none
What security is required and how to implement RRS feed

  • Question

  • I have a web service located on the internet which is accessible by anyone who knows the wcf service address.

    How could i limit the service so only applications can connect to it using some form of username and password?

    Friday, September 13, 2013 10:23 PM

Answers

All replies

  • Hi,

    >>How could i limit the service so only applications can connect to it using some form of username and password?

    Please try to authenticate the wcf with a User Name and Password, and set the security mode of the binding to Message, set the ClientCredentialType of the binding to UserName.

    Here are some articles may help you, please try to refer to:

    #How to: Authenticate with a User Name and Password:
    http://msdn.microsoft.com/en-us/library/ms733131.aspx .

    #WCF Service with custom username password authentication:
    http://www.codeproject.com/Articles/96028/WCF-Service-with-custom-username-password-authenti .

    #How to authenticate client using User Name and Password:
    http://ashishkhandelwal.arkutil.com/wcf/wcf-authenticate-the-client-using-user-name-and-password/ .

    Best Regards,
    Amy Peng


    <THE CONTENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS OR IMPLIED>
    Thanks
    MSDN Community Support

    Please remember to "Mark as Answer" the responses that resolved your issue. It is a common way to recognize those who have helped you, and makes it easier for other visitors to find the resolution later.

    Monday, September 16, 2013 3:10 AM
    Moderator
  • Thanks. Im currently looking into the codeproject link (http://www.codeproject.com/Articles/96028/WCF-Service-with-custom-username-password-authenti)

    The link for the pluralsite cert tool does not work. So have two further questions:

    1. Could i generate a self signed cert on our public server and use that instead?
    2. How could i do the same on a Win 8 Pro laptop which doesnt have IIS installed (im trying not to install IIS and prefer to use the built in IIS Express) for local development?

    Thanks again

    Tuesday, September 17, 2013 1:56 PM
  • Hi,

    >>1. Could i generate a self signed cert on our public server and use that instead?

    Yes, of course, you can create a self signed cert.

    >>2. How could i do the same on a Win 8 Pro laptop which doesnt have IIS installed (im trying not to install IIS and prefer to use the built in IIS Express) for local development?

    If you do not want to use IIS, then its absolutely possible to host in a windows service and secure the WCF service. For username authentication you can still use the RoleProvider model if that's what you want to do or you can write a custom userName validator

    The WCF model is that all WCF features should be available independently of the hosting environment. The only time this changes if you opt into ASP.NET compatibility mode

    Edit: added wiring in customer role provider config

    To configure user names with a role provider use the following config

     <serviceBehaviors>
        <behavior>
          <serviceCredentials>
            <userNameAuthentication membershipProviderName="myCustomRoleProvider"/>
          </serviceCredentials>
        </behavior>
     </serviceBehaviors>

    Best Regards,
    Amy Peng


    <THE CONTENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS OR IMPLIED>
    Thanks
    MSDN Community Support

    Please remember to "Mark as Answer" the responses that resolved your issue. It is a common way to recognize those who have helped you, and makes it easier for other visitors to find the resolution later.

    Friday, September 20, 2013 7:50 AM
    Moderator
  • Thanks. Regarding question 2 what I'm asking is if I could carry out the task (from the article) without installing IIS. I know I could create a windows service and host it but that means I can't carry out the task without installing IIS. I prefer to use the built in IIS if possible?
    Tuesday, October 1, 2013 6:23 PM