
How to Authenticate to WCF Service Via VPN


Uwe Schmitz

Jul 15, 2008, 12:16:01 AM
My team has created WCF services; these services are hosted by IIS and use
the WSHttpBinding binding configured with message security and Windows
authentication, as follows:

<bindings>
  <wsHttpBinding>
    <binding name="Default">
      <security mode="Message">
        <message clientCredentialType="Windows"
                 negotiateServiceCredential="true" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

A service account is assigned to the application pool identity for each
service; however, an SPN has not yet been created. The client endpoint
includes the service account identity as a user principal name. Kerberos
mutual authentication is assumed.

Service authentication works perfectly when the client is authenticated to
the same domain as the service account.

When the client is authenticated using Cisco Systems VPN Client (to the same
domain as the service account), however, service authentication works, but
only with the following code:

serviceProxy.ClientCredentials.Windows.ClientCredential =
new System.Net.NetworkCredential("userName", "password", "domain");

Authentication fails without this code.

So the problem is that, when authenticated to the domain using Cisco Systems
VPN Client, the client would need to collect the operator's domain
credentials (again) in order to assign the serviceProxy.ClientCredentials
property prior to invoking service operations.

There must be a better solution.

How can my team invoke service operations when authenticated via Cisco
Systems VPN Client?

Steven Cheng [MSFT]

Jul 15, 2008, 5:40:39 AM
Hi Schmitz,

From your description, you're encountering some problem when calling a WCF
service from a client which uses a VPN connection to the server's domain
environment, correct?

According to your description, the following code is required and is the
reasonable approach to make it work:

=========================


serviceProxy.ClientCredentials.Windows.ClientCredential =
new System.Net.NetworkCredential("userName", "password", "domain");

=========================

The fact is that for your VPN connected client, it is not a machine joined
to the target domain (where the service is running), and your client user's
logon account is likely not a domain user account. In that case, you need
to manually use NetworkCredential to construct a credential with a
certain domain user's username/password.

If you have already logged on as a domain user account, you can try setting the
serviceProxy.ClientCredentials.Windows.ClientCredential to the following
value:

System.Net.CredentialCache.DefaultCredentials
or

System.Net.CredentialCache.DefaultNetworkCredentials

to see whether it works. These two properties represent the credentials of
your application's current security context (mostly the logon user).

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msd...@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: Uwe Schmitz <USch...@community.nospam>
Subject: How to Authenticate to WCF Service Via VPN
Date: Mon, 14 Jul 2008 21:16:01 -0700

Uwe Schmitz

Jul 15, 2008, 12:45:02 PM
Thank you for your prompt reply, Steven.

Your assessment of the problem is correct.

However, assigning

serviceProxy.ClientCredentials.Windows.ClientCredential =
System.Net.CredentialCache.DefaultCredentials;

fails to compile with the following error: "Cannot implicitly convert type
'System.Net.ICredentials' to 'System.Net.NetworkCredential'."

and assigning

serviceProxy.ClientCredentials.Windows.ClientCredential =
System.Net.CredentialCache.DefaultNetworkCredentials;

compiles, but fails to authenticate with the following
System.ServiceModel.Security.SecurityNegotiationException: "The caller was
not authenticated by the service.". This is the same exception thrown when
invoking the service operation without assigning the
serviceProxy.ClientCredentials.Windows.ClientCredential property.

Although the solution I proposed (creating a System.Net.NetworkCredential
from the operator's domain, user name and password and assigning it to the
serviceProxy.ClientCredentials.Windows.ClientCredential property) compiles
and functions correctly, storing or prompting for the credentials seems
sub-optimal.

Perhaps I could restate the requirement in the hope of finding a better
solution:

"On his Windows XP workstation, Bob authenticates to DomainA as Bob
(DomainA\Bob). He launches Cisco Systems VPN Client and authenticates as
DomainB\BSmith. He then launches an application which contains the following
code:

System.AppDomain.CurrentDomain.SetPrincipalPolicy(System.Security.Principal.PrincipalPolicy.WindowsPrincipal);
System.Console.WriteLine(System.Threading.Thread.CurrentPrincipal.Identity.Name);

The application displays 'DomainA\Bob'. The application should display
'DomainB\BSmith', the VPN-authenticated identity. How should the application
be re-written to support this?"

Steven Cheng [MSFT]

Jul 17, 2008, 3:36:48 AM
Thanks for your reply, Schmitz,

So assigning the default NetworkCredential does not work. Currently, for the
VPN connected client, is it using the same user account as when you tested
via a non-VPN client? If the code works when not using VPN but fails (with
an identical account) via the VPN connection, we may need to focus on the
VPN part. Otherwise, I think the problem is still the client credential not
being correctly recognized by the server side. For the current security
context, you can use the following code to check it:

System.Security.Principal.WindowsIdentity.GetCurrent()

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



--------------------
From: Uwe Schmitz <USch...@community.nospam>
References: <7F04BC5E-22EA-429C...@microsoft.com>
<yR75c7l5...@TK2MSFTNGHUB02.phx.gbl>
Subject: RE: How to Authenticate to WCF Service Via VPN
Date: Tue, 15 Jul 2008 09:45:02 -0700
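The check Steven suggests, and the DomainA\Bob versus DomainB\BSmith situation Uwe restated, carried into a small client. This is an added example, not code from the thread; the service URL, the service account UPN svc_wcf@domainb.example and the IService contract are placeholders.

```csharp
using System;
using System.Net;
using System.Security;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract] public interface IService { [OperationContract] string Ping(); }
static class VpnClientDemo
{
    static void Main()
    {
        // WCF's default Windows credential is the process token, i.e. the interactive logon
        // (DomainA\Bob). A VPN client logon does not replace it, so DefaultNetworkCredentials
        // still presents Bob to a DomainB service.
        WindowsIdentity me = WindowsIdentity.GetCurrent();
        Console.WriteLine("Process token: {0} via {1}", me.Name, me.AuthenticationType);
        // Same settings as the service's wsHttpBinding "Default" configuration.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        binding.Security.Message.NegotiateServiceCredential = true;
        // Endpoint identity = service account UPN (placeholder), so Kerberos mutual
        // authentication fails closed if anything other than that account answers.
        var address = new EndpointAddress(new Uri("http://server.domainb.example/Service.svc"),
            EndpointIdentity.CreateUpnIdentity("svc_wcf@domainb.example"));
        var factory = new ChannelFactory<IService>(binding, address);

        // CredentialCache.DefaultCredentials is typed ICredentials and does not compile here;
        // DefaultNetworkCredentials does, but it is the DomainA token printed above.
        if (me.Name.StartsWith("DOMAINB\\", StringComparison.OrdinalIgnoreCase))
            factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;
        else
        {   // Collect DomainB credentials at run time into a SecureString instead of
            // persisting the password in config or holding it in a plain string.
            Console.Write("DomainB user name: ");
            string user = Console.ReadLine();
            Console.Write("Password: ");
            factory.Credentials.Windows.ClientCredential = new NetworkCredential(user, ReadPassword(), "DomainB");
        }
        IService proxy = factory.CreateChannel();
        Console.WriteLine(proxy.Ping()); // throws SecurityNegotiationException if DomainB rejects the credential
    }

    // Reads a password from the console without echoing it.
    static SecureString ReadPassword()
    {
        var s = new SecureString();
        for (var k = Console.ReadKey(true); k.Key != ConsoleKey.Enter; k = Console.ReadKey(true))
            if (k.Key != ConsoleKey.Backspace) s.AppendChar(k.KeyChar);
        Console.WriteLine();
        return s;
    }
}
```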

Steven Cheng [MSFT]

Jul 21, 2008, 5:13:13 AM
Hi Schmitz,

Have you got any progress on this issue?

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



henrystaples

Aug 5, 2008, 5:16:42 PM
Steven,

I'm having a similar issue, but it doesn't involve a VPN.

1) User is logged into SUBDOM1.DOMAIN.GOV
2) Web server 1 is in SUBDOM1.DOMAIN.GOV
3) Web server 2 is in SUBDOM2.DOMAIN.GOV
4) On both web server apps, NTLM turned on, web.config is for Windows authentication.
5) User connects to .aspx on web server 2. In the web page, HttpContext.Current.User.Identity shows NTLM authentication and subdom1\user as who authenticated. All is good.
6) In that same .aspx, trying to connect to a web service on web server 1 by setting webService.Credentials = System.Net.CredentialCache.DefaultCredentials gives a 401 error
7) Move everything on web server 2 to another web server in the SUBDOM1 domain and everything works OK.

It's like there's some sort of issue between SUBDOM1 and SUBDOM2 where SUBDOM2 says "hey, sure, I can authenticate anyone in SUBDOM1 domain to use this code" but when it passes that authentication over to a server in SUBDOM1 it says "umm, sorry, buddy, but I don't recognize that credential, Unauthorized."

Is there any other way to set these parms or set other settings so the credentials can be passed back over to the web server in SUBDOM1?
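A diagnostic for the second-hop 401 described above, added here as an example rather than code from the thread. Dropped into the .aspx on web server 2 (Windows authentication configured, as the post states), it reports which token DefaultCredentials will actually forward to web server 1 and why that token can or cannot leave the box.

```csharp
using System;
using System.Security.Principal;
using System.Web;

public static class HopDiagnostics
{
    // DefaultCredentials forwards the token of the *current thread*. That token is the
    // browser user only when ASP.NET impersonation is on, and it can be presented to
    // another machine only if it is a Kerberos token at delegation level. An NTLM
    // token (what the post reports) cannot be delegated at all.
    public static string Describe(HttpContext ctx)
    {
        IIdentity page = ctx.User.Identity;                    // who ASP.NET authenticated
        WindowsIdentity thread = WindowsIdentity.GetCurrent(); // what the proxy will send

        string verdict;
        if (!string.Equals(page.Name, thread.Name, StringComparison.OrdinalIgnoreCase))
            verdict = "impersonation is off: the hop runs as the app pool account " + thread.Name;
        else if (string.Equals(thread.AuthenticationType, "NTLM", StringComparison.OrdinalIgnoreCase))
            verdict = "NTLM token: no delegation possible, the hop to web server 1 goes out without " + page.Name;
        else if (thread.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            verdict = "Kerberos but token level is " + thread.ImpersonationLevel
                    + ": register SPNs and enable (constrained) delegation for web server 2's account";
        else
            verdict = "Kerberos delegation-level token: web server 1 should see " + page.Name;

        return string.Format("page user={0} ({1}); thread token={2} ({3}) => {4}",
            page.Name, page.AuthenticationType, thread.Name, thread.AuthenticationType, verdict);
    }
}
```

Write the returned string to the page or trace log; the verdict line tells you whether the fix is impersonation, Kerberos/SPN setup, or delegation rights.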
