I have a WCF service which is exposed using a single endpoint with netTcpBinding which sits on Server A, hosted on IIS7.5/WAS on our internal LAN on our domain.
This service is then consumed by an ASP.NET web client application sitting on Server B, also hosted on IIS7.5 with an external hosting provider outside of our domain, and linked to our LAN via a VPN secured to allow only traffic between Server A and Server B.
During development while I was testing the concept I ran the web client application on another IIS server internally on our domain using binding security mode="Transport" and transport clientCredentialType="Windows" which worked fine.
I then moved the web client application to the external Server B for further proof-of-concept testing setting the binding security mode="None", as obviously with this server being outside of our domain I cannot use Windows authentication, and it still works fine.
What I need to do now, to enable the switch back to using transport security is to set the clientCredentialType="Certificate", as you cannot have transport security with clientCredentialType="None".
This is where I have started to come unstuck. I seem to be going around in circles as to where in the web.config of the service and the client web.config to define the certificate and where to store which bits of the certificate.
Essentially what I'm trying to do is authenticate that Server B is indeed Server B calling the service on Server A, thus preventing any spoofing or DNS subversion issues, which could result in the service at Server A being illegally accessed.
My thinking is that I need to create a certificate for Server B to which Server A holds the public key to validate it? If this is the case Server B already has a wildcard SSL certificate installed on it as it serves various applications of ours as subdomains. Could this certificate be used for the WCF authentication?
None of the SO questions I've found seem to cover this, and all the various websites and book examples I've found aren't that clear. It's starting to look like WCF configuration is somewhat of a black art.
This is all built using .NET 4 and Visual Basic. Any help would be greatly appreciated.
This MSDN example has examples of how to configure netTcpBinding with certificates in both code and config. Just pick the scenario that suits you. The certificate should be issued by a public (commercial) certificate authority like VeriSign or Thawte so it will be trusted by your external host provider and your internal server.
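As an added illustration of the configuration the question asks about (this is not the MSDN sample and not the asker's own config), here is the shape of the service-side and client-side `system.serviceModel` sections for netTcpBinding with `mode="Transport"` and `clientCredentialType="Certificate"`. Names such as `MyNamespace.IMyService`, the host name `server-a.example.internal` and the thumbprint values are placeholders. The service side uses `PeerTrust`, so Server A accepts only a client certificate whose public part has been placed in its `LocalMachine\TrustedPeople` store, which is what ties the caller to Server B specifically rather than to "any certificate from a trusted CA".

```xml
<!-- ===== Server A: web.config of the WCF service (constructed example) ===== -->
<system.serviceModel>
  <bindings>
    <netTcpBinding>
      <binding name="tcpCertBinding">
        <security mode="Transport">
          <transport clientCredentialType="Certificate" />
        </security>
      </binding>
    </netTcpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="certServiceBehavior">
        <serviceCredentials>
          <!-- Server A's own certificate; its private key must be readable by the app pool identity.
               Thumbprint below is a placeholder. -->
          <serviceCertificate findValue="SERVER-A-THUMBPRINT-PLACEHOLDER"
                              storeLocation="LocalMachine" storeName="My"
                              x509FindType="FindByThumbprint" />
          <clientCertificate>
            <!-- PeerTrust: accept a client certificate only if that exact certificate (public part)
                 is installed in LocalMachine\TrustedPeople on Server A. Put Server B's certificate there. -->
            <authentication certificateValidationMode="PeerTrust"
                            trustedStoreLocation="LocalMachine"
                            revocationMode="NoCheck" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service name="MyNamespace.MyService" behaviorConfiguration="certServiceBehavior">
      <endpoint address="" binding="netTcpBinding" bindingConfiguration="tcpCertBinding"
                contract="MyNamespace.IMyService" />
    </service>
  </services>
</system.serviceModel>

<!-- ===== Server B: web.config of the ASP.NET client (constructed example) ===== -->
<system.serviceModel>
  <bindings>
    <netTcpBinding>
      <binding name="tcpCertBinding">
        <security mode="Transport">
          <transport clientCredentialType="Certificate" />
        </security>
      </binding>
    </netTcpBinding>
  </bindings>
  <behaviors>
    <endpointBehaviors>
      <behavior name="certClientBehavior">
        <clientCredentials>
          <!-- The certificate Server B presents; its private key must be readable by the client app pool identity. -->
          <clientCertificate findValue="SERVER-B-THUMBPRINT-PLACEHOLDER"
                             storeLocation="LocalMachine" storeName="My"
                             x509FindType="FindByThumbprint" />
          <serviceCertificate>
            <!-- How Server B checks Server A's certificate: full chain validation plus revocation. -->
            <authentication certificateValidationMode="ChainTrust" revocationMode="Online" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <client>
    <endpoint address="net.tcp://server-a.example.internal:808/MyService.svc"
              binding="netTcpBinding" bindingConfiguration="tcpCertBinding"
              contract="MyNamespace.IMyService" behaviorConfiguration="certClientBehavior">
      <identity>
        <!-- Must match the subject name of Server A's certificate. -->
        <dns value="server-a.example.internal" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
```

Two checks worth making before trying the wildcard certificate the question mentions as the client credential: the certificate must carry the Client Authentication enhanced key usage (1.3.6.1.5.5.7.3.2) if it carries any EKU at all, and the app pool identity on Server B must have read access to its private key. Whatever certificate Server B presents, only its public part is exported to Server A's TrustedPeople store; the private key never leaves Server B.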
Related
I have a working WCF Service, that does what it should do, hosted by an IIS.
Now in another environment, this service shall be used as ever, but IIS should additionally require a client certificate for allowing to access.
So I generated some certificates, used iisClientCertificateMappingAuthentication to configure them and map them to users. So I can control which users can access the website and I see to what user the certificates are mapped in the FailedReqLogFiles.
Then I added a sub directory, put the WCF application in there, converted it to an application with an app pool and there the pain began.
The WCF Service is determined to demand that 'Anonymous authentication' must be activated. When I activate anonymous authentication, the service can be invoked, but from then on, it doesn't matter which certificate is used for authentication.
I googled tons of articles and tried lots of configurations, but didn't succeed so far. I must admit I'm not very familiar with WCF; this always drove me crazy. I simply do not understand why an application deals with the way the web server handles security (it's similar to adding SSL: when WCF is not configured properly, IIS shows 404; that's also one thing I do not understand, why WCF is interfering with the way IIS exposes content to the world...).
Hope there's someone who could give advice, thank you very much in advance.
Regards, Chris
You could try the settings below in IIS to resolve the issue:
1) Open IIS Manager and select your site.
2) Select SSL Settings from the middle pane.
3) In SSL Settings, check Require SSL and select the Accept radio button under Client certificates.
4) Click Apply and restart IIS.
You could refer to the links below for how to set up iisClientCertificateMappingAuthentication with WCF:
WCF Service Using Client Certificates Requires Anonymous Access in IIS and Therefore Doesn't Actually Work?
How do I implement Client Certificate authentication the right way?
https://learn.microsoft.com/en-us/iis/configuration/system.webServer/security/authentication/iisClientCertificateMappingAuthentication/
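To make the IIS-side steps above concrete, here is an added, constructed configuration (not the answerer's and not from the linked Microsoft page) showing the IIS settings in their `system.webServer` form together with the WCF binding that pairs with them. Because the question reports that with anonymous authentication switched on "it doesn't matter which certificate is used", the example does not rely on the IIS mapping alone: the WCF `clientCertificate` authentication element with `PeerTrust` makes the service itself reject any certificate that is not in the machine's TrustedPeople store. User name, certificate blob and contract names are placeholders.

```xml
<!-- Constructed example. The iisClientCertificateMappingAuthentication and anonymousAuthentication
     sections are locked at server level by default, so they belong in applicationHost.config under a
     <location path="Site/WcfApp"> element (or the sections must be unlocked before web.config may set them). -->
<system.webServer>
  <security>
    <!-- Require SSL and require (not merely accept) a client certificate for this application. -->
    <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
    <authentication>
      <!-- Anonymous stays enabled because the WCF transport-certificate scheme hosted in IIS expects it;
           the certificate itself is enforced by WCF below, not by the anonymous switch. -->
      <anonymousAuthentication enabled="true" />
      <windowsAuthentication enabled="false" />
      <iisClientCertificateMappingAuthentication enabled="true"
                                                 oneToOneCertificateMappingsEnabled="true"
                                                 manyToOneCertificateMappingsEnabled="false">
        <oneToOneMappings>
          <!-- certificate = base64 of the client's public certificate (placeholder);
               password is stored encrypted by IIS when set through appcmd or the UI. -->
          <add enabled="true" userName="DOMAIN\svc_wcf_client"
               password="PASSWORD-PLACEHOLDER"
               certificate="BASE64-CLIENT-CERT-PLACEHOLDER" />
        </oneToOneMappings>
      </iisClientCertificateMappingAuthentication>
    </authentication>
  </security>
</system.webServer>

<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="httpsClientCert">
        <!-- Transport security = HTTPS handled by IIS; client credential = the client certificate IIS negotiated. -->
        <security mode="Transport">
          <transport clientCredentialType="Certificate" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="pinnedClients">
        <serviceCredentials>
          <clientCertificate>
            <!-- Only certificates whose public part sits in LocalMachine\TrustedPeople are accepted,
                 independent of what IIS mapped the certificate to. -->
            <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="LocalMachine" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service name="MyNamespace.MyService" behaviorConfiguration="pinnedClients">
      <endpoint address="" binding="basicHttpBinding" bindingConfiguration="httpsClientCert"
                contract="MyNamespace.IMyService" />
    </service>
  </services>
</system.serviceModel>
```

With `SslRequireCert`, a caller without any certificate is turned away by IIS before WCF sees the request (an HTTP 403.7), and a caller with a certificate not in TrustedPeople is rejected by WCF, which is the behaviour the question was looking for. The Failed Request Tracing logs mentioned in the question remain the quickest way to see which of the two layers refused a call.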
I have a project consisting of a website (ASP.NET WebForms) and a desktop application (WinForms + WPF). Right now I'm designing a WCF Service to be hosted in IIS, that will be consumed by these applications. Service is authenticated by an Active Directory. Unfortunately in WCF all security related stuff needs a certificate to work.
On the development machine I know I can use a temporary certificate, but the problem is with production. The client server is accessible only from the intranet, so there is no SSL configured and no certificate (and it's not an option to buy one).
My question is: can I use an IIS Self-Signed Certificate on production? What are the disadvantages of this? Until now I have used WCF only for simple AJAX calls, and haven't played with the security stuff and certificates.
If SSL is handled by a load balancer, do I still need to configure it in the WCF serviceCertificate node? My scenario is to use message level security. If someone can explain how load balancing with WCF and SSL works, that would be very nice.
WCF requires security tokens to be passed over a secure transport if the message itself is not signed/encrypted. Since traffic is HTTP between your Big-IP and your individual web servers, you need a way to have security tokens that you know are secured between the client and the Big-IP up front still be passed to your server farm. There are a couple of ways to do that depending on what version of WCF you're using:
If you're using WCF 4.0 you can just create a custom binding and set the AllowInsecureTransport property on the built in SecurityBindingElement to signify that you don't care that the transport isn't secure.
If you're using WCF 3.5 you have to "lie" about security with a custom TransportSecurityBindingElement on the server side. You can read my old post about this here.
FWIW, they created a hotfix release for 3.5 SP1 that adds the AllowInsecureTransport to that version, but I don't know if your company will allow you to install custom hotfixes.
If you want to use message security then each message is encrypted and signed separately; there is no secure connection and the load balancer behaves as with any other HTTP transport. The load balancer doesn't know about security and doesn't need a certificate.
There are two gotchas:
All load balanced application servers hosting your WCF service must use the same certificate
You must ensure that your WCF binding doesn't use sessions (reliable, security), otherwise you will need a load balancing algorithm with sticky sessions (all requests for a single session always routed to the same server)
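The two gotchas above translate directly into binding settings. The following is an added, constructed configuration (not the answerer's) for wsHttpBinding with message security that avoids both the WS-ReliableMessaging session and the WS-SecureConversation session, so any server in the farm can handle any request, and that expects the same service certificate (with private key) to be installed on every server. Thumbprints, host names and contract names are placeholders.

```xml
<!-- ===== Service side, identical on every server in the farm (constructed example) ===== -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="msgSecNoSession">
        <!-- Gotcha 2: no reliable-messaging session, so no sticky routing is needed for it. -->
        <reliableSession enabled="false" />
        <security mode="Message">
          <!-- establishSecurityContext="false": no WS-SecureConversation session; every message is
               signed/encrypted on its own with the service certificate and the client's credential.
               negotiateServiceCredential="false": no multi-leg negotiation to fetch the service
               certificate; the client must already hold it (see client config). -->
          <message clientCredentialType="UserName"
                   negotiateServiceCredential="false"
                   establishSecurityContext="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="farmBehavior">
        <serviceCredentials>
          <!-- Gotcha 1: the same certificate and private key on every farm member, so a message
               encrypted for "the service" can be decrypted by whichever server receives it. -->
          <serviceCertificate findValue="SHARED-SERVICE-CERT-THUMBPRINT-PLACEHOLDER"
                              storeLocation="LocalMachine" storeName="My"
                              x509FindType="FindByThumbprint" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service name="MyNamespace.MyService" behaviorConfiguration="farmBehavior">
      <endpoint address="" binding="wsHttpBinding" bindingConfiguration="msgSecNoSession"
                contract="MyNamespace.IMyService" />
    </service>
  </services>
</system.serviceModel>

<!-- ===== Client side (constructed example) ===== -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="msgSecNoSession">
        <reliableSession enabled="false" />
        <security mode="Message">
          <message clientCredentialType="UserName"
                   negotiateServiceCredential="false"
                   establishSecurityContext="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <endpointBehaviors>
      <behavior name="farmClient">
        <clientCredentials>
          <serviceCertificate>
            <!-- Public part of the shared service certificate, installed on the client in TrustedPeople. -->
            <defaultCertificate findValue="SHARED-SERVICE-CERT-THUMBPRINT-PLACEHOLDER"
                                storeLocation="LocalMachine" storeName="TrustedPeople"
                                x509FindType="FindByThumbprint" />
            <authentication certificateValidationMode="PeerTrust" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <client>
    <!-- The load balancer's address; plain HTTP is fine because the protection is in the message. -->
    <endpoint address="http://farm.example.com/MyService.svc"
              binding="wsHttpBinding" bindingConfiguration="msgSecNoSession"
              contract="MyNamespace.IMyService" behaviorConfiguration="farmClient">
      <identity>
        <!-- Must equal the subject name of the shared service certificate. -->
        <dns value="farm.example.com" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
```

With `clientCredentialType="UserName"` the client sets `ClientCredentials.UserName.UserName` and `.Password` on the proxy in code; the service validates them through whatever `userNameAuthentication` mode its `serviceCredentials` declares (Windows by default). Since there is no session, each call costs one asymmetric operation per direction, which is the price paid for being free to route every request to any server.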
It doesn't. Don't bother with this. You will be in a world of hurt. Just install the certs on each machine. We've recently been through this fiasco. WCF is not worth the effort; it thinks it needs SSL but sees that it doesn't have it. Take a look at openrasta or something else if you want to do all your SSL on the loadbalancer. #microsoftfail
I have created and tested a WCF REST service that is protected with SSL and Windows Authentication through IIS 7. I have also created and tested a pure html/javascript web client that is hosted in IIS 7 that is protected with SSL and Windows Authentication -- same server, different "site" within IIS. The REST service is not public, but the web client is.
Without security, everything works beautifully, but now we are ready for field testing and security must be implemented.
My end goal is to have the user visit mywebclient.com and authenticate using their Active Directory accounts. Initially I thought it would be safe to leave the service calls from the client to the REST service unprotected (since the traffic from the web client to the web service would be internal), but this does not protect us from an internal attacker. Also, in the future, the REST services will be available to handhelds through native applications.
I've tried to gain as much information on this subject as possible, but every piece of Microsoft documentation contains client examples written in .NET.
How can I share the security context between these sites without converting the web client to a .NET-based application? Could this be accomplished by combining the web client and service into one IIS "site"?
Edit: If the client and service exist in the same app pool, does that mean they could share authentication information between client and server processes?
Here is my scenario:
I have a proxy that actually has the SSL Cert installed and this sits in front of a load balanced web farm. Each IIS server does not have SSL so I can't use transport security via wsHttp binding. I have not investigated basicHttp because we want to provide SOAP 1.2 going forward w/ this solution. In addition to this, my network team won't allow any use of certs to encrypt at the message level. (this alone would solve my dilemma I'm sure)
My security group has a requirement that we use Forms Authentication (membership provider).
The final solution must allow SSL via the front proxy, yet some type of WCF binding to keep complexity encapsulated in a config file.
I was working with a custom binding that allowed for username/password sent via clear text, but when I try to connect via https I get the usual "http expected" uri error.
How can I use SSL via the proxy to connect securely from client app to web service, but not have SSL installed on IIS and leverage the WCF stack + forms authentication?
I'm not new to WCF, but this very custom setup seems to have me unsure if the requirements allow for any type of "easy" solution.
Thank you in advance!
EDIT: I did finally get this working and decided to write a short blog post with complete source code required to write the custom binding.
I think this is similar to a problem many have had when wanting to provide WCF services over SSL when the actual service in IIS is behind an SSL-offloading device. In which case, the following two pages should help you out:
http://blog.hackedbrain.com/archive/2006/09/26/5281.aspx
http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/87a254c8-e9d1-4d4c-8f62-54eae497423f/
Basically you need to lie to WCF and say that the service is secure, even though the traffic will be conducted over HTTP (between the service and the proxy).
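Both this question (SSL terminated on a proxy, forms-authentication membership provider, SOAP 1.2, no message-level encryption) and the earlier load-balancer answer that mentions the WCF 4.0 `AllowInsecureTransport` property describe the same situation. The following is an added, constructed configuration (not the asker's blog post solution and not from the linked pages) showing how that property is expressed in config on .NET 4: a custom binding that carries the username token over plain HTTP behind the proxy while the client talks HTTPS to the proxy. Provider, contract and host names are placeholders.

```xml
<!-- ===== Service side, behind the SSL-offloading proxy (constructed example; .NET 4 or later) ===== -->
<system.serviceModel>
  <bindings>
    <customBinding>
      <binding name="userNameOverOffloadedSsl">
        <!-- UserNameOverTransport normally refuses to run over an insecure transport.
             allowInsecureTransport="true" is the config form of AllowInsecureTransport and tells WCF
             that the hop in front of it (the proxy) supplies the transport protection. -->
        <security authenticationMode="UserNameOverTransport" allowInsecureTransport="true" />
        <!-- SOAP 1.2 as required by the question. -->
        <textMessageEncoding messageVersion="Soap12WSAddressing10" />
        <!-- Plain HTTP between proxy and IIS; no certificate on the web servers. -->
        <httpTransport />
      </binding>
    </customBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="membershipAuth">
        <serviceCredentials>
          <!-- The WS-Security UsernameToken is checked against the same membership provider
               that forms authentication uses; provider name is a placeholder. -->
          <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
                                  membershipProviderName="MySqlMembershipProvider" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service name="MyNamespace.MyService" behaviorConfiguration="membershipAuth">
      <endpoint address="" binding="customBinding" bindingConfiguration="userNameOverOffloadedSsl"
                contract="MyNamespace.IMyService" />
    </service>
  </services>
</system.serviceModel>

<!-- ===== Client side (constructed example) ===== -->
<system.serviceModel>
  <bindings>
    <customBinding>
      <binding name="userNameOverHttps">
        <security authenticationMode="UserNameOverTransport" />
        <textMessageEncoding messageVersion="Soap12WSAddressing10" />
        <!-- The client really does use HTTPS, so no allowInsecureTransport is needed here. -->
        <httpsTransport />
      </binding>
    </customBinding>
  </bindings>
  <client>
    <!-- Address of the proxy that holds the SSL certificate. -->
    <endpoint address="https://proxy.example.com/MyService.svc"
              binding="customBinding" bindingConfiguration="userNameOverHttps"
              contract="MyNamespace.IMyService" />
  </client>
</system.serviceModel>
```

Because the client addresses `https://proxy.example.com/...` while IIS listens on `http://...`, the WS-Addressing `To` header will not match the service's listen address; decorating the service class with `[ServiceBehavior(AddressFilterMode:=AddressFilterMode.Any)]` (VB syntax) makes the dispatcher accept such messages, which is the WCF-side counterpart of the "http expected" error the question mentions. The security trade-off of this design is exactly what the answer above calls lying to WCF: the username and password travel in clear text on the proxy-to-IIS leg, so that network segment has to be trusted and kept private for the arrangement to be sound.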