I've looked up and down and I can't seem to find a way to have a simple WCF service (with either basicHttpBinding or wsHttpBinding) authenticate against this sort of config:
<authentication mode="Forms">
<forms cookieless="UseCookies">
<credentials passwordFormat="Clear">
<user name="test" password="pass"/>
</credentials>
</forms>
</authentication>
Basically, I want to hardcode a simple user/pass (don't ask why) and make sure my WCF service uses this.
On the client side I have this:
client.ClientCredentials.UserName.UserName = "test";
client.ClientCredentials.UserName.Password = "pass";
But the credentials do not seem to get passed on. The HttpContext.Current.User.Identity is never authenticated on the WCF side.
I've tried playing with the settings below trying to use everything from None, Transport, Message... but only None seems to let the service run (but no credentials are being sent/used). Other settings seem to require a X509 certificate (as I've found out in this great example).
<wsHttpBinding>
<binding name="userHttp">
<security mode="None">
<message clientCredentialType="UserName"/>
</security>
</binding>
</wsHttpBinding>
So, all in all... I want to create a very simple WCF service (that runs over HTTP - not HTTPS) with even simpler plain text username/password authentication. Should be possible but I am already lost. The best solution involves honoring <user /> entries but I'd be happy with any other simple implementation. It doesn't need to use cookies. As far as I am concerned it may as well send username/password on each service method call.
If you want to send user/pass in the message level without ssl then use ClearUsernameBinding. If you want the same in the transport level then use TransportCredentialOnly.
<binding name="BasicHttpEndpointBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" />
</security>
</binding>
Related
We have a WCF service that uses Windows authentication (also with option AllowNtlm=true). The documentation says that Windows authentication uses Active Directory to authenticate the user but doesn't describe how, which I need to figure out. How does WCF uses Active Directory?
Here's the binding configuration we're using:
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" />
<message clientCredentialType="Windows" establishSecurityContext="false" />
</security>
If anyone interested, this is what I've found.
If you set your client credentials type to Windows, WCF uses something called Windows SSPI for Windows authentication.
Windows SSPI makes either Kerberos or CLDAP requests to domain controller. Example:
Kerberos: AS-REQ request
CLDAP:
searchRequest(..) "<ROOT>"
(&(&(&(&(&(&(DnsDomain=...)(Host=...))(User=...))(AAC=...))(DomainGuid=...))(NtVer=...))(DnsHostName=...))
Both can be observed using Wireshark (look for Kerberos5 or CLDAP protocol requests)
I have just put my webservice onto IIS 7 and I need to use basic authentication, I have set this up in IIS 7 by enabling it, however I am getting the common error:
the http request is unauthorized with client authentication scheme
'basic' the authentcation header received from the server was 'basic
realm' = "server address"
In my client I am using
binding.Security.Mode = ServiceModel.BasicHttpSecurityMode.TransportCredentialOnly
binding.Security.Transport.ClientCredentialType = ServiceModel.HttpClientCredentialType.Basic
With the same settings in the service
<basicHttpBinding>
<binding name="binding1">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Basic" />
</security>
/binding>
</basicHttpBinding>
I see that a lot of solutions to this is to use a different security mode like transport which uses HTTPS and a certificate instead of HTTP. I dont want this, so is there anyway of solving this without HTTPS?
Thanks
I have a WCF service which must be secured with Windows and Certificate authentication.
I know that wsHttpBinding does no support Streaming but according to msdn it can be done using transport security with a customBinding but I am not able to do it...
<customBinding>
<binding name="AuthBinding">
<mtomMessageEncoding maxBufferSize="65535" />
<windowsStreamSecurity protectionLevel="Sign"/>
<httpTransport transferMode="Streamed" maxReceivedMessageSize="2147483647" />
</binding>
</customBinding>
I am going from one exception to another :
The security capabilities of binding 'System.ServiceModel.Channels.CustomBinding' do not match those of the generated runtime object. Most likely this means the binding contains a StreamSecurityBindingElement, but lacks a TransportBindingElement that supports Stream Security
Or
The request message must be protected. This is required by an operation of the contract ('IEntity','WebService.Entity'). The protection must be provided by the binding ('CustomBinding','WebService.Entity')
Rather than being done in a single step, this is two step process.
Enable Transport Security with Certificate Authentication.
Enable Transport Security with Windows Authentication.
Also I am not sure both works together.
But MSDN Article found seems to direct in a correct direction:
How to: Secure a Service with Windows Credentials with wsHttpBinding
Please refer these links from MSDN for further learning (not much help if you are in hurry to deliver some milestone):
Transport Security with Windows Authentication
Transport Security with Certificate Authentication
Update
You have to use custom binding having Mixed (transport with message credentials) security mode.
Three binding elements relate to message level security, all of which derive from the SecurityBindingElement class.
The three are TransportSecurityBindingElement, SymmetricSecurityBindingElement, and AsymmetricSecurityBindingElement. The TransportSecurityBindingElement is used to provide Mixed mode security. The other two elements are used when the message layer provides security.
Additional classes are used when transport level security is provided:
HttpsTransportBindingElement
SslStreamSecurityBindingElement
WindowsStreamSecurityBindingElement
You can get help on:
How to: Create a Custom Binding Using the SecurityBindingElement
and
Security Capabilities with Custom Bindings
This works for me:
<basicHttpBinding>
<binding name="basic" transferMode="Streamed" messageEncoding="Mtom">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName" />
</security>
</binding>
</basicHttpBinding>
I'm currently developing an application that needs to communicate with a webservice on the internet. Internet explorer is until know the only application that is connecting to the internet through a proxy server.
The proxy settings are setup to "Use automatic configuration script".
I have kept the default setting
<binding useDefaultWebProxy="true" />
And additionally set
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" proxyCredentialType="Basic"
realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
But no luck. I keep getting "(407) Proxy Authentication Required."
I have done some Google-ing, but the solutions do not seem to fit my situation.
Short update:
The application should run with the default user credentials, and use those credentials
through NTLM to authenticate with the proxy. But even when I set the client to do that it doesn't seem to help.
Keep the <binding useDefaultWebProxy="true" /> setting, and make sure useDefaultCredentials is set to true in your app.config file (this setting is false by default):
<system.net>
<defaultProxy useDefaultCredentials="true"/>
</system.net>
For more information, see my blog post "Using HTTP Proxy Servers".
I can't give you any background on why but setting:
<binding useDefaultWebProxy="false" />
Works for me in my current environment when getting your exact error.
Everyting in Windows seems to use the IE-configurable internet settings which include the default proxy. Internet explorer fixes this up for you neatly when running but if you try to retrieve the service wsdl or so using Firefox I´m guessing you would end up having a user login prompt.
In any case, try to false the default proxy.
Remember that kerberos authentication does not work very well across different firewalls. Many organizations have setup up their proxy to use AD for authentication and will only allow the proxy to access internet sites. This setup does not work well for web services and I suspect this is your problem.
I'm trying to make a self hosted WCF app that uses nettcpbinding but works in an environment without a domain.
It's just two regular windows pc's, one is the server and the other one will be the client. The problem with this is that when I try to get the client to connect it's rejected because of the security settings.
Can you please point me in the right direction as to how I can get this scenario to work?
Should I (if possible) disable security?
Is there another (hopefully simple) way to accomplish this?
Regards,
Daniel
If you'd like to disable security for testing purposes, in the App.config of the WCF project, change the security element to <security mode="None" />, e.g.:
<bindings>
<netTcpBinding>
<binding name="netTcpBindingConfig" transferMode="Buffered" maxReceivedMessageSize="5242880">
<readerQuotas maxArrayLength="5242880" />
<security mode="None" />
</binding>
</netTcpBinding>
</bindings>
If you have a client, update the service reference to sync the security settings. Keep in mind that you should use some level of security in production environments.