Preventing Cross-Domain access to services with WCF - wcf

I have several WCF services in an ASP.NET application. I want to prevent applications from outside of my domain from accessing these services. Is there a configuration setting that allows me to block requests from outside of my domain?
Thank you!

What you want is authentication. Limiting access based on domain is not a secure manner of authentication.

If you don't want to expose services to the Internet, you should not host them on a public server. If you really need this, you should first look for a way to secure your services at the network level. For example, I guess ISA Server should be able to block requests to your services.

EDIT: This will prevent all non-authenticated users from getting to your services. If you need users in your domain who aren't authenticated to access the services, let me know and I'll update accordingly.
Are you using authentication in your ASP.NET application?
<system.web>
    ...
    <authentication mode="Forms">
        <forms protection="All" defaultUrl="login.aspx" ... />
    </authentication>
    ...
</system.web>
If so, your .svc files will be inaccessible until your users authenticate. If a non-authenticated user tries to access a .svc file, they will be redirected to your login page.
EDIT(2):
Since you need non-authenticated access to the services within your site, one thing you can consider is having a cookie that's sent to the user's machine upon the first visit to the site. The cookie could use a create date and some secret key to create a hash, and you can validate the hash on the server for each request. Requests from other sites wouldn't pass the cookie and your service would manually check to see if that cookie is there or not -- if it's not there, then the request is denied.
If your WCF services have ASP.NET compatibility enabled (true) and AspNetCompatibilityRequirementsMode set to Allowed or Required, you should have access to HttpContext and cookies. Here's more information about ASP.NET compatibility mode.
This may not be the most appropriate solution as I don't know your scenario and requirements. But hopefully this helps.
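As an added example (not code from the answer above), here is a C# version of the signed cookie it sketches: the value carries a creation timestamp and an HMAC-SHA256 over it under a server-side key, and the service verifies the MAC in constant time and rejects values older than a fixed age. SiteToken, Secret and MaxAge are assumed names; under ASP.NET compatibility mode the value would be read from HttpContext.Current.Request.Cookies and the request refused when Validate returns false.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

public static class SiteToken
{
    // Assumed: in a real deployment the key comes from protected configuration, not source.
    private static readonly byte[] Secret = Encoding.UTF8.GetBytes("replace-with-a-random-key");
    private static readonly TimeSpan MaxAge = TimeSpan.FromHours(12);

    // Cookie value format: "<unix-seconds>.<hex HMAC-SHA256 over those digits>"
    public static string Issue(DateTimeOffset issuedAt)
    {
        string ts = issuedAt.ToUnixTimeSeconds().ToString(CultureInfo.InvariantCulture);
        return ts + "." + Mac(ts);
    }
    // True only when the MAC verifies and the token is no older than MaxAge.
    public static bool Validate(string cookieValue, DateTimeOffset now)
    {
        if (string.IsNullOrEmpty(cookieValue)) return false;
        int dot = cookieValue.IndexOf('.');
        if (dot <= 0 || dot == cookieValue.Length - 1) return false;
        string ts = cookieValue.Substring(0, dot);
        string mac = cookieValue.Substring(dot + 1);
        // Check the MAC before trusting anything else in the value.
        if (!FixedTimeEquals(Mac(ts), mac)) return false;
        long seconds;
        if (!long.TryParse(ts, NumberStyles.None, CultureInfo.InvariantCulture, out seconds)) return false;
        DateTimeOffset issuedAt = DateTimeOffset.FromUnixTimeSeconds(seconds);
        return issuedAt <= now && now - issuedAt <= MaxAge;
    }
    private static string Mac(string data)
    {
        using (var hmac = new HMACSHA256(Secret))
        {
            byte[] digest = hmac.ComputeHash(Encoding.UTF8.GetBytes(data));
            return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
        }
    }
    // Constant-time comparison so response timing does not leak the expected MAC.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Issue(DateTimeOffset.UtcNow) produces the value to set on first visit; Validate(value, DateTimeOffset.UtcNow) is what each service operation calls, and it tells you only that this server issued the value recently, not which page sent the request.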

Related

IIS7 Post/Put/Patch/Delete WCF oData - Authentication Failure 401.3

After migrating from IIS6 to IIS7, all sites using a WCF oData service would prompt for credentials when attempting to make Post/Put/Patch/Delete requests. The user would be continually prompted for credentials until they cancelled the request. After cancelling the request, they would receive a 401.3 response from the server.
If a user is granted modify permission on the folder containing the *.svc file for the WCF oData service they are then authorized to make requests with those verbs. Asp.Net impersonation is not turned on.
The AppPool is running Integrated .Net 4 under a service account with modify permissions to the site's folders/files.
Update:
It seems this is as designed. Granting ServerName\Users modify access to the *.svc does resolve the issue. Addendum: Specifically, it looks like Domain Users or Authenticated Users needs modify rights to the *.svc.
Final update: changed the wording to make the question more general/easy to find for others
This is by design. If you disable impersonation, then NTFS ACLs are used to secure the resource. I know it seems odd at first, but some thought will lead you to an understanding that it is a reasonable approach given the constraints of this particular configuration. This behaviour is documented on MSDN.

low code, simplistic Azure Website security using windows live provider?

I have this webpage I need to secure on Azure. I want to be the only person who can access it. I don't need a fancy login or error page process. The page/site was formerly running on my home web server and so windows authentication via the web.config authentication tag was "really easy" to implement.
I'm looking at Azure Authentication models with STS, ACS, SAML, Federated... and truthfully am somewhat confused about what I need to do. Also, I'm wondering why MS did not offer a simple control panel interface to secure and maintain access to websites so we don't have to create services and custom web site code to manage all of this.
At a high level, what are the minimum steps I need to perform to accomplish this?
If you are the only one going to use the site, then I'm not sure you need to go through all that trouble.
But, on the other hand, doing what you want is not that complicated:
Get an ACS namespace
Install WIF in your machine
Run "Add STS Reference" in your web project and point to your ACS namespace
(look for Federation metadata endpoint)
Configure LiveID trust in ACS (or any other of the pre-provisioned IdPs)
Configure ACS to issue a token for your app
Since your needs are very simple, the default rules will probably work for you.
Here's an article that explains everything step-by-step.
You could use Forms Authentication which should be pretty straightforward to implement.
Set your application to use forms authentication in your web.config.
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="/myadminlogin.aspx" protection="All" path="/" timeout="120" />
</authentication>
Define the protected folders in your web.config.
<location path="secure">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Within your login area check a condition and set the auth cookie:
    'SET AUTH COOKIE (sessionID is the name stored in the forms ticket)
    FormsAuthentication.SetAuthCookie(sessionID, False)
Check the session on your protected page:
    'Compare against the same value that was written into the ticket
    If User.Identity.Name.ToString() = sessionID Then
        'Permit access
    End If

hosting wcf service on localhost iis

I am working on an Asp.Net application which will interact with WCF services that will be hosted on local machines on IIS.
In order to make these WCF services be hosted, what rights does the user have to have when they log in? Do they have to have Admin rights on the machine?
P.S.: I know that WCF services should not be hosted on individual local machines, so please do not start the discussion on that. All I want to know is what rights the logged-in user needs to have in order to make WCF services available to the application.
It really depends on how you set up the service. You can configure the website to allow anonymous access and set up your WCF binding to basicHttp binding with a security mode of None. That should allow any logged in user to run the site. This would NOT restrict users to only the one(s) logged in to the local machine, if that is what you are looking for.
You are dealing with two levels of security here. You will define your access in IIS to allow users to use the site. Then you will set up WCF service to allow the IIS site to access it. If you are using pass through authentication then you will need to authorize the individual users, perhaps with a local group?? Otherwise you need to authorize the identity that IIS is running the site under. So users do not need to be administrators, unless you specifically demand that role in IIS or WCF.

WCF ClientCredentials

please help. Half of the kingdom for a correct answer!!!
Is it possible to use WCF Windows authentication with the anonymous access option? My WCF service is deployed in the AD domain, and there are some clients outside of the domain. Can I use Windows authentication to get client credentials for users that are in the AD and at the same time allow access to users that are not in the domain? Thanks.
P.S. Sorry for poor English.
To do this you need to create a service configuration that exposes two different endpoints. One endpoint would use your current config. The new endpoint would be for the non-AD clients and you would configure it using the options listed here. For anonymous access, you could pick an unsecured client configuration. If your service host is IIS, you may need to have two different sites/applications because I believe enabling Windows authentication will disable anonymous access.
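As an added example (not the answer's own code), a self-hosted WCF service exposing the two endpoints the answer describes: one basicHttpBinding endpoint that requires Windows credentials and one with security mode None for clients outside the domain, with the operation reading ServiceSecurityContext to see which kind of caller it has. IWhoAmI, WhoAmIService and the base address are assumed names; in IIS the same bindings go into web.config, subject to the authentication-scheme caveat the answer mentions, and operations reachable over the anonymous endpoint should be limited to what an untrusted caller is allowed to do.

```csharp
using System;
using System.ServiceModel;

[ServiceContract]
public interface IWhoAmI
{
    [OperationContract]
    string WhoAmI();
}

public class WhoAmIService : IWhoAmI
{
    // Reports how the caller was authenticated; anonymous callers carry no Windows identity.
    public string WhoAmI()
    {
        var ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous) return "anonymous caller";
        return "Windows user " + ctx.WindowsIdentity.Name;
    }
}

public static class Program
{
    public static void Main()
    {
        // Assumed base address; both endpoints are addressed relative to it.
        var host = new ServiceHost(typeof(WhoAmIService), new Uri("http://localhost:8080/whoami"));

        // Endpoint 1: domain clients must present Windows credentials (negotiated over HTTP).
        var windowsBinding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        windowsBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        host.AddServiceEndpoint(typeof(IWhoAmI), windowsBinding, "windows");

        // Endpoint 2: no transport or message security, for clients outside the domain.
        var anonymousBinding = new BasicHttpBinding(BasicHttpSecurityMode.None);
        host.AddServiceEndpoint(typeof(IWhoAmI), anonymousBinding, "anonymous");

        host.Open();
        Console.WriteLine("Listening on .../whoami/windows and .../whoami/anonymous; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```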

IIS7 and Authentication problems

I've got a stock standard ASP.NET web site, deployed to our development machine (internal machine in our server room).
Now, this dev site can be accessed by both INTERNAL and EXTERNAL users. Now, in IIS6 we used to have it so that Anonymous Authentication was turned off and something else was turned on .. giving the users a popup modal box for username and password. I think they had to type some username or password that was defined in a web.config file? (not their website account username/password)
Now, with IIS7, when I turn Anon Auth off, and turn on Basic or Windows Auth, I get access to the site BUT it's trying to log me in with those credentials .. and not the account the user signed up with (using some stock standard asp.net webform page).
So ... is it possible to 'lock' the entire site and get the testers to get general access to the site .. which is different to their website username and password? Those usernames and passwords are for use in the site instead.
does that make sense?
cheers!
<authentication mode="Forms">
<forms loginUrl="~/Pages/Login.aspx" protection="Validation" timeout="1000000000" requireSSL="false" slidingExpiration="true" defaultUrl="Default.aspx">
</forms>
</authentication>
There is no authorization section.
Also, when I add 'Digest Auth' to IIS7 and enable that (and disable everything else), I get the pop up window (kewl!) but I'm not sure what credentials I need to pass in. Where can I define those credentials manually (so they are separate from the website's users)??
IIS7 integrated mode does not support the two-phase authentication that IIS6 does. Basically, IIS6 would perform its authentication (Windows), followed by ASP.NET performing its authentication (Forms). But with IIS7, everything is equal in integrated mode, so you can only have one or the other authentication method.
You can either convert the app pool to use classic mode or follow this workaround to get it working with Integrated mode.