wcf Binding configuration and security - wcf

I'm reading a book on WCF. I always get confused when there is a topic on binding configuration. E.g., in one chapter on securing a service in an internet environment, the author used the following code in the config file.
<bindings>
<wsHttpBinding>
<binding name="ProductsServiceWSHttpBindingConfig">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None"/>
<message clientCredentialType="UserName"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
Everything works fine as described in the book. But I don't see any description in the book of why TransportWithMessageCredential is used in place of Transport. Similarly, why the <transport ... is None and <message ... is not None. Is there any matrix (or any other way to figure out) about which options to use with which binding (and in which environment)? My hunch is that certain options will go with certain bindings. Thanks in advance.

Yep, here's a few:
http://msdn.microsoft.com/en-us/library/ms730879.aspx
http://mkdot.net/blogs/dejan/archive/2008/03/31/wcf-binding-decision.aspx
http://architectopia.blogspot.com/2008/01/wcf-binding-decision-chart.html

I know this question has already been answered; however, here are some thoughts for those who are looking for a quick answer.
TransportWithMessageCredential is basically saying that the transmission is over https (secure) and the username and password will be in security header.
"Client authentication is performed by putting the client credential directly in the message. This allows you to use any credential type that is supported by the message security mode for the client authentication while keeping the performance benefit of transport security mode."
http://msdn.microsoft.com/en-us/library/aa354508.aspx
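To make the answer above concrete, the following is an added example (not code from the book or from either post) of what "username and password in the security header over HTTPS" looks like on both sides of a wsHttpBinding. The service contract, the validator type name, the endpoint address and the sample user record are assumptions made for the example. On the service side, WCF hands the UserName token from the WS-Security header to a custom validator registered through serviceCredentials; on the client side, the binding is the programmatic equivalent of the book's configuration: TransportWithMessageCredential, transport clientCredentialType None, message clientCredentialType UserName.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.Security.Cryptography;
using System.ServiceModel;

// Contract assumed for this example (the book's actual contract is not shown).
[ServiceContract]
public interface IProductsService
{
    [OperationContract]
    string GetProductName(int id);
}

// Service side. WCF calls Validate once per request for the UserName token found in
// the WS-Security header. The validator is registered with a service behavior:
//   <serviceCredentials>
//     <userNameAuthentication userNamePasswordValidationMode="Custom"
//        customUserNamePasswordValidatorType="Demo.ProductsUserValidator, Demo" />
//   </serviceCredentials>
// The type and assembly names above are assumptions for this example.
public class ProductsUserValidator : UserNamePasswordValidator
{
    private const int Iterations = 100000;

    // Constructed credential store: user name -> (salt, PBKDF2 hash). A real service
    // would load these records from a database or identity store, never from code.
    private static readonly Dictionary<string, Tuple<byte[], byte[]>> Users = BuildStore();

    private static Dictionary<string, Tuple<byte[], byte[]>> BuildStore()
    {
        var salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        var hash = Derive("correct horse battery staple", salt);
        return new Dictionary<string, Tuple<byte[], byte[]>> { { "alice", Tuple.Create(salt, hash) } };
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(32);
    }

    // Compares every byte so timing does not reveal how much of the hash matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public override void Validate(string userName, string password)
    {
        Tuple<byte[], byte[]> record;
        bool ok = userName != null && password != null
                  && Users.TryGetValue(userName, out record)
                  && FixedTimeEquals(Derive(password, record.Item1), record.Item2);
        if (!ok)
        {
            // Throwing here rejects the call before the service operation runs; WCF
            // returns a fault to the caller. One generic message covers all failures.
            throw new FaultException("Unknown user name or incorrect password");
        }
    }
}

// Client side. The programmatic equivalent of the book's binding configuration:
// HTTPS protects the channel, and the credential travels inside the message.
public static class ProductsClient
{
    public static string GetProductName(int id, string user, string password)
    {
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        // Placeholder address; the scheme must be https for this security mode.
        var address = new EndpointAddress("https://products.example.invalid/ProductsService.svc");
        var factory = new ChannelFactory<IProductsService>(binding, address);
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;

        var channel = factory.CreateChannel();
        try
        {
            return channel.GetProductName(id);
        }
        finally
        {
            var client = (IClientChannel)channel;
            if (client.State == CommunicationState.Faulted) client.Abort(); else client.Close();
        }
    }
}
```

Two things worth noticing: the client never sends the password in the clear because the HTTPS channel is established before the message is written, which is the "performance benefit of transport security" the quoted MSDN text refers to, and WCF refuses to open a TransportWithMessageCredential endpoint over plain http, so a misconfigured address fails fast rather than leaking the credential.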

Related

Basicbinding ServiceSecurityContext Null

I have a service that uses wsHttpBinding security mode="Message" message clientCredentialType="Windows" negotiateServiceCredential="false" establishSecurityContext="false" .
When a client calls the service, on the service side I can use ServiceSecurityContext context = OperationContext.Current.ServiceSecurityContext; in order to get the callers credentials.
However, now I need a Java client to call this service. Apparently, wsHttpBinding does not interop easily w/Java (I thought that was the whole point of services). So I need to change the binding to basicHttpBinding to get the interop, but now OperationContext.Current.ServiceSecurityContext returns null.
I have tried multiple combinations from posts I have seen, but all the posts are slightly different and did not work for me.
I am hoping that someone smarter than I can resolve this once and for all.
Here are the requirements:
1.) Basicbinding needs to be used.
2.) OperationContext.Current.ServiceSecurityContext needs to be populated automatically and retrieved on the server side like it is with wsHttpBinding.
Here are the basic bindings I used, among others:
<basicHttpBinding>
<binding name="CustomBasicBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" />
</security>
</binding>
</basicHttpBinding>
Is it possible?
Thanks in advance

WCF - Transport Security w/ message level encryption

Is it possible to use both Transport security (HTTPS, authentication with a Client cert) in addition to message-level encryption via configuration in WCF? Is this done with wsHttpBinding out-of-the-box?
I am attempting to accomplish this with a custom binding, but am unable to tell if the requests are being encrypted at the message level because they appear as plain text in the trace logs.
I've done quite a bit of research but can't seem to find any solid answers. Any help is appreciated!
Yes, it's possible to have both as described in this MSDN article. The article is pretty thorough & detailed but the crux of enabling this functionality is this setting:
<!-- snipped -->
<wsHttpBinding>
<binding name="wsHttp">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Certificate"/>
<message clientCredentialType="Certificate"
negotiateServiceCredential="true" />
</security>
</binding>
</wsHttpBinding>
<!-- snipped -->

WCF/basicHttp and NTLM authentication

Does anyone know how exactly NTLM authentication works in WCF/basicHttp? I wonder if user credentials are passed for every single service method call, or if some kind of security token is being used for subsequent service method calls.
The exact binding configuration that I am using:
<bindings>
<basicHttpBinding>
<binding name="winAuthBasicHttpBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Ntlm" />
</security>
</binding>
</basicHttpBinding>
</bindings>
I found this type of configuration on the MSDN reference. But I am not sure if this a good idea performance wise. An alternative would be providing a custom GetAuthenticationToken() kind of method to provide a security token for all subsequent requests of the client. This could be done via the Enterprise Library - Security Application Block.
Further details: The service is being consumed by Browsers/Silverlight Clients.
In this case here, every single method call will be authenticated.
What you're talking about would be what is called "secure sessions", where the client authenticates once against the server and then a common token is used for subsequent exchanges. That secure sessions feature, however, is only available with wsHttpBinding - not with basicHttpBinding.
Marc

Anonymous clients connecting to WCF

This article from Microsoft details how to implement transport security with an anonymous client.
http://msdn.microsoft.com/en-us/library/ms729789.aspx
I'd like to know if it is possible to achieve the same goal, using netTcpBinding instead of WsHttpBinding and hosting the service as a Windows Service.
Yes, I don't see any reason why this wouldn't work over netTcp Binding. By default, netTcp is using transport level security already, but also Windows credentials. Just turn those off, and you should be good to go.
<bindings>
<netTcpBinding>
<binding name="SecureNetTcp">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</netTcpBinding>
</bindings>
I've never done it, but can't you just set the Client Authentication to None?

WCF - Preventing Unauthorized Clients

I have a WCF service that I only want my applications to have access to. My applications consist of a traditional web interface that uses JQuery and a Silverlight interface. Neither of these interfaces require the user to login.
Is there a way that I can tell a WCF service to only allow clients that originated from my domain? If so, how?
Thank you!
Yes, of course you can - just require Windows credentials (i.e. an Active Directory account in your domain) from your callers.
Anyone not authenticated against your domain will be rejected.
You can do this by specifying either netTcpBinding with transport security (if everything is behind a corporate firewall), or wsHttpBinding with message security:
<bindings>
<netTcpBinding>
<binding name="DomainUsersOnly">
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
<wsHttpBinding>
<binding name="HttpDomainUsersOnly">
<security mode="Message">
<message clientCredentialType="Windows" />
</security>
</binding>
</wsHttpBinding>
</bindings>
Now, all you need to do is reference one of those binding configurations in your endpoints:
<endpoint name="whatever"
address="......"
binding="netTcpBinding"
bindingConfiguration="DomainUsersOnly"
contract="IYourservice" />
and you should be good to go.
If all of your legitimate users are supposed to be on your internal corporate LAN (on the same subnet), then you could lock it down by IP address using an approach like this. You could also clamp it down to several specific IP masks that way if you wanted to.
But if you want to allow legitimate users to hit it from anywhere, then this is not a good approach. Authentication would be better in that case.
You could add a security restriction in IIS to only allow calls from the domain to the webservice.
Unless you consider windows auth (since requests are coming from your domain), the preferred way to do this would be at a different level, via firewalls. At that level, you can restrict incoming traffic to a known set of IP addresses. This will only go so far, since IPs can be spoofed, but this is an open service, so there you go. A better alternative would be both firewalls and windows auth.
Alternatively, you could check client IP addresses in WCF by querying OperationContext.Current.IncomingMessageProperties.
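As an added example (not code from any of the answers above) of the last suggestion, the following reads the caller's source address from OperationContext.Current.IncomingMessageProperties through RemoteEndpointMessageProperty and checks it against an allow list before the operation body runs. The allow list, the contract and the service type are constructed for the example. Keep the caveats from the answers in mind: a source address is only as trustworthy as the network path (an upstream reverse proxy or load balancer will report its own address, not the client's), so this is a complement to Windows authentication or a firewall rule, not a replacement for either.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;

public static class CallerFilter
{
    // Constructed allow list for the example; a real service would load it from config.
    private static readonly HashSet<IPAddress> AllowedSources = new HashSet<IPAddress>
    {
        IPAddress.Parse("10.0.0.5"),
        IPAddress.Parse("10.0.0.6")
    };

    // Reads the caller's source address from the incoming message properties.
    // Returns null when the transport supplies none (named pipes, MSMQ) or the value
    // does not parse, so a request with no address never passes the check.
    public static IPAddress GetCallerAddress(MessageProperties properties)
    {
        object prop;
        if (properties == null || !properties.TryGetValue(RemoteEndpointMessageProperty.Name, out prop))
            return null;
        var endpoint = prop as RemoteEndpointMessageProperty;
        IPAddress address;
        if (endpoint == null || !IPAddress.TryParse(endpoint.Address, out address))
            return null;
        // HTTP.sys reports IPv4 clients as ::ffff:a.b.c.d on dual-stack hosts;
        // normalise so the allow list can hold plain IPv4 entries (.NET 4.5+ API).
        return address.IsIPv4MappedToIPv6 ? address.MapToIPv4() : address;
    }

    public static bool IsAllowed(IPAddress address)
    {
        return address != null && AllowedSources.Contains(address);
    }

    // Call at the top of each operation, or from an IDispatchMessageInspector to
    // apply the same rule to every operation of the service in one place.
    public static void Enforce()
    {
        var context = OperationContext.Current;
        var address = GetCallerAddress(context == null ? null : context.IncomingMessageProperties);
        if (!IsAllowed(address))
        {
            // Generic fault text: the caller learns nothing about the allow list.
            throw new FaultException("Caller is not permitted to use this service");
        }
    }
}

[ServiceContract]
public interface IInternalService
{
    [OperationContract]
    int Ping();
}

public class InternalService : IInternalService
{
    public int Ping()
    {
        CallerFilter.Enforce();
        return 1;
    }
}
```

Because GetCallerAddress and IsAllowed take plain arguments rather than reading OperationContext themselves, they can be unit-tested with a MessageProperties instance that has a RemoteEndpointMessageProperty added to it, without hosting a service.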