WCF service in DMZ authenticating with AD

  • Question

  • First of all, let me start by saying that I'm not pro-accessing-domain-controllers-from-DMZ because of the enormous security hole it implies, but one of my customers wants this for some strange reason.... I have a server A hosting a WCF authentication service, placed in the DMZ, and they allowed it in their firewall to get to:

    - Sql Server B through port 1433. This one is inside the domain network.

    - Domain controller C, port 389.

    I have an HTML form to test the authentication before deploying, so I send this -- username:DOMAIN\USER pass:PASSWORD -- and I always get this in my logs: LogonUser error: There are currently no logon servers available to service the logon request.

    The thing is, in this SQL Server I have two databases of the same application. When you hit number 1, you're using the app's integrated security and the service returns an OK right away. The problem is when hitting the app's database that uses domain authentication: it always shows that message. If I have an open connection to a domain controller, is there something I need to set up to make this work? Any kind of guidance would be much appreciated.

    Tuesday, August 20, 2013 5:23 AM

All replies

  • Hi,

    To use Windows/Active Directory validation, set the clientCredentialType to "Windows". You might have to switch to wsHttpBinding, or even better: netTcpBinding (if you're on a Windows LAN behind a firewall).

        <binding name="WindowsSecured">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>

    With this, only users who are registered in your Windows domain can even call the service. Any other users will be refused without any additional work on your side.

    Or you need a custom user name and password validator. 
    There is an MSDN article that covers all the steps:
    How to: Use a Custom User Name and Password Validator.

    Best Regards,
    Amy Peng

    MSDN Community Support

    Please remember to "Mark as Answer" the responses that resolved your issue. It is a common way to recognize those who have helped you, and makes it easier for other visitors to find the resolution later.

    Wednesday, August 21, 2013 9:31 AM
  • Hi,

    Port 389 indicates use of the LDAP default port.

    Check this one, referred from mojoportal:

    The LDAP/Active Directory authentication can be used to allow users to access a public facing (i.e. on the internet) or a private facing intranet web site.

    Arranging security may be one's private concern.

    IPsec based networking would allow endpoint access like in a private network.

    Again, arranging security would be one's private concern.


    Please remember to mark the replies as answers if they help and unmark them if they provide no help, or you may vote-up a helpful post.

    • Edited by murtazagandhi Wednesday, August 21, 2013 2:39 PM
    Wednesday, August 21, 2013 12:57 PM
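Amy's reply points to a custom user name and password validator, and the reply above notes that the only hole the firewall has to the domain controller is LDAP on port 389. The two fit together: a validator can check the supplied DOMAIN\USER and password by performing an LDAP bind against the DC over exactly that port, instead of relying on LogonUser, which goes through the DC's Netlogon service rather than LDAP. The following is an added example written for this thread, not code from any of the posters or from the MSDN article; the class name, the DC host name and the timeout are assumptions, and the host name is a placeholder to be replaced with the real DC.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Net;

// Hypothetical validator: checks a DOMAIN\user + password pair by binding to a
// domain controller over LDAP (port 389), the one path the DMZ host is allowed.
public class LdapBindValidator : UserNamePasswordValidator
{
    // Placeholder; substitute the real domain controller host name.
    private const string DomainControllerHost = "dc.example.local";
    private const int LdapPort = 389;

    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            throw new SecurityTokenException("Missing credentials");

        // Accept "DOMAIN\user" (the form the original poster sends) or plain "user".
        string domain = null;
        string user = userName;
        int sep = userName.IndexOf('\\');
        if (sep > 0)
        {
            domain = userName.Substring(0, sep);
            user = userName.Substring(sep + 1);
        }

        var identifier = new LdapDirectoryIdentifier(DomainControllerHost, LdapPort);
        using (var connection = new LdapConnection(identifier))
        {
            connection.SessionOptions.ProtocolVersion = 3;
            // Negotiate (SASL, i.e. Kerberos or NTLM) keeps the password itself off the
            // wire; a Simple bind on plain port 389 would transmit it as clear text.
            // With only 389 open (no port 88 to the KDC) the exchange settles on NTLM.
            connection.AuthType = AuthType.Negotiate;
            connection.Timeout = TimeSpan.FromSeconds(10);
            connection.Credential = new NetworkCredential(user, password, domain);

            try
            {
                // Bind() throws LdapException on bad credentials or an unreachable DC.
                connection.Bind();
            }
            catch (LdapException ex)
            {
                // Log ex.ErrorCode / ex.ServerErrorMessage on the server side only;
                // the caller learns that validation failed, not why.
                throw new SecurityTokenException("Invalid user name or password", ex);
            }
        }
    }
}
```

To wire it in, the service behavior needs `<serviceCredentials><userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="LdapBindValidator, YourAssemblyName" /></serviceCredentials>` (assembly name assumed), and the binding should use `<security mode="TransportWithMessageCredential"><message clientCredentialType="UserName" /></security>` so the user name and password travel to the DMZ host only over HTTPS; the `mode="None"` binding shown later in this thread would expose them on the client-to-service leg.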
  • Thanks Amy, the thing is that I'm able to authenticate with this web service when in the domain network, so when in the DMZ do I need to change the bindings tag?

    The service sends the AD credentials and logs me inside the network, when using the bindings tag like this in my web.config:

            <binding name="BasicHttpBinding_ICustomerHub" closeTimeout="00:10:00"
              openTimeout="00:10:00" receiveTimeout="00:10:00" sendTimeout="00:10:00"
              allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
              maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
              messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered">
              <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                maxBytesPerRead="4096" maxNameTableCharCount="16384" />
              <security mode="None">
                <transport clientCredentialType="None" proxyCredentialType="None"
                  realm="" />
                <message clientCredentialType="UserName" algorithmSuite="Default" />
              </security>
            </binding>

    I'm going to try the bindings XML tag you gave me.

    Wednesday, August 21, 2013 9:55 PM
  • Right now this server, although in the DMZ, has an open connection to all domain controllers through port 389; I'm able to ping and send LDAP queries. I'll read the article you gave me; any help is appreciated at this point, thanks.
    Wednesday, August 21, 2013 9:56 PM