WCF Windows Authentication / Delegation - wcf

I'm having trouble getting the user credentials to be delegated over to our Sql Server DB. I'm pretty sure I have my configuration for the WCF set up correctly because everything works on my local IIS where there is only one hop, the problem is getting the double hop to work in a real environment.
The first Error I was getting was a Sql Exception when trying to login with Network Service/anonymous Login. From reading blogs I think the service was falling back to NTLM which cannot perform the double hop.
First question, am I correct in thinking the only way to perform a double hop is with Kerberos?
I switched the config to not allow NTML and got a 'The requirement for mutual authentication was not met by the remote server' error.
I read that I needed to set up a user for delegation. This is where I get lost. The user of the AppPool is NetworkService, what do I need to do to get delegation to work for this? Do I go into the Domain Controller and enable Delegation somehow? What do I need to add to the client config to tell the service about delegation?
I did try adding a new domain user to active directory, enabling delegation for the user, and making the user for my app pool, and added an identity section in the config to speciy this user, but got this error: 'The target principal name is incorrect'.
If possible I would like to keep the network service as my app pool identity. Does anyone know what steps I need to take to get this work?

Related

What is causing this Shibboleth error: SAML 2 SSO profile is not configured for relying party?

I am setting up Shibboleth on a Rackspace CentOS 6 server and it was working fine with testshib.org, but when I try to test it against the real IdentityProvider, I continue to get this error:
SAML 2 SSO profile is not configured for relying party
or more specifically
ERROR
An error occurred while processing your request. Please contact your helpdesk or user ID office for assistance.
This service requires cookies. Please ensure that they are enabled and try your going back to your desired resource and trying to login again.
Use of your browser's back button may cause specific errors that can be resolved by going back to your desired resource and trying to login again.
If you think you were sent here in error, please contact technical support
Error Message: SAML 2 SSO profile is not configured for relying party
I would like to rule out SSL as a possible cause -- I was testing my Service Provider without running SSL, and it worked fine with testshib.org, so I don't think it could cause this error but I can't get SSL set up right now so I want to know if anybody has seen this error being caused by a lack of SSL?
The main difference between testshib.org and this setup is that I uploaded my SP metadata file to the testshib.org server, whereas with my current Identity Provider I haven't given them anything. Would that cause this error, does anybody know? I was under the impression that IdPs can manage requests from anonymous Service Providers...
Thanks for your help.
The real Identity Provider generally needs your metadata up front before you can begin accepting SSO sessions. The IdP will need to load your metadata, and optionally configure/release attributes to your Service Provider, which your SP may require to make an authorization decision.
IdPs can accept requests from anonymous Service Providers, given it is configured appropriately. I don't believe the Shibboleth IdP is configured to accept anonymous requests by default.
If the IdP administrator is open to accepting anonymous requests, there is more information on that configuration here: http://shibboleth.1660669.n2.nabble.com/Problem-configuring-and-IdP-to-support-anonymous-relying-parties-td6750775.html

Authentication in WCF

I am currently following this scenario
Instead of a Windows Forms client, I have an ASP.NET MVC web app.
I am a little worried about the sending of the username and the password
on every call to the Web Service.
That means I will have to carry this information all the time in the session.
Wouldn't that be little security problem ?
Why would you have to carry the credentials all the time in the session? According to the example you're following, they're being set in the proxy (when it's created).
If you're worried about having to cache the credentials for recreating the proxy as needed, then you can cache an instance of ChannelFactory, and then generate new proxies from that instance as needed.
Regardless of what path yout take, the credentials are going to have to be stored somewhere, somehow, unless your application prompts the user for their credentials for every WCF operation.
You can implement WS-Security in your service.
This means you can send user credentials in the header of the message encrypted. Lots of examples out there for this.

WCF Authentication -- Authenticate user/pass one time, then authenticate some other way afterwards?

Basically, I have the following scenario and information:
We're using HTTPS.
We want to authenticate a user by user/pass when they first log in.
After they are authenticated, I want any future calls to OTHER services (not the login service) to use the username and some sort of session (in case the password changes in the middle of a session).
I want to make sure my sessions can timeout and control them in a way that if a user tries to call a service and they don't have a session they get an error (cause they haven't logged in). Not sure if there's a WCF built-in way to do sessions this way or if I'll have to do something customized with a database.
I think we want to use WSHttpBinding (not BasicHttpBinding), 90% sure on this.
I just can't seem to figure out how to do this. Often time's I'll find information on the client code doing client.ClientCredentials.UserName.UserName = username and client.ClientCredentials.UserName.Password = password. But, that just doesn't work because what is my server checking against? I'm trying to grab that info and validate it against a database of user/passes. I'm not looking to use Windows Authentication or that sort (because I don't care who is logged into the computer, just who is logging into the app).
You want to use a Secure Token Service (STS) to authenticate and get a Security Token (maybe SAML) back that identifies the user which can then be passed to your other services and they can just use the identity information to identify and authorize because they trust the STS has verified the user's identity up front.
This is a large subject to discuss, so I suggest searching for WCF STS and doing some more research, but that's definitely the direction I'd recommend going. If you're going to build your own STS implementation, I also recommend looking into using the Windows Identity Foundation (WIF) components to ease your development efforts.
Here's the download link for WIF v1.0 which is the latest version at the time of this answer.

how to access MSMQ in web proxy class

I've created a wcf web service hosted on IIS 5.1. In the service implementation class there is a method GetAlarm which access the MSMQ on that system. In a sample win form application i instantiate web proxy to call GetAlarm method. But the problem is that when i use GetAlarm method using proxy for local machine then it propmts error like "he queue does not exist or you do not have sufficient permissions to perform the operation.". While i've given all the users full permission in corresponding queue users (properties/security). I can access the rest of methods using web proxy but not msmq.
If i use the GetAlarm method without proxy then it works fine.
please help;
arvind
You say "I've given all the users full permission".
What permissions did you give and to which accounts?
An easy test for security issues is to temporarily give "Everyone" and "Anonymous Logon" Full Control to the queue. If that works then it is a permissions issue.
If you have given the permissions to the account that you think is accessing the queue but still get access denied then you could enable security auditing on the queue to check what account is actually being used.
Also see
https://stackoverflow.com/questions/4758627/how-to-access-message-queue-msmq-via-wcf
Cheers
John Breakwell

WCF service and ActiveDirectory

I am using a WCF call to update my database with any changes from ActiveDirectory.
I call this WCF functin via client browser and the function trys to get details from AD within the servive itself. However the issue is AD needs UserName and Password to get any records.
Please advise how can I overcome this problem so that Windows looged in credentials are automactically accepted and AD is read.
I am using wsHttPBinding,Security: message and clientCredentials="Windows".
Thanks
Vikram
The call to Active Directory is going from the service.
The default settings for the service is impersonate=false and the identity of the application pool is NETWORK SERVICE.
Therefore, the call to AD is going in the security context of Network Service, which does not have the correct access, and cannot be given them, since it is a machine local account.
There are 3 ways to fix this.
Set Authenticate=true in the web.config to allow access to AD to be done in the security context of the calling user.
Change the identity of the application pool to that of a domain user that is allowed to access AD. Be sure to add this user to the local IIS_WPG group.
Store the username and password of a user that is allowed to access AD, in the web.config file, and use these credentials to access AD.