using ssl in wcf service - wcf

I want to use SSL using security mode = transport.
Can I use it with following settings in my web config
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpointBinding">
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
</wsHttpBinding>
</bindings>
I am installing a root certificate on the server side and a temp certificate on the client side. Should this work with the current web settings?

Yes, if that's what you want to do:
you'll have SSL-enabled HTTPS transport
you're using the wsHttp binding
your users will be authenticated against the Windows domain (Active Directory)
This requires that your client and server are in the same common Windows domain, or at least in two Windows domains that are in a mutual trust relationship with one another (so that the service can authenticate the calling user against Active Directory).
This will not support anonymous callers, or callers from outside your Windows domain.
The question is: if it's really within your Windows domain and thus behind your corporate firewall, why are you using wsHttpBinding? NetTcpBinding would be much faster and more efficient in this scenario....
Marc

Related

Configuring a local network for WCF Security modes

I have several machines connected through a wireless router.
When I build a WCF Service in one of the machines with "Security mode = 'None'", then I don't have any problem building client applications that access and use that service from other machines.
But when I try to use a security mode, say "Security mode='Message'", then I start having problems, I get a SecurityNegotiationException: The caller was not authenticated by the service.
Each machine has its machine name, Windows user name and password. I allow peer-to-peer file access between them.
I'm using netTcpBinding this time.
Please, I need help here...
Have you set 'clientCredentialType' to 'Windows'? The configuration below assumes your service PC and client PC are in the same Windows domain.
<bindings>
<netTcpBinding>
<binding name = "mybinding">
<security mode="Message">
<message clientCredentialType="Windows"/>
</security>
</binding>
</netTcpBinding>
</bindings>

Accessing ServiceSecurityContext.Current.PrimaryIdentity.Name from within a WCF service

I'm very new to WCF, but I've searched this topic pretty thoroughly and haven't come up with a satisfactory answer, so here goes my question:
While within my WCF service, I need to access the user's username. From everything I've read, I should be able to get that from ServiceSecurityContext.Current.PrimaryIdentity.Name. However, instead of returning Domain\Username as I had hoped, it always returns NT AUTHORITY\NETWORK SERVICE. How can I get the actual Domain and Username of the individual that is logged in to the machine accessing my service?
Thanks.
Have you looked at the ServiceSecurityContext Class?
Represents the security context of a remote party. On the client, represents the service identity and, on the service, represents the client identity.
e.g.
ServiceSecurityContext.Current.WindowsIdentity.Name
...ensuring that you have your service set up to authenticate via Windows security.
To use Windows credentials, set the clientCredentialType to "Windows". Use wsHttpBinding, or netTcpBinding if it's within the LAN.
<bindings>
<netTcpBinding>
<binding name="WindowsCredentials">
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
</bindings>
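The two Windows-credential answers above (Marc's wsHttpBinding/Transport answer and the netTcpBinding one here) both end at the binding configuration. The following is an added example, not code from any of the posts: a self-hosted service that configures the same netTcpBinding transport security in code and then reads the caller's identity inside an operation, refusing anonymous callers and callers without Windows credentials instead of silently returning whatever identity happens to be in the context. The service name, contract, endpoint address and the group name in the role check are assumptions for illustration.

```csharp
// Added example (not from the original posts): a self-hosted WCF service that
// requires Windows credentials over netTcp transport security and reads the
// caller's identity inside an operation. Service name, contract, address and
// the group name used in the role check are assumptions for illustration.
using System;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IWhoAmIService
{
    [OperationContract]
    string WhoAmI();
}

public class WhoAmIService : IWhoAmIService
{
    public string WhoAmI()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;

        // No security context at all means the endpoint was configured without
        // client authentication (security mode None): refuse rather than guess.
        if (ctx == null || ctx.IsAnonymous)
            throw new FaultException("Caller is not authenticated.");

        // WindowsIdentity is populated only when clientCredentialType="Windows";
        // PrimaryIdentity is the generic view and works for other credential types too.
        WindowsIdentity win = ctx.WindowsIdentity;
        if (win == null || win.IsAnonymous)
            throw new FaultException("Caller did not present Windows credentials.");

        // Authorization on top of authentication: restrict the operation to
        // members of a domain group (group name is an assumption).
        var principal = new WindowsPrincipal(win);
        if (!principal.IsInRole(@"CONTOSO\ServiceUsers"))
            throw new FaultException("Caller is not authorized for this operation.");

        return win.Name; // DOMAIN\user of the caller, not of the host process
    }
}

public static class Program
{
    public static void Main()
    {
        // Programmatic equivalent of the <netTcpBinding> configuration above.
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;

        using (var host = new ServiceHost(typeof(WhoAmIService)))
        {
            host.AddServiceEndpoint(typeof(IWhoAmIService), binding,
                "net.tcp://localhost:8731/WhoAmI"); // address is an assumption
            host.Open();
            Console.WriteLine("Service running; press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

The explicit null and IsAnonymous checks are the part worth copying: with a misconfigured endpoint the context can be absent or anonymous, and an operation that just reads Name would then return a name that does not belong to the caller.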

WCF security in an internet scenario

I have a WCF service hosted in a Windows Service. Clients from various platforms will access the service. Now I would like to add a basic security mechanism. Ideally, the clients should use username/password for authentication.
Which binding settings do I have to use in this scenario and how can I authenticate the client? Interoperability is more important than a very secure solution. If possible the client should not be forced to use a certificate or something of the like. Additionally, authentication should not be strongly coupled with a SQL Server database. I would like to manually inspect the client credentials.
Thanks for your help
The best for your case can be BasicHttpBinding with security set to TransportWithMessageCredential and credential type set to UserName. In this case your service will be secured with HTTPS (requires server certificate for SSL which has to be trusted on clients) and authentication will be provided on message level with UserName Token Profile (SOAP header). You can implement your own password validator.
BasicHttpBinding configuration skeleton:
<bindings>
<basicHttpBinding>
<binding name="Secured">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName" />
</security>
</binding>
</basicHttpBinding>
</bindings>
If you don't want to use HTTPS you can create custom binding with HttpTransport, TextMessageEncoding and with security mode set to UserNameOverTransport. But you have to set allowInsecureTransport to true (be aware that there is some bug with WSDL generation in this setting).
Custom binding configuration skeleton:
<bindings>
<customBinding>
<binding name="Secured">
<security authenticationMode="UserNameOverTransport" allowInsecureTransport="true" />
<textMessageEncoding messageVersion="Soap11" />
<httpTransport />
</binding>
</customBinding>
</bindings>
See the Internet section of the Application Scenarios for guides on how to achieve this: CodePlex Application Scenarios

WCF - Preventing Unauthorized Clients

I have a WCF service that I only want my applications to have access to. My applications consist of a traditional web interface that uses JQuery and a Silverlight interface. Neither of these interfaces require the user to login.
Is there a way that I can tell a WCF service to only allow clients that originated from my domain? If so, how?
Thank you!
Yes, of course you can - just require Windows credentials (i.e. an Active Directory account in your domain) from your callers.
Anyone not authenticated against your domain will be rejected.
You can do this by specifying either netTcpBinding with transport security (if everything is behind a corporate firewall), or wsHttpBinding with message security:
<bindings>
<netTcpBinding>
<binding name="DomainUsersOnly">
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
<wsHttpBinding>
<binding name="HttpDomainUsersOnly">
<security mode="Message">
<message clientCredentialType="Windows" />
</security>
</binding>
</wsHttpBinding>
</bindings>
Now, all you need to do is reference one of those binding configurations in your endpoints:
<endpoint name="whatever"
address="......"
binding="netTcpBinding"
bindingConfiguration="DomainUsersOnly"
contract="IYourservice" />
and you should be good to go.
If all of your legitimate users are supposed to be on your internal corporate LAN (on the same subnet), then you could lock it down by IP address using an approach like this. You could also clamp it down to several specific IP masks that way if you wanted to.
But if you want to allow legitimate users to hit it from anywhere, then this is not a good approach. Authentication would be better in that case.
You could add a security restriction in IIS to only allow calls from the domain to the webservice.
Unless you consider windows auth (since requests are coming from your domain), the preferred way to do this would be at a different level, via firewalls. At that level, you can restrict incoming traffic to a known set of IP addresses. This will only go so far, since IPs can be spoofed, but this is an open service, so there you go. A better alternative would be both firewalls and windows auth.
Alternatively, you could check client IP addresses in WCF by querying OperationContext.Current.IncomingMessageProperties.
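The last answer mentions querying OperationContext.Current.IncomingMessageProperties for the client address. The following is an added example, not code from any of the answers: it reads the RemoteEndpointMessageProperty, checks the address against an allowlist of CIDR ranges (IPv4 or IPv6), and treats a missing property as a deny. The allowed ranges, contract and return value are constructed sample values. As the answers above point out, source addresses can be spoofed, so this complements Windows authentication or firewall rules rather than replacing them.

```csharp
// Added example (not from the original answers): reading the caller's address
// from OperationContext.Current.IncomingMessageProperties and checking it
// against an allowlist of CIDR ranges. Allowed ranges, contract and return
// value are constructed for illustration.
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;

public static class CallerAddressCheck
{
    // Constructed allowlist: the corporate LAN and one management host.
    private static readonly string[] AllowedCidrs = { "10.20.0.0/16", "192.0.2.10/32" };

    // True if the address lies inside the CIDR block (same address family only).
    public static bool InCidr(IPAddress address, string cidr)
    {
        string[] parts = cidr.Split('/');
        IPAddress network = IPAddress.Parse(parts[0]);
        int prefix = int.Parse(parts[1]);
        if (network.AddressFamily != address.AddressFamily) return false;

        byte[] a = address.GetAddressBytes();
        byte[] n = network.GetAddressBytes();
        for (int i = 0; i < a.Length; i++)
        {
            int bitsLeft = prefix - i * 8;
            if (bitsLeft <= 0) return true;                 // all prefix bits already matched
            int mask = bitsLeft >= 8 ? 0xFF : (0xFF << (8 - bitsLeft)) & 0xFF;
            if ((a[i] & mask) != (n[i] & mask)) return false;
        }
        return true;
    }

    public static bool IsAllowed(string remoteAddress)
    {
        IPAddress ip;
        if (!IPAddress.TryParse(remoteAddress, out ip)) return false;
        foreach (string cidr in AllowedCidrs)
            if (InCidr(ip, cidr)) return true;
        return false;
    }

    // Call at the top of an operation (or from an IDispatchMessageInspector).
    public static void EnforceForCurrentCall()
    {
        RemoteEndpointMessageProperty remote = null;
        OperationContext ctx = OperationContext.Current;
        if (ctx != null)
        {
            object value;
            if (ctx.IncomingMessageProperties.TryGetValue(RemoteEndpointMessageProperty.Name, out value))
                remote = value as RemoteEndpointMessageProperty;
        }

        // A missing property (transport that does not supply it) is treated as deny.
        if (remote == null || !IsAllowed(remote.Address))
            throw new FaultException("Caller address not permitted.");
    }
}

[ServiceContract]
public interface IReport { [OperationContract] string GetReport(); }

public class ReportService : IReport
{
    public string GetReport()
    {
        CallerAddressCheck.EnforceForCurrentCall();
        return "report body"; // constructed
    }
}
```

Note that the address WCF sees is the immediate peer: behind a reverse proxy or load balancer it is the proxy's address, so an allowlist like this only makes sense where the service is reached directly.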

WCF Authentication With SSL

I am very new to WCF and I have created a service to be consumed via a Windows Mobile app using the basicHttpBinding. I am now looking at how to implement encryption and authentication and I am not getting very far.
I have added the following to my server side service configuration (which I believe is correct):
<basicHttpBinding>
<binding name="SecurityByTransport">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName" />
<transport clientCredentialType="Certificate" />
</security>
</binding>
</basicHttpBinding>
Now after installing a temporary certificate on my IIS instance I can navigate to my service via https.
At this point I used Visual Studio's built-in tool for running svcutil.exe and generated my proxy, which connects just fine.
The issue I have is in the client config, in that the endpoint reference is using http and not https. If I change this I get the following error:
The provided URI scheme 'https' is invalid; expected 'http'.
Which obviously I do not want.
Also in my client config the security specified seems to be "None", is this right?
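The error quoted in the question is what a client sees when its binding's security mode does not match the scheme of the address. The following is an added example, not code from the question or from any answer on this page: a full .NET Framework client for a service using the basicHttpBinding/TransportWithMessageCredential/UserName configuration shown earlier on this page, built in code so the relationship between security mode and URI scheme is visible. The contract, address and credentials are assumptions, and a Windows Mobile client would need the same settings expressed through whatever subset of WCF it supports.

```csharp
// Added example (not from the original question): a client for a service that uses
// basicHttpBinding with TransportWithMessageCredential and UserName credentials.
// Contract, address and credentials are assumptions for illustration.
using System;
using System.ServiceModel;

[ServiceContract]
public interface IPing { [OperationContract] string Ping(); }

public static class ClientDemo
{
    // The binding's transport decides which URI scheme it accepts: a binding left
    // at security mode None reports "http" and rejects https:// addresses with
    // "The provided URI scheme 'https' is invalid; expected 'http'".
    public static string SchemeFor(BasicHttpSecurityMode mode)
    {
        return new BasicHttpBinding(mode).Scheme;
    }

    public static void Main()
    {
        Console.WriteLine("None -> " + SchemeFor(BasicHttpSecurityMode.None));
        Console.WriteLine("TransportWithMessageCredential -> " +
            SchemeFor(BasicHttpSecurityMode.TransportWithMessageCredential));

        // Client binding must mirror the server: HTTPS transport plus UserName message credential.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;

        var factory = new ChannelFactory<IPing>(binding,
            new EndpointAddress("https://service.example.test/ping")); // assumed address
        factory.Credentials.UserName.UserName = "alice";               // constructed
        factory.Credentials.UserName.Password = "correct horse battery staple";

        IPing proxy = factory.CreateChannel();
        try
        {
            Console.WriteLine(proxy.Ping());
            ((IClientChannel)proxy).Close();
            factory.Close();
        }
        catch (Exception ex)
        {
            // Faulted channels cannot be closed cleanly; abort to release resources.
            ((IClientChannel)proxy).Abort();
            factory.Abort();
            Console.WriteLine("Call failed: " + ex.Message);
        }
    }
}
```

With security mode None the binding's Scheme is "http"; with TransportWithMessageCredential it is "https", which is why the client-side security element cannot stay at None when the endpoint address is switched to https.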