Restricting WCF TCP endpoint to Administrators - authentication

How do I restrict access of a remotely-accessible WCF endpoint to a local/domain administrator?
Edit: After adding [PrincipalPermission(SecurityAction.Demand, Name = "AdminUser")] to my WCF channel method implementation, trying to call the service method from my client throws a SecurityAccessDeniedException, which is progress.
How do I let Windows prompt the user for new user details (or a security token) so I can reinitiate the WCF connection as the correct user?

You can do this with the PrincipalPermissionAttribute added to the methods declared in your WCF service.
See this link: How to: Restrict Access with the PrincipalPermissionAttribute Class
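The approach in the answer above, as an added example that is not part of the original post: a NetTcpBinding service whose only operation is restricted to members of the local Administrators group, plus a client that handles the SecurityAccessDeniedException from the question by asking for other credentials and opening a fresh channel with them. IAdminService/AdminService, the endpoint address and the promptForCredentials callback are placeholder names; the prompt itself (a dialog, a console read) is left to the caller.

```csharp
// Added example, not code from the original post. IAdminService/AdminService,
// the address and promptForCredentials are placeholders.
using System;
using System.Net;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

[ServiceContract]
public interface IAdminService
{
    [OperationContract]
    string WhoAmI();
}

public class AdminService : IAdminService
{
    // Role rather than Name: Name = "AdminUser" matches exactly one account
    // string, while the group covers every local or domain account that is a
    // member. The group is resolved because the host uses
    // PrincipalPermissionMode.UseWindowsGroups.
    [PrincipalPermission(SecurityAction.Demand, Role = @"BUILTIN\Administrators")]
    public string WhoAmI()
    {
        return ServiceSecurityContext.Current.WindowsIdentity.Name;
    }
}

public static class AdminHost
{
    public static ServiceHost Open(string address)
    {
        // Transport security with Windows credentials: the caller is
        // authenticated by Kerberos/NTLM and the stream is signed and encrypted.
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        binding.Security.Transport.ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign;

        var host = new ServiceHost(typeof(AdminService), new Uri(address));
        host.AddServiceEndpoint(typeof(IAdminService), binding, "");
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;
        host.Open();
        return host;
    }
}

public static class AdminClient
{
    // Tries the call as the current process identity first; if the service
    // denies it, asks the caller for other credentials and opens a fresh
    // channel with them (credentials cannot be changed on an opened factory).
    public static string WhoAmI(string address, Func<NetworkCredential> promptForCredentials)
    {
        ChannelFactory<IAdminService> factory = NewFactory(address);
        try
        {
            return factory.CreateChannel().WhoAmI();
        }
        catch (SecurityAccessDeniedException)
        {
            factory.Abort();
            factory = NewFactory(address);
            factory.Credentials.Windows.ClientCredential = promptForCredentials();
            return factory.CreateChannel().WhoAmI();
        }
        finally
        {
            if (factory.State == CommunicationState.Opened) factory.Close();
            else factory.Abort();
        }
    }

    private static ChannelFactory<IAdminService> NewFactory(string address)
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        return new ChannelFactory<IAdminService>(binding, new EndpointAddress(address));
    }
}
```

Two caveats when testing this: the demand is evaluated against the token the service receives, so a local (non-domain) administrator account connecting remotely typically gets a UAC-filtered token and fails the role check unless remote UAC filtering is disabled on that machine, and a domain account only authenticates with Kerberos if the endpoint's identity (SPN/UPN) is right, otherwise WCF falls back to NTLM.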

Related

Form Authentication on NetTcpBinding in WCF service

I am using a WCF service which has two endpoints, WsHttpBinding and NetTcpBinding, and the service uses Forms Authentication. The service is hosted on IIS 7.
This works perfectly with WsHttpBinding, but fails for NetTcpBinding.
It fails on the statement below:
FormsAuthentication.SetAuthCookie("COOKIENAME", false);
And the exception is :
Object reference not set to an instance of an object.
Please share your ideas on this.
Forms Authentication requires cookies/session, which are not supported by the protocol itself.
So, Forms authentication cannot be implemented on the NetTcpBinding of a WCF service.
Option 1:
As an Alternative:
Add references to System.IdentityModel & System.IdentityModel.Selectors as well as the WCF assemblies.
Set the security mode to Message on your binding
Set the Message.ClientCredentialType to MessageCredentialType.UserName
Create a type derived from UserNamePasswordValidator and implement the only method. You should throw a SecurityTokenException if the user name / password pair does not validate.
On your service host instance's Credentials property, set:
UserNameAuthentication.UserNamePasswordValidationMode to UserNamePasswordValidationMode.Custom
UserNameAuthentication.CustomUserNamePasswordValidator to a new instance of your UserNamePasswordValidator-derived class.
Set a service certificate with ServiceCertificate.SetCertificate()
As for the client-side credentials dialog, you can either make one yourself and on your proxy set proxy.ClientCredentials.UserName.UserName & proxy.ClientCredentials.UserName.Password before you open the proxy / use it the first time. Or you can check out how you can implement the System.ServiceModel.Dispatcher.IInteractiveChannelInitializer to create your own interactive initialization UI.
Option 2:
Another alternative, which sounds more like what you want to do: Passing FormsAuthentication cookie to a WCF service
Why did I provide an answer to an old post? Because someone might be looking for an answer. Hope this helps.
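The Option 1 steps above, wired up end to end as an added example (this is not code from the original answer). It puts message security with a UserName credential on a NetTcpBinding, installs a custom UserNamePasswordValidator on the host, sets the service certificate, and shows a client setting the user name and password on its proxy. IOrderService/OrderService, the certificate subject "orders.example" and the user store are placeholder names; the store is a constructed stand-in for a real credential database.

```csharp
// Added example, not code from the original answer. Names and the user store
// are placeholders; "orders.example" is assumed to be the service cert subject.
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Text;

[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string Ping();
}

public class OrderService : IOrderService
{
    public string Ping()
    {
        // After Validate() succeeds the user name is the caller's primary identity.
        return "hello " + ServiceSecurityContext.Current.PrimaryIdentity.Name;
    }
}

public class StoreBackedValidator : UserNamePasswordValidator
{
    private static readonly byte[] Salt = Encoding.UTF8.GetBytes("demo-salt-use-per-user-salts");
    // Constructed store: user -> PBKDF2 hash of the password.
    private static readonly Dictionary<string, byte[]> Users = new Dictionary<string, byte[]>
    {
        { "alice", Derive("correct horse battery staple") }
    };
    private static readonly byte[] Dummy = Derive("dummy");

    private static byte[] Derive(string password)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, Salt, 100000))
            return kdf.GetBytes(32);
    }

    public override void Validate(string userName, string password)
    {
        if (userName == null || password == null)
            throw new SecurityTokenException("Missing credentials.");
        byte[] expected;
        bool known = Users.TryGetValue(userName, out expected);
        // Always derive and compare, so an unknown user costs the same time as a bad password.
        byte[] actual = Derive(password);
        byte[] reference = known ? expected : Dummy;
        int diff = 0;
        for (int i = 0; i < actual.Length; i++) diff |= actual[i] ^ reference[i];
        if (!known || diff != 0)
            throw new SecurityTokenException("Unknown user or bad password.");
    }
}

public static class OrderHost
{
    public static ServiceHost Open(string address)
    {
        var binding = new NetTcpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        var host = new ServiceHost(typeof(OrderService), new Uri(address));
        host.AddServiceEndpoint(typeof(IOrderService), binding, "");

        var auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        auth.CustomUserNamePasswordValidator = new StoreBackedValidator();
        // The service certificate is what encrypts the UserName token in transit.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "orders.example");
        host.Open();
        return host;
    }
}

public static class OrderClient
{
    public static string Ping(string address, string user, string password)
    {
        var binding = new NetTcpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        // The DNS identity must match the subject of the service certificate.
        var endpoint = new EndpointAddress(new Uri(address), EndpointIdentity.CreateDnsIdentity("orders.example"));
        var factory = new ChannelFactory<IOrderService>(binding, endpoint);
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;
        // Validate the service certificate against the machine's trusted roots.
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;
        try { return factory.CreateChannel().Ping(); }
        finally { if (factory.State == CommunicationState.Opened) factory.Close(); else factory.Abort(); }
    }
}
```

Two points worth checking in a real deployment: the validator runs on every request, so the PBKDF2 cost (and a cache, if you add one) is a denial-of-service surface, and the client's CertificateValidationMode must never be left at None, because the certificate is the only thing that stops a man in the middle from collecting the password.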

WCF client authentication on server side

I have the following structure on my client.
WindowsIdentity wi = WindowsIdentity.GetCurrent();
IntPtr token = wi.Token;
The next step is to send the authentication token to the server through WCF and impersonate the user there.
api.SendToken(token);
...
...
...
But as soon as I receive the token on the server side and try to build a WindowsIdentity, it throws an error:
WindowsIdentity newId = new WindowsIdentity(token);
Invalid token for impersonation - it cannot be duplicated.
Could you guys please help me to figure out what I am doing wrong and share your ideas how do I pass token from client to server.
Thanks!
WCF already has built-in plumbing to support Windows impersonation. Is there a reason you're trying to roll your own?
UPDATE to avoid link-only answers (ahhh, errors of my youth...)
Here are the basic steps needed to configure the built in WCF impersonation
Only some bindings support Windows authentication. The WSHttpBinding is the most common one to support it but others may support it too.
On the service contract, use the OperationBehavior attribute on the method that requires impersonation:
[OperationBehavior(Impersonation=ImpersonationOption.Required)]
public string SomeMethod(string aParameter) { ... }
For the client, it is simplest to create a custom class inheriting from the ClientBase class. All service reference types inherit from this class. Here is an example of the client code:
var client = new SomeClientBaseDerivedType("TheServiceEndpoint");
client.ClientCredentials.Windows.AllowedImpersonationLevel =
System.Security.Principal.TokenImpersonationLevel.Impersonation;
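The built-in impersonation described in the answer above, carried through as an added example (not code from the original answer): the operation is marked Impersonation.Required, the host uses Windows message credentials on WSHttpBinding, and the client allows the Impersonation level. The service then opens a file as the caller, so the file's ACL, not the host account's rights, decides the outcome. IFileService/FileService and the C:\ServiceData\ root are placeholder names.

```csharp
// Added example, not code from the original answer. IFileService/FileService
// and the Root directory are placeholders.
using System;
using System.IO;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IFileService
{
    [OperationContract]
    string ReadFirstLine(string relativePath);
}

public class FileService : IFileService
{
    private static readonly string Root = @"C:\ServiceData\";

    // WCF switches the thread to the caller's token for the duration of this
    // call, so the file ACL is evaluated against the client, not the host account.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string ReadFirstLine(string relativePath)
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
            throw new FaultException("Windows authentication is required.");
        // Confirm the thread really runs as the caller before touching anything.
        if (WindowsIdentity.GetCurrent().User != caller.User)
            throw new FaultException("Impersonation did not take effect.");

        // Impersonation is not a substitute for input validation: keep the
        // path inside the service's root before the ACL check even runs.
        string full = Path.GetFullPath(Path.Combine(Root, relativePath));
        if (!full.StartsWith(Root, StringComparison.OrdinalIgnoreCase))
            throw new FaultException("Path outside service root.");
        using (StreamReader reader = File.OpenText(full))
            return reader.ReadLine();
    }
}

public static class FileHost
{
    public static ServiceHost Open(string address)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        var host = new ServiceHost(typeof(FileService), new Uri(address));
        host.AddServiceEndpoint(typeof(IFileService), binding, "");
        host.Open();
        return host;
    }
}

public static class FileClient
{
    public static string ReadFirstLine(string address, string relativePath)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        var factory = new ChannelFactory<IFileService>(binding, new EndpointAddress(address));
        // Impersonation lets the service act as us on its own machine only.
        // Delegation would also let it reach a third machine with our identity,
        // so grant that only to services that genuinely need it.
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
        try { return factory.CreateChannel().ReadFirstLine(relativePath); }
        finally { if (factory.State == CommunicationState.Opened) factory.Close(); else factory.Abort(); }
    }
}
```

The "Invalid token for impersonation" error in the question is what this replaces: a raw token handle is only meaningful inside the process that owns it, whereas here the client's credentials are re-established on the server by the Windows authentication exchange. If the client leaves AllowedImpersonationLevel at Identification, an operation marked Impersonation.Required fails, and the host account needs the impersonate privilege (service accounts normally have it).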

I implemented an authenticate method in WCF and want to know how the security context gets automatically loaded before each request to the WCF service

I am new to authentication and authorization concepts. I wrote an authenticate method in my WCF service. Methods in the WCF service should get called only by authenticated users with specific roles. How does the security context automatically get loaded before each request to the WCF service?
Since you are looking to reach the authenticated identity, the following link should be helpful:
http://msdn.microsoft.com/en-us/library/aa347790.aspx
EDIT: If you want to automate this, you should write a wrapper for your service host (i.e: a class that inherits from ServiceHost) to encapsulate that inside your service host rather than having to write it over and over again.

Security to Wcf Service hosted on windows service with NetNamedPipeBinding

I have created a WCF service which is hosted in a Windows service over the NetNamedPipeBinding protocol. Now I want to provide security for this service, so that only users with known usernames and passwords should access it. So how do I provide method-level authentication for users accessing this service?
NetNamedPipeBinding doesn't support message-level security out of the box. That would require a custom binding. NetNamedPipeBinding works only when both service and client are running on the same machine, so there is an assumption that if a user has permission to log in and the service is running, she also has permission to call it. If you need to restrict the users who can call the service you can always use a custom authorization manager or role-based security.
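Both the previous answer (wrap the check in a ServiceHost subclass so it is not written over and over) and this one (a custom authorization manager on a named-pipe endpoint) point at the same mechanism, so here is one added example for both; it is not code from either answer. A ServiceHost subclass installs a ServiceAuthorizationManager that checks every incoming call against a per-operation list of Windows groups before the operation body runs. IMaintenance, the group names and the action URIs are placeholders.

```csharp
// Added example, not code from the original answers. IMaintenance, the groups
// and the action URIs are placeholders.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;

public static class MaintenanceActions
{
    public const string Status = "urn:example:maint/IMaintenance/Status";
    public const string Reindex = "urn:example:maint/IMaintenance/Reindex";
}

[ServiceContract(Namespace = "urn:example:maint")]
public interface IMaintenance
{
    [OperationContract(Action = MaintenanceActions.Status)]
    string Status();

    [OperationContract(Action = MaintenanceActions.Reindex)]
    void Reindex();
}

public class Maintenance : IMaintenance
{
    public string Status() { return "ok"; }
    public void Reindex() { /* privileged work */ }
}

// Runs before the operation is dispatched. Returning false makes WCF reply
// with an access-denied fault, so the method body never executes.
public class GroupAuthorizationManager : ServiceAuthorizationManager
{
    private readonly IDictionary<string, string[]> _allowedGroups;

    public GroupAuthorizationManager(IDictionary<string, string[]> allowedGroups)
    {
        _allowedGroups = allowedGroups;
    }

    protected override bool CheckAccessCore(OperationContext context)
    {
        // Named pipes always carry the caller's Windows identity (transport security).
        WindowsIdentity caller = context.ServiceSecurityContext.WindowsIdentity;
        if (caller == null || caller.IsAnonymous) return false;

        string action = context.IncomingMessageHeaders.Action;
        string[] groups;
        // The table is an allow-list: operations not listed are denied.
        if (action == null || !_allowedGroups.TryGetValue(action, out groups)) return false;

        var principal = new WindowsPrincipal(caller);
        foreach (string group in groups)
            if (principal.IsInRole(group)) return true;
        return false;
    }
}

// The wrapper the earlier answer suggests: every service hosted this way gets
// the same per-request check without repeating it in each operation.
public class AuthorizedPipeHost : ServiceHost
{
    public AuthorizedPipeHost(Type serviceType, IDictionary<string, string[]> allowedGroups, Uri baseAddress)
        : base(serviceType, baseAddress)
    {
        Authorization.ServiceAuthorizationManager = new GroupAuthorizationManager(allowedGroups);
    }
}

public static class MaintenanceHostExample
{
    public static ServiceHost Open()
    {
        var policy = new Dictionary<string, string[]>
        {
            { MaintenanceActions.Status,  new[] { @"BUILTIN\Users" } },
            { MaintenanceActions.Reindex, new[] { @"BUILTIN\Administrators", @"MACHINE\MaintOps" } }
        };
        var host = new AuthorizedPipeHost(typeof(Maintenance), policy, new Uri("net.pipe://localhost/maint"));
        host.AddServiceEndpoint(typeof(IMaintenance), new NetNamedPipeBinding(), "");
        host.Open();
        return host;
    }
}
```

Keying the policy on the SOAP Action rather than on method names keeps it independent of the contract class, but it means every operation must have an explicit, stable Action; with the defaults WCF derives the action from the namespace and operation name, which changes if either is renamed.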

WCF ticket-based authentication

I am writing a WCF service that uses the wsHttpBinding binding, which is not hosted in IIS but in a Windows Service. I want to have a Login(user, pass) method in the service, which will give a ticket to the client if the user is valid.
Can anyone help me understand how to implement ticket-based authentication in WCF? Is there any standard mechanism, or do I have to implement my own? I also want to store other data for each user in the service as well.
I found the solution. I don't know whether there are any standard mechanisms or not, but the post here helped me solve the problem...
http://blogs.microsoft.co.il/blogs/bursteg/archive/2006/04/23/141.aspx
I just return a ticket from the login method if the user is valid, and send that token in the message header on every call, where it can be checked in the other service calls.
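The scheme the answer describes, as an added example (not the linked post's code or the original answer's): Login returns a random ticket, the service keeps a session table keyed by that ticket (which is also where the per-user data the question asks about lives), the client sends the ticket in a custom SOAP header, and every other operation looks it up before doing anything. ITicketService, the header name/namespace and the password check are placeholders; the password check is a constructed stand-in for a real user store.

```csharp
// Added example, not code from the original answer or the linked post.
// ITicketService, the header name and the password check are placeholders.
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.Threading;

[ServiceContract]
public interface ITicketService
{
    [OperationContract]
    string Login(string user, string password);

    [OperationContract]
    string GetProfile();   // requires the ticket header
}

public class Session
{
    public string User;
    public DateTime Expires;
    public int Calls;      // example of per-user state kept with the ticket
}

public class TicketService : ITicketService
{
    public const string HeaderName = "Ticket";
    public const string HeaderNs = "urn:example:auth";
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(20);
    private static readonly ConcurrentDictionary<string, Session> Sessions =
        new ConcurrentDictionary<string, Session>();

    public string Login(string user, string password)
    {
        if (!CheckPassword(user, password))
            throw new FaultException("Invalid user name or password.");
        // 256 bits from the CSPRNG: unguessable, and it carries no claims, so
        // there is nothing for a client to tamper with; the session table is
        // the only thing that gives it meaning.
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string ticket = Convert.ToBase64String(bytes);
        Sessions[ticket] = new Session { User = user, Expires = DateTime.UtcNow + Lifetime };
        return ticket;
    }

    public string GetProfile()
    {
        Session s = RequireSession();
        int calls = Interlocked.Increment(ref s.Calls);
        return s.User + " has made " + calls + " calls";
    }

    // Called at the top of every operation except Login.
    private static Session RequireSession()
    {
        MessageHeaders headers = OperationContext.Current.IncomingMessageHeaders;
        int index = headers.FindHeader(HeaderName, HeaderNs);
        if (index < 0) throw new FaultException("Missing ticket.");
        string ticket = headers.GetHeader<string>(index);

        Session s;
        if (!Sessions.TryGetValue(ticket, out s)) throw new FaultException("Invalid ticket.");
        if (s.Expires <= DateTime.UtcNow)
        {
            Sessions.TryRemove(ticket, out s);
            throw new FaultException("Ticket expired.");
        }
        return s;
    }

    private static bool CheckPassword(string user, string password)
    {
        // Constructed stand-in; a real service verifies a salted hash.
        return user == "alice" && password == "correct horse battery staple";
    }
}

public static class TicketClient
{
    public static string GetProfile(string httpsAddress, string user, string password)
    {
        // The ticket is a bearer credential: it must only travel over TLS.
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
        var factory = new ChannelFactory<ITicketService>(binding, new EndpointAddress(httpsAddress));
        ITicketService proxy = factory.CreateChannel();
        try
        {
            string ticket = proxy.Login(user, password);
            // OperationContextScope attaches outgoing headers to calls made on this proxy.
            using (new OperationContextScope((IContextChannel)proxy))
            {
                OperationContext.Current.OutgoingMessageHeaders.Add(
                    MessageHeader.CreateHeader(TicketService.HeaderName, TicketService.HeaderNs, ticket));
                return proxy.GetProfile();
            }
        }
        finally { if (factory.State == CommunicationState.Opened) factory.Close(); else factory.Abort(); }
    }
}
```

Because the ticket is opaque and only meaningful against the server-side table, revoking a session is a TryRemove, and nothing about the user is exposed to the client. The trade-off is that the table lives in one process, so a service that is load-balanced or restarted needs a shared store behind Sessions, and expired entries should be swept periodically rather than only on use.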