In a WSE3.0 web service, in order for me to call any methods of the web service I needed to set the client credentials to a UsernameToken object. How is this done from the client application for a WCF service?
This totally depends on the security settings on your WCF service:
if you use Windows client credentials, you don't have to do anything; your Windows credentials will be passed to and checked by the WCF service automagically
if you use Certificates to secure your callers, you need to make sure the certificate is installed in the right place and the client is configured properly to send that certificate
if you use Username client credentials, then you need to set the user name and password in your WCF client code - and you can only set it in code, there's currently no way to configure this in config:
YourWCFClient.ClientCredentials.UserName.UserName = "Your-User-Name-Here";
YourWCFClient.ClientCredentials.UserName.Password = "top$secret";
I'm doing my school project, and in my case I have a client and 2 WCF cloud services in the Azure cloud; the first service then needs to call another service. The client (caller) needs to call the WCF service and verify the caller identity without login. What way can I use in this case? My idea is to use SSL authentication or IP to verify the caller identity. Is this method correct, or is there any suggested method for this case?
There are multiple options for authentication. As you indicated, you can use an SSL certificate to validate that the client is who you think they are (preferably SHA2 or above).
You can also whitelist by IP, as you also mentioned. This could cause problems later if there are multiple clients or their IP changes.
With WCF you can also use a Custom User Name and Password Validator where the client passes a user name and password in the request.
I think unless you have the option to use Windows auth, tokens would be the other option; that is more complicated, though. Using SSL or a User Name Validator is probably the easiest to set up.
Configuration:
IIS web app with Require SSL and accept client certificates.
Web app contains WCF service.
Requesting a page from the web app works, as well as requesting the WCF svc.
Calling WCF from a WCF client gives 406.13 with the same client certificate sent.
Same setup works on development and several other production servers.
Checked cert store trusted root for illegal certificates. ( issued by <> issued to )
Applied reg setting schannel (from MS solutions).
How is it possible that browser requests do not fail but WCF requests do?
Must be something IIS or Windows related, as the same code works on other machines.
Any way to get more info on why it thinks the client certificate is not trusted?
P.S. The WCF service method is never entered (as my own tracing shows nothing).
Maybe this SO answer might be of some help. CAPI2 event log is the place where you should find more information why WCF considers the client certificate not trusted. Enable it both on the client side and also on the server side.
We have a WCF service hosted in IIS. We would like to restrict the client callers to known clients, so we implemented a custom X509CertificateValidator. The service is configured with WSHttpBinding binding and IIS set to SSL and require client certificate. Everything is working as expected.
However, we found that we have other aspx pages hosted within the same site that should not require client certificate. It breaks our usage pattern.
I read that turning the IIS setting from Require Client Certificate to Accept Client Certificate does not work. I tried this out while still passing in the client cert from the client, and it seems to invoke my custom validator. However, using the WCF proxy library, I'm unable to call it without a client cert to verify not passing one in.
If "accept client certificate" is not an option, what is the best alternative? Adding some type of message inspector?
Thanks very much in advance.
I have successfully configured a WCF service that uses mutual certificate authentication with a WCF client over SSL.
For the mutual authentication over HTTPS the client and server both have certificates, and have exchanged their public keys out of band, so WCF is explicitly checking the client or server respectively to make sure the right certificate is used.
Problem:
I now need to expose an HTTP endpoint for a PHP client where the message will be encrypted manually at the client and decrypted manually at the WCF service.
Initially I had the 'Require SSL' setting set to 'Require' in IIS 7, but now I tried to change that to 'Accept' so that IIS would accept the non-https traffic and configured another wsHttpBinding endpoint with no security on the service. Both endpoints have relative addresses.
I am getting the following error:
The SSL settings for the service 'SslRequireCert' does not match those of the IIS 'SslNegotiateCert'.
Is what I am attempting to do possible with WCF and IIS? I thought it would be relatively simple to set up an additional endpoint with a different binding.
I have two WCF services using WsHttpBinding with transport security mutual certificate authentication that are being hosted on the same Windows server. Clients that can access one WCF service should not have access to the other WCF service. I need some help on configuring the client certificates on the Windows host. The client certificates are signed by trusted CAs and the intermediate and root certificate chain is already installed on the server. It seems like the service automatically relies on chain of trust and does not require the actual client certificates installed on the server at all before letting the client access the service - this is not the behavior I want. Can someone please tell me how I should be configuring these client certificates in order to explicitly allow access to one service and not the other?
Thanks.
That has nothing to do with the certificates themselves. When using mutual SSL authentication, certificates are used only to authenticate the client, and the authentication is done outside of your application (this is different from message security, where you can create a custom certificate validator). Once the certificate is trusted, the client is automatically authenticated to anything on the server using certificates for authentication.
You are looking for authorization - the step where you define what an authenticated client can do with your service. You can either hardcode your authorization logic into your service by using role-based security, or you can implement two custom ServiceAuthorizationManagers and assign each to a single service.
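The two-manager approach from the answer above, as an added example that is not part of the original answer. It assumes the client certificate surfaces as an `X509CertificateClaimSet` in the authorization context; the `Orders` and `Billing` service names are hypothetical and the thumbprints are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.ServiceModel;

// Added example: authorize callers per service by client certificate thumbprint.
public abstract class ThumbprintAuthorizationManager : ServiceAuthorizationManager
{
    private readonly HashSet<string> allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase);

    protected ThumbprintAuthorizationManager(params string[] thumbprints)
    {
        // Thumbprints copied from the certificate dialog often contain spaces.
        foreach (string t in thumbprints)
            allowed.Add(t.Replace(" ", string.Empty).Trim());
    }

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        ServiceSecurityContext ctx = operationContext.ServiceSecurityContext;
        if (ctx == null || ctx.IsAnonymous || ctx.AuthorizationContext == null)
            return false; // no authenticated caller at all

        foreach (ClaimSet claims in ctx.AuthorizationContext.ClaimSets)
        {
            var certClaims = claims as X509CertificateClaimSet;
            if (certClaims != null &&
                allowed.Contains(certClaims.X509Certificate.Thumbprint))
                return true;
        }
        // The chain was trusted (authentication), but this certificate is not
        // on this service's list (authorization).
        return false;
    }
}

// Hypothetical service names; one manager, and one allow list, per service.
public sealed class OrdersAuthorizationManager : ThumbprintAuthorizationManager
{
    public OrdersAuthorizationManager() : base("<THUMBPRINT-OF-ORDERS-CLIENT>") { }
}

public sealed class BillingAuthorizationManager : ThumbprintAuthorizationManager
{
    public BillingAuthorizationManager() : base("<THUMBPRINT-OF-BILLING-CLIENT>") { }
}
```

Each service's behavior then names its own manager through `<serviceAuthorization serviceAuthorizationManagerType="..."/>`, so a certificate trusted by the chain still gets access denied on the service whose list does not contain it.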