I have a WCF service that I only want my applications to have access to. My applications consist of a traditional web interface that uses JQuery and a Silverlight interface. Neither of these interfaces require the user to login.
Is there a way that I can tell a WCF service to only allow clients that originated from my domain? If so, how?
Thank you!
Yes, of course you can - just require Windows credentials (i.e. an Active Directory account in your domain) from your callers.
Anyone not authenticated against your domain will be rejected.
You can do this by specifying either netTcpBinding with transport security (if everything is behind a corporate firewall), or wsHttpBinding with message security:
<bindings>
<netTcpBinding>
<binding name="DomainUsersOnly">
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
<wsHttpBinding>
<binding name="HttpDomainUsersOnly">
<security mode="Message">
<message clientCredentialType="Windows" />
</security>
</binding>
</wsHttpBinding>
</bindings>
Now, all you need to do is reference one of those binding configurations in your endpoints:
<endpoint name="whatever"
address="......"
binding="netTcpBinding"
bindingConfiguration="DomainUsersOnly"
contract="IYourservice" />
and you should be good to go.
If all of your legitimate users are supposed to be on your internal corporate LAN (on the same subnet), then you could lock it down by IP address using an approach like this. You could also clamp it down to several specific IP masks that way if you wanted to.
But if you want to allow legitimate users to hit it from anywhere, then this is not a good approach. Authentication would be better in that case.
You could add a security restriction in IIS to only allow calls from the domain to the webservice.
Unless you consider windows auth (since requests are coming from your domain), the preferred way to do this would be at a different level, via firewalls. At that level, you can restrict incoming traffic to a known set of IP addresses. This will only go so far, since IPs can be spoofed, but this is an open service, so there you go. A better alternative would be both firewalls and windows auth.
Alternatively, you could check client IP addresses in WCF by querying OperationContext.Current.IncomingMessageProperties.
Related
I'm very new to WCF, but I've searched this topic pretty thoroughly and haven't come up with a satisfactory answer, so here goes my question:
While within my WCF service, I need to access the user's username. From everything I've read, I should be able to get that from ServiceSecurityContext.Current.PrimaryIdentity.Name. However, instead of returning Domain\Username as I had hoped, it always returns NT AUTHORITY\NETWORK SERVICE . How can I get the actual Domain and Username of the individual that is logged in to the machine accessing my service?
Thanks.
Have you looked at the ServiceSecurityContext Class?
Represents the security context of a remote party. On the client,
represents the service identity and, on the service, represents the
client identity.
e.g.
ServiceSecurityContext.Current.WindowsIdentity.Name
...ensuring that you have your service set up to authenticate via Windows security.
To Use Windows credentials , set the clientCredentialType to "Windows". use wsHttpBinding, or netTcpBinding if its within LAN
<bindings>
<netTcpBinding>
<binding name="WindowsCredentials">
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
</bindings>
I'm reading a book on Wcf. I always get confused when there is topic on binding configuration. Eg. In one chapter for securing service in internet environment, author used the following code in the config file.
<bindings>
<wsHttpBinding>
<binding name="ProductsServiceWSHttpBindingConfig">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None"/>
<message clientCredentialType="UserName"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
Everything works fine as described in the book. But I don't see any description in book, why TransportWithMessageCredential is used in place of Transport. Similarly why the <transport ... is None and <message ... is not None. Is there any matrix (or any other way to figure out) about which options to use with which binding (and in which environment)? My hunch is that certain options will go with certain binding. Thanks in advance.
Yep, here's a few:
http://msdn.microsoft.com/en-us/library/ms730879.aspx
http://mkdot.net/blogs/dejan/archive/2008/03/31/wcf-binding-decision.aspx
http://architectopia.blogspot.com/2008/01/wcf-binding-decision-chart.html
I know this question is already been answered however heres are some thoughts for those who are looking for quick answer.
TransportWithMessageCredential is basically saying that the transmission is over https (secure) and the username and password will be in security header.
"Client authentication is performed by putting the client credential directly in the message. This allows you to use any credential type that is supported by the message security mode for the client authentication while keeping the performance benefit of transport security mode."
http://msdn.microsoft.com/en-us/library/aa354508.aspx
We have a system where the users access a web server, the web server then calls a WCF service.
We would like the call to the WCF service to be made in the security context of the windows identity of the application pool on the web server.
What is the best way to do this? Can it be done purely through configuration in the web.config file.
Thanks
Shiraz
Yes, you should be able to do this, all in config:
<system.serviceModel>
<bindings>
<netTcpBinding>
<binding name="WinAuth" mode="Transport">
<transport clientCredentialType="Windows" />
<bindings>
</netTcpBinding>
</bindings>
</system.serviceModel>
Of course, depending on your binding, you'd have to use a different tag under the <bindings> parent node - and of course, not all bindings support all security modes.....
In your endpoint, use the appropriate binding and then just reference this config:
<endpoint name="WCFService" address="......."
binding="netTcpBinding"
bindingConfiguration="WinAuth"
contract="......" />
That should do it! And of course, if you need message security instead of transport security, you can do that, too.
In your WCF service method, you can check to see whether or not the Windows credentials have been sent over, and what they are, by checking:
ServiceSecurityContext.Current.WindowsIdentity
This will be NULL if you don't have a Windows caller, otherwise it will show who called you.
Marc
I want to use SSL using security mode = transport.
Can I use it with following settings in my web config
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpointBinding">
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
</wsHttpBinding>
</bindings>
I am installing root certificate on server side and temp ceritficate on the client side. Should this work by current web settings??
Yes, if that's what you want to do:
you'll have SSL-enabled HTTPS transport
you're using the wsHttp binding
your users will be authenticated against the Windows domain (Active Directory)
This requires that your client and server are in the same common Windows domain, or at least in two Windows domains that are in a mutual trust relationship with one another (so that the service can authenticate the calling user against Active Directory).
This will not support anonymous callers, or callers from outside your Windows domain.
The question is: if it's really within your Windows domain and thus behind your corporate firewall, why are you using wsHttpBinding? NetTcpBinding would be much faster and more efficient in this scenario....
Marc
Does anyone know how exactly NTLM authentication works in WCF/basicHttp? I wonder if user credentials are passed for every single service method call, or if some kind of security token is being used for subsequent service method calls.
The exact binding configuration that I am using:
<bindings>
<basicHttpBinding>
<binding name="winAuthBasicHttpBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Ntlm" />
</security>
</binding>
</basicHttpBinding>
</bindings>
I found this type of configuration on the MSDN reference. But I am not sure if this a good idea performance wise. An alternative would be providing a custom GetAuthenticationToken() kind of method to provide a security token for all subsequent requests of the client. This could be done via the Enterprise Library - Security Application Block.
Further details: The service is being consumed by Browsers/Silverlight Clients.
In this case here, every single method call will be authenticated.
What you're talking about would be what is called "secure sessions", where the client authenticates once against the server and then a common token is used for subsequent exchanges. That secure sessions features however is only available with wsHttpBinding - not with basicHttpBinding.
Marc