Implement custom username and password authentication in WCF. User Store - connections.config. Encrypt connections.config and protect it using Windows Authentication

  • Question

  • Hi, I have used one of the Microsoft MSDN samples to create a POC for the security to implement custom username and password authentication in WCF using connections.config, encrypt the credentials and protect it using Windows Authentication in IIS.

    Here is the MSDN article which I used to create the custom username and password authentication.

    How to: Use a Custom User Name and Password Validator

    As the article indicates, 

    This code is for illustration purposes only and 
    must not be used in a production environment because it is not secure.

    I understand that the username and password can't be in plain text. For that reason, I have stored the credentials in the connections.config file as per the MSDN articles below.

    Connection Strings and Configuration Files

    Encrypting Configuration File Sections Using Protected Configuration

    In production, the client will invoke the WCF service securely using the custom username and password authentication mode, and the user store will be in the connections.config file at the server side. Username and password will be encrypted and protected by Windows authentication in IIS.

    I am looking for advice from a Microsoft technical expert on my approach to using the custom username and password authentication and storing those credentials in the connections.config file. Can I use the connections.config file as a User Store if the connections.config file is going to be protected by Windows authentication in IIS?

    Please note that storage of username and password in a database is not an option for our company. We couldn't use the SQL Server ASP.NET membership provider or any other database at the customer site to store user credentials. That's the reason to come up with the connections.config as a User Store and protect it using Windows authentication in IIS. Is it acceptable?

    Thank you,

    Jay Patel
    Friday, April 14, 2017 5:23 PM


All replies

  • Hi jay.patel,

    Thank you for posting here.

    As your question is more related to WCF, I will move it to the Windows Communication Foundation, Serialization, and Networking forum for suitable support.

    The Visual C# forum discusses the C# programming language, IDE, libraries, samples and tools.

    If you have some grammar or code errors, please feel free to contact us. We will try our best to give you a solution.

    Thanks for your understanding and cooperation.

    Best Regards,

    Wendy


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.


    Friday, April 14, 2017 8:38 AM
  • Thank you, I have posted the same question on Windows Communication Foundation(WCF) forum. 
    Friday, April 14, 2017 5:34 PM
  • How did you host WCF Service? Is connections.config in WCF Service application?

    As this document, How to: Use a Custom User Name and Password Validator, indicates, it seems you need to perform Windows authentication first when hosting in IIS.

    When a WCF service is hosted in Internet Information Services (IIS) using transport-level security and the UserNamePasswordValidationMode property is set to Custom, the custom authentication scheme uses a subset of Windows authentication. That is because in this scenario, IIS performs Windows authentication prior to WCF invoking the custom authenticator.

    I suggest you try the link below to encrypt and decrypt the connections.config.

    #Encrypting and Decrypting Configuration Sections

    https://msdn.microsoft.com/en-us/library/zhhddkxy.aspx


    MSDN Community Support

    Monday, April 17, 2017 2:07 AM
  • Hi Edward, 

    The WCF service is hosted in IIS. Yes, the connections.config is part of the web.config file as shown below.

    <connectionStrings configSource="connections.config" />

    I am already using Microsoft's encryption and decryption (your link above) to protect the connections.config file. 

    Let me give you more details on my POC so that you can advise me better. 

    • WCF service with Message level authentication using TransportWithMessageCredentials. This way we get a performance benefit from the Transport layer and message authentication using username and password at the Message level.
    • Internet-based application. We can't use Windows authentication because username and password credentials can't be shared across multiple organizations. That's the reason to create a custom username and password authentication where credentials are shared with the other organization but can only be used to invoke the WCF service.
    • I have created a POC using custom username and password authentication (WCF service with TransportWithMessageCredentials; Message level custom username and password authentication).
    • User Store is the connections.config file. Credentials will be encrypted using the #Encrypting and Decrypting Configuration Sections approach as you mentioned in your reply above.
    • I have created a User Interface (web page) to encrypt and decrypt the connections.config file. Encryption of the password will be done in the initial installation process. This user interface will be protected by Windows authentication (Windows admin users). There is an IIS feature which I can use to protect the web page I have created. This way no one from the outside world has access to the connections.config file.
    • When the client invokes the WCF service, the custom username and password Validate method will be used for authentication. Authentication will be done against the User Store in the connections.config file.

    Do you agree with my approach?

    My real question is about the User Store.

    Is an encrypted connections.config file (User Store) safe to store user credentials if the connections.config file is protected by Windows authentication in IIS (only a Windows admin can access the web page to encrypt or decrypt user credentials)?

    Thank you, 

    Jay Patel

    Monday, April 17, 2017 1:00 PM
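As an added illustration of the validator step described in the post above (this is example code, not the MSDN sample's or the poster's code), the class below reads the user record from the protected connectionStrings section, which ConfigurationManager decrypts transparently. The record layout ("iterations;salt;PBKDF2 hash" under a hypothetical "user:<name>" entry) is an assumption; storing a salted hash instead of the password itself, as this example does, goes beyond what the thread describes and means a decrypted config still does not reveal the passwords.

```csharp
using System;
using System.Configuration;
using System.IdentityModel.Selectors;
using System.Security.Cryptography;
using System.ServiceModel;

// WCF calls Validate() once per message-level credential.
// Assumed record, written by the admin-only encryption page the thread describes:
//   <add name="user:alice" connectionString="<iterations>;<base64 salt>;<base64 PBKDF2 hash>" />
public class ConfigUserNamePasswordValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || password == null)
            throw new FaultException("Unknown user name or incorrect password.");

        // The protected <connectionStrings> section is decrypted in memory only;
        // nothing plaintext is written back to disk.
        ConnectionStringSettings entry = ConfigurationManager.ConnectionStrings["user:" + userName];

        // Same generic fault for unknown user and wrong password, so the
        // response does not reveal which usernames exist.
        if (entry == null || !VerifyPassword(entry.ConnectionString, password))
            throw new FaultException("Unknown user name or incorrect password.");
    }

    // Record format (assumed): "<iterations>;<base64 salt>;<base64 PBKDF2 hash>".
    internal static bool VerifyPassword(string record, string password)
    {
        string[] parts = record.Split(';');
        if (parts.Length != 3) return false;
        int iterations = int.Parse(parts[0]);
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
        {
            byte[] actual = kdf.GetBytes(expected.Length);
            return FixedTimeEquals(actual, expected);
        }
    }

    // Constant-time comparison so response timing does not depend on how many bytes match.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The validator is registered the same way the MSDN article shows: under serviceCredentials/userNameAuthentication with userNamePasswordValidationMode="Custom" and customUserNamePasswordValidatorType pointing at this class.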
  • Do you mean the user name and password will be encrypted and stored in the connections.config file, WCF will validate the user name and password against the connections.config, and the connections.config will only be accessible through Windows authentication (Windows admin users)?

    From a technical point of view, I think it is OK.


    MSDN Community Support

    • Marked as answer by jay.patel Tuesday, April 18, 2017 12:33 PM
    Tuesday, April 18, 2017 6:30 AM
  • Yes. Thank you for the answer.
    Tuesday, April 18, 2017 12:34 PM