Question

We have a webserver in a DMZ hosting an IIS website. The website talks to a middleware machine in a private domain, which is hosting WCF services.

When the webserver tries to communicate with the middleware machine via a TCP binding, we get the following error message,

The server has rejected the client credentials. The logon attempt failed.

The website uses an AppPool account from the private domain (DMZ trusts private domain). Forms and Anonymous authentication are enabled.

My question is, would the middleware server be able to authenticate valid credentials (hopefully the appPool credentials), even though they originated from an untrusted domain (DMZ)?

Solution

@marc_s is right in his comment. It's not just a WCF thing though; it's security in general.

Just look at it from a conceptual point: "authenticate valid credentials" is not what is happening. The middleware service gets credentials. The question is then whether those credentials are valid or not. In order to determine validity, it needs to know them itself or ask something that it trusts to validate them for it. Asking an untrusted party doesn't work, since you can't determine if the answer you get is a valid answer or not. In your case there is no place to determine if the passed credentials are valid or just a random token.

If you want to allow unvalidated credentials to pass, you should really remove the authentication/authorisation altogether.
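The two situations the answer contrasts, as an added WCF configuration example (not from the original post or its author): the first binding is the netTcpBinding default, transport security with Windows credentials, which is where the "server has rejected the client credentials" error arises when the service's domain cannot validate the caller's account; the second is the "remove authentication altogether" variant. Service, contract, binding names and the net.tcp address are assumptions.

```xml
<!-- Added illustration, not the poster's configuration. Names and addresses are assumed. -->
<system.serviceModel>
  <bindings>
    <netTcpBinding>
      <!-- WCF default for netTcpBinding: transport security with Windows credentials.
           The service validates the caller's Windows identity (Kerberos/NTLM) through
           its own domain; an account from a domain that the service's domain does not
           trust cannot be validated and is rejected. -->
      <binding name="WindowsAuthenticatedTcp">
        <security mode="Transport">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>

      <!-- The alternative the answer describes: no authentication at all. No credential
           is sent and nothing is validated, so access control must come from elsewhere
           (for example, firewall rules restricting which hosts can reach the endpoint). -->
      <binding name="UnauthenticatedTcp">
        <security mode="None" />
      </binding>
    </netTcpBinding>
  </bindings>

  <services>
    <service name="Middleware.OrderService">
      <!-- Switch bindingConfiguration between the two bindings above to move from
           validated Windows identity to no caller identity at all. -->
      <endpoint address="net.tcp://middleware.private.example:8000/OrderService"
                binding="netTcpBinding"
                bindingConfiguration="WindowsAuthenticatedTcp"
                contract="Middleware.IOrderService" />
    </service>
  </services>
</system.serviceModel>
```

With `mode="None"` the service no longer knows who is calling, so any authorisation that depended on the caller's identity has to be replaced by controls at the network or host level; the binding choice only decides whether a credential is presented, not whether the DMZ account becomes verifiable.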

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow