We have an existing web service (SOAP/XML) which is Windows authenticated. We are adding a new WCF service which has anonymous authentication. When calling a function from the existing web service from the WCF service I get the following error:
The request failed with HTTP status 401: Unauthorized.
We do have other console and web applications calling the existing service with no issues.
I tried setting UseDefaultCredentials to True and it does not make a difference (WS.UseDefaultCredentials = True).
I also tried adding the existing service as a service reference as opposed to a web reference, and I get a different error:
The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'.
I really do not want to change the authentication to anonymous on the existing web service since it is AD authenticated.
Would really appreciate any kind of help. Thanks a lot.
Your problem is something called double hop.
You have some options: use Kerberos, pass valid credentials in your code when you are calling the SOAP service, or impersonate in your WCF service, but you have to test it.
<serviceAuthorization impersonateCallerForAllOperations="true" />
I have a server-client project written in C#.
I want to change the client side to a web client so we can open it with the browser. So I decided to make a WCF rest service that will replace the server side. The binding that I am using for the service is webHttpBinding.
My problem is with the behavior of the service. The service data (vars etc.) is initialized after every call. If I add [ServiceBehavior(InstanceContextMode = InstanceContextMode.PerSession)]
it doesn't change anything. If I use [ServiceBehavior(InstanceContextMode = InstanceContextMode.Single)], it works, but I guess that the service instance will be the same for every client.
I have a simple HTML web page that gets a username and password from the client and posts it to the service. The service checks the login info against the user database and responds. My problem is that I can't save the user status as logged in or not, because after every POST/GET method the service is reset.
What should I do?
This is a pretty standard issue you have to deal with when trying to maintain a session over HTTP, which is what webHttpBinding is using. Even if you try to force it to have a session, it won't. RESTful services don't work that way.
A high level overview of what you have to do is have the service create a token it gives the client upon initial authentication (probably to be stored in a cookie), which the client will then send back with each request. The service can then use that token to check if the client is logged into a particular account with each request. You probably want to make tokens expire after a certain duration (might be 1 month, 1 week, 1 day, 10 minutes, depending on your application).
You can find some more information here:
RESTful Authentication
SPA best practices for authentication and session management
Authentication, Authorization and Session Management in Traditional Web Apps and APIs
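The token scheme described in the answer, as an added example that is not part of the original post or answer: a PerCall WCF REST service that issues an HMAC-signed, expiring token on login and re-validates it on every request, so no login state has to survive in the service instance. Everything here is constructed for illustration: the contract and class names (IAuthService, AuthService, SessionToken, UserStore), the demo user, the 30-minute lifetime and the Authorization header convention are assumptions, not the post's own code; the signing key must be generated once and shared by every host of the service.

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Web;
using System.Text;

// Assumed contract; the original post does not show one.
[ServiceContract]
public interface IAuthService
{
    [OperationContract]
    [WebInvoke(Method = "POST", UriTemplate = "login",
        RequestFormat = WebMessageFormat.Json, ResponseFormat = WebMessageFormat.Json)]
    string Login(LoginRequest request);

    [OperationContract]
    [WebGet(UriTemplate = "profile", ResponseFormat = WebMessageFormat.Json)]
    string GetProfile();
}

public class LoginRequest { public string Username { get; set; } public string Password { get; set; } }

// Stateless session token: base64(base64(username) | expiryTicks | HMAC).
public static class SessionToken
{
    // Assumption: one key shared by all service hosts, loaded from protected config in real use.
    private static readonly byte[] SigningKey = Convert.FromBase64String("REPLACE_WITH_32_RANDOM_BYTES_IN_BASE64==");

    public static string Issue(string username, TimeSpan lifetime)
    {
        string payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(username))
                         + "|" + DateTime.UtcNow.Add(lifetime).Ticks;
        string mac = Convert.ToBase64String(Sign(payload));
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(payload + "|" + mac));
    }

    // Returns false for malformed, tampered or expired tokens; never throws on bad input.
    public static bool TryValidate(string token, out string username)
    {
        username = null;
        string[] parts;
        byte[] presentedMac;
        try
        {
            parts = Encoding.UTF8.GetString(Convert.FromBase64String(token)).Split('|');
            if (parts.Length != 3) return false;
            presentedMac = Convert.FromBase64String(parts[2]);
        }
        catch (FormatException) { return false; }

        // Check the signature before trusting anything inside the payload.
        if (!FixedTimeEquals(Sign(parts[0] + "|" + parts[1]), presentedMac)) return false;
        long expiresTicks;
        if (!long.TryParse(parts[1], out expiresTicks) || DateTime.UtcNow.Ticks > expiresTicks) return false;
        username = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0]));
        return true;
    }

    private static byte[] Sign(string payload)
    {
        using (var hmac = new HMACSHA256(SigningKey))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    // Constant-time comparison so a forged MAC cannot be guessed byte by byte.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Constructed stand-in for the post's user database: one demo user, PBKDF2-hashed password.
public static class UserStore
{
    private static readonly byte[] Salt = Encoding.UTF8.GetBytes("constructed-demo-salt");
    private static readonly byte[] DemoHash = Derive("correct horse battery staple");

    public static bool CheckPassword(string username, string password)
    {
        byte[] candidate = Derive(password ?? string.Empty);
        bool userOk = username == "alice";
        bool hashOk = true;
        for (int i = 0; i < DemoHash.Length; i++) hashOk &= candidate[i] == DemoHash[i];
        return userOk & hashOk;   // non-short-circuit: same work for unknown users
    }

    private static byte[] Derive(string password)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, Salt, 100000))
            return kdf.GetBytes(32);
    }
}

[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall)]
public class AuthService : IAuthService
{
    public string Login(LoginRequest request)
    {
        if (request == null || !UserStore.CheckPassword(request.Username, request.Password))
        {
            WebOperationContext.Current.OutgoingResponse.StatusCode = HttpStatusCode.Unauthorized;
            return null;
        }
        return SessionToken.Issue(request.Username, TimeSpan.FromMinutes(30));
    }

    public string GetProfile()
    {
        // The client sends the token back on every call; the service keeps nothing between calls.
        string header = WebOperationContext.Current.IncomingRequest.Headers["Authorization"];
        string username;
        if (header == null || !header.StartsWith("Bearer ")
            || !SessionToken.TryValidate(header.Substring(7), out username))
        {
            WebOperationContext.Current.OutgoingResponse.StatusCode = HttpStatusCode.Unauthorized;
            return null;
        }
        return "logged in as " + username;
    }
}
```

The token is only a bearer credential, so it must travel over HTTPS; if the HTML page stores it in a cookie rather than a header, mark the cookie HttpOnly and Secure, and keep the lifetime short as the answer suggests. Server-side revocation (logout before expiry) needs a small denylist or a per-user token version checked in TryValidate, which this example leaves out.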
I have two deployments (webroles) of the same WCF service hosted as Azure Cloud services: http://myservice1.cloudapp.net, http://myservice2.cloudapp.net.
Each of those is configured to use ACS authentication.
I've configured WATM (Traffic Manager) to load-balance between those two webroles. When calling each of those services directly, everything works just fine. However, when the client calls through the WATM endpoint, it gets the following error message:
ID3242: The security token could not be authenticated or authorized.
The ACS namespace has all three URLs configured as realms.
Thanks in advance.
It turned out that the only bit missing was to add the WATM URL in the Allowed AudienceUris list. Note, the list should actually contain all the endpoints the service will be accessible through, including the one it's exposed under.
Details on how to add AudienceUris can be found here: https://msdn.microsoft.com/en-us/magazine/ee335707.aspx
I've got two MVC sites that use the same STS for authentication. I need to create a WCF service as part of one of the sites that allows the other site to retrieve data.
These sites could be on different machines accessible over the internet (although currently they're on the same machine) and the WCF service should only be able to be accessed from the client site. The authentication token used to log into the client site should be passed through to the WCF service.
I've been looking at the different WS-Security options available (Transport, Message etc) and it's not quite sinking in 100%, and I feel like I'd end up implementing something that seemed secure but wasn't actually secure due to a lack of understanding. Any help much appreciated.
Edit:
My first attempt was with transport layer security and setting the WCF service virtual directory with require SSL in IIS. However that left me with an error of:
"The remote certificate is invalid according to the validation procedure."
And I had no way of ensuring that a specific client was connecting to the service, only that a client had a certificate from a trusted CA. At least as far as I know. I'm probably missing something vital here.
"The authentication token used to log into the client site should be passed through to the WCF service."
In this case you should be requesting an "ActAs" token from the STS:
The WCF service should be configured as a Relying Party of the STS.
The MVC site should call back to the STS and request an ActAs token specific to the WCF service.
The MVC site uses the ActAs token to call the service.
The motivation for the complexity: Delegation, or traversing multilayer architectures
Since you mentioned WS standards:
Requesting Delegation (ActAs) Tokens using WSTrustChannel (as opposed to Configuration Madness)
Not knowing your STS, it's hard to say more, but Googling "ActAs token" will probably give you what you need.
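The three steps in the answer, as an added example that is not part of the original answer or of any particular STS product: the MVC site takes the user's own token (the bootstrap token WIF keeps when saveBootstrapContext is enabled), sends it to the STS as ActAs in a WS-Trust 1.3 Issue request scoped to the WCF service, and then calls the service with the issued token. The STS endpoint, service URL, service-account credentials and the IDataService contract are constructed assumptions; the STS is assumed to accept username authentication from the site and to be configured to honour ActAs for it.

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Threading;

// Assumed service contract exposed by the other MVC site's WCF service.
[ServiceContract]
public interface IDataService
{
    [OperationContract] string GetData();
}

public static class ActAsCaller
{
    // Constructed placeholders, not values from the original question.
    const string StsEndpoint = "https://sts.example.invalid/trust/13/usernamemixed";
    const string WcfServiceUrl = "https://site-a.example.invalid/DataService.svc";

    // Step 1 (precondition): the WCF service is a relying party of the STS, so
    // WcfServiceUrl appears in the STS's relying-party list and the service validates
    // tokens from that STS (serviceCredentials useIdentityConfiguration="true").

    // The bootstrap token is the user's own login token; it is only available when
    // <identityConfiguration saveBootstrapContext="true"> is set on the MVC site.
    public static SecurityToken CurrentUserBootstrapToken()
    {
        var identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity;
        var bootstrap = identity.BootstrapContext as BootstrapContext;
        if (bootstrap == null || bootstrap.SecurityToken == null)
            throw new InvalidOperationException("saveBootstrapContext must be enabled to delegate the user's token.");
        return bootstrap.SecurityToken;
    }

    // Step 2: ask the STS for a token scoped to the WCF service that carries the user as ActAs.
    public static SecurityToken RequestActAsToken(SecurityToken bootstrapToken)
    {
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.EstablishSecurityContext = false;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(StsEndpoint));
        factory.TrustVersion = TrustVersion.WSTrust13;
        // Assumption: the MVC site authenticates to the STS with its own service account.
        factory.Credentials.UserName.UserName = "site-a-service-account";
        factory.Credentials.UserName.Password = "REPLACE_WITH_SECRET_FROM_PROTECTED_CONFIG";

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference(WcfServiceUrl),   // audience = the WCF service only
            ActAs = new SecurityTokenElement(bootstrapToken),    // the end user being delegated
            KeyType = KeyTypes.Symmetric
        };

        var channel = (WSTrustChannel)factory.CreateChannel();
        try { return channel.Issue(rst); }
        finally { channel.Close(); }
    }

    // Step 3: call the WCF service presenting the issued ActAs token.
    public static string CallService(SecurityToken actAsToken)
    {
        var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
        var factory = new ChannelFactory<IDataService>(binding, new EndpointAddress(WcfServiceUrl));
        factory.Credentials.SupportInteractive = false;
        IDataService proxy = factory.CreateChannelWithIssuedToken(actAsToken);
        try { return proxy.GetData(); }
        finally { ((IClientChannel)proxy).Close(); }
    }

    public static string Run()
    {
        return CallService(RequestActAsToken(CurrentUserBootstrapToken()));
    }
}
```

On the service side the issued token arrives as a ClaimsPrincipal whose identity has an Actor (the calling site) and the delegated user's claims; because the token's audience is the WCF service's own URL and the STS only issues ActAs tokens to relying parties it is configured to trust, the service can check the Actor claims to confirm the call came from the client site, which answers the "only accessible from the client site" requirement without relying on client certificates.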
I have a WCF service that runs on a server. I have two clients that connect to the service. We use username and password to authenticate the client. But I recreated the certificate in the same location as the previous one using PluralSight software.
But after configuring the client to connect to the service I got the following error:
The identity check failed for the outgoing message. The expected identity is 'identity(http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprint)' for the target endpoint
I got the above error when I tried to log in to the service. I have shared my configuration details here. Any help would be appreciated.
CLIENT APP.CONFIG VIA WCF CONFIGURATION EDITOR
SERVICE WEB.CONFIG VIA WCF CONFIGURATION EDITOR
I found the answer. This happens because if you create a new certificate on the server which hosts the WCF service, then you need to update the service reference in the client application, so it will update the app.config file of the client application with the latest identity value.
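Why updating the service reference fixes it, shown as an added example that is not the asker's configuration: the client's endpoint identity is derived from the service certificate, and WCF refuses to send a message when the certificate the service presents does not match that identity. Building the endpoint from the current certificate (by thumbprint) instead of from a generated app.config keeps the two in step when the certificate is recreated. The contract name IOrderService, the store location, the validation mode and the placeholder thumbprint are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Assumed contract; the original question does not show one.
[ServiceContract]
public interface IOrderService
{
    [OperationContract] string Ping();
}

public static class OrderClientFactory
{
    // Assumption: after recreating the service certificate, its new thumbprint is what the client pins.
    public static ChannelFactory<IOrderService> Create(string serviceUrl, string serverCertThumbprint,
                                                        string userName, string password)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        // Load the *current* service certificate. A stale thumbprint here reproduces the
        // "identity check failed for the outgoing message" error from the question.
        X509Certificate2 serverCert = FindByThumbprint(StoreName.TrustedPeople, StoreLocation.LocalMachine,
                                                       serverCertThumbprint);

        // The endpoint identity is what WCF compares against the certificate the service presents.
        EndpointIdentity identity = EndpointIdentity.CreateX509CertificateIdentity(serverCert);
        var address = new EndpointAddress(new Uri(serviceUrl), identity);

        var factory = new ChannelFactory<IOrderService>(binding, address);
        factory.Credentials.ServiceCertificate.DefaultCertificate = serverCert;
        // Assumption: a self-issued certificate placed in TrustedPeople, hence PeerTrust.
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerTrust;
        factory.Credentials.UserName.UserName = userName;
        factory.Credentials.UserName.Password = password;
        return factory;
    }

    private static X509Certificate2 FindByThumbprint(StoreName name, StoreLocation location, string thumbprint)
    {
        var store = new X509Store(name, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly:false because a self-issued development certificate has no chain to a CA.
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException("No certificate with thumbprint " + thumbprint
                                                    + " in " + location + "/" + name);
            return found[0];
        }
        finally { store.Close(); }
    }

    // Constructed usage; the URL and thumbprint are placeholders.
    public static string PingService()
    {
        var factory = Create("http://server.example.invalid/OrderService.svc",
                             "REPLACE_WITH_NEW_SERVICE_CERT_THUMBPRINT", "client1", "REPLACE_ME");
        IOrderService proxy = factory.CreateChannel();
        try { return proxy.Ping(); }
        finally { ((IClientChannel)proxy).Close(); }
    }
}
```

Pinning the thumbprint on the client is the property that makes the identity check a security control rather than a nuisance: it is exactly what stops a client from silently talking to a different endpoint that presents some other certificate, which is why the check fails rather than adapts when the server's certificate changes.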
A system I'm working on has a web service which calls a WCF service. The request to the web service is received with the user's Kerberos credentials and we want to call the WCF service using these credentials.
Is it possible? If yes, how?
Yes. It is possible. You may have to use WCF delegation. Delegation is a perfect fit for backend service calls with the authentication done on the front end.
Please refer to Delegates and Impersonation. The impersonation level set to Delegate would enable you to authenticate a service running on a different machine from the caller server.
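The same mechanism answers both this question and the double-hop problem in the first thread, so one added example serves both (it is not code from either thread): the front-end service runs the operation under the caller's Windows identity, checks that the caller's token actually carries delegation rights, and opens the back-end channel with AllowedImpersonationLevel set to Delegation. The contract names IFrontService and IBackendService and the back-end URL are assumptions. For this to work the front-end endpoint must authenticate callers with Windows credentials (an anonymous endpoint, as in the first question, has no caller identity to impersonate), and the front-end's AD account must be trusted for delegation to the back-end's service principal.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Assumed contracts; neither thread shows them.
[ServiceContract]
public interface IFrontService
{
    [OperationContract] string GetReport();
}

[ServiceContract]
public interface IBackendService
{
    [OperationContract] string GetReport();
}

public class FrontService : IFrontService
{
    // Constructed placeholder for the Windows-authenticated back-end service.
    const string BackendUrl = "http://backend.example.invalid/Backend.svc";

    // Per-operation equivalent of <serviceAuthorization impersonateCallerForAllOperations="true" />:
    // the thread runs as the Kerberos-authenticated caller for the duration of this call.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string GetReport()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        if (caller == null)
            throw new FaultException("Front-end endpoint must use Windows authentication to delegate.");

        // The second hop only works when the caller's token is a delegation-level token.
        // With Identification or Impersonation level the back-end sees no usable credential,
        // which is the 401 / "Negotiate,NTLM" failure from the first thread.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            throw new FaultException("Caller token level is " + caller.ImpersonationLevel
                                     + "; Kerberos delegation is required for the second hop.");

        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

        var factory = new ChannelFactory<IBackendService>(binding, new EndpointAddress(BackendUrl));
        // Allow the impersonated caller's credentials to be forwarded, not just the host's.
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;

        IBackendService backend = factory.CreateChannel();
        try { return backend.GetReport(); }
        finally { ((IClientChannel)backend).Close(); }
    }
}
```

If the back end is the older ASMX-style SOAP service from the first thread, the same impersonation applies: a web reference proxy with UseDefaultCredentials set to true inside the impersonated operation sends the delegated caller's ticket rather than the application pool's. The explicit level check above is worth keeping: when delegation is not configured in AD the failure then shows up as a clear fault at the front end instead of an unexplained 401 from the back end.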