Windows Authentication

  • Question

  • How can I secure data services with Windows Authentication hosted in IIS? And with the generated proxy from datasvcutil, how can I use the current user's credentials to authenticate?
    Tuesday, May 20, 2008 10:08 PM

All replies

  • Hi,

    You can authenticate to Windows Integrated Authenticated Astoria Services by using the Credentials property of the Astoria Client context.

    ex:

    Code Snippet

    AstoriaContext ctx = new AstoriaContext(uri);
    ctx.Credentials = System.Net.CredentialCache.DefaultNetworkCredentials;

    The second line will set the credentials of the context to that of the current logged-in user.

    Tuesday, May 20, 2008 11:04 PM
    Moderator
  • I have tried to set up Windows Authentication on IIS 7 for the data service without success. I can direct my browser to the location of the service and successfully make it through the authentication prompt. However, the only data I can see is the service / workspace tags. Navigating anywhere like /Entity(1) or anything else I receive an internal service error.

    I can successfully query the context when removing Windows Authentication. So again, how can I secure data services with Windows Authentication hosted in IIS?

    I assume Phani's suggestion will work once I get the service side set up properly.
    Wednesday, May 21, 2008 1:31 PM
  • Hi,

    If I understand correctly, your service fails to retrieve any data under Windows Integrated Authentication.

    I would do this to help debug the problem.

    In your service, set the ServiceBehavior attribute:

    Code Snippet

    [System.ServiceModel.ServiceBehavior(IncludeExceptionDetailInFaults = true)]
    public class AstoriaService : DataService<T>
    {
        public static void InitializeService(IDataServiceConfiguration config)
        {
            // Your other code
            config.UseVerboseErrors = true; // Show the error message on the page
        }
    }

    This way, you can see the error message when running under WIA. Also, you should have only WIA enabled for that website in the IIS MMC.

    Let us know what the error message is when trying to retrieve the data under WIA.

    Wednesday, May 21, 2008 5:45 PM
    Moderator
  • Yes that helped me track down the problem. It ended up being a permissions issue. It was using the anonymous user account rather than the authenticated user, due to IIS settings.

    It seems that data services are relying on IIS settings for security over service behavior configuration, right? If so, will this continue to be the case in later beta releases?
    Wednesday, May 21, 2008 10:04 PM
  • Hi,

    IIS is a host for the data service. If the host decides that all the users connecting to it do not need to be authenticated, then the service should be compatible with it. If the service expects that users be authenticated, then the host needs to be aware of this and make sure that users connecting to the service need to be authenticated. This is the implicit contract that one assumes, that when you say you are hosting me, you know of my demands and requirements and that you will abide by them. If the host does not abide by the requirements that the service needs, all bets are off.

    And also, you wouldn't want your data service running on anonymous when you force that users connecting to your website hosting the data service should authenticate themselves against an authority. That would allow malicious access by circumventing your authentication requirement. Hope this helps.

    Wednesday, May 21, 2008 10:17 PM
    Moderator
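
The host-side setting discussed above, where requests ran as the anonymous account because IIS still allowed anonymous access, as an added configuration example that is not from any poster in this thread. It assumes IIS 7 and that the authentication sections are unlocked for the application; they are locked at server level by default, in which case the same elements go inside a `<location>` element for the site in applicationHost.config.

```xml
<!-- web.config of the IIS 7 application that hosts the data service (assumed layout) -->
<configuration>
  <system.web>
    <!-- ASP.NET takes the caller's identity from the Windows account IIS authenticated -->
    <authentication mode="Windows" />
  </system.web>
  <system.webServer>
    <security>
      <authentication>
        <!-- Weak setting: enabled="true" here lets IIS process requests as the
             anonymous account (IUSR by default), so the data service runs with
             that account's permissions instead of the caller's. -->
        <anonymousAuthentication enabled="false" />
        <!-- Windows Integrated Authentication as the only enabled scheme -->
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

With anonymous access disabled, a request sent without credentials gets a 401 challenge from IIS before it reaches the service, which is a quick way to confirm the setting took effect.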
  • I was only trying to express that the security settings / configuration seem inconsistent with WCF as it exists, and wondered if it was intentional, or lacking in the features. Sounds intentional.

    I understand the need to secure a data service, as it was the topic of conversation.
    Wednesday, May 21, 2008 11:38 PM
  • Hi Katokay,

    Good point, lemme confirm that and get back to you.

    Have a great day!


    Thursday, May 22, 2008 1:42 AM
    Moderator