I have a webservice that's behind form's authentication. The site that hosts the service also serves as a site that requires a user to log in via the login page.
I have a second site that needs to be able to access the service that the first site hosts. However, when attempting to access the service, it fails because the service requires that the user is logged in.
The first site is on a seperate server than the second site, but both sites are on the same subnet. Thus far the only way I have found to have the second site access the first sites service is to allow all users via a web.config setting specific to the directory that hosts the services .ASMX file. This is not acceptable because it leaves the door wide open to anyone who knows the .ASMX file directory.
I have attempted to mix and match windows authentication and use impersonation to access the web service, but according to microsoft, you cannot mix and match authentication types, and through personal trial, you can indeed not.
I'm looking for any helpful tips to help me accomplish this goal at a minimal reconfiguration of my two sites.
Thanks,
George
I implemented the solution by adding custom security to the headers on the SOAP packets. This allowed me to mix and match my security at a minimal reconfiguration to the service.
Related
There is a requirement to have a common web api application to service 3 different MVC web applications. These client web applications have their own databases and own authentication implementations. How do we configure the web api application to provide access to a set of APIs to web app 1 alone and deny to all other web apps, similarly for web app 2 and so on? In other words, is there a way to 'register' each web app with the web api service and also build in a mechanism through which the web app is only allowed access to a set of endpoints? Thanks for all the help..
There are a handful of ways of solving this
Host multiple WebAPI servers in a single process to effectively meet your requirement while making your project easier to organize
Use Authentication and Authorization filters to customize how requests are accepted, denied, and routed
Using a router and/or switch at the hardware level, create a blacklist/whitelist combined with a reverse proxy (beware of MAC spoofing, etc, with this solution)
Use dependency injection to add abstraction to the process and to remove the ability to specify a custom endpoint in an unintended manner programmatically; this solution will only work if you control the client code, however
From the sound of it, the issue you're describing doesn't seem like one regarding the visibility of the endpoints, but of the access control to leverage them. If I'm wrong, please let me know in a comment and I'll update my answer.
Here's a bit of a back story, feel free to skip to the problem below.
We have a handful of web applications exposed to the outside world (as opposed to ONLY on our internal business network) and these applications are using HTML5 for the offline capabilities. We also had IIS configured for Windows Authentication ONLY (no outside parties use our applications), thus we were issuing the challenge directly against our AD. With a recent update to Chrome for iOS, it broke the NTLM authentication (instead of prompting for use credentials, it just displayed a 401 unauthorized exception page) so we started looking at alternative solutions.
We figured we could leverage our current external ADFS/O365 access thus the user experience would be the same across all external facing applications (not just web apps).
We ended up adding OWIN to our WebForms app to use ADFS authentication and it works from a perspective of you can see the redirect to our external login page and then back to the web app. However, there is an additional problem. To get this to work, we had to DISABLE Windows Authentication in IIS and ENABLE Anonymous Authentication. Also, in the Web.Config in <system.web> we added <authorization><deny users="?" /></authorization>
PROBLEM
Since our applications are using HTML5 and are available offline, we are also using Web API to handle the push of data from the client device to the central system. When we moved to our "SSO type" solution, the POST methods in Web API started crashing. Turns out the line HttpContext.Current.User.Identity.Name stopped working.
How can I get the current authenticated [signed in] user when the user returns to the network and sync's their data? I'm not even sure what the best approach is here, I've tried a few different suggestions from SO and Google, but none seem to work. How does one get the current user in Web API with Owin using Federated Services?
My goal is to create a service that will allow someone to register their own domain (so, many domains being used), and have that domain point to a specific service/template within a single web application.
Is this possible using URL rewriting or some other method? I want to have a vanity domain that would essentially act as the unique identifier within my application...
So instead of www.myapplicationdomain.com/site/1 and www.myapplicationdomain.com/site/2, i could allow a vanity domain that my application would utilize.
www.customwdomain.com = application/site/1
www.bettercustomwdomain.com = application/site/2
Is this possible, or would i essentially have to dynamically create new websites in IIS and drop files in those folders that the domain would point to? I know IIS can support multiple websites on the same host, but I was trying to take it a step further.
I guess my question is very similar to this question:
IIS with multiple domains on one single web application
Some considerations:
Trying to make this work on Azure shared hosting
I don't want to use sub-domains
I want the vanity domain to always be in use (e.g. not a redirect)
It is possible.
We have an Ecommerce web application that has many web domains being pointed to it, each with their own unique interface. This is entirely dependent on technologies of the Apache software foundation, and I'm not aware of a way to do this without a web server sorting out domains for the application.
We rely on Apache HTTP server for Virtualhost configurations (the listener & configs for each domain), and for serving static content.
We rely on Apache Tomcat for the single Java app that displays most of the interface and functionality. The Apache HTTP server is configured to pass relevant traffic to the Java app.
Configure multiple custom domains to an web-app and then add application gateway at the front of the application. Now based on the application url redirect to the updated url of the website.
I've got two MVC sites that use the same STS for authentication. I need to create a WCF service as part of one of the sites that allows the other site to retrieve data.
These sites could be on different machines accessible over the internet (although currently they're on the same machine) and the WCF service should only be able to be accessed from the client site. The authentication token used to log into the client site should be passed through to the WCF service.
I've been looking at the different WS-Security options available (Transport, Message etc) and it's not quite sinking in 100%, and I feel like I'd end up implementing something that seemed secure but wasn't actually secure due to a lack of understanding. Any help much appreciated.
Edit:
My first attempt was with transport layer security and setting the WCF service virtual directory with require SSL in IIS. However that left me with an error of:
"The remote certificate is invalid according to the validation procedure."
And I had no way of ensuring that a specific client was connecting to the service, only that a client had a certificate from a trusted CA. At least as far as I know. I'm probably missing something vital here.
The authentication token used to log into the client site should be
passed through to the WCF service.
In this case you should be requesting an "ActAs" token from the STS:
The WCF service should be configured as a Relying Party of the STS.
The MVC site should call back to the STS and request an ActAs token specific to the WCF service.
The MVC site uses the ActAs token to call the service.
The motivation for the complexity: Delegation, or traversing multilayer architectures
Since you mentioned WS standards:
Requesting Delegation (ActAs) Tokens using WSTrustChannel (as opposed to Configuration Madness)
Not knowing your STS its hard to say more, but Googling "ActAs token" will probably give you what you need.
It's running into an Intranet, .net framework 3.5, hosted in IIS 7.0 and it's using wsHttpBinding with null security. Now I have to protect it to allow only specific users can run it.
Seems that I should use SSL and certificates but I'd really like stay away of that because looks complex, basically I'm looking for the simplest way.
I took a look to netTcpBinding and seems to me this is the right way, if so, can you confirm if using net.tcp it would be able to be consumed by some asp.net site.
Any comments are welcome.
Thanks,
In your case you have an intranet, which means that you have internal users. It depends where the call to the WCF service is coming from.
If we assume:
Internal users, who login to a windows domain
The client machines and the server are in the same domain
The user runs a windows app on their machine, which makes the WCF call
Then the simplest solution is to use windows authentication
The client makes the call in the security context of the logged on user
The server checks the group membership of the user to determin if it should allow access
You said you are using an Intranet app.
If so, you could turn on Windows Authentication, and allow only specific users in IIS (this is also controlled in the web.config). If everyone is on the intranet, it should authenticate automatically without users needing to enter a password or user name.
However, if anyone outside your intranet needs to reach this service, you'll need to include SSL & https to protect the credentials sent to the service.