Exploration note - non-Windows based authentication for WCF

Exploration Note

By: Shahzad Sarwar
To: Dev Team
Date: 7th Jan 2011

| SNO | Change | Version | Author | Date |
|-----|--------|---------|--------|------|
| 0 | Initial draft covering problem definition and environment details, plus: Certificate Based; Custom User Name and Password Based; HTTP Module | 1.0 | Shahzad Sarwar | 21st Dec 2010 |
| 1 | Clarification Note on point 2 of version 1.0 | 2.0 | Shahzad Sarwar | 7th Jan 2011 |

Problem definition:

WCF web services are deployed with IIS as the host. A security implementation is required with the following limitations:

  • Windows-based authentication is not available.
  • The service may be deployed on a system outside the Active Directory forest, with the client inside the forest.
  • Only the authentication aspect of security is covered.

Environment: .NET 3.5, WCF Services, IIS

Solution Points:

1. Certificate Based

If Windows authentication is not available, the most suitable method for authentication is certificate based (X.509 client certificate). I have implemented a small sample IIS-hosted WCF service and a client application using the certificate-based approach. The following references describe the step-by-step process:

  • http://wcfsecurity.codeplex.com/wikipage?title=How%20To%20-%20Use%20Certificate%20Authentication%20and%20Message%20Security%20in%20WCF%20calling%20from%20Windows%20Forms
  • http://wcfsecurity.codeplex.com/wikipage?title=How%20To%20-%20Create%20and%20Install%20Temporary%20Certificates%20in%20WCF%20for%20Message%20Security%20During%20Development&referringTitle=How%20To%20-%20Use%20Certificate%20Authentication%20and%20Message%20Security%20in%20WCF%20calling%20from%20Windows%20Forms
  • http://msdn.microsoft.com/en-us/library/aa717039.aspx
  • http://msdn.microsoft.com/en-us/library/ff648360.aspx

2. Custom User Name and Password Based

In WCF 3.5 you can write your own user name and password validator by deriving from the UserNamePasswordValidator base class, available in System.IdentityModel.Selectors, and overriding its Validate method. Security-wise, this is a very poor solution, because any sniffer can get the password on the network. That is why this method is only provided under the following conditions:

  • Only for a self-hosted service.
  • Or wsHttpBinding over SSL.

Follow the links below for exact details:

  • http://blogs.msdn.com/b/phenning/archive/2008/01/11/custom-usernamepassword-validators-in-net-framework-3-5.aspx
  • http://msdn.microsoft.com/en-us/library/aa354513(v=VS.90).aspx

3. HTTP Module

An HTTP module to allow HTTP Basic Authentication against non-Windows accounts in IIS. It may not be safe, as it is implemented by a third party. The following URL provides the exact details:

  • http://custombasicauth.codeplex.com/

Clarification Note on point 2 of version 1.0

Please note that communication between the client and the server (WCF service) is controlled by bindings. According to MSDN, the basic purpose of a binding is to specify how to communicate with the endpoint. This includes:

  • The transport protocol to use (for example, TCP or HTTP).
  • The encoding to use for the messages (for example, text or binary).
  • The necessary security requirements.

The following bindings are provided by .NET Framework 3.5/4.0:

  • BasicHttpBinding
  • WSHttpBinding
  • WS2007HttpBinding
  • WSDualHttpBinding
  • WSFederationHttpBinding
  • WS2007FederationHttpBinding
  • NetTcpBinding
  • NetNamedPipeBinding
  • NetMsmqBinding
  • NetPeerTcpBinding
  • MsmqIntegrationBinding

None of the above bindings that are related to the web (HTTP) support a custom user name and password (use of the UserNamePasswordValidator base class available in System.IdentityModel.Selectors and overriding its Validate method) without SSL or a self-hosted scenario. So WCF out of the box does not support user-name-based authentication over the HTTP protocol. There are no exceptions.

Does this mean there is no way out? Yes, there is a way: write your own bindings and do whatever you want with the security aspect of bindings. There are some third-party binding implementations available on the net which override the restriction mentioned above. One such binding solution is implemented by Yaron Naveh. See his solution at the following URLs:

  • http://webservices20.blogspot.com/2008/11/how-to-use-clear-usernamepassword-with.html
  • http://webservices20.blogspot.com/2008/11/introducing-wcf-clearusernamebinding.html
  • http://www.codeproject.com/KB/WCF/ClearUsernameBinding.aspx

Please note that this solution is not authentic. Such implementations are based on ideas proposed in Nicholas Allen's blog post titled "Faking Channel Security" at:

  • http://blogs.msdn.com/b/drnick/archive/2007/01/17/faking-channel-security.aspx

On the other hand, custom user name authentication over HTTPS, that is with SSL, works out of the box, with native support from WCF and its bindings. Following are some directions for that:

  • http://www.dotnetcurry.com/ShowArticle.aspx?ID=486&AspxAutoDetectCookieSupport=1
  • http://www.hanselman.com/blog/BreakingAllTheRulesWithWCF.aspx

Hope this clarification note helps.

Reference:

  • http://msdn.microsoft.com/en-us/library/ff649233.aspx
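
The custom user name and password approach over SSL described in point 2 and its clarification note, as an added C# example (not code from the original note or from the linked articles): a UserNamePasswordValidator subclass wired to a wsHttpBinding that uses TransportWithMessageCredential. The class name HashedUserValidator, the AddUser and Attach helpers, the in-memory user store and the iteration count are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical validator (not from the note): compares salted PBKDF2 hashes.
public class HashedUserValidator : UserNamePasswordValidator
{
    private const int Iterations = 10000; // assumption; tune to your hardware
    private sealed class Record { public byte[] Salt; public byte[] Hash; }
    private readonly Dictionary<string, Record> users = new Dictionary<string, Record>();
    // Stand-in for a real user store, which would persist only Salt and Hash.
    public void AddUser(string userName, string password)
    {
        byte[] salt = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(salt);
        users[userName] = new Record { Salt = salt, Hash = Derive(password, salt) };
    }
    public override void Validate(string userName, string password)
    {
        Record r;
        bool ok = userName != null && password != null
            && users.TryGetValue(userName, out r)
            && FixedTimeEquals(r.Hash, Derive(password, r.Salt));
        // Same fault text for an unknown user and a wrong password.
        if (!ok) throw new SecurityTokenException("Unknown user name or incorrect password.");
    }
    private static byte[] Derive(string password, byte[] salt)
    { return new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(20); }
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    // wsHttpBinding over SSL: HTTPS protects the channel carrying the user name token.
    public static WSHttpBinding Attach(ServiceHostBase host, UserNamePasswordValidator v)
    {
        var auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        auth.CustomUserNamePasswordValidator = v;
        WSHttpBinding b = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        b.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return b;
    }
}
```

In an IIS-hosted service, Attach would be called from a custom ServiceHostFactory, or the same settings made in web.config through the userNameAuthentication element's userNamePasswordValidationMode and customUserNamePasswordValidatorType attributes. The endpoint using the returned binding needs an https address.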