Can a WCF Service with Integrated Windows Authentication work outside domains?

  • Question

  • User-1293329318 posted

    I have a WCF service hosted on a test environment (IIS6). It accepts only "Integrated Windows Authentication"; all others are unchecked in IIS. It has worked fine so far when I test it within the domain forest. But, since the consumer of this service can be outside the domain forest, I tried testing outside the domain, and it works fine too. Should it really work?

    The way I tested outside the domain is: I removed one of my VMs from the domain and added it to a workgroup. Then, assuming that this workgroup machine is outside the domain, I hosted the test application on this machine. I ran the application and it works fine.

    When I googled Integrated Windows Authentication, it says that "Windows authentication is suitable for within domains".

    Am I doing the test wrong? Could someone clarify this for me?

    My config looks like below:

    <basicHttpBinding>
      <binding>
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
          <message clientCredentialType="UserName" algorithmSuite="Default" />
        </security>
      </binding>
    </basicHttpBinding>

    ...

    <endpoint address="" binding="basicHttpBinding" name="BasicHttpEndpoint" contract="MyHome.CanonServices.IImageService" />

    Thanks in advance.

    Tuesday, June 18, 2013 4:23 PM

Answers

  • User260886948 posted

    Hi,

    If you want to use Windows authentication cross-domain, then domain A and domain B must trust each other; you need to configure this in Active Directory.

    #Domain Trust

    http://technet.microsoft.com/en-us/library/cc961481.aspx .

    Hope it can help you.

    Best Regards,
    Amy Peng 

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, June 21, 2013 5:02 AM

All replies

  • User-488622176 posted

    Windows authentication is Windows authentication, not domain authentication.  An individual machine in the "workgroup" domain can connect using Windows authentication.

    What do you want to achieve?

    Tuesday, June 18, 2013 5:40 PM
  • User-1293329318 posted

    What is the meaning of "workgroup" domain?

    I want my WCF service to be accessed from within the domain forest as well as from outside the domain forest by passing domain\username and password.

    Could you please suggest?

    Thanks.

    Wednesday, June 19, 2013 8:59 AM
  • User-488622176 posted

    The "workgroup" logic goes way back in Windows history. Let's just call it a dirty hack to allow reusing domain logic for non-domain (home use) PCs & devices :-). In a domain, your account name will be in the form <domain>\<username>; in a workgroup this is kinda similar: <machinename>\<username>

    You need to make the difference between accessibility & authentication. Accessibility can be arranged by anonymous access. You can, for example, make an endpoint to your service that allows anonymous access, and call this endpoint from outside your domain (random PC), if the user has physical access to this endpoint (firewall config, ...).

    If you need to secure your service (authentication-wise), the problem is somewhere different. In this case, the service needs to be able to verify the provided credentials. A server cannot verify credentials on a workgroup machine, so providing workgroup credentials will not work. However, there is nothing that blocks you from creating a domain account/user and passing these domain credentials to the service from the client/workgroup machine.

    Friday, June 21, 2013 10:01 AM
  • User-1293329318 posted

    Sorry for not being able to make you understand my situation yet.

    I have nothing to do with the "workgroup" here. The only thing I did is: I removed my computer from the domain and added it to a workgroup so that the computer is out of the domain, because I need to test my WCF service out of the domain. I didn't pass the workgroup user credentials to the service. I passed them the following way from the test application:

    // Explicit domain credentials set on the proxy's Windows credential
    MyServices.MyServiceClient fc = new MyServices.MyServiceClient();
    fc.ClientCredentials.Windows.ClientCredential.UserName = "User123";
    fc.ClientCredentials.Windows.ClientCredential.Password = "Pass123";
    fc.ClientCredentials.Windows.ClientCredential.Domain = "AD1";

    and the service will check the authentication in the following way:

    // True once IIS/WCF has completed the NTLM or Kerberos exchange for the caller
    if (OperationContext.Current.ServiceSecurityContext.WindowsIdentity.IsAuthenticated) { }

    I have little knowledge of accessibility, authentication and authorization. This project is working perfectly on intranet. My concern is: The service needs to be accessed by the consumer application outside of domain. What needs to be done to make this happen?

    Thanks,

    Friday, June 21, 2013 1:43 PM
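The replies above make two points worth turning into server-side code: the service, not the client machine, must be able to verify the credentials (so the account has to come from a domain the service can reach, and a workgroup-local account will not do), and being authenticated is not the same as being allowed. The following is an added example and not code from the thread or from the poster's project; the names IImageService, ImageService, ExpectedDomain and RequiredGroup are assumptions. It replaces the bare IsAuthenticated check with a policy that also confirms the caller's account belongs to the expected domain and to a specific group, and it surfaces the authentication type so a log can show whether a remote caller arrived via Kerberos or fell back to NTLM (a client outside the domain, as in the poster's test, will normally negotiate NTLM because it cannot reach the domain's KDC).

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Added example; contract and service names are assumptions, not the poster's code.
[ServiceContract]
public interface IImageService
{
    [OperationContract]
    string WhoAmI();
}

// Outcome of the caller check, kept as plain data so the policy can be
// exercised without a running WCF host.
public sealed class CallerCheck
{
    public bool Allowed { get; set; }
    public string Reason { get; set; }
    public string AccountName { get; set; }
    public string AuthenticationType { get; set; }
}

public static class WindowsCallerPolicy
{
    // Placeholder values: the domain whose accounts the service trusts and
    // the group that grants access. Replace with your own.
    public const string ExpectedDomain = "AD1";
    public const string RequiredGroup = @"AD1\ImageServiceUsers";

    public static CallerCheck Evaluate(WindowsIdentity identity)
    {
        var result = new CallerCheck { Allowed = false };

        // With clientCredentialType="Windows", IIS/WCF has already completed the
        // NTLM or Kerberos exchange before the operation runs. The check is kept
        // anyway: an endpoint that also permits anonymous access yields an
        // anonymous identity here instead of rejecting the call.
        if (identity == null || !identity.IsAuthenticated || identity.IsAnonymous)
        {
            result.Reason = "caller is anonymous or not authenticated";
            return result;
        }

        result.AccountName = identity.Name;                       // e.g. AD1\User123
        result.AuthenticationType = identity.AuthenticationType;  // "Kerberos" or "NTLM"

        // Accept only accounts from the trusted domain. A workgroup machine's local
        // account shows up as MACHINE\user and is rejected here, which matches the
        // replies' point that the server cannot verify workgroup credentials.
        int slash = identity.Name.IndexOf('\\');
        string domainPart = slash > 0 ? identity.Name.Substring(0, slash) : string.Empty;
        if (!string.Equals(domainPart, ExpectedDomain, StringComparison.OrdinalIgnoreCase))
        {
            result.Reason = "account is not from domain " + ExpectedDomain;
            return result;
        }

        // Authentication is not authorization: additionally require group membership.
        var principal = new WindowsPrincipal(identity);
        if (!principal.IsInRole(RequiredGroup))
        {
            result.Reason = "account is not a member of " + RequiredGroup;
            return result;
        }

        result.Allowed = true;
        result.Reason = "ok";
        return result;
    }
}

public class ImageService : IImageService
{
    public string WhoAmI()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        CallerCheck check = WindowsCallerPolicy.Evaluate(caller);
        if (!check.Allowed)
        {
            // Return a generic fault; the detailed reason belongs in the server log,
            // not in the response to the caller.
            throw new FaultException("Access denied.");
        }
        return check.AccountName + " via " + check.AuthenticationType;
    }
}
```

Two caveats go with this when the consumer really sits outside the domain. First, the posted binding uses mode="TransportCredentialOnly", which runs the Windows challenge-response over plain HTTP and gives the message body no integrity or confidentiality; for a service reachable from outside the network, mode="Transport" over HTTPS with clientCredentialType="Windows" keeps the same authentication while protecting the payload. Second, because the remote client will typically authenticate with NTLM rather than Kerberos, the AuthenticationType value above is a useful thing to record per request, so an unexpected NTLM logon from a host that should be doing Kerberos stands out in the logs.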