We have a webserver in a DMZ hosting an IIS website. The website talks to a middleware machine in a private domain, which is hosting WCF services.
When the webserver tries to communicate with the middleware machine via a TCP binding, we get the following error message,
The server has rejected the client credentials. The logon attempt
failed.
The website uses an AppPool account from the private domain (DMZ trusts private domain). Forms and Anonymous authentication are enabled.
My question is, would the middleware server be able to authenticate valid credentials (hopefully the appPool credentials), even through they originated from an untrusted domain (dmz)??
#marc_s is right in his comment. It's not just a WCF thing though. it's security in general.
Just look at it from a conceptual point: "authenticate valid credentials" is not what is happening. The middleware service gets credentials. The question is then if those credentials are valid or not. In order to determine validity it needs to known it or ask something that it trust to validate it for him. Asking an untrusted party doesn't work since you can't determine if the answer you get is a valid answer or not. In your case there is no place to determine if passed credentials are valid or just a random token.
If you want to allow unvalidated credentials to pass you should really remove the authentication/authorisation all together.
Related
I'm doing my school project and in my case, I have a client and 2 WCF cloud service in Azure cloud and the first service then needs to call another service. The client (caller) need to call the WCF service and verify the caller identity without Login, and what way can I use in this case, My idea is to use SSL Authentication or IP to verify the caller identity and is this method is correct or any suggestion method to this case?
There are multiple options for authentication. As you indicated you can use a SSL certificate to validate that the client is who you think they are (preferably SHA2 or above).
You can also white list by IP as you also mentioned. This could cause problems later if the there are multiple clients or their IP changes.
With WCF you can also use a Custom User Name and Password Validator where the client passes a user name and password in the request.
I think unless you have the option to use windows auth, tokens would be the other option, that is more complicated though. Using SSL or User Name Validator are probably the easiest to set up.
Scenario: We have a server located in a Windows Active Directory domain which implements a web service API, implemented with WCF and exposed via IIS 8 over HTTPS. The clients making requests to the web service are not located in the domain. However, they should be mapped to AD users via SSL client certificates. I.e., when making a HTTP request, they include a client certificate, and I want that certificate to be mapped to the corresponding AD user.
I know that IIS supports two ways of client certificate authentication, IIS Client Certificate Authentication and Client Certificate Authentication using Active Directory. I'd really like to use the AD approach in our scenario, as it makes the management of client certificates easier (we can map certificates to users in the AD rather than in the IIS configuration).
However, the docs linked above say that,
[Client Certificate Authentication using Active Directory] requires that the IIS 7 server and the client computer are members of an Active Directory domain [...]
This indicates that we cannot use this approach, since our client computers are not part of the AD domain. However, this doesn't really make sense to me. How would the server even know whether the client making an HTTPS request is in the same domain?
So, here's the question: Can we use Client Certificate Authentication using Active Directory with clients outside the AD domain or not?
We've now had the chance to implement and test our solution with a machine outside of the AD domain. Indeed, it works - the client computer does not have to be part of the domain, the documentation seems to be wrong here.
I have a server with SSL certificate and would like to implement a WCF service with username authentication. Can anyone point me to a simple current example?
I find lots that use the 509 certificate and I don't understand why that additional piece would be needed. I don't think I want to give the certificate I have for the SSL to the client either.
I think to use SSL is just setting up the web.config appropriately with wshttpbinding and using https: in the uri that calls the service.
In this case I will have only one or two users (applications at the client actually) that need to use the service so I don't see the overhead for building a database for the store for lots of login credentials or anything like that. I've read you can pass the credentials in the request header. I hope I can just have the service itself check them without tons of overhead.
I'm really struggling to get how a simple authenticate can work for a service but I know I need something in addition to the service being SSL encrypted.
Edit: Hummm having read more I get the impression that using https binding for the message circumvents any notion of username credentials without something mysterious with certificates going on. I hope I haven't wasted money on the ssl certificate for the server at this point.
Can the IP of the requestor be used to allow the service for a known client only?
If you only need a couple of users, then use the inbuilt Windows authentication - create Windows user accounts, put the right security option in your binding config and you're done. If you're using SOAP from a non-windows client you'll have to perform some tricks to make it communicate properly (typically we found using NTLM authentication from PHP client required the use of curl rather than the PHP SOAP client library, but I understand that if you use AD accounts this becomes much easier).
WCF docs have a full description of auth options for you.
I'm working on a project which requires delegation in a double-hop scenario. We have a desktop client, connecting to a WCF service using a net.tcp binding, connecting to a SQL database on another server. Our goal is to use the user's credentials to access the SQL database.
Both the WCF service and SQL database are running under the same domain user, which has delegation enabled for the SQL database. The instructions here have been followed, with no success.
Now, some details recorded in our logs:
The login used on the SQL database appears as the user the WCF service is running under, and uses Kerberos.
The login used on the WCF server appears as the client's user, but uses NTLM.
Using either [OperationBehavior(Impersonation = ImpersonationOption.Allowed)] or using (ServiceSecurityContext.Current.WindowsIdentity.Impersonate()) results in commands being run as the client, on the WCF server. This leads me to believe impersonation is working fine.
So, what could be causing the first hop to fall back to NTLM? We suspect it's a SPN issue, but we've registered the SPNs of both the WCF service and SQL service to the shared domain user. Also, as per the instructions listed above, we've set the SQL service as trusted for delegation on the domain user.
We've used EndpointIdentity.CreateSpnIdentity on the WCF service to set the SPN, and this is the SPN we've registered to the domain user.
Any suggestions? Thanks in advance!
Edit:
We've found something that may have been an issue - We had not used EndpointIdentity.CreateSpnIdentity on the client. After setting this we receive the error
“call to SSPI failed” with an inner exception of “target principle name is incorrect”. But the SPN we've set in the client and the server match, and both match the hostname of the service. If we set both the client and the server SPN to something completely different, or if the client's specified SPN does not match the server's SPN, authentication falls back to NTLM as it did before. We've done research into the error, but cannot find its cause. Any suggestions?
We've also performed packet captures of both cases - falling back to NTLM and when we receive the "call to SSPI failed" error. In both cases, similar packets are sent and received until, on one, NTLM is mentioned. On the other, a "TURN CHANNEL" packet is sent from the client to the server. The packets contain nothing human readable except the IP address of the server until either NTLM is mentioned, and the username and computer names are sent, or the "TURN CHANNEL" packet is sent, which contains what appears to be the SPN, and possibly the hostname. There doesn't appear to be any human readable error codes or error messages. Any suggestions on what to look for in the packets?
We found our error - the client was creating the connection using the IP address of the server. After switching the IP to a fully qualified domain name, the first hop consistently authenticates using Kerberos.
The IP address resolves to the same string we used in both SPNs, but I suppose the client checks if the connection string matches the portion of the SPN following the slash before performing any other checks.
We tested our results using both Network Service and our domain user, and as long as the SPN was registered to the computer or user respectively, there were no issues.
Hopefully this answer will save others some time and hassle!
Additional Note: While this enabled Kerberos authentication for all connections, we later discovered that this was unnecessary in our situation. Part of our connection to the database was not inside the impersonation using block, which was causing the table read to fail. We have since removed all delegation and SPN related code, and the database connection continued to work correctly. Our first hop is using NTLM. We're not exactly sure how the credentials are being used at the SQL server, as our connection appears to be exactly what is described as the double hop scenario, which should require Kerberos and delegation, but it's hard to argue with what's working. I suspect it may have something to do with the note located under delegation in this document:
When a client authenticates to the front-end service using a user name and password that correspond to a Windows account on the back-end service, the front-end service can authenticate to the back-end service by reusing the client’s user name and password. This is a particularly powerful form of identity flow, because passing user name and password to the back-end service enables the back-end service to perform impersonation, but it does not constitute delegation because Kerberos is not used. Active Directory controls on delegation do not apply to user name and password authentication.
If anyone has any other suggestions for the reason it's working, I'd love to hear them. However, I don't feel it's worth opening another question for.
First of all sorry for my English, its not my native language. I will try to describe my problem as much as I can.
I searched for a long time on the Internet for a solution where I can create a wcf service that can respond to requests of my clients with username and password required but without creating a certificate, using https or anything else that require a special configuration on the machine where my windows service will be installed.
Here is my point: I want to deploy an application to a lot of my customers. This application will have mobile devices and a server which will give some information to mobile device with the help of wcf. Each customer will have a server and many devices. I don't want that anyone on the web can have access to these information and for this reason, I must implement an authentication procedure with username and password for each request but I don't want to be forced to install a certificate, activate some https port on each machine when I sell a new copy of my application.
I've read that with wcf 4.0, there is a built-in system that can encrypt data and for this reason, I don't want the overhead of implementing anything else if possible.
My question is: Is that possible to have a secure solution considering my requirements and if yes, how can I do that?
If I really must create a certificate and use IIS, https or any other secure solution, it is possible to automate these things in a package that will be installed in a single click wizard into each server machine of my customers?
Thank you in advance for your time.
By default WCF doesnt allow transport of username credentials over http and hence have to use certificates to secure your transport layer. But if you are sure that you are fine with sending username credentials over the http channel then you can have a look at ClearUsernameBinding which gives you the flexibility of sending username credentials over http channel (consider the fact that someone can intercept your transport channel to get access to the credentials)
Also if you want to use certificates that have to be installed you can achieve that writing some code in c# and include that as part of your installation from your package. You can also configure everything from an msi like creating a virtual directory, deploying the application,etc..
what you are probably looking for is one of the wcf bindings that has message level security. You can put the user name and password into this message and not worry about them going across an http wire unencrypted(ie custom authentication). The defaults for WCF send user name and password as part of the http request in the header this is why it wants https.