Secure WCF service from unauthorized use - c#

This is a similar question, but it doesn't fit my needs: WCF - Preventing Unauthorized Clients
I have full control over both a WCF Service and a number of clients that connect to this service.
Every client is just a program that doesn't require any username or password.
I want to be totally sure that only my clients will connect and use my WCF Service, is this possible?
My WCF Service uses 2 type of endpoints: netTcpBinding and basicHttpBinding.
Since I'm totally new to this kind of problem I'm googling and finding answers about using certificates, but I don't know if this is the right answer to my problem (and don't know how to use them). If certificates are the only way I'll use all the needed time to understand how to use them :)
Thank you!

Some sort of authentication is required, which sort is very much context dependent.
If you're in a windows domain, I would suggest using those mechanisms. Either way you should probably start here: http://msdn.microsoft.com/en-us/library/ff405740.aspx
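One concrete way to make "only my clients" enforceable, when both sides are under your control, is to issue each client its own certificate and pin the accepted thumbprints on the service side. The following is an added example written for this page, not code from the original post or from Microsoft's documentation; the service/client names, the URL, and every thumbprint are placeholders or assumptions. It uses netTcpBinding with transport security (the TLS handshake both encrypts the channel and requires the client certificate) and a custom `X509CertificateValidator` that rejects anything not on the allow-list before any operation runs.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IPingService
{
    [OperationContract]
    string Ping(string text);
}

public class PingService : IPingService
{
    public string Ping(string text) { return "pong: " + text; }
}

// Allow-list validator: a client is accepted only if its certificate thumbprint is one we issued.
// The thumbprints are placeholders (assumption), not values from the page.
public class PinnedClientCertificateValidator : X509CertificateValidator
{
    private static readonly string[] AllowedThumbprints =
    {
        "CLIENT1_THUMBPRINT_PLACEHOLDER",
        "CLIENT2_THUMBPRINT_PLACEHOLDER",
    };

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null) throw new ArgumentNullException("certificate");

        // X509Certificate2.Thumbprint is upper-case hex with no separators.
        foreach (var allowed in AllowedThumbprints)
            if (string.Equals(allowed, certificate.Thumbprint, StringComparison.OrdinalIgnoreCase))
                return;

        // Throwing here fails the security handshake; no service operation is ever invoked.
        throw new SecurityTokenValidationException(
            "Client certificate " + certificate.Thumbprint + " is not on the allow-list");
    }
}

public static class Host
{
    public static void Run()
    {
        // Transport security on net.tcp: TLS encrypts the channel and the client must present a certificate.
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;

        var host = new ServiceHost(typeof(PingService), new Uri("net.tcp://localhost:8081/Ping"));
        host.AddServiceEndpoint(typeof(IPingService), binding, "");

        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindByThumbprint, "SERVER_THUMBPRINT_PLACEHOLDER");

        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new PinnedClientCertificateValidator();
        // Revocation checking is independent of the validation mode; keep it on where CRLs are reachable.
        auth.RevocationMode = X509RevocationMode.Online;

        host.Open();
        Console.WriteLine("Listening; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}

public static class Client
{
    public static string CallPing()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;

        // The DNS identity must match the subject of the service certificate (assumed name),
        // otherwise the client refuses the server and the call never goes out.
        var address = new EndpointAddress(
            new Uri("net.tcp://localhost:8081/Ping"),
            EndpointIdentity.CreateDnsIdentity("ping-service.example"));

        var factory = new ChannelFactory<IPingService>(binding, address);
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My,
            X509FindType.FindByThumbprint, "CLIENT1_THUMBPRINT_PLACEHOLDER");

        var channel = factory.CreateChannel();
        string reply = channel.Ping("hello");
        ((IClientChannel)channel).Close();
        factory.Close();
        return reply;
    }
}
```

The same validator works unchanged for the basicHttpBinding endpoint if it is switched to `BasicHttpSecurityMode.Transport` (HTTPS) with `HttpClientCredentialType.Certificate`. The practical cost is key management: each client machine needs its own certificate and private key installed, and a leaked client key must be removed from the allow-list (or revoked) to lock that client out.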

Related

Remote WCF Service

I build a WCF Windows Service and I want connect to it via Internet.
So I was looking for a suitable binding. I decided to use wsDualHttpBinding.
It is working so far if I use securityMode=None in my xml and ProtectionLevel=None in my ServiceContract.
Now I have the problem that I cannot secure the connection between my Service and my Client, because I don't want anybody to see any details during my Login process.
When I use Message security and ProtectionLevel=EncryptAndSign I cannot access my Service.
Does anybody know where the problem is?
Thanks a lot in advance.
Finally done. After days of research I found a suitable solution for my problem.
I decided to use a certificate mechanism. Now I am creating a certificate and I can use message security.
Yes, it was quite an overhead, but it works fine.

WCF and wsHttpBinding - Message encryption

I'm working on a client-server project implemented using WCF. The clients are deployed on different machines and communicate with services through the internet. I'm relatively new to WCF, and am a bit confused on choosing the appropriate binding for my Web services. The clients need to be authorized to perform operations, however, I'm implementing my own authentication algorithm and trying to avoid Windows authentication for various reasons, but I still need to make sure the message transferred in the channel is encrypted.
Right now I'm using wsHttpBinding with security mode set to Message. Full configuration looks like this:
I've set the authentication type in IIS to Anonymous Authentication to make sure the requests are passed through, and was expecting a service call to fail since MessageClientCredentialType in my binding is explicitly set to Windows. However, when I run the code, the service successfully gets called and returns the expected values. I have a feeling that I'm missing something - why is the call authorized? Can I make sure the message is still encrypted even though authentication type is set to Anonymous? Any help is appreciated.
Edit
To clarify on this, I tested the service with a client deployed to a machine outside the network on a different domain.
This MSDN article kind of sums up a lot of security issues relevant to WCF
http://msdn.microsoft.com/en-us/library/ms733836.aspx
Regarding your specific situation:
negotiateServiceCredential="true" means that you streamline certificate distribution to your clients for message encryption.
This option only works with Windows clients and has some performance problems.
Read more here: http://msdn.microsoft.com/en-us/library/ff647344.aspx
Search for the topic "streamline certificate distribution" on that page.
Which account do you use to make the call to the service? Allowing anonymous in IIS lets your request pass through to the service, and the service should authenticate if your caller has credentials that Windows understands (Active Directory/NTLM).
In your case, I think you are testing it in your own environment, so the service responds. Once you deploy it over the Internet, I doubt your service will allow anybody outside of your domain if you keep clientCredentialType set to Windows.
Check these links for securing services on the Internet:
http://msdn.microsoft.com/en-us/library/ms734769.aspx
http://msdn.microsoft.com/en-us/library/ms732391.aspx
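Since the asker wants their own authentication rather than Windows credentials but still needs message encryption, the setting that matches that is wsHttpBinding in Message mode with `clientCredentialType="UserName"` and a custom `UserNamePasswordValidator`. With Message security the credential is checked at the SOAP layer, which is why IIS's Anonymous setting only governs the HTTP hop and does not by itself make the call unauthenticated. The block below is an added example written for this page, not code from the question or from Microsoft; the contract, the URL, the certificate names and the sample account are constructed placeholders. It stores PBKDF2 password hashes rather than passwords and compares them in constant time.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IPingService
{
    [OperationContract]
    string Ping(string text);
}

public class PingService : IPingService
{
    public string Ping(string text) { return "pong: " + text; }
}

// Validator backed by our own user store (an in-memory dictionary here, constructed for the example).
// WCF calls Validate for every secured message; a thrown exception turns into a security fault at the client.
public class StoreBackedUserNameValidator : UserNamePasswordValidator
{
    private const int Iterations = 100000, SaltBytes = 16, HashBytes = 32;
    private static readonly Dictionary<string, Tuple<byte[], byte[]>> Store =
        new Dictionary<string, Tuple<byte[], byte[]>>(StringComparer.Ordinal);

    // Registration path: store (salt, PBKDF2(password, salt)), never the password itself.
    public static void AddUser(string userName, string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        Store[userName] = Tuple.Create(salt, Derive(password, salt));
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashBytes);
    }

    // Constant-time comparison so a wrong guess does not leak how many leading bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public override void Validate(string userName, string password)
    {
        Tuple<byte[], byte[]> entry;
        if (userName == null || password == null || !Store.TryGetValue(userName, out entry)
            || !FixedTimeEquals(Derive(password, entry.Item1), entry.Item2))
        {
            // One generic failure for unknown user and wrong password alike.
            throw new SecurityTokenException("Unknown user name or incorrect password");
        }
    }
}

public static class Host
{
    public static void Run()
    {
        StoreBackedUserNameValidator.AddUser("alice", "correct horse"); // constructed sample account

        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        // Do not hand the service certificate out at run time; clients get it out of band (no Windows dependency).
        binding.Security.Message.NegotiateServiceCredential = false;

        var host = new ServiceHost(typeof(PingService), new Uri("http://localhost:8080/Ping"));
        host.AddServiceEndpoint(typeof(IPingService), binding, "");
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindByThumbprint, "SERVER_THUMBPRINT_PLACEHOLDER");
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new StoreBackedUserNameValidator();

        host.Open();
        Console.ReadLine();
        host.Close();
    }
}

public static class Client
{
    public static string CallPing(string user, string password)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.NegotiateServiceCredential = false;

        var address = new EndpointAddress(new Uri("http://localhost:8080/Ping"),
            EndpointIdentity.CreateDnsIdentity("ping-service.example")); // must match the service certificate subject
        var factory = new ChannelFactory<IPingService>(binding, address);
        // Service's public certificate, distributed with the client (assumed file name); it encrypts the request body.
        factory.Credentials.ServiceCertificate.DefaultCertificate = new X509Certificate2("service-public.cer");
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;

        var channel = factory.CreateChannel();
        string reply = channel.Ping("hello");
        ((IClientChannel)channel).Close();
        return reply;
    }
}
```

Two points to check in a deployment like the one in the question: the client-side certificate validation mode stays at its ChainTrust default, so the service certificate's chain must validate on the client machine; and the user name and password are protected only by the message-level encryption, which is exactly why the service certificate must be present before the first call is made.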

how to use netMsmqbinding - with server connected scenario

This might look a question where you can read the answer on MSDN, but I still want to ask about the scenario, as I want to solve the business problem.
I have a service hosted on a server, and a client makes service calls. It currently uses netTCP binding. Everything works fine when the service is available, when the server is up and running. Now, I need to handle the server down scenario. I use the local cache file on the client to serve the client requests in case of server down scenario. Now I want to cache all the requests made while server down and want to make service calls once server is up and running.
I am thinking about using the netMsmqBinding, because all I've read suggests that it works well in the disconnected scenario.
Q.1 Can I use the netMsmq to handle this scenario?
Q.2 If not then what could be another approach with which I can follow to solve this problem?
Q.3 Can I use WS-Discovery in case of server down to find that the client calls won't be able to contact the service?
EDIT: The scenario is Client-Server. But I do need to give a response on every call to the client. The client is also developed and maintained by me only, so I am in a good position to implement the best suitable solution.
Please guide me as I'm not too good with WCF.
Yes, you can use netMsmqBinding for this purpose. We are doing that for services running over a satellite link that can be down often.
One important limitation you need to take into account is that all calls must be one-way, since this is a queue-based transport. If you need to get the results of a request, you'll have to provide a separate response mechanism (it can be a similar queue in the opposite direction).
Ad question 1: using MSMQ is excellent for a scenario where the service may not always be up and running. Note that the server that hosts the message queue must be up and reachable to receive the messages. However, you haven't told us anything else about your scenario, particularly why you currently have NetTCP. The reason that's important, is because there are some things you can not do with MSMQ, for example duplex communication won't work out of the box.
Ad question 2: an alternative may be to implement logic in the client (it's unclear from the question if you're the owner of the client software) to have a local queue and retry messages later if a service is (temporarily) offline. I guess you may even have a proxy MSMQ service on the client, relaying the messages to the main service once it's up.
Ad question 3: yes, you can use Discovery for this. The service will have to announce to the clients when it goes online or offline. The simplest example is using the UdpAnnouncementEndpoint. In the clients you can use the AnnouncementService class to listen for the service coming online or offline, and keep a local list of available services. Alternatively (for example when UDP broadcasts aren't feasible) you can create a discovery proxy service at a well-known location that listens to announcements, which the clients can access for instant knowledge of whether the service they need is online.
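Putting the two answers together (one-way operations over netMsmqBinding, plus a second queue in the opposite direction for the response the asker needs), here is an added example written for this page; it is not code from the question, the answers or Microsoft. The contract names, queue names and the client host name are constructed, and it assumes MSMQ is installed on both machines. The binding settings are the ones that matter for the "server down" case: transactional, durable queues so a request written while the service is offline survives until it is delivered, and poison-message handling so a bad request cannot block the queue.

```csharp
using System;
using System.Messaging;
using System.Net.Security;
using System.Runtime.Serialization;
using System.ServiceModel;

[DataContract]
public class Order
{
    [DataMember] public Guid OrderId { get; set; }
    [DataMember] public int Quantity { get; set; }
    // Address of the queue owned by the client, where the result is to be sent.
    [DataMember] public string ReplyQueue { get; set; }
}

[DataContract]
public class OrderResult
{
    [DataMember] public Guid OrderId { get; set; }
    [DataMember] public bool Accepted { get; set; }
}

// Queued contracts: every operation must be one-way, the transport has no reply channel.
[ServiceContract] public interface IOrderIntake { [OperationContract(IsOneWay = true)] void SubmitOrder(Order order); }
[ServiceContract] public interface IOrderResults { [OperationContract(IsOneWay = true)] void OrderProcessed(OrderResult result); }

public static class QueueBinding
{
    public static NetMsmqBinding Create()
    {
        var b = new NetMsmqBinding(NetMsmqSecurityMode.Transport);
        b.ExactlyOnce = true;   // transactional queue: delivered once, survives process and machine restarts
        b.Durable = true;       // message written to disk, not held only in memory
        // A message that keeps failing is moved to the ";poison" subqueue instead of being retried forever.
        b.ReceiveErrorHandling = ReceiveErrorHandling.Move;
        b.DeadLetterQueue = DeadLetterQueue.System;
        // Only domain principals may write to the queue, and each message carries a signature.
        b.Security.Transport.MsmqAuthenticationMode = MsmqAuthenticationMode.WindowsDomain;
        b.Security.Transport.MsmqProtectionLevel = ProtectionLevel.Sign;
        return b;
    }

    // Queues must exist before hosting; both sides are created transactional to match ExactlyOnce.
    public static void EnsureQueue(string path)
    {
        if (!MessageQueue.Exists(path)) MessageQueue.Create(path, transactional: true);
    }
}

[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall)]
public class OrderIntakeService : IOrderIntake
{
    // The receive and our processing run in one transaction: a crash here leaves the message in the queue.
    [OperationBehavior(TransactionScopeRequired = true, TransactionAutoComplete = true)]
    public void SubmitOrder(Order order)
    {
        var result = new OrderResult { OrderId = order.OrderId, Accepted = order.Quantity > 0 };

        // Response goes back over the client's own queue; if the client is down it waits there.
        var factory = new ChannelFactory<IOrderResults>(QueueBinding.Create(), new EndpointAddress(order.ReplyQueue));
        var reply = factory.CreateChannel();
        reply.OrderProcessed(result);
        ((IClientChannel)reply).Close();
        factory.Close();
    }
}

public static class Server
{
    public static ServiceHost Start()
    {
        QueueBinding.EnsureQueue(@".\private$\OrderIntake");
        var host = new ServiceHost(typeof(OrderIntakeService));
        host.AddServiceEndpoint(typeof(IOrderIntake), QueueBinding.Create(), "net.msmq://localhost/private/OrderIntake");
        host.Open();
        return host;
    }
}

public static class Client
{
    // Sending succeeds even while the server is down: MSMQ stores the message locally and forwards it later.
    public static void Submit(int quantity)
    {
        var factory = new ChannelFactory<IOrderIntake>(QueueBinding.Create(),
            new EndpointAddress("net.msmq://order-server.example/private/OrderIntake")); // constructed host name
        var intake = factory.CreateChannel();
        intake.SubmitOrder(new Order
        {
            OrderId = Guid.NewGuid(),
            Quantity = quantity,
            ReplyQueue = "net.msmq://client-host.example/private/OrderReplies", // constructed host name
        });
        ((IClientChannel)intake).Close();
        factory.Close();
    }
}
```

The client also hosts an `IOrderResults` service on its `OrderReplies` queue (created with `QueueBinding.EnsureQueue(@".\private$\OrderReplies")`) in the same way `Server.Start` hosts the intake service. Note what changes compared to the current netTcp design: the caller never gets a synchronous return value, so request and response must be correlated by `OrderId`, and anyone with write access to the intake queue can submit orders, which is why the authentication mode and signing are set on the binding rather than left at the defaults.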

In WCF RIA Services, is it possible for others to connect to my service? If yes, how can I ban it?

Is it possible for others to connect to my defined services in my Ria application?
If yes, how can we remove this access?
A very broad question! First of all, you cannot remove access, e.g. your URL will still be there and anyone pounding around might accidentally hit it - you can restrict access to your service by checking some claims / facts about the caller.
Since a WCF RIA Service is fundamentally a WCF service, you can use any of the WCF mechanisms to secure your service (warning: I'm not familiar with Silverlight, so not all of these might be available / feasible for the limited world of Silverlight clients....):
require the user to be a valid Windows identity (in Intranet scenarios)
require a certificate with the caller
require a specific header in each message
check the caller's IP
One fairly straightforward solution is being presented here:
Restricting Access to your WCF Service to a known Silverlight Client
But again - that's just one possible solution out of a vast number of possibilities.
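Two of the four options in the answer above, "require a specific header in each message" and "check the caller's IP", can be enforced in one place with a `ServiceAuthorizationManager`, which WCF consults before every operation. The block below is an added example written for this page, not code from the answer or from the linked article; the header name, the shared key, the allowed address range and the contract are constructed. It applies to any WCF service, RIA or not, because the check runs on the server side; how a Silverlight client attaches the header is not shown here and is an assumption left to the client stack.

```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;

public class KnownClientAuthorizationManager : ServiceAuthorizationManager
{
    // Constructed values: a real deployment would load the key from protected configuration.
    public const string HeaderName = "ClientKey";
    public const string HeaderNamespace = "urn:example:client-auth";
    private static readonly byte[] ExpectedKey = System.Text.Encoding.UTF8.GetBytes("CONSTRUCTED_SHARED_KEY");

    // Allowed caller range, constructed: 10.20.0.0/16 expressed as network address and prefix length.
    private static readonly IPAddress AllowedNetwork = IPAddress.Parse("10.20.0.0");
    private const int AllowedPrefix = 16;

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        // 1. The message must carry our header with the expected value.
        var headers = operationContext.IncomingMessageHeaders;
        int index = headers.FindHeader(HeaderName, HeaderNamespace);
        if (index < 0) return false;
        string presented = headers.GetHeader<string>(index);
        if (presented == null || !FixedTimeEquals(System.Text.Encoding.UTF8.GetBytes(presented), ExpectedKey))
            return false;

        // 2. The caller's address must fall inside the allowed range.
        var remote = operationContext.IncomingMessageProperties[RemoteEndpointMessageProperty.Name]
            as RemoteEndpointMessageProperty;
        IPAddress caller;
        if (remote == null || !IPAddress.TryParse(remote.Address, out caller)) return false;
        return InAllowedRange(caller);
    }

    // IPv4 prefix match; IPv6 callers are rejected outright in this example.
    public static bool InAllowedRange(IPAddress address)
    {
        if (address.AddressFamily != System.Net.Sockets.AddressFamily.InterNetwork) return false;
        uint a = ToUInt32(address.GetAddressBytes());
        uint net = ToUInt32(AllowedNetwork.GetAddressBytes());
        uint mask = AllowedPrefix == 0 ? 0u : uint.MaxValue << (32 - AllowedPrefix);
        return (a & mask) == (net & mask);
    }

    private static uint ToUInt32(byte[] b) { return ((uint)b[0] << 24) | ((uint)b[1] << 16) | ((uint)b[2] << 8) | b[3]; }

    // Constant-time comparison so the header check does not leak how much of the key matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

[ServiceContract] public interface IPingService { [OperationContract] string Ping(string text); }
public class PingService : IPingService { public string Ping(string text) { return "pong: " + text; } }

public static class Host
{
    public static ServiceHost Start()
    {
        // Transport security is what keeps the header secret in transit; the manager only reads it.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        var host = new ServiceHost(typeof(PingService), new Uri("https://localhost:8443/Ping"));
        host.AddServiceEndpoint(typeof(IPingService), binding, "");
        host.Authorization.ServiceAuthorizationManager = new KnownClientAuthorizationManager();
        host.Open();
        return host;
    }
}

public static class Client
{
    public static string CallPing(string sharedKey)
    {
        var factory = new ChannelFactory<IPingService>(new BasicHttpBinding(BasicHttpSecurityMode.Transport),
            new EndpointAddress("https://localhost:8443/Ping"));
        var channel = factory.CreateChannel();
        using (new OperationContextScope((IContextChannel)channel))
        {
            OperationContext.Current.OutgoingMessageHeaders.Add(MessageHeader.CreateHeader(
                KnownClientAuthorizationManager.HeaderName, KnownClientAuthorizationManager.HeaderNamespace, sharedKey));
            return channel.Ping("hello");
        }
    }
}
```

Both checks are weak on their own, which is why the answer calls them one option among many: the header is a bearer secret shared by every copy of the client, so it is only as secret as the client binary, and the IP check sees the nearest proxy or NAT address rather than the real caller. They raise the bar against casual callers who "accidentally hit" the URL; per-client certificates are the stronger choice when you can distribute them.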

Cross-network WCF service authentication - What's the best way to do it?

I have a WCF service that's hosted at a commercial hosting facility that I need to authenticate against Active Directory on my corporate network.
I should mention that there is no way to set up an AD trust between the two networks. Also, my corporate IT department sucks, so any solution will likely need to be crafted and/or implemented by me. In the worst-case scenario I can host a custom authentication service on my corporate servers that the hosted WCF service would call to do authentication, but I'd prefer to use a pre-built or (at the very least!) industry standard way of accomplishing my requirements.
Any help in this regard would be greatly appreciated....
I don't think this will work out of the box - you'll have to write some code.
The issues are:
Get a connection from the hosting machine to something on your network
Get the something on your network to talk to Active Directory
I don't know enough about WCF to supply details, but I know that it's possible to completely customize authentication. You would need to have your custom authentication communicate with a service on your network (probably using WCF and some very secure configuration). This service would take the username/password from the hosting provider and pass it to Active Directory to validate.