should add, I did a Fiddler session of the service calling the Login method, and the cookie is being set and sent back to the client. But what am I supposed to do with no CookieContainer?
When this option is enabled the client will make sure all cookies received from a given web
service are stored and properly sent on each subsequent request in a transparent fashion.
But there is a catch: the cookie is only handled in the conversation with one web service.
What if you need to send the same cookies to different web services?
If you need to send the same cookies to multiple services, read this article: http://megakemp.wordpress.com/2009/02/06/managing-shared-cookies-in-wcf/
You need to configure the binding to allow cookies.
<system.ServiceModel>
<bindings>
<basicHttpBinding allowCookies="true">
</bindings>
Apparently, when adding a Service Reference (.Net 3.5+) to a WCF service on a client, the proxy class derives from System.ServiceModel.ClientBase. This class does not have a CookieContainer property (because the ClientBase supports non-HTTP protocols that have no concept of cookies).
http://netpl.blogspot.com/2011/11/managing-cookies-in-wcf-client.html
I could add a Web Reference instead, which would use the .Net 2.0 proxy class (and has CookieContainer property exposed) http://msdn.microsoft.com/en-us/library/bb628649.aspx. But I will most likely revisit my approach entirely and use custom headers and service behaviors to accomplish my goal.
Another option is to access the cookie container for the underlying channel like this:
var cookieManager = client.InnerChannel.GetProperty<IHttpCookieContainerManager>();
cookieManager.CookieContainer.Add(new Cookie(....));
For the above manager to be present, you need to set AllowCookies to true, e.g.:
<system.ServiceModel>
<bindings>
<basicHttpBinding allowCookies="true">
</bindings>

WCF + IIS6 + HTTPS + Basic authentication

I have seen loads of questions about this, I've spent over a day researching and trying to fix it but I've drawn a blank.
I want to deploy a WCF service onto a server connecting with HTTPS and using basic authentication. Here is my service web.config
I am using an extremely simple Calculator as a test which has a single method which adds together two numbers.
<configuration>
<system.web>
<compilation debug="false" targetFramework="4.0" />
<customErrors mode="Off" />
</system.web>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="UsernameWithTransport">
<security mode="Transport">
<transport clientCredentialType="Basic" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="Service">
<endpoint address="https://myserver.mydomain.co.uk/CalculatorService"
binding="wsHttpBinding"
bindingConfiguration="UsernameWithTransport"
name="BasicEndpoint"
contract="TestCalculator" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="">
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
In IIS 6.0 I have enabled basic authentication and required HTTPS.
I can browse to the .svc file and it asks for my credentials. I provide them and it displays the default page. However it says:
You have created a service.
To test this service, you will need to create a client and use it to
call the service. You can do this using the svcutil.exe tool from the
command line with the following syntax:
svcutil.exe
http://myserver.mydomain.co.uk/CalculatorService/Service.svc?wsdl
This will generate a configuration file and a code file that contains
the client class. Add the two files to your client application and use
the generated client class to call the Service. For example: ......
Basically, the issue seems to be that the path to the .wsdl is a http:// not an https:// and I don't think I understand why.
I am now trying to create a C# console application to test consuming the service. I cannot add the reference to the .svc path directly because it just goes around and around in a loop asking me for my username and password. If I add the reference to the .svc?wsdl then that did work but then invoking the service gives a "Method not allowed" because it is trying to use HTTP not HTTPS.
Hope I have expained this well enough. Thanks for any help.
You requires HTTPS but in the same time you allow WSDL only over HTTP. Change this:
<serviceMetadata httpGetEnabled="true"/>
To this:
<serviceMetadata httpsGetEnabled="true"/>
Now you will be able to access WSDL over https://..../....svc?wsdl but you will still have to authenticate because authentication is global for your deployed site.

Integrated Windows Authentication WCF Multiple Host Headers IIS 6 not working

I have a asp.net 2.0 web site with WCF service hosted inside it running on .NET 3.5 framework. The website is setup with Integrated Windows Authentication only. The web server is IIS 6 with load balancing on Windows 2003 Sp2 (2 servers). I am unable to access the WCF service (.svc) using the full url (http://myqa2.abcdefg.com/trxn/WCFTrxnService.svc). Also note that the server is configured with multiple host headers. The website is protected by siteminder. Initially I was getting an error
This collection already contains an address with scheme http. There can be at most one address per scheme in this collection. Parameter name: item
So added the following config entry
<serviceHostingEnvironment>
<baseAddressPrefixFilters>
<clear/>
<add prefix="http://myqa2.abcdefg.com"/>
</baseAddressPrefixFilters>
</serviceHostingEnvironment>
That error went away, but now I am being prompted for login by the browser. For same website, I am able to access .aspx page. The login prompt is appearing only for .svc file.
Here is the binding / endpoint from config file that I am using.
<system.serviceModel>
<serviceHostingEnvironment>
<baseAddressPrefixFilters>
<clear/>
<add prefix="http://myqa2.abcdefg.com"/>
</baseAddressPrefixFilters>
</serviceHostingEnvironment>
<bindings>
<basicHttpBinding>
<binding name="IISIntegratedAuthBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="TestWCFFromSL.Web.WCFTrxnServiceBehavior">
<serviceMetadata httpGetEnabled="true" httpGetUrl="http://myqa2.abcdefg.com/fmc/WCFNotesService.svc"/>
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service name="TestWCFFromSL.Web.WCFTrxnService" behaviorConfiguration="TestWCFFromSL.Web.WCFTrxnServiceBehavior">
<endpoint
address="http://myqa2.abcdefg.com/trxn/WCFTrxnService.svc"
binding="basicHttpBinding"
bindingConfiguration="IISIntegratedAuthBinding"
contract="TestWCFFromSL.Web.IWCFTrxnService" />
</service>
</services>
<!--<serviceHostingEnvironment multipleSiteBindingsEnabled="true"/>-->
if a website is protected by SiteMinder, WCF / SOAP calls don't work. But a different solution to this problem is working.
The URL myqa2.abcdefg.com/trxn/WCFTrxnService.svc is protected by SiteMinder, but
myqa2/trxn/WCFTrxnService.svc is not protected by siteminder, Looks like SiteMinder only protects FQDN (Fully Qualified Domain Names). So I configured the application to call WCF service using short url instead FQDN. I also had to use crossdomainpolicy because the application considers myqa2.abcdefg.com and myqa2 as 2 seperate domains.

Authenticating a WCF call from Silverlight using ADAM (AD LDS)

I have a Silverlight 4 client that invokes several WCF services. We want the communication to be encrypted using SSL (I have this part solved already) and that every call be authenticated against AD LDS (ADAM), do you have any simple example showing how to make this work? There's plenty of documentation on the oh-so-many WCF options but I haven't been able to find a simple working example of this particular (but I think very common) scenario (SSL encryption + ADAM authentication + Silverlight). Any help or pointers greatly appreciated.
You can use CustomUserNameValidator in WCF:
http://msdn.microsoft.com/en-us/library/aa702565.aspx
http://nayyeri.net/custom-username-and-password-authentication-in-wcf-3-5
and in Custom Validator's Validate Method you can query ADAM to authenticate user.
Regards.
Try this link on the Codeplex website, it seems like the setup and configuration for the scenario you've described. It provides a thorough checklist of all of the required settings:
Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
If this isn't you exact scenario, take a look at the following section that may fill the gaps:
Application Scenarios (WCF Security)
The answer may depend on how you will handle permissioning, since you use ASP.net's membership provider for these functions.
If you want claims based authorization ADFS 1.0 (not 2.0) supports ADAM. If you want a STS that has more options try codplex's StarterSTS
If you want to use Role-Based Administration, try Enterprise Library from Microsoft P&P, the ASP.net membership provider, or direct COM access to Authorization manager (formerly known as AzMan)
I prefer & use the claims-based approach:
Use ActiveDirectory + ADFS 2.0
(why not use the built in fault tolerance and replication of AD?, ADAM is a pain)
Silverlight Implementation of Ws-Trust as documented here:
http://www.leastprivilege.com/UsingSilverlightToAccessWIFSecuredWCFServices.aspx
Edgar, I'm also interested in any results you had, I am at the same place you were in.
Shoaib, I have looked at this but I think it is less desirable than using just the .config via ActiveDirectoryMembershipProvider, as then you are just using off the shelf components, not writing your own security system.
EDIT:
I hope this helps someone. I can't belive there is not a good example of this on the internet. It is simple enough. As I said before this is superior to using a custom authentication system.
Using AD LDS (ADAM) authentication with Silverlight compatible WCF calls (non wsHttp)
Client side:
1) Invocations from Silverlight look like this, this works if you are using the Channel Factory too.
var client = new MyWCFServiceClient();
client.GetPersonCompleted += client_GetPersonCompleted;
client.ClientCredentials.UserName.UserName = username;
client.ClientCredentials.UserName.Password = password;
client.GetPersonAsync();
2) return values from server will have an Error property if the login fails. If the user lookup fails, the error is something confusing like “at least one security token could not be validated”. Since your server side code is not able to re-wrap this (as it's all happening in the web.config) it is better for your client code to catch System.ServiceModel.Security.MessageSecurityException and interpret it as a login failure, or check the InnerException message to make sure it is the "security token" thing.
void client_GetPersonCompleted(object sender, GetPersonCompletedEventArgs e)
{
if (e.Error == null)
{
// do stuff with e.Result;
}
if (e.Error is MessageSecurityException)
{
// Your login did not work
}
}
Server side:
1) The WCF service class must have
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)] or Required
2) you have to set up your LDS instance with SSL enabled, which is tricky. See: h't't'p://erlend.oftedal.no/blog/?blogid=7
3) web config - need to:
Add the LDS connection string
Add ActiveDirectoryMembershipProvider
Add <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
change your custom binding to include <security authenticationMode="UserNameOverTransport"/> see http://msdn.microsoft.com/en-us/library/dd833059(VS.95).aspx
Example:
<configuration>
<connectionStrings>
<add name="ADConnectionString" connectionString="LDAP://myserver:[SSL port number]/[where your user are in LDS, in my case: ‘OU=ADAM Users,O=Microsoft,C=US’]" />
</connectionStrings>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<membership defaultProvider="MyActiveDirectoryMembershipProvider">
<providers>
<add
name="MyActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnectionString"
connectionUsername="[domain]\[username]"
connectionPassword="[plain text windows password]"
connectionProtection="Secure"
/>
</providers>
</membership>
</system.web>
<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
<behaviors>
<serviceBehaviors>
<behavior name="MyServiceBehaviour">
<serviceMetadata
httpsGetEnabled="true"
httpGetEnabled="false" />
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceCredentials>
<userNameAuthentication
userNamePasswordValidationMode="MembershipProvider"
membershipProviderName="MyActiveDirectoryMembershipProvider"/>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<customBinding>
<binding name="myCustomBinding">
<security authenticationMode="UserNameOverTransport"/>
<!-- <binaryMessageEncoding /> this is optional, but good for performance-->
<httpsTransport />
</binding>
</customBinding>
</bindings>
<services>
<service name="MessageBasedSecurity.Web.MyWCFService" behaviorConfiguration="MyServiceBehaviour">
<endpoint address="" binding="customBinding" bindingConfiguration="myCustomBinding"
contract="MessageBasedSecurity.Web.MyWCFService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
</system.serviceModel>
</configuration>
I hope this helps someone. I welcome comments/improvements.