
IIS & Windows Integrated Security for WCF webservices


DevMountain

Mar 12, 2008, 9:27:01 AM
Hi all,

I have searched everywhere to get a straightforward answer to my question
but to no avail. I hope someone here can help.

I have a Windows application that needs to talk to some WCF web services
hosted in IIS. I want to be able to identify, in the web service, the user who
initiated the call. All client requests to the service will be made by
computers authenticated by our AD. I don't use SSL on the server as all
requests are internal.

This was easy in the case of an ASP.Net page - just disable anonymous access
and enable Windows Integrated Security and all works.

But for WCF I can't get it to work :-( , so my questions are:
- what do I have to put in the client and server configs for AD security
credentials to work?
- how can I find out the credentials of the user making the call?

Thanks in advance.

Tiago Halm

Mar 12, 2008, 6:37:10 PM
The WCF service must be secure, so depending on the type of binding you
choose you need to specify where the credentials travel and which
credentials you want the client to present.

After you choose the binding, you define if the credentials travel in
Transport or/and Message. Next, you define the type of client credentials
you expect.

There is a myriad of choices, and it all depends on the security
requirements of your organization. I'll assume you need to use IIS6 for the
hosting environment and you use AD/Kerberos.

If you simply need the users to auth themselves and not worry about
protecting the data in transit, you can choose:
basicHttpBinding + TransportCredentialOnly + Windows for client credential
VDir is "Integrated Windows Authentication" because creds travel in HTTP

If you need the users to auth themselves and protect the data in transit,
you can choose:
wsHttpBinding + Message + Windows for client credential
VDir is "Anonymous" because creds travel in SOAP

If you have IIS7 + WAS, then it's a whole different ballgame, because then you
can not only keep yourself as secure as with wsHttpBinding but also take
advantage of faster transports like netTcp.

It would be useful to read a bit on some of the terms I've put here to get a
sense of what WCF and Web Services are and what they bring in terms of
security, authentication, authorization, atomic transactions, message
ordering, policies, schema, and lots of other things ...

Take a peek here for some security scenarios. Other MSDN pages should be
able to guide you through all the terms here and much more.
http://msdn2.microsoft.com/en-us/library/ms730301.aspx

Tiago Halm

"DevMountain" <DevMo...@discussions.microsoft.com> wrote in message
news:E7EC6393-7D99-4487...@microsoft.com...

DevMountain

Mar 13, 2008, 4:20:01 AM
Tiago,

Thanks - you provided me with 95% of the required information and I managed
the last 5%. Your explanation is the clearest I have found so far.

For others, here is the info:

My web.config is now:
<system.serviceModel>
  <services>
    <service behaviorConfiguration="programServiceBehaviour"
             name="XXX.YYY.Web.Service.Program">
      <endpoint bindingConfiguration="basicBinding" binding="basicHttpBinding"
                name="Program" contract="XXX.YYY.Web.Service.IProgram"/>
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="programServiceBehaviour">
        <serviceDebug includeExceptionDetailInFaults="true"/>
        <serviceMetadata httpGetEnabled="true"/>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <bindings>
    <basicHttpBinding>
      <binding name="basicBinding">
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Windows"/>
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
</system.serviceModel>


My client app.config is...

<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="Program" closeTimeout="00:01:00" openTimeout="00:01:00"
               receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false"
               bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
               maxBufferSize="65536" maxBufferPoolSize="524288"
               maxReceivedMessageSize="65536"
               messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
               useDefaultWebProxy="true">
        <readerQuotas maxDepth="32" maxStringContentLength="8192"
                      maxArrayLength="16384"
                      maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Windows"/>
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <client>
    <endpoint address="http://mypc/XXX.YYY.Web/Program.svc"
              binding="basicHttpBinding" bindingConfiguration="Program"
              contract="XXX.YYY.Web.Test.ServiceProxy.IProgram"
              name="Program" />
  </client>
</system.serviceModel>


One thing I missed at first (which gave me the error "Security settings for this
service require 'Anonymous' Authentication but it is not enabled for the IIS
application that hosts this service.") was to set the bindingConfiguration for
the endpoints in my web.config.


Finally, to get the user name you can use
System.ServiceModel.OperationContext.Current.ServiceSecurityContext.PrimaryIdentity.Name

Thanks again Tiago.


:-D
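As an added example (not code from either poster), here is what the service side of the basicHttpBinding + TransportCredentialOnly + Windows setup above can do with the caller's identity: it rejects anonymous or non-Windows callers before any work happens, reads PrimaryIdentity.Name as DevMountain did, and records whether IIS negotiated Kerberos or NTLM. The contract name IProgram mirrors the thread; the group name DOMAIN\WcfUsers is a placeholder assumption.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IProgram
{
    [OperationContract]
    string WhoAmI();
}

public class Program : IProgram
{
    // Placeholder AD group; replace with the real group the service authorizes.
    private const string AllowedGroup = @"DOMAIN\WcfUsers";

    public string WhoAmI()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;

        // With TransportCredentialOnly + Windows, IIS should already have
        // authenticated the caller; this guards against a misconfigured VDir
        // (e.g. Anonymous left enabled) silently letting unauthenticated calls in.
        if (ctx == null || ctx.IsAnonymous)
            throw new FaultException("Caller is not authenticated.");

        WindowsIdentity caller = ctx.WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new FaultException("Caller did not present a Windows (AD) identity.");

        // Coarse authorization: require membership in an AD group.
        var principal = new WindowsPrincipal(caller);
        if (!principal.IsInRole(AllowedGroup))
            throw new FaultException("Caller is not authorized for this service.");

        // PrimaryIdentity.Name is the DOMAIN\user string the original poster
        // used; for Windows credentials it equals caller.Name.
        string name = ctx.PrimaryIdentity.Name;

        // AuthenticationType is "Kerberos" or "NTLM" depending on what IIS
        // negotiated; useful to log when diagnosing SPN or delegation issues.
        return string.Format("{0} via {1}", name, caller.AuthenticationType);
    }
}
```

Because TransportCredentialOnly sends the SOAP body over plain HTTP, this identifies the caller but does not protect the payload; Tiago's wsHttpBinding + Message option is the one that does both.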
