Question

I have a WCF service deployed on another machine and I want to authenticate the client against the WCF service.

I have done the following things :

1) In IIS I have unchecked the Anonymous access and checked the "Integrated Windows Authentication" check box.

2) My Web config

<authentication mode="Windows" />
<bindings>
  <basicHttpBinding>
    <binding name="BasicHttpBind">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Ntlm" proxyCredentialType="Ntlm" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings>

3) On the client side I am passing the user credential as below:

MyServiceClient _client;

_client = new MyServiceClient();

// Explicit Windows credentials for the NTLM transport handshake
_client.ClientCredentials.Windows.ClientCredential.UserName = "username";
_client.ClientCredentials.Windows.ClientCredential.Password = "password";
_client.ClientCredentials.Windows.ClientCredential.Domain = "mydomain";

My question is how can I trap the user name and password on the server side (where the service is deployed)?

How can I authenticate user against the credential passed?

Currently I am using basicHttpBinding. Is this binding good enough to support the security model?


Solution

On the server side, you can either authenticate against Active Directory using the Windows credentials being passed in, or otherwise you'll need to use an alternate store to handle user authentication.

You can access the caller's identity in your server side code using:

IIdentity caller = ServiceSecurityContext.Current.PrimaryIdentity;

You can also check whether a Windows user called with its Windows credentials (as in your sample) by checking:

ServiceSecurityContext.Current.WindowsIdentity

If it's NULL, then no Windows credentials have been passed - otherwise you can use this Windows identity to check who is calling (name etc.) - you won't be able to read the user's password, though! You can check his name, what groups he belongs to, and more.

To use Windows/Active Directory validation, set the clientCredentialType to "Windows". You might have to switch to wsHttpBinding, or even better: netTcpBinding (if you're on a Windows LAN behind a firewall).

<bindings>
  <netTcpBinding>
    <binding name="WindowsSecured">
      <security mode="Transport">
        <transport clientCredentialType="Windows" />
      </security>
    </binding>
  </netTcpBinding>
</bindings>

With this, only users who are registered in your Windows domain can even call the service. Any other users will be refused without any additional work on your side.

Once you have the Windows user calling, you can check out the ServiceSecurityContext.Current.WindowsIdentity for information about who's calling.

Check the MSDN docs for details on what's available on the service security context, or the Windows identity.

Marc
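As an added example (not code from the answer above), here is a service operation that applies the check Marc describes: it refuses callers without a Windows identity, then authorizes on group membership. The contract name IOrderService and the group MYDOMAIN\OrderClerks are placeholders.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical contract; the names are assumptions, not from the original post.
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string WhoAmI();
}

public class OrderService : IOrderService
{
    // Placeholder group; replace with the domain group allowed to call this service.
    private const string AllowedGroup = @"MYDOMAIN\OrderClerks";

    public string WhoAmI()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;

        // With security mode="Transport" and clientCredentialType="Windows",
        // WindowsIdentity is populated. If it is null (or the caller is anonymous),
        // no Windows credentials were presented and the call must be rejected.
        if (ctx == null || ctx.IsAnonymous || ctx.WindowsIdentity == null)
        {
            throw new FaultException("Windows credentials are required.");
        }

        WindowsIdentity caller = ctx.WindowsIdentity;

        // Authentication proved who the caller is; authorization is still the
        // service's job. Check group membership before doing any work.
        WindowsPrincipal principal = new WindowsPrincipal(caller);
        if (!principal.IsInRole(AllowedGroup))
        {
            throw new FaultException("Caller is not a member of " + AllowedGroup + ".");
        }

        // The password is never available here; only the verified identity is.
        return string.Format("{0} (auth type {1}, {2} groups)",
            caller.Name, caller.AuthenticationType, caller.Groups.Count);
    }
}
```

Failing closed on a null WindowsIdentity matters: an endpoint accidentally exposed on a binding without Windows credentials would otherwise run the operation for an unauthenticated caller.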

OTHER TIPS

It looks like you need a custom user name and password validator. There is an MSDN article that covers all the steps: How to: Use a Custom User Name and Password Validator.

BasicHttpBinding supports a variety of security modes. If you use the overloaded constructor, you can pass in the value of your choice for the BasicHttpSecurityMode.

Licensed under: CC-BY-SA with attribution