I'm working with a SignalR server application that is available via the Internet. It implements a regular authentication based on credentials. I'm now working on another service that I'd like to hook up to this server with access to a different set of functions as opposed to my regular users. I could create a special internal user with a different role and hardcode it (its login and password) in my internal app as by definition the binary wouldn't even be available anywhere, but for some reason it seems fishy to me.
I've also thought about creating a secondary SignalR server that would listen on a different port but only internally in my VPN, behind a firewall (the service will be hosted with Amazon VPC). The issue with that solution is the obvious need to create a second server application.
What should I do? How do you handle internal APIs and their authentication?
Use ASP.NET Identity
Details see:
https://www.asp.net/identity
How to use with signalr:
https://learn.microsoft.com/en-us/aspnet/signalr/overview/security/hub-authorization
Related
I have an API running on a Function App in Azure.
I want this API to only accept communications from two parties:
A blazor website
All copies of a piece of packaged software (a WPF application which will run on customer computers)
I want all other traffic to be rejected.
What is the best way to configure this networking scenario?
The ideal setup:
API should only be able to talk to the Blazor App as well as the client programs, not outside connections. The API can talk to the database which lays behind a virtual network. This Database VNET is already set up.
Any help is appreciated.
Use API Management in front of the API and require Ocp-Apim-Subscription-Key in the requests.
Also, add ip restrictions to avoid unauthorized access
I'm writing a windows desktop service that is supposed to download content from a file server on a weekly basis, but it requires users login information to function.
I need the service to be able to "talk back" to the simple tray application I've developed to inform it when things have happened. Things like
Is the users login info good?
Did the content start downloading?
Did the content finish downloading?
I've seen posts on WCF, but, at a glance, WCF feels to me like it's just designed to go around web services. This is going to be a desktop service, not a web service, so unless I'm mistaken in my interpretation, I do not think that WCF is going to work for me? What's my alternative? (or, if I'm mistaken about WCF, can someone point me to a simple tutorial?)
You need to use either a Socket or a NamedPipe. Typically NamedPipe is preferred because it won't trigger some restrictive firewalls that monitor loopback interface as well.
Example of Named Pipes
Write a WCF service and configure a key in the web config(which specifies the user name and password" of the WCF service. Pass the same key from the windows service and authenticate it, once authentication is success, Download the files
eg:
http://www.codeproject.com/Articles/166763/WCF-Streaming-Upload-Download-Files-Over-HTTP
I'm working on a client-server project implemented using WCF. The clients are deployed on different machines and communicate with services through the internet. I'm relatively new to WCF, and am a bit confused on choosing the appropriate binding for my Web services. The clients need to be authorized to perform operations, however, I'm implementing my own authentication algorithm and trying to avoid Windows authentication for various reasons, but I still need to make sure the message transferred in the channel is encrypted.
Right now I'm using wsHttpBinding with security mode set to Message. Full configuration looks like this:
I've set the authentication type in IIS to Anonymous Authentication to make sure the requests are passed through, and was expecting a service call to fail since MessageClientCredentialType in my binding is explicitly set to Windows. However, when I run the code, the service successfully gets called and returns the expected values. I have a feeling that I'm missing something - why is the call authorized? Can I make sure the message is still encrypted even though authentication type is set to Anonymous? Any help is appreciated.
Edit
To clarify on this, I tested the service with a client deployed to a machine outside the network on a different domain.
This MSDN article kind of sums up a lot of security issues relevant to WCF
http://msdn.microsoft.com/en-us/library/ms733836.aspx
regarding your specific situation,
the negotiateServiceCredential="true" means that you streamline certificate distribution to your clients for message encryption.
This option will only work with windows clients and has some performance problems.
read more here http://msdn.microsoft.com/en-us/library/ff647344.aspx
search the topic "streamline certificate distribution" in this page.
Which account do you use to make the call to the service? Allowing anonymous in IIS lets your request pass through to the service and service should authenticate if your caller has credentials that windows understands (Active directory/NTLM).
In your case, I think you are testing it in your own environment so service responds. Once you deploy it over internet, I doubt your service will allow anybody outside of your domain if you keep clientcredentialtype to windows.
Check these link for securing services on the Internet -
http://msdn.microsoft.com/en-us/library/ms734769.aspx
http://msdn.microsoft.com/en-us/library/ms732391.aspx
I have an existing c# service running on a Windows client or server. To handle these I have added a simple http based management code, in order to install, remove, start and stop child processes (as services) remotely.
It works, however this management access needs some sort of authentication, else anyone knowing the system can screw it up pretty badly. As it is C#, I was thinking of using NTLM, hoping it was a built in set of libraries in the C#/.NET framework.
I can find plenty of examples on how to connect to an NTLM authenticated page/site, but not how to implement this myself on the server side.
Personally I would use WCF with a net.tcp binding to expose a management API from a Windows Service to Windows clients. net.tcp uses Windows authentication and encrypts the message out of the box.
I have a WCF service that's hosted at a commerical hosting facility that I need to authenticate against Active Directory on my corporate network.
I should mention that there is no way to setup an AD-Trust between the two networks. Also, my corproate IT department sucks so any solution will likely need to be crafted and/or implemented by me. In the worse case scenario I can host a custom authentication service on my corporate servers that the hosted WCF service would call to do authentication but I'd prefer to use a pre-built or (at the very least!) industry standard way of accomplishing my requirements.
Any help in this regard would be greatly appreciated....
I don't think this will work out of the box - you'll have to write some code.
The issues are:
Get a connection from the hosting machine to something on your network
Get the something on your network to talk to Active Directory
I don't know enough about WCF to supply details, but I know that it's possible to completely customize authentication. You would need to have your custom authentication communicate to a service on your network (probably using WCF and some very secury configuration). This service would take the username/password from the hosting provider and pass it to Active Directory to validate.