I have created a project which is basically described as a consumable service to create or edit users on a remote computer. The idea is to connect to a server and add a user. The structure of the project is as follows:
WCF Service: to expose functions to create/edit/select users
Utility assembly: Netapi32 COM functions wrapped in a utility class
Consumer: Usable assembly that wraps calls to the WCF service to use in site
The problem I am having, is that I can get a list of all the users on the computer running the WCF service, but i cannot create or edit them. it is only giving me readonly functionality.
Does anyone have any idea how I might be able to fix this or even trouble shoot it?
The account that actually runs the WCF Service may very well not have rights to create or edit users.
Make sure your service is running under an admin user that actually has the rights to create users. If you use the default user for IIS i bet it does not have that kind of access.
Related
I would like to add a password protected page to my WPF modernUI application and could use some help with it.
First of all I don't really have a clue how to handle this stuff correctly in my case.
My application is used on several machines. The protected page should be some kind of admin-page to edit a database that is used by the app.
My idea is, that there is only one Admin-account. But this account can be used from any machine. The admin should be able to change his password. So there must be some kind of encrypted password file on the server which can be accessed from any machine. I don't want to store the password within the application, as this would mean that the admin has to change his password on every machine.
So my question is: What is the best/safest solution for my idea? I'm just looking for hints as I don't have a clue what to search for.
The best Practise nowadays for distributed client applications who share a Database is indeed not to have direct access to the Database.
What you need is a WebService. A web service can be anything. It just has to be hosted somewhere. It can be an ASP.NET application, a WCF Service, or even something not .NET related like a PHP or Java application.
The communication between your application and your WebService depends on what you decide to use. Today a lot of people are using so called REST APIs which use either XML or JSON as data transfer format and use the HTTP protocol.
Its not hard to implement such an API since there are ton of Libs and Solutions out there.
You could use RestSharp for the communication at your client side. Which is straight forward and simple. You could also consume a WCF Service. Which is hosted in IIS somewhere.
However your Problem is nothing special and there are several solutions available. The decision is on your side since it depends on a lot of things such budget, available infrastructe etc.
Your question is quite broad but as far as WPF is concerned you could implement custom authentication and authorization in your application by creating classes that derive from the IIdentity and IPrincipal interfaces and overriding the application thread’s default identity. Please refer to the following blog post for more information an an example.
Custom authorization in WPF: https://blog.magnusmontin.net/2013/03/24/custom-authorization-in-wpf/
The actual credentials should be stored on some remote server that may be accessed through a web service, WCF service or some other kind of API. The details of how to actually get the credentails would be implemented in the AuthenticationService class in the sample code from the above link.
i need to build this architecture and i need some orientation on "how should i build". I've read many docs and examples but i can't find and figure how to do trying to be efficient and secure:
External app (android app, ios app) where users, after a login, can access to their personal info and manage the account (updating personal data, showing personal documents related to their account and much more). The username / pwd input must be done only 1 time.
A public wcf service will receive their actions and will call to a another internal wcf service. It will work like a 'bridge'.
The internal wcf service will get the request and do the operations needed (logical and db operations). This will return data to the external wcf service and this one to the client (obvious).
UserName/PWD are stored in a database.
WCF services can only be accessed with the correct credentials and are IIS hosted.
So i find many problems/questions:
I don't know HOW and WHERE should I build the AUTH (internal, external, both?). How can i manage a session between wcf services and app clients to avoid sending credentials every time?
The client app needs to send credentials every time? This means every service requires to SELECT the database for checking the username?
SOAP? Rest Services? It doesn't care? (on internal wcf, external wcf, both?).
I need work with asp.NET sessions or i really don't need? I don't see how services that needs username/pwd that are called frequently and repeatedly are efficient without old asp.net sessions.
Thanks for your help and orientation.
Regards!
If someone interested... seems Routing Service seems to fit for my design and can solve my problem after some tests i have done.
I am building an ASP.NET WCF Restful Service for several colleges. The service allows students to authenticate, therefore I will be leveraging some sort of central authentication at each College. For example one college may require authentication via Open LDAP while another may require Active Directory Authentication.
I need the ability to easily drop code into my project to change the authentication type (Open LDAP, Active Directory, etc..).
My solution is to create an interface and implement it in my Custom Authentication class. I would drop the compiled authentication class into my bin folder and add a key value entry into the web.config file which specifies the Assembly name and Class name. When a user Authenticates I would create the class through reflection and use the interface methods to authenticate the user.
Is the above approach a good approach to handle custom authentication? Has anyone solved this using a different approach?
Thank you for your time.
Victor
You could just use the ASP.NET provider model or use MEF to look through your directories and assemblies to discover implementations of an interface. That way you don't have to write the reflection code yourself, and it will be correctly loaded on application initialization, rather than you creating it on every authentication attempt.
I think you can develop a custom service behavior, and in that behavior you can define your customized authentication ways.
This link (http://www.codeproject.com/KB/WCF/Custom_Authorization_WCF.aspx) may help you.
First, I have two project working on: ASP.NET and Silverlight
Both uses a class (QueryServiceClass in a library class project) that have query methods to access the database with ADO.NET, manipulating the database. (open connection to database, add customer, edit, update etc.)
So I stored them into a C# Class library and it shared with ASP.Net and Silverlight.
ASP.NET project and Silverlight's Web project will have a reference to the QueryServiceClass project.
But then if I publish the ASP.NET/Silverlight Project, the QueryServiceClass project's dll file should also be published ( the dll should be locate in the server side at this point).
Because the QueryServiceClass's method has to be public so ASP.NET/Silverlight project can use it.
So someone might able to use that dll to access the database? Would that be safe?
======
Edit
In the Silverlight's Web Project, I am using WCF inhert the QueryServiceClass and an Interface to access the database, so on Silverlight Client, it will access the database through the WCF.
I am more concern on someone might take the dll file from the server and give to someone.
Thanks in advance.
King
You can make your members internal instead of public and modify the AssemblyInfo.cs class and make internals visible to specific asseblies.
[assembly: InternalsVisibleTo("OtherLib.Domain.Stuff")]
This doesn't keep someone from disassembling your DLL to get the info, but will keep people from using your dll in their code.
Public or not, that will not be safe. If your thing accesses a database without proper access restrictions, in any way, from a non-trustworthy computer, your database will be wide open.
The correct way to do this is to put a web service between your Silverlight thing and the database and do thorough access checks in the service.
Probably the safest way to prevent any issue is to not allow remote access to your database from the public internet. This is usually handled by having a service run on a web server (the service could be a website) and then connecting to the database with the service. Basically, you should ensure that no connections can be made directly to the database server from a machine outside of your network.
You can make this safe by storing your DB login credentials in a config file and encrypting them. Then they could access the dll, but without valid credentials could not connect to the DB.
Here's an article that describes encrypting values in a web.config file.
Edit: Combine this with Chris's suggestion, and you have a good, secure solution.
Even if you made the methods private, they could use reflection or decompile the DLL to get your code and then access the database.
You could have a WCF service which does all DB interactions and the client connects through the service. This way a direct connection can't be made but methods could still be called if the end user can determine the location and authentication scheme, etc., of your WCF service.
You could just store and encrypt the connection info the config file.
I have read a lot about impersonation, and I have tried a ton of tags in my config file. I have tried [OperationBehavior(Impersonation = ImpersonationOption.Required)] on my method that hits the database.
None of it works. I get a wide variety of error messages depending on how my config is setup.
Can anyone lay out for me what C# and configuration (ie bindings, behaviors, endpoints settings) is needed to get the following scenario to work:
I call a WCF method via WCFTestClient.
The WCF Method is hosted in IIS (running under an IIS user that is not a valid user in the DB).
That method sees who the caller is and passes those credentials on to the call to the database
The Call to the database is in a different project (a class library) and uses Linq-to-sql
The database performs the action as if the caller of the WCF service had done it.
If anyone has clarified this mystery please share the details with me.
Thanks!
(NOTE: I am developing in Visual Studio 2010 Ultimate and hosting in IIS 7)
There is a nice walkthrough of how to set up impersonation in WCF here. You may be missing the servicebehavior setting?