Exploration note - non-Windows based authentication for WCF


Exploration Note

By: Shahzad Sarwar
To: Dev Team
Date: 7th Jan 2011

| SNO | Change | Version | Author | Date |
|---|---|---|---|---|
| 0 | Initial draft covers problem definition, environment details plus: Certificate Based; Custom User Name and Password Based; HTTP Module | 1.0 | Shahzad Sarwar | 21st Dec 2010 |
| 1 | Clarification Note on point 2 of version 1.0 | 2.0 | Shahzad Sarwar | 7th Jan 2011 |

Problem definition:

WCF web services are deployed with IIS as host. A security implementation is required with the following limitations:

  • Windows based authentication is not available.
  • The service may be deployed on a system outside the forest and the client inside the forest of Active Directory.
  • Only the authentication aspect of security is covered.

Environment: .NET 3.5, WCF Services, IIS

Solution Points:

1. Certificate Based

If Windows authentication is not available, the most suitable method for authentication is certificate based (X.509 client certificate). I have implemented a small sample IIS-hosted WCF service and a client application using the certificate based approach. The following references suggest a step-by-step process.

2. User Name and Password Based

In WCF 3.5 you can write your own user name and password validator just by deriving from the UserNamePasswordValidator base class available in System.IdentityModel.Selectors and overriding its Validate method. Security-wise, this is a very poor solution, because any sniffer can get the password on the network. That is why this method is only provided on the condition that it is used:

  • only for a self-hosted service, or
  • with wsHttpBinding over SSL.

Follow the links below for exact details.

3. HTTP Module

An HTTP module to allow HTTP Basic Authentication against non-Windows accounts in IIS. It may not be safe, as it is implemented by a third party. The following URL provides the exact details.

Clarification Note on point 2 of version 1.0

Please note that communication between the client and the server (WCF service) is controlled by bindings. According to MSDN, the basic purpose of a binding is to specify how to communicate with the endpoint. This includes:

  • The transport protocol to use (for example, TCP or HTTP).
  • The encoding to use for the messages (for example, text or binary).
  • The necessary security requirements.

The following are the bindings provided by .NET Framework 3.5/4.0:

  • BasicHttpBinding
  • WSHttpBinding
  • WS2007HttpBinding
  • WSDualHttpBinding
  • WSFederationHttpBinding
  • WS2007FederationHttpBinding
  • NetTcpBinding
  • NetNamedPipeBinding
  • NetMsmqBinding
  • NetPeerTcpBinding
  • MsmqIntegrationBinding

None of the above bindings that are related to the web (HTTP) support a custom user name and password (usage of the UserNamePasswordValidator base class available in System.IdentityModel.Selectors and overriding its Validate method) without SSL or a self-hosted scenario. So WCF out of the box does not support user name based authentication over the HTTP protocol. There are no exceptions.

Does this mean there is no way out? Yes, there is a way: write your own bindings and do whatever you want with the security aspect of bindings. There are some third-party binding implementations available on the net which override the restriction mentioned above. One such binding solution is implemented by Yaron Naveh. See his solution at the following URLs:

Note that this solution is not authentic. Such implementations are based on ideas proposed in Nicholas Allen's blog post titled “Faking Channel Security” at:

On the other hand, custom user name authentication over HTTPS, that is, with SSL, is available out of the box, with native support from WCF and its bindings. The following are some directions for that.

Hope this clarification note helps.

Reference:
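The custom validator described under "User Name and Password Based", sketched as an added example that is not part of the original note or its sample project. The namespace, the class name `StoredHashValidator`, the `Register` helper, the in-memory user store and the iteration count are all assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;   // requires a reference to System.IdentityModel.dll
using System.IdentityModel.Tokens;
using System.Security.Cryptography;

// Added example; the names and the in-memory store below are hypothetical.
namespace Sample.Security
{
    public class StoredHashValidator : UserNamePasswordValidator
    {
        private const int Iterations = 100000;  // assumed PBKDF2 work factor
        private sealed class Entry { public byte[] Salt; public byte[] Hash; }

        // Constructed sample store; a real service would read salt and hash from its user database.
        private static readonly Dictionary<string, Entry> Users =
            new Dictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);

        // Call once at start-up, before requests arrive (Dictionary is not safe for concurrent writes).
        public static void Register(string userName, string password)
        {
            byte[] salt = new byte[16];
            new RNGCryptoServiceProvider().GetBytes(salt);
            Users[userName] = new Entry { Salt = salt, Hash = Derive(password, salt) };
        }

        private static byte[] Derive(string password, byte[] salt)
        {
            return new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(32);
        }

        public override void Validate(string userName, string password)
        {
            if (userName == null || password == null)
                throw new ArgumentNullException();
            Entry entry;
            bool known = Users.TryGetValue(userName, out entry);
            // Derive a hash even for unknown users so response time does not reveal valid names.
            byte[] salt = known ? entry.Salt : new byte[16];
            byte[] candidate = Derive(password, salt);
            byte[] expected = known ? entry.Hash : new byte[32];
            int diff = 0;  // compare every byte; no early exit on the first mismatch
            for (int i = 0; i < expected.Length; i++) diff |= candidate[i] ^ expected[i];
            if (!known || diff != 0)
                throw new SecurityTokenException("Unknown user name or incorrect password.");
        }
    }
}
```

WCF calls the class when the service behavior's `<userNameAuthentication>` element sets `userNamePasswordValidationMode="Custom"` and names the type in `customUserNamePasswordValidatorType`. In line with the note, the password only stays off the wire in clear text when the binding runs over SSL.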