BizTalk Authentication - authentication

OK, I've managed to use SSL in BizTalk. Now I'm trying to learn how to authenticate using WCF-BasicHttp. I tried to use an option with UserNamePasswordValidator but I haven't succeeded.
Guys, I have Root CA certificate installed, I have server certificate and clients certificates. How can I find out who exactly sent me a message?

If I got you right, you should look at BizTalk Parties and Party Resolution components.
Though there are some problems integrating it with WCF.
I would start with this article here. Also I recommend you inspect the received message and look at its context properties. It's possible that WCF writes certificate information into one of them, and you could end up with only a custom party resolution component, without WCF extensions.
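As an added example (not from the question, the answers or BizTalk): in a plain WCF service the sender is exposed through ServiceSecurityContext, where a Basic/Windows caller shows up as a named identity and a client certificate shows up as an X509CertificateClaimSet whose thumbprint can be matched against the client certificates you issued. The class and method names are assumed, not part of any WCF or BizTalk API.

```csharp
using System;
using System.IdentityModel.Claims;
using System.ServiceModel;

// Hypothetical helper: resolves the caller of the current WCF operation from
// ServiceSecurityContext, for both transport Basic authentication and
// client-certificate authentication.
public static class CallerResolver
{
    public sealed class Caller
    {
        public string Name;          // Basic/Windows: account name; certificate: subject DN
        public string AuthType;      // e.g. "Basic", "NTLM", "X509"
        public string Thumbprint;    // set only when a client certificate was presented
    }

    public static Caller Resolve()
    {
        var ctx = ServiceSecurityContext.Current;
        // Null when the binding has no security at all; IsAnonymous when nothing was authenticated.
        if (ctx == null || ctx.IsAnonymous)
            throw new FaultException("Caller was not authenticated.");

        var caller = new Caller
        {
            Name = ctx.PrimaryIdentity.Name,
            AuthType = ctx.PrimaryIdentity.AuthenticationType
        };

        // With clientCredentialType="Certificate" the certificate arrives as a claim set;
        // the thumbprint is the value to compare against the known client certificates.
        foreach (ClaimSet set in ctx.AuthorizationContext.ClaimSets)
        {
            var x509 = set as X509CertificateClaimSet;
            if (x509 != null)
            {
                caller.Thumbprint = x509.X509Certificate.Thumbprint;
                caller.Name = x509.X509Certificate.Subject;
            }
        }
        return caller;
    }

    // Allow-list check against the thumbprints of the issued client certificates
    // (the list is supplied by the caller of this helper; constructed for this example).
    public static bool IsKnownClient(Caller caller, params string[] allowedThumbprints)
    {
        return caller.Thumbprint != null
            && Array.Exists(allowedThumbprints,
                t => string.Equals(t, caller.Thumbprint, StringComparison.OrdinalIgnoreCase));
    }
}
```

Call Resolve() inside the service operation (it needs an active OperationContext); with Basic over TransportCredentialOnly the name is whatever IIS authenticated and the credential travelled unencrypted over HTTP.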

Try for both client and server configs:
<basicHttpBinding>
  <binding name="BasicHttpBinding_IService">
    <security mode="TransportCredentialOnly">
      <transport clientCredentialType="Basic"/>
    </security>
  </binding>
</basicHttpBinding>
Install/Enable basic authentication
You may also need to install and apply basic authentication in IIS.
Go to "Programs and Features" / "Turn Windows features on or off". Enable "Basic Authentication" somewhere under IIS and Security.
I closed and opened the IIS console and was able to enable it under authentication settings.
This of course is for development testing, and it warns you about not having an SSL certificate.
Please refer to the document below on Microsoft.
For reference see: https://msdn.microsoft.com/en-gb/library/ff648505.aspx

Related

WCF security with load balancer

We need to create a WCF service (.NET 4.0) that will be consumed by a client outside of our organization.
The case is that we have two servers that are behind a load balancer which terminates the SSL. This is where it gets confusing for me.
How we could and should handle the authentication?
My previous experience with WCF is only with services for internal use. If I understood correctly, we should use basicHttpBinding to guarantee interoperability with a Java-based client. I don't know if this is an issue with a JAX-WS based client.
There will only be this one client that is going to use the service.
We need to somehow ensure that the caller is authenticated to use the system.
Make sure the message is encrypted when moving over a public network.
So far the best article that I found was
http://devproconnections.com/net-framework/wcf-and-ssl-processing-load-balancers
There were a few suggestions on how to do this.
WCF services can be configured for basic authentication and receive credentials in the clear over HTTP. This can work; however, it precludes passing credentials in the message, and the use of more interesting credentials (such as issued tokens).
We use forms authentication on our website under which the service will be hosted. I think it is not easy or even possible to make the service then use basic authentication.
WCF services can be configured to fake the presence of transport security so that the runtime will allow receiving message credentials without transport or message protection
Will this be the way to go and will this work with basicHttpBinding?
The client and server binding will be different. The client binding will use username auth at either message or transport level with transport security (SSL):
<bindings>
  <basicHttpBinding>
    <binding name="NewBinding0">
      <security mode="Message" />
    </binding>
  </basicHttpBinding>
</bindings>
Then the server config will use the same config but without the transport security. If you choose to use message security then check out WCF ClearUsernameBinding. If you use transport security (basic http) then set mode="TransportCredentialOnly".

Do I need to configure wcf with transport security if IIS is setup to negotiate certificates?

Even with all of the documentation available instructing me how to configure WCF to allow certificates over SSL, I'm having a hard time discerning where IIS' responsibilities lie and where the WCF's responsibilities lie.
For example, I do not have authority over my IIS server. I requested the admin to setup my virtual directory (application) to require certificates over ssl. I did this because when I tried to configure this security through my web.config, it told me that IIS wasn't setup to permit this.
After that, another developer told me that because the IIS Admin set it up this way, I only have to set security = none and client auth to none in my web.config because IIS will now handle this for my app.
Is this true? Also, is there documentation explaining the options of configuring IIS and WCF and some type of pipeline showing where these authentication processes occur?
Thank You.
Well, you definitely need to install a certificate and enable the SSL binding in IIS before anything will work. You must also set 'Security' mode to 'Transport', and 'clientCredentialType' to 'None'. This may be what your developer friend was getting at, though he is wrong to imply WCF doesn't need to do anything if security is set up in IIS.
<bindings>
  <basicHttpBinding>
    <binding name="secureHttpBinding">
      <security mode="Transport">
        <transport clientCredentialType="None"/>
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
You would then reference this binding in your service endpoint configuration. This page has a pretty clear step-by-step guide on what to do, though you will obviously need access to IIS to set this up.
The basic idea is that certificates are installed and managed by IIS, which also handles authentication. All WCF does is say what kind of security the service will be using/expecting. This page has a good discussion of Transport security over HTTP, as well as links to setting up IIS for this. Hope this helps!
I recently set up a WCF service for an outside company to access our data. The security practices are very hard to configure. I ended up bypassing the certificate and writing a custom auth class that authenticated a username and password in the header. Helpful references I found on my journey:
http://wcfsecurityguide.codeplex.com/releases/view/15892
http://msdn.microsoft.com/en-us/library/aa702565.aspx
I wish I could give you more; my situation was not as vital for security, so that had a major role in the route I took.

WCF Message Security continues to work with certificate removed

I'm developing a product that consists of a WCF service and several WCF clients deployed to different locations. In order to secure the service, I configured WCF to use Message Security via certificates.
In detail, these are my service configuration files:
Web.config, App.config
This is working fine as far as I can tell, even when the certificate is stored on a SmartCard (WCF even pops up a dialog asking me to enter the SmartCard's PIN in order to unlock the certificate).
But removing the SmartCard after the initial security negotiation took place does not have any effect on the connection - I can still invoke methods on the web service.
What's happening?
Does WCF message security work similar to HTTPS, where a symmetric key is established during the initial security negotiation and after that, the certificate is no longer needed?
Or could it be that I have set up the service to only use the certificate to authenticate the client, but messages aren't encrypted at all?
It is because your security configuration uses a security context (the default for WSHttpBinding). The security context (an implementation of WS-SecureConversation) indeed works similarly to HTTPS. It uses the certificate only for initial authentication and for generation of a security token, which is used to secure the following communication from the same service proxy instance. The context is established per service proxy instance and it also establishes a WCF session, which is subject to timeout.
<security mode="Message">
  <message clientCredentialType="Certificate" negotiateServiceCredential="false" establishSecurityContext="false" />
</security>
Try setting the establishSecurityContext to false.
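An added example, not from the question or the answer: the same two configurations built in code, plus a hypothetical check that shows why removing the smart card changes nothing once the session exists. When establishSecurityContext is true, WSHttpBinding wraps the certificate handshake in a SymmetricSecurityBindingElement whose protection token is a secure-conversation session token, so later messages are protected with the derived session key, not the smart-card key; with it set to false the check reports no session token. The class and method names are assumptions.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security.Tokens;

// Hypothetical helper that inspects a binding to tell whether a WS-SecureConversation
// session will be established, i.e. whether the client certificate is used only
// once for the bootstrap handshake.
public static class SecureConversationCheck
{
    // Equivalent of <security mode="Message"><message clientCredentialType="Certificate"
    // negotiateServiceCredential="false" establishSecurityContext="..."/></security>
    public static WSHttpBinding CertificateBinding(bool establishSecurityContext)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        binding.Security.Message.NegotiateServiceCredential = false;
        binding.Security.Message.EstablishSecurityContext = establishSecurityContext;
        return binding;
    }

    // True when the security binding element is symmetric and its protection token is a
    // secure-conversation token: messages after the handshake are secured by a session key
    // and will keep flowing even if the certificate (or smart card) is no longer available.
    public static bool UsesSecureConversation(Binding binding)
    {
        var securityElement = binding.CreateBindingElements().Find<SecurityBindingElement>();
        var symmetric = securityElement as SymmetricSecurityBindingElement;
        return symmetric != null
            && symmetric.ProtectionTokenParameters is SecureConversationSecurityTokenParameters;
    }

    public static void Main()
    {
        Console.WriteLine("establishSecurityContext=true  -> session token: "
            + UsesSecureConversation(CertificateBinding(true)));
        Console.WriteLine("establishSecurityContext=false -> session token: "
            + UsesSecureConversation(CertificateBinding(false)));
    }
}
```

With establishSecurityContext="false" every message is signed with the client certificate, so the call fails as soon as the smart card is pulled, at the cost of a certificate operation per message.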

WCF Certificate Configuration with ASP.NET

Briefly, here's the scenario. I have an ASP.NET application using forms authentication and a custom membership provider. I've created a WCF client and an ASP.NET ServiceHost using ServiceHostFactory. Everything works perfectly so far, but to deploy this in the real world, I will need to have it secured. I cannot seem to find out how to set the certificate for the service. I want to use the certificate already associated with the ASP.NET application that is hosting my service.
How do I set the certificate in a way that will automatically set the certificate to the hosting web app's certificate without having to manually identify the certificate? It would be a real PITA if the user has to install the WCF assemblies and make changes to the configuration file and have to know something about what certificate is installed.
Here's what I mustered up so far, but haven't been able to get it to work and it isn't configurable during installation without recompilation.
serviceHost.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByIssuerDistinguishedName, "mycertificate");
Is there an ASP.NET API that would return the certificate associated with the hosting app that I can pass to SetCertificate? Also, how do I handle the situation where no certificate is installed, but I still want WCF to connect, albeit insecurely?
This depends on whether you want to use Transport or Message level security. If you just want your web services to work over https like any other web page, then in your WCF configuration, you do not need to specify the certificate, you simply enable transport security, like:
<basicHttpBinding>
  <binding name="basicHttpsSecured" sendTimeout="00:02:00">
    <security mode="Transport">
      <transport clientCredentialType="None" />
    </security>
  </binding>
</basicHttpBinding>
Then in IIS, you set the SSL certificate on the web site just like you would have for any other ASP.NET site. If you were not hosting this through IIS, but were instead making it a self-hosted Windows service or something, then you would have to set the certificate in your configuration, but when hosting in IIS, you can let IIS do the work.
If instead you want to do message level security, which means that you are transporting over non-secure regular http, but your message contents are encrypted, then you would set
<security mode="Message">
on the binding, and specify the certificate to use to encrypt the message. However it sounds like you are talking about using ssl / https for your web service.
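For the message-security case, an added example (not from the question or the answer) of a ServiceHostFactory that selects the service certificate by thumbprint from an appSettings key instead of the hard-coded issuer name in the question, and refuses to start when no valid matching certificate is installed rather than falling back to an insecure connection. The factory class name and the appSettings key are assumptions.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Activation;

// Hypothetical factory: the thumbprint is a deployment setting, so the installer can
// change it without recompiling, and startup fails closed if the certificate is absent.
public class ThumbprintServiceHostFactory : ServiceHostFactory
{
    // Assumed appSettings key, e.g. <add key="ServiceCertificateThumbprint" value="..."/>
    private const string ThumbprintKey = "ServiceCertificateThumbprint";

    protected override ServiceHost CreateServiceHost(Type serviceType, Uri[] baseAddresses)
    {
        ServiceHost host = base.CreateServiceHost(serviceType, baseAddresses);
        string thumbprint = NormalizeThumbprint(ConfigurationManager.AppSettings[ThumbprintKey]);

        if (!CertificateIsInstalled(thumbprint))
            throw new InvalidOperationException(
                "No valid certificate with thumbprint '" + thumbprint + "' in LocalMachine\\My.");

        // Same call as in the question, but keyed on the thumbprint, which is unique per certificate.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, thumbprint);
        return host;
    }

    // Strips the spaces that the certificate MMC snap-in inserts and upper-cases the hex.
    public static string NormalizeThumbprint(string raw)
    {
        if (string.IsNullOrEmpty(raw))
            throw new ConfigurationErrorsException("appSetting '" + ThumbprintKey + "' is missing.");
        return raw.Replace(" ", "").ToUpperInvariant();
    }

    // validOnly = true rejects expired, revoked or untrusted certificates at startup.
    public static bool CertificateIsInstalled(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            return store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, true).Count > 0;
        }
        finally
        {
            store.Close();
        }
    }
}
```

Reference it from the .svc file's Factory attribute; the IIS application pool identity needs read access to the certificate's private key.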

WCF Service can not be accessed from another machine?

I have deployed WCF services on machineA and tried to access them through WcfTestClient, which is on another system, machineB. But I am getting the error "The caller is not authenticated by wcf service". This WCF service is working fine when I test it on machineA itself.
I have used wsHttpBinding.
How to solve this? Please help me.
On machine A, remove security if that service is only exposed on the intranet.
Add a binding configuration as follows:
<binding name="none">
  <security mode="None" />
</binding>
and in the service add
bindingConfiguration="none"
Only if you don't want any security.
On machine B you'll have to supply some credentials that have access to the service on A.
See this article: Debugging Windows Authentication Errors for details, especially the section Client Credentials Are Not Set Correctly at the bottom of that document.