WCF Message Security continues to work with certificate removed - wcf

I'm developing a product that consists of a WCF service and several WCF clients deployed to different locations. In order to secure the service, I configured WCF to use Message Security via certificates.
In detail, these are my service configuration files:
Web.config, App.config
This is working fine as far as I can tell, even when the certificate is stored on a SmartCard (WCF even pops up a dialog asking me to enter the SmartCard's PIN in order to unlock the certificate).
But removing the SmartCard after the initial security negotiation took place does not have any effect on the connection - I can still invoke methods on the web service.
What's happening?
Does WCF message security work similar to HTTPS, where a symmetric key is established during the initial security negotiation and after that, the certificate is no longer needed?
Or could it be that I have set up the service to only use the certificate to authenticate the client, but messages aren't encrypted at all?

It is because your security configuration uses security context (default for WsHttpBinding). Security context (implementation of WS-SecureConversation) indeed works similarly to HTTPS. It uses certificate only to initial authentication and generation of security token which is used to secure following communication from the same service proxy instance. The context is established be service proxy instance and it also establish WCF session which is subject of timeout.

<security mode="Message">
<message clientCredentialType="Certificate" negotiateServiceCredential="false" establishSecurityContext="false" />
</security>
Try setting the establishSecurityContext to false.

Related

WCF security with load balancer

We need to create a WCF service (.NET 4.0) that will be consumed by a client outside of our organization.
The case is that we have two servers that are behind a load balancer which terminates the SSL. This is where it gets confusing for me.
How we could and should handle the authentication?
The previous experience about WCF is only about services for internal use. If I understood correctly we should use basicHttpBinding to guarantee interoperability with Java based client. I don't know if this is an issue with JAX-WS based client.
There will only be this one client that is going to use the service.
We need to somehow ensure that caller is authenticated to use the
system
Make sure the message is encrypted when moving in public network
So far the best article that I found was
http://devproconnections.com/net-framework/wcf-and-ssl-processing-load-balancers
There were few suggestions how to do this.
WCF services can be configured for basic authentication and receive credentials in the clear over HTTP. This can work; however, it precludes passing credentials in the message, and the use of more interesting credentials (such as issued tokens).
We use forms authentication on our website under which the service will be hosted. I think it is not easy or even possible to make the service then use basic authentication.
WCF services can be configured to fake the presence of transport security so that the runtime will allow receiving message credentials without transport or message protection
Will this be the way to go and will this work with basicHttpBinding?
The client and server binding will be different. The client binding will use username auth in eitehr message or transport level with transport security (ssl):
<bindings>
<basicHttpBinding>
<binding name="NewBinding0">
<security mode="Message" />
</binding>
</basicHttpBinding>
</bindings>
then the server config will use the same config but without the transport security. If you chose to use message security then check out WCF ClearUsernameBinding. If you use trasnport security (basic http) then set mode="TransportCredentialOnly".

ServiceStack : BasicAuth and Security

I would like to authenticate user trying to use my SS web services. I found the sample code and followed PLURALSIGHT tutorial but I was wondering if user/password used during first connection is encrypted or something on the network?
At this time we used to secure our WCF with certificates but THAT'S A REAL PAIN! and at the same time passing user/password on each WS is a security failure.
How does SS manage security of authentications parameters? Can I use it like that without worrying about possible security failure?
Credentials will be sent plain text and it is expected that you configure SSL for the authentication traffic.
ServiceStack is just a standard ASP.NET or HttpListener web application. The standard way to encrypt HTTP traffic in any Web Application is to call your services over https. HTTPS is enabled/configured outside of your ServiceStack service (i.e. Web Application layer) so ServiceStack itself doesn't require any special attention when enabling SSL.
Setting up HTTPS on ServiceStack is the same as any other IIS/ASP.NET or HttpListener application. In both cases HTTPS is a transport layer security (TLS) protocol that is enabled at the WebServer/Host level (e.g. IIS) and not in your web application (e.g. ServiceStack). So when seeking how to enable SSL you should be looking on how to enable it at the WebServer host level, e.g. IIS, Nginx, HttpListener, etc (and not ServiceStack).
E.g. If you've got ServiceStack hosted in an ASP.NET Host, than a simple search for IIS SSL on Google will provide plenty of instructions and walk throughs like this one. If you've got ServiceStack hosted in a self-hosted HTTP Listener, see this answer instead.
If your service is being consumed in an Enterprise environment and if you have AD, you can consider using WSHttpSecurity binding with binding configuration set to use Windows Credentials. This can eliminate the use of certificate. If your service is cross-enterprise and you dont have AD, you will have to do certificates
If you are doing Windows credential type, here's a sample config
<security mode="Transport">
<message clientCredentialType="Windows" />
</security>

WCF Certificate Configuration with ASP.NET

Briefly, here's the scenario. I have an ASP.NET application using forms authentication and a custom membership provider. I've created a WCF client and an ASP.NET ServiceHost using ServiceHostFactory. Everything works perfectly so far, but to deploy this in the real world, I will need to have it secured. I cannot seem to find out how to set the certificate for the service. I want to use the certificate already associated with the ASP.NET application that is hosting my service.
How do I set the certificate in a way that will automatically set the certificate to the hosting web app's certificate without having to manually identify the certificate. It would be a real PITA if the user has to install the WCF assemblies and make changes to the configuration file and have to know something about what certificate is installed.
Here's what I mustered up so far, but haven't been able to get it to work and it isn't configurable during installation without recompilation.
serviceHost.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByIssuerDistinguishedName, "mycertificate");
Is there a ASP.NET Api that would return the certificate associated with the hosting app that I can pass to SetCertificate? Also, how do I handle the situation where no certificate is installed, but I still want WCF to connect, albeit insecurely?
This depends on whether you want to use Transport or Message level security. If you just want your web services to work over https like any other web page, then in your WCF configuration, you do not need to specify the certificate, you simply enable transport security, like:
<basicHttpBinding>
<binding name="basicHttpsSecured" sendTimeout="00:02:00">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</basicHttpBinding>
Then in IIS, you set the SSL certificate on the web site just like you would have for any other ASP.NET site. If you were not hosting this through IIS, but were instead making it a self-hosted windows service or something, then you would have to set the certificate in your configuration, but when hosting in IIS, you can let IIS do the work.
If instead you want to do message level security, which means that you are transporting over non-secure regular http, but your message contents are encrypted, then you would set
<security mode="Message">
on the binding, and specify the certificate to use to encrypt the message. However it sounds like you are talking about using ssl / https for your web service.

Authentication settings in IIS Manager versus web.config versus system.serviceModel

I have a WCF web service, and I want to use Basic authentication. I am getting lost in the authentication options:
In IIS 6 Manager, I can go in to the properties of the web site and set authentication options.
In the web site's web.config file, under system.web, there is an <authentication mode="Windows"/> tag
In the web site's web.config file, under system.serviceModel, I can configure:
<wsHttpBinding>
<binding name="MyBinding">
<security mode="Transport">
<transport clientCredentialType="Basic"/>
</security>
</binding>
</wsHttpBinding>
What is the difference between these three? How should each be configured?
Some context: I have a simple web site project that contains a single .svc web service, and I want it to use Basic authentication over SSL. (Also, I want it to not use Windows accounts, but maybe that is another question.)
The first two are really about access to an ASP.NET virtual directory or virtual application in IIS6 - that has basically nothing to do with WCF (WCF is actually not part nor dependent on ASP.NET). The settings control how the HTTP request coming into the IIS6 web server is being handled in terms of authentication. This basically controls whether anonymous callers from the internet can just call in without authenticating, or whether they need to enter username/password, or whether only callers with a valid Windows identity in this domain are allowed in.
The only reason this is interesting to your WCF service is the fact that when you host the WCF service in IIS (only one of the many options), then you have a (myservice).svc file that needs to reside inside a virtual directory. Of course, access to that SVC file is controlled by the authentication settings of IIS6/ASP.NET.
The security mode inside the <wsHttpBinding> section is the security-related definition of how the WCF service will communicate with its clients. Mode=Transport means, you're securing the actual transport layer - typically using SSL - not each message separately. This setting works great in Intranet scenarios where you have all clients behind a corporate firewall - but it won't work too well in Internet scenarios, since you can't really control the whole chain from the client (anywhere on this planet) over a series of intermediary hops to your server - you just can't. In this case, you'd have to use Mode=Message which basically encrypts and signs each message that goes over the wires - that works over any number of routers and relays along the way from the point of origin to your server.
The first two are related, if they don't match your service will not be able to activate. If you choose Windows authentication obviously there is an assumption that you will be tied to a windows domain or local machine.
Since you are going to be doing SSL basic authentication you are going to set this to None and then configure your transport security.
Your one stop shop for setting up transport + basic authentication
MSDN Article on Transport+Username + Windows Forms
I am not sure if you are still planning out how you are going to be doing security but i would recommend thinking about using message security versus transport(personal bias toward message security)..
Transport vs Message Comparison
Patterns & Practices on Message and Transport Security

How to configure security when calling WCF Service from .Net 2.0 Client

I have a WCF service up and running and am able to communicate between the service and a .Net 2.0 Client using basicHttpBinding.
I now need to lock down the WCF service so that it can only be called by authenticated clients.
I have control over the clients that will be calling my service. The clients are part of a product that will be installed in the wild and "phoning home" to push and pull data. The client app is written for .Net 2.0 framework and cannot be upgraded to 3.0 or 3.5 at this time. I cannot add windows user accounts to the client machines.
What are my options for securing the WCF Service and being able to authenticate from my .Net 2.0 clients? Also, data needs to be passed over https.
I've been searching the web, and feel like I'm on a wild goose chase.
You can configure a WCF endpoint to use 2-way SSL authentication. That means that you can require clients to present an X.509 certificate that confirms their identity whenever they make a request to the service.
On the server side of things, you can use one of the built-in validation schemes in WCF or provide your own validation logic to check the X.509 certificate.
If you were hosting your service in IIS, it would be trivial to configure SSL to require client certificates at the transport-level. However, you can find a good guide on how to implement this behaviour in a self-hosted WCF service here:
http://leastprivilege.com/2007/08/25/certificate-based-authentication-and-wcf-message-security/
I haven't tried this myself but, since this creates a security requirement at the message-level, I think you will have to use wsHttpBinding to enforce it in your WSDL contract, since imposing security requirements to access a web service is part of the WS-* standards.
If you have to use basicHttpBinding, you can try this solution instead that moves things up at the transport-level:
http://leastprivilege.com/2007/08/26/certificate-based-authentication-and-wcf-mode-independent/
Hope this helps
OK so, with SSL you have transport level security; which is fine, that protects the message from sniffing and changing.
So now you have options; do you need the validation to be silent, or can you prompt the user for a username/password when your program starts? If it must be silent then you can go the client side certificate as mentioned (although that is painful, you will need to generate the certificates yourself and validate them, so you need to look at running your own certificate authority). Or you can embed a custom header in the message which contains a client ID and do it the kludgey way.
If however you can prompt for a username and password then you authenticate that way and plug it into a database lookup quite easily using a custom authenticator, or even using the ASP.NET membership database.
Here is what I ended up doing which seemed to be the simplest solution in our situation, which is pretty small scale with only a handful of web services exposed:
Secured the transport with SSL
Clients first login to the web service by calling a Login method on the web service. If the login succeeds, it returns an encrypted FormsAuthenticationTicket to the client.
Clients must then supply the forms authentication ticket with each web service call. Each method checks if the ticket is valid and if so it does its work. If the ticket has expired or is invalid, clients must re-authenticate.
Hope that helps someone...
You security will be covered by the ssl.
For authentication you have two options - basic (username and password) or certificate.
Here is a video that demonstrates configuring certificate authentication.
In that you are configuring the security elements of the basicHttpBinding shown below:
<basicHttpBinding>
<binding name="basicHttp">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="Certificate"/>
</security>
</binding>
</basicHttpBinding>
There is also a good page on this here. Google on clientCredentialType and you should find yourself on the right track soon enough.
For setting up the client certificates you are after the wse* policy file.
You will need to work out how you will provide the client certificate to the various sites.- that depends on security concerns of the project. There are various ways (none of which I can remember sorry, I last did this for wse* to wse* about two years ago so the details are forgotten, but it is certainly possible, took a few days solid research to find a good method).
Using SSL certificate is the only option for .NET 2.0 client accessing WCF service as basicHttpBinding provides no security. By using SSL, you are securing the whole transport channel.
Check the link http://www.codeplex.com/WCFSecurityGuide/Release/ProjectReleases.aspx?ReleaseId=15892 . It covers WCF Security covering all scenarios.
To get free SSL certificate please visit http://www.comodo.com/ or http://www.instantssl.com/ and try out in your application.