rickgaribay.net

Space shuttles aren't built for rocket scientists, they're built for astronauts. The goal isn't the ship, it's the moon.
About Me
Hands on leader, developer, architect specializing in the design and delivery of distributed systems in lean, agile environments with an emphasis in continuous improvement across people, process and technology. Speaker and published author with 18 years' experience leading the delivery of large and/or complex, high-impact distributed solutions in Retail, Intelligent Transportation, and Gaming & Hospitality.

I'm currently a Principal Engineer at Amazon, within the North America Consumer organization leading our global listings strategy that enable bulk and non-bulk listing experiences for our WW Selling Partners via apps, devices and APIs.

Full bio

Note: All postings on this site are my own and don’t necessarily represent the views of my employer.




Recipe: WCF basicHttpBinding with Windows Authentication

With ASMX web services, a popular way to secure a service in an intranet scenario, so that it authenticates and authorizes callers, is to configure the client with a fixed identity. That fixed identity flows to the service, which authenticates it using Windows authentication. Within the service, you can then authorize the caller in web.config and/or with PrincipalPermission and Principal.IsInRole checks.

This is an elegantly simple approach for doing the right thing from a security perspective, so how is it accomplished in WCF?

In Juval Lowy's excellent book "Programming WCF Services", he asserts, and I agree, that security is one of the most granular and complex aspects of WCF. There are several reasons for this, but primarily I believe it is because WCF addresses aspects and scenarios that fell beyond the reach of traditional ASMX services (WSE notwithstanding), and because there is no least common denominator when it comes to transport: a service can be deployed to IIS for invocation strictly over HTTP/HTTPS, or as a WAS-hosted or self-hosted application using TCP/IP or MSMQ.

Although your searches on Google and the MSDN groups may not prove fruitful, it turns out to be quite simple to implement basicHttpBinding with Windows authentication and a fixed client identity, a pattern more formally known as the trusted subsystem model. Be warned that MSDN and other resources treat basicHttpBinding as a red-headed stepchild, which is obvious from the sheer lack of attention this still very relevant configuration gets in the literature. How soon we forget that just a year or so ago, unless you rolled WSE, you were doing the equivalent of basicHttpBinding!

Don't get me wrong: if your deployment scenario allows for it, I strongly encourage you to explore the more robust bindings, but if you are supporting non-WCF clients in an intranet IIS scenario, this recipe is for you.

In the web.config for the service:

1. Set the security mode to TransportCredentialOnly. This mode authenticates the caller at the HTTP transport but provides no message integrity or confidentiality: the SOAP body travels in clear text, so use it only on a trusted intranet (for anything else, use mode="Transport" over HTTPS).

2. In the transport element, set clientCredentialType to Windows.

3. The bindings element should resemble the following:

<bindings>
    <basicHttpBinding>
        <binding name="MyBinding">
            <security mode="TransportCredentialOnly">
                <transport clientCredentialType="Windows" />
            </security>
        </binding>
    </basicHttpBinding>
</bindings>

4. Be sure to set the bindingConfiguration attribute of each endpoint in the service element to the binding name (MyBinding here). This applies to every endpoint the service exposes, including any mex metadata endpoint: an endpoint left on a binding that allows anonymous callers (a plain mexHttpBinding, for example) makes WCF refuse to start the service with "Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service." Either remove that endpoint or move it to a binding that also requires Windows credentials.

5. I won't go into PrincipalPermission code in this initial version. Instead I'll show the brute-force approach, which at least ensures that not just any client can call your service. Add the allow/deny elements to the authorization element in the system.web section:

<system.web>
    <authentication mode="Windows"/>
    <authorization>
        <allow roles=".\Developers"/>
        <allow users="DOMAIN\ServiceAccount"/>
        <deny users="*"/>
    </authorization>
</system.web>

Note that WCF does not honour these URL authorization rules on its own. They apply to .svc requests only when the service runs in ASP.NET compatibility mode, that is, with aspNetCompatibilityEnabled="true" on the serviceHostingEnvironment element under system.serviceModel and the AspNetCompatibilityRequirements attribute on the service class. Without compatibility mode, Windows authentication still happens, but every authenticated Windows account can invoke the service, and authorization must be done with PrincipalPermission demands or a serviceAuthorization behavior instead. In either case, test the rule by calling the service as an account that is not in the list and confirming that the call is denied.

6. Naturally, these bindings need to agree with IIS. What this essentially means is that the virtual application hosting your WCF service must be configured to use Integrated Windows authentication. Be sure to disable Anonymous access; leaving it enabled defeats the purpose of the binding.

On the client side, svcutil generates client elements that match the service's. The assumption here, of course, is that if the client is an ASP.NET application, it runs as a fixed identity. This is accomplished by changing the processModel element in machine.config (IIS 5) or by creating an application pool and assigning it a fixed domain identity (not NETWORK SERVICE). If the client is a Windows desktop application, the credentials of the interactive user are passed downstream instead, so the service sees that user rather than a single service account.

As I get more time, I'll update this recipe with more detail, including the role-based Principal code, so that the operations themselves can be secured at a more granular level. For now, this should get most of you on the right track and hopefully save you some time.
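The role-based Principal code that the recipe defers, together with the two client cases just described (a middle tier running as a fixed service account, and a desktop client passing the interactive user), as an added example that is not part of the original post. It is self-hosted so it runs without IIS, using the same binding settings as the web.config above; the group DOMAIN\Developers, the account DOMAIN\ServiceAccount, the service name and the localhost address are assumed placeholders, not anything from the original page.

```csharp
// Added example, not code from the original post. Shows declarative and imperative
// role checks on the service and a client that sends a fixed Windows identity.
// Assumptions: DOMAIN\Developers, DOMAIN\ServiceAccount and the localhost address are
// placeholders. Reference System.ServiceModel.dll (.NET Framework 3.0 or later).
using System;
using System.Net;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

[ServiceContract]
public interface ITimeService
{
    [OperationContract] DateTime GetServerTime();
    [OperationContract] string WhoAmI();
}

public class TimeService : ITimeService
{
    // Declarative check. With PrincipalPermissionMode.UseWindowsGroups (the default) WCF sets
    // Thread.CurrentPrincipal to the caller's WindowsPrincipal, so this demand succeeds only
    // when the caller's token carries the Developers group; otherwise WCF returns an access-denied fault.
    [PrincipalPermission(SecurityAction.Demand, Role = @"DOMAIN\Developers")]
    public DateTime GetServerTime()
    {
        return DateTime.UtcNow;
    }

    // Imperative check: refuse anonymous callers even if the host configuration drifts.
    public string WhoAmI()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
            throw new FaultException("Windows authentication is required.");
        return caller.Name;
    }
}

public static class HostSetup
{
    // Programmatic equivalent of the recipe's binding: Windows credentials at the HTTP
    // transport, no message-level signing or encryption.
    public static BasicHttpBinding WindowsBinding()
    {
        BasicHttpBinding binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        return binding;
    }

    public static ServiceHost CreateHost(Uri baseAddress)
    {
        ServiceHost host = new ServiceHost(typeof(TimeService), baseAddress);
        host.AddServiceEndpoint(typeof(ITimeService), WindowsBinding(), "");
        // No mex endpoint is added: an anonymous mexHttpBinding endpoint beside a
        // Windows-only endpoint makes WCF demand Anonymous authentication from the host.
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;
        host.Authorization.ImpersonateCallerForAllOperations = false; // trusted subsystem: never run as the caller
        return host;
    }
}

public static class Client
{
    // Middle-tier client with a fixed service identity (the trusted subsystem model).
    public static ITimeService ConnectAs(Uri address, string domain, string user, string password)
    {
        ChannelFactory<ITimeService> factory =
            new ChannelFactory<ITimeService>(HostSetup.WindowsBinding(), new EndpointAddress(address));
        factory.Credentials.Windows.ClientCredential = new NetworkCredential(user, password, domain);
        // Identification lets the service learn who called but not act as that account elsewhere.
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Identification;
        return factory.CreateChannel();
    }

    // Desktop client: the logged-on user's own credentials flow downstream (WCF's default).
    public static ITimeService ConnectAsCurrentUser(Uri address)
    {
        ChannelFactory<ITimeService> factory =
            new ChannelFactory<ITimeService>(HostSetup.WindowsBinding(), new EndpointAddress(address));
        return factory.CreateChannel();
    }
}

public static class Program
{
    public static void Main()
    {
        Uri address = new Uri("http://localhost:8000/TimeService"); // placeholder; needs a URL ACL or admin rights
        using (ServiceHost host = HostSetup.CreateHost(address))
        {
            host.Open();
            ITimeService proxy = Client.ConnectAsCurrentUser(address);
            Console.WriteLine("Service saw caller: " + proxy.WhoAmI());
            try { Console.WriteLine("Server time: " + proxy.GetServerTime()); }
            catch (SecurityAccessDeniedException) { Console.WriteLine("Access denied: not in DOMAIN\\Developers."); }
            ((IClientChannel)proxy).Close();
        }
    }
}
```

Run it once from an account that is in the Developers group and once from one that is not: WhoAmI succeeds for both authenticated callers, while GetServerTime fails for the second with SecurityAccessDeniedException on the client. Under IIS the same binding and serviceAuthorization settings come from web.config and the service class is unchanged; the explicit IsAnonymous check is the safety net for the case where Anonymous access is accidentally re-enabled on the virtual directory.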

 

posted on Wednesday, April 04, 2007 4:20 PM | Filed Under [ Security ]

Feedback

# re: Recipe: WCF basicHttpBinding with Windows Authentication

I have made the changes that you suggested, turned off anonymous access and am using Windows Integrated Authentication. In my web.config I have added the following...

<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="basicHttpBinding_Windows">
<security mode ="TransportCredentialOnly">
<transport clientCredentialType ="Windows"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
....

as well as...
<system.web>
<authentication mode="Windows"/>
<authorization>
<allow roles=".\Developers"/>
<allow users="DOMAIN\ServiceAccount"/>
<deny users="*"/>
</authorization>
.....

But I keep getting the error...
Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.

Could you please let me know what I am missing?

4/27/2007 10:59 AM | Shibani

# re: Recipe: WCF basicHttpBinding with Windows Authentication

Hi Shibani,

Have you made sure to associate the binding with your endpoint?
4/27/2007 12:55 PM | Rick G. Garibay
# re: Recipe: WCF basicHttpBinding with Windows Authentication

Rick,

That was what was missing! Thanks for your feedback.

Shibani
5/7/2007 12:19 PM | Shibani

# re: Recipe: WCF basicHttpBinding with Windows Authentication

Hi,

I've implemented this recipe, and have the following config on the server-side as a result:

<system.serviceModel>

<bindings>
<basicHttpBinding>
<binding name="BasicHttpWindowsBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" />
</security>
<readerQuotas
maxDepth="2147483647"
maxStringContentLength="2147483647"
maxArrayLength="2147483647"
maxBytesPerRead="2147483647"
maxNameTableCharCount="2147483647" />
</binding>
</basicHttpBinding>
</bindings>

<services>
<service behaviorConfiguration="WindowsAuthenticationBehavior" name="MyServer.Services.TaxService">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="BasicHttpWindowsBinding" contract="MyServer.Services.ITaxService"/>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
</services>

<behaviors>
<serviceBehaviors>
<behavior name="WindowsAuthenticationBehavior">
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
<serviceCredentials>
<windowsAuthentication includeWindowsGroups="true" allowAnonymousLogons="false"/>
</serviceCredentials>
<serviceAuthorization principalPermissionMode="UseWindowsGroups" />
</behavior>
</serviceBehaviors>
</behaviors>

</system.serviceModel>


I also have this authorization setup in the web.config:

<authentication mode="Windows"/>

<authorization>
<deny users="*"/>
</authorization>

Now I can't view any .aspx web pages on the site (as expected, I get access denied) - but I _CAN_ still call the methods on the WCF service... how can I get the asp.net authorization to be obeyed by the WCF service??
5/22/2007 10:57 PM | Alex

# re: Recipe: WCF basicHttpBinding with Windows Authentication

Great thanks. I spent several hours today looking for it.
It works also in self-hosting application with programmatic configuration like this:

BasicHttpBinding basicHttpBinding = new BasicHttpBinding();
basicHttpBinding.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;
basicHttpBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

serviceHost.AddServiceEndpoint(
typeof(IService),
basicHttpBinding,
"WebService"
);

And all a non-WCF client has to do to get authorization to work is:
proxy.UseDefaultCredentials = true;
8/24/2007 4:18 PM | Piotrek

# re: Recipe: WCF basicHttpBinding with Windows Authentication

I'm having the same issue as Alex. I have my config setup just as he does and have added <deny users="*" /> and it still allows methods to be called. Did you guys solve this?
10/10/2007 6:58 AM | Stacy
# re: Recipe: WCF basicHttpBinding with Windows Authentication

I am also having the same issue where if I turn off anonymous access for the svc I get "Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service." If I turn it back on, any call gets through. My configuration matches the above.
10/24/2007 11:48 PM | Greg
# re: Recipe: WCF basicHttpBinding with Windows Authentication

If you have another endpoint with a mex binding, try removing it.

I was having the same issue for 2 days and resolved it by removing

<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />

from my web.config


WeSam Abdallah
IT Consultant
2/11/2008 9:47 AM | WeSam Abdallah

# re: Recipe: WCF basicHttpBinding with Windows Authentication

As soon as I turn off Anonymous access I can't even add the reference in my client project. It prompts me to login and won't take anything I log in with.
5/5/2008 12:30 PM | Marc S
# re: Recipe: WCF basicHttpBinding with Windows Authentication

I had the same problem.

All the endpoints need to be linked to a binding that uses Windows authentication. I had a custom binding that didn't use it, and that was causing the problem, as well as the mexHttpBinding. So I removed both.

7/23/2008 11:24 AM | Damian S
# re: Recipe: WCF basicHttpBinding with Windows Authentication

<system.web>

<authentication mode="Windows"/>

<authorization>

<allow roles=".\Developers"/>

<allow users="DOMAIN\ServiceAccount"/>

<deny users="*"/>

</authorization>

</system.web>


This part of the configuration is not working for me

10/5/2008 10:37 PM | Vijay Mohan

# re: Recipe: WCF basicHttpBinding with Windows Authentication

I'm having the same problem. I have the same configuration settings for my wcf service as shown above and when I set the bindingConfiguration to MyBinding I start getting the mentioned error message even when trying to generate the client on same solution. Has anyone reached any solution on this?
11/6/2008 9:49 AM | Rodrigo
# re: Recipe: WCF basicHttpBinding with Windows Authentication

Re: <authentication mode="Windows"/>

Right-click on WCFserviceProject -> Properties -> Use IIS web server -> Project URL: "Create Virtual Directory" for your service here, by providing the path.
11/10/2008 3:07 AM | Dips

# re: Recipe: WCF basicHttpBinding with Windows Authentication

Hi,

Can you please give me a sample code on the client side?
Neither Service references nor web references work for me.

The error was that the request failed with HTTP status 401: Access Denied.

Thanks
11/24/2008 10:31 PM | Susanto

# re: Recipe: WCF basicHttpBinding with Windows Authentication

Hello

Great post! I am in the similar situation and find WCF security a lot to get your head around. Just a quick question, IIS I configure who I want to have access using the WEB.CONFIG. But how do you do this when you are using a Self-Hosted WCF Application?

2/17/2009 7:29 PM | Carsten
# re: Recipe: WCF basicHttpBinding with Windows Authentication

Hi,
I am trying to restrict access to svc files using <allow users> authorization elements as shown in step 5, but it does not seem to be working for svc files. It works for regular asmx files but not for svc file extensions. I am using forms authentication. Is it possible to redirect to the login page when an anonymous client makes a call to the WCF service? Any help is highly appreciated.
Thanks in advance.
DS.
3/17/2009 9:14 AM | DS
# re: Recipe: WCF basicHttpBinding with Windows Authentication

In reply to Alex and Stacy's problem:

Where WCF is not using the IIS authorization rules, you need to set ASP.NET compatibility.

Add this to your config:
<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true"></serviceHostingEnvironment>
</system.serviceModel>

Add this attribute to your class.
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
10/13/2009 7:20 PM | Rodney

# re: Recipe: WCF basicHttpBinding with Windows Authentication

Thanks for all your great posts regarding WCF, jQuery, and JSON. I've been messing with using jQuery to call WCF services for a while now, and have encountered a strange problem that I'd like your insight on. I copied the example in this post, except my service only has these two methods
12/16/2009 3:22 AM | jeux de casino gratuits

# re: Recipe: WCF basicHttpBinding with Windows Authentication

Are you sure this works? I found this in some MSDN documentation.

Hosting WCF Side-by-Side with ASP.NET
http://msdn.microsoft.com/en-us/library/aa702682.aspx

Configuration-based URL Authorization: Similarly, the WCF security model does not adhere to any URL-based authorization rules specified in System.Web’s <authorization> configuration element. These settings are ignored for WCF requests if a service resides in a URL space secured by ASP.NET’s URL authorization rules.
1/12/2010 12:50 PM | Bebo
# re: Recipe: WCF basicHttpBinding with Windows Authentication

Well done!!! Thanks a lot!! saved me hrs
4/4/2011 6:51 PM | AoZei

# re: Recipe: WCF basicHttpBinding with Windows Authentication

very good one!
5/5/2011 8:34 PM | Vedigoundan Gurunathan

# Windows Authentication with WCF basicHttpBinding

This is a short note to myself because it took me some time to get this to work. There are several resources
1/15/2013 3:07 PM | Jean-Paul Smit