A system I'm working on has a web service which calls a WCF service. The request to the web service is received with the user's Kerberos credentials and we want to call the WCF service using these credentials.
Is it possible? If yes, how?
Yes. It is possible. You may have to use WCF delegation. Delegation is a perfect fit for backend service calls with the authentication done on the front end.
Please refer to Delegates and Impersonation. The impersonation level set to Delegate would enable you to authenticate to a service running on a different machine from the caller server.
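The second hop described in this answer, as an added example that is not code from the question or the answer. It assumes the user's identity arrives as a `WindowsIdentity` (from `ServiceSecurityContext` in WCF, or `HttpContext.Current.User` in ASP.NET with Windows authentication), that the client was allowed to send a delegatable token (`AllowedImpersonationLevel = TokenImpersonationLevel.Delegation`), that the web service's account is trusted for (preferably constrained) delegation to the back-end SPN in Active Directory, and the back-end address, contract and SPN shown are hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IBackend
{
    [OperationContract]
    string WhoAmI();   // assumed to return the identity the back-end sees for the call
}

public static class DelegatingCaller
{
    // Hypothetical back-end address and SPN. The SPN must be registered on the account
    // that runs the back-end service, otherwise Kerberos (and so delegation) is not used.
    static readonly EndpointAddress BackendAddress = new EndpointAddress(
        new Uri("net.tcp://backend.example.local:9000/backend"),
        EndpointIdentity.CreateSpnIdentity("host/backend.example.local"));

    // 'caller' is the user who authenticated to the front-end web service.
    public static string CallBackendAs(WindowsIdentity caller)
    {
        // A second hop only works with a delegatable ticket. An Impersonation-level
        // token is fine for local resources but cannot authenticate to another machine,
        // which is the classic "double hop" failure.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            throw new InvalidOperationException(
                "Caller token is " + caller.ImpersonationLevel + "; Delegation is required for the second hop.");

        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;

        var factory = new ChannelFactory<IBackend>(binding, BackendAddress);
        // Least privilege: the back-end only needs to identify the user, so do not hand it
        // a token that could be delegated onward a third time.
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;

        // Create and use the channel while the thread runs as the caller, so SSPI presents
        // the caller's Kerberos ticket rather than the process account's.
        using (caller.Impersonate())
        {
            IBackend proxy = factory.CreateChannel();
            try { return proxy.WhoAmI(); }
            finally { ((IClientChannel)proxy).Close(); factory.Close(); }
        }
    }
}
```

If `WhoAmI` on the back-end reports the process account or an anonymous logon instead of the user, the delegation configuration in AD or the SPN registration is what to check first.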
I have a WebAPI based master web service which provides a list of Azure Service Bus Relay endpoints for on-premises WCF services based on the client who logged onto the Master Service via a WPF desktop App using ADAL Azure Active Directory logon. This works fine, and the master service returns a Service Bus endpoint for the client who logged in.
The client can then connect to the WCF on-premises service via the returned Service Bus endpoint no problem.
However, there are certain methods in the on-premises WCF service which need to impersonate the calling client-user, and this is where I am stuck. Does anyone know of a way to be able to impersonate a client who has called a WCF service via the Azure Service Bus relay? I can't "log the user on" in order to impersonate them because I don't know their domain password; I only have available their logon UPN.
You can potentially solve this problem in the same way I did when writing a paper about flowing an identity through Azure Service Bus queues. You would need to have elevated privileges for your service account running the on-premises service, which may introduce a vulnerability depending on how your solution works, but if you can mitigate that then this approach would work.
The paper is on the following link:
Flowing a Windows Identity through Azure Service Bus Queues
http://microsoftintegration.guru/publications/whitepapers/
Hope this helps
Mike
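One way to impersonate a user from a UPN alone, added here as an example that is not taken from the linked paper or the answer. It relies on the documented `WindowsIdentity(string upn)` constructor, which performs a Kerberos S4U2Self logon without the user's password; the service account needs the elevated privilege the answer mentions (TCB, or constrained delegation with protocol transition) for the resulting token to be usable for more than local access checks. The `RunAs` helper and the UPN check are assumptions of this example.

```csharp
using System;
using System.Security.Principal;

public static class UpnImpersonation
{
    // 'upn' must come from a source the on-premises service already trusts (the identity
    // the Master Service authenticated), never from free-form caller input: whoever can
    // choose this string chooses who the service acts as.
    public static T RunAs<T>(string upn, Func<T> work)
    {
        if (string.IsNullOrWhiteSpace(upn) || upn.IndexOf('@') <= 0)
            throw new ArgumentException("Expected a UPN such as user@domain.example", "upn");

        // S4U2Self: the KDC issues a ticket for 'upn' to this service with no password.
        // Without TCB privilege or protocol transition the token is Identification level,
        // which is enough to evaluate ACLs but not to act as the user.
        WindowsIdentity identity = new WindowsIdentity(upn);
        using (identity)
        {
            if (identity.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
                throw new InvalidOperationException(
                    "Got an " + identity.ImpersonationLevel + "-level token; the service account "
                    + "lacks the privilege needed to impersonate " + upn + ".");

            // Keep the impersonation window as small as the work allows.
            using (WindowsImpersonationContext ctx = identity.Impersonate())
            {
                return work();
            }
        }
    }
}
```

Usage inside a service method would be `UpnImpersonation.RunAs(callerUpn, () => File.ReadAllText(path))`, with `callerUpn` taken from the validated token, so that the file ACL, not the service account's rights, decides the outcome.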
I have Active Directory Federation Services 2.0 all setup and ready to work, but I have a scenario that falls outside pretty much everything I've read on enabling a relying party application. The 2 scenarios that are well documented involve A) Passive authentication for a web site or B) Using a thick client that's authenticated for calling web services.
My scenario is as follows: I have a web application that calls WCF services via Net.TCP for data access. I need to use ADFS 2.0 to secure each WCF call with a secure token.
I also can't use the passive method of authenticating with ADFS from the web site (security restrictions outside my control).
So my question is, is it possible to manually request a secure token from ADFS via a web site, then use that same token to call my WCF service methods?
Have a look at http://travisspencer.com/blog/2009/03/caching-tokens-to-avoid-calls.html.
This blog post describes how to cache security tokens for WCF service calls.
I think it should also be possible to "inject" an already fetched token in the described "CacheSecurityTokenProvider".
I have the issue "The caller was not authenticated by the service." when calling a service method from IIS7 on the client side. The client and service are on different machines. But when I give credentials it works fine. So, is there any way to call the service method without credentials and without this issue?
Thanks
No, the service sounds like it has been configured to demand credentials. This service has been designed to not only require that you pass credentials but also to prevent you from circumventing the security measures.
The bottom line is that if the service requires credentials, you must provide them. Is there a specific reason that you cannot or will not provide credentials to the service?
Is it possible to use Brokered Kerberos Authentication for web services over the Internet? I'm looking at web services security for an environment which already has Active Directory. Due to the existing architecture the web services will be quite chatty and I have no control over this architecture. It may take up to 6 web service calls to perform one business process.
There is concern over authenticating multiple times and the overhead this will incur. From my initial reading of brokered kerberos authentication, once the user credentials are provided then a Kerberos security token will be returned and authentication is not required for each web service call.
I'm envisaging a system where the user credentials are passed to Active Directory via a web service call and the Kerberos token is returned. This token is then used for all subsequent web service calls.
Is this possible or am I heading off on a tangent? If I am heading off on a tangent is there a preferred approach for this? I've finished reading the Microsoft Web Service Security: Scenarios, Patterns and Implementation Guidance for WSE 3.0 and still a little unclear.
Consider leveraging the SAML protocol as a way to exchange assertions via WS-Security.
This is what I wish to achieve:
My ASP.NET web service is hosted on a server called //service. I want to control access to the web service by server and by application as well. What I mean here is if I have two ASP.NET web applications (app1 and app2) hosted on a server called //web1 and I only want //web1/app1 to be able to call the web service. I know that I can grant access to the IP address of //web1 but that would allow both //web1/app1 and //web1/app2 access to the web service.
I am thinking about using an SSL certificate as I don't want the web application to handle the login/password. On //service, I will grant access to the IP of //web1 and map a client certificate from //web1 to a Windows account, and this will allow only applications from //web1 to access. But then how do I further control the access to only //web1/app1?
You can use standard HTTP Authentication to control which applications have access to your web service.
Credentials are passed in the Authorization header with each request. Every web service client (i.e. //web1/app1) should have its own credentials, so if //web1/app2 tried to connect to the web service without providing recognized credentials, it would be denied access.
I recommend using SSL to encrypt all traffic, so that authentication information and other sensitive data is secure.
Here are a few articles that may be helpful:
HTTP Security and ASP.NET Web Services (see Authentication section)
Authentication in ASP.NET Web Services
Good luck!
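The per-application HTTP authentication this answer describes, as an added example that is not code from the question or the answer: an ASP.NET `IHttpModule` that gives each calling application (here only `web1-app1`) its own Basic credential, refuses credentials over plain HTTP, and compares the secret in constant time. The module name, the in-memory credential store and the placeholder secret are constructed for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Text;
using System.Web;

// Register in web.config under <system.webServer><modules>; it runs on every request.
public class PerAppBasicAuthModule : IHttpModule
{
    // Constructed sample store: one secret per calling application, here only web1/app1.
    // A real deployment loads these from configuration or a secret store, not source.
    static readonly Dictionary<string, string> AppSecrets = new Dictionary<string, string>
    {
        { "web1-app1", "PLACEHOLDER-app1-secret" }
    };

    public void Init(HttpApplication app) { app.AuthenticateRequest += OnAuthenticate; }
    public void Dispose() { }

    static void OnAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // Basic credentials are only base64-encoded, so never accept them over plain HTTP.
        if (!ctx.Request.IsSecureConnection) { Reject(ctx, 403); return; }
        string app;
        if (!TryCheckBasic(ctx.Request.Headers["Authorization"], out app)) { Reject(ctx, 401); return; }
        // Per-method authorization can now key off ctx.User.Identity.Name ("web1-app1").
        ctx.User = new GenericPrincipal(new GenericIdentity(app, "Basic"), new[] { "WebServiceClient" });
    }

    // Parses "Basic base64(app:secret)" and checks the secret without early exit on mismatch.
    public static bool TryCheckBasic(string header, out string app)
    {
        app = null;
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return false; }
        int colon = decoded.IndexOf(':');
        if (colon <= 0) return false;
        string user = decoded.Substring(0, colon), expected;
        if (!AppSecrets.TryGetValue(user, out expected)) return false;
        byte[] a = Encoding.UTF8.GetBytes(expected), b = Encoding.UTF8.GetBytes(decoded.Substring(colon + 1));
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        if (diff != 0) return false;
        app = user;
        return true;
    }

    static void Reject(HttpContext ctx, int status)
    {
        ctx.Response.StatusCode = status;
        if (status == 401) ctx.Response.AddHeader("WWW-Authenticate", "Basic realm=\"service\"");
        ctx.ApplicationInstance.CompleteRequest();
    }
}
```

A second application on //web1 (app2) has no entry in the store, so its requests end at the 401 even though they come from the same IP address the server already trusts.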
Not really.
A certificate secures the transmission between the client and server domain. It doesn't really work to have multiple certificates for multiple subdirectories.
What you'd want to do is to create a login service that returns a token. You then use that token to manage the session on the server side and the client uses it along with every subsequent request to access and execute the available services. (can this token access this webservice? t/f)
You're going to have to give the client access to some sort of credentials. Whether that is a certificate exchange or a user/pass you're going to have to figure out who the client actually is.