WCF and Integrated Authentication

  • Question

  • Hi,

    IIS is allowed for Integrated authentication.

    WCF service is hosted on IIS.

    I am trying to use wsHttpBinding for communication between a Windows client and services hosted on IIS. It is an intranet application and the credential store is Active Directory.

    When the client tries to communicate with the services, I am getting the following error message.

    {"The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'."}

    I could not locate much information on passing user credentials. I am trying to figure out how I should enable my client to communicate using Kerberos or NTLM... Any ideas?

    Thursday, May 8, 2008 2:27 PM

Answers

  • If you're confused by this you're not alone :)

    WCF is very flexible and configurable, but concrete examples for common situations seem to be few and far between. And many of the samples focus (probably rightly) on interoperability rather than intranet Windows-only apps.

    I think you have three choices in your case:

    1) basicHttpBinding

    2) wsHttpBinding over HTTP with Anonymous access enabled in IIS

    3) wsHttpBinding over HTTPS with transport security mode.

    My understanding is as follows, but I may be wide of the mark:

    (1) is probably simplest in an intranet environment. I asked about it in these forums here:

    http://forums.microsoft.com/Forums/ShowPost.aspx?PostID=3155724&SiteID=1

    With basicHttpBinding messages will be passed unencrypted over the network, so if confidentiality is a concern (usually not the case for most intranet apps) it may not be the best choice.

    (2) is what is used in the "Quick Start" samples. It requires you to enable anonymous access in IIS. I believe messages are passed encrypted over HTTP, making it more secure than (1), presumably with a performance penalty. So a good choice for intranet applications where confidentiality is important (e.g. annual HR appraisals).

    (3) is similar to (2) but does not encrypt messages. According to Nicholas Allen's blog, it requires you to use HTTPS, presumably to ensure confidentiality. Because it uses HTTPS, you will need a certificate.

    Tuesday, May 13, 2008 8:16 PM
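As an added illustration that is not code from the thread, here are the client-side binding settings for the three choices above, shown next to the security mode="None" setting the generated proxy had, which is what produces the 'Anonymous' 401 from the question. The binding names and host name are assumed placeholders; the contract name is taken from the configs posted in this thread.

```xml
<!-- Added example, not from the thread; host names are placeholders. -->
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <!-- The generated client: no credential is sent, so IIS (Windows auth on,
           anonymous off) answers 401 "Negotiate,NTLM" and the call fails with
           the 'Anonymous' error quoted in the question. -->
      <binding name="Broken_Anonymous">
        <security mode="None" />
      </binding>
      <!-- Choice 1: plain HTTP, Windows credential carried by the transport
           (Negotiate/NTLM, authenticated by IIS). Works with anonymous access
           disabled; the SOAP body itself is not encrypted on the wire. -->
      <binding name="Choice1_TransportCredentialOnly">
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
    </basicHttpBinding>
    <wsHttpBinding>
      <!-- Choice 2: plain HTTP, Windows credential negotiated inside the SOAP
           message (WS-Security). IIS must allow anonymous access so the request
           reaches WCF; the binding signs and encrypts the messages. -->
      <binding name="Choice2_MessageWindows">
        <security mode="Message">
          <message clientCredentialType="Windows" negotiateServiceCredential="true" />
        </security>
      </binding>
      <!-- Choice 3: HTTPS with the Windows credential on the transport. Needs a
           server certificate; TLS provides confidentiality, IIS authenticates. -->
      <binding name="Choice3_TransportHttps">
        <security mode="Transport">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <!-- Pick one endpoint; the service side must use the same binding configuration. -->
    <endpoint name="Choice1" address="http://intranet-host/TestServices/Service1.svc"
              binding="basicHttpBinding" bindingConfiguration="Choice1_TransportCredentialOnly"
              contract="SerRef.IService1" />
    <endpoint name="Choice3" address="https://intranet-host/TestServices/Service1.svc"
              binding="wsHttpBinding" bindingConfiguration="Choice3_TransportHttps"
              contract="SerRef.IService1" />
  </client>
</system.serviceModel>
```

Whichever choice is used, the IIS authentication settings on the virtual directory must match the binding: Windows authentication for choices 1 and 3, anonymous access for choice 2.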
  • Now my understanding is that wsHttpBinding (if the required settings are set) has its own mechanism of negotiating credentials to authenticate the user. In order for that to work we need to enable anonymous access to the service at IIS. If my understanding is correct, what we are doing is delaying authentication (instead of doing it at IIS we are letting the service handle it).

    Hari123 wrote:

    Hi,

    IIS is allowed for Integrated authentication.

    WCF service is hosted on IIS.

    I am trying to use wsHttpBinding for communication between a Windows client and services hosted on IIS. It is an intranet application and the credential store is Active Directory.

    When the client tries to communicate with the services, I am getting the following error message.

    {"The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'."}

    I could not locate much information on passing user credentials. I am trying to figure out how I should enable my client to communicate using Kerberos or NTLM... Any ideas?

    Monday, July 21, 2008 6:57 PM
  • Thank you for the information provided.

    Here are more details of the situation. I am working on a POC in which I need to consume HTTP endpoints exposed by SQL Server 2005.

    Here is the config file generated by VS 2008 when I added the WCF service.

    <system.serviceModel>
      <bindings>
        <basicHttpBinding>
          <binding name="GETALLSoap" closeTimeout="00:01:00" openTimeout="00:01:00"
                   receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false"
                   bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                   maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                   messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
                   useDefaultWebProxy="true">
            <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                          maxBytesPerRead="4096" maxNameTableCharCount="16384" />
            <security mode="None">
              <transport clientCredentialType="None" proxyCredentialType="None" realm="" />
              <message clientCredentialType="UserName" algorithmSuite="Default" />
            </security>
          </binding>
        </basicHttpBinding>
      </bindings>
      <client>
        <endpoint address="http://localhost/XUser" binding="basicHttpBinding"
                  bindingConfiguration="GETALLSoap" contract="DataRef.GETALLSoap"
                  name="GETALL" />
      </client>
    </system.serviceModel>

    I am trying to configure my client so that it can talk to my SQL Server through the endpoint. I was not able to authenticate my client. Any ideas on it?

    Friday, May 9, 2008 2:48 PM
  • Wait, you said the service used WSHttpBinding. Visual Studio generated a client proxy with BasicHttpBinding for your service? Can you post the service web.config?

    It also looks like security is pretty much off with the client proxy. This explains the error message. Let's see the service web.config file.

    -James

    Friday, May 9, 2008 4:53 PM
  • Hi James, thanks... sorry for the confusion caused... My scenario involves two services...

    Service 1: wrapper to the Business layer. Here are the config files.

    Service file: generated by VS 2008. Part of the config file which has the definitions for the services:

    <system.serviceModel>
      <bindings />
      <client />
      <services>
        <service name="SerLayer.Service1" behaviorConfiguration="SerLayer.Service1Behavior">
          <endpoint address="" binding="wsHttpBinding" contract="SerLayer.IService1">
            <identity>
              <dns value="localhost" />
            </identity>
          </endpoint>
          <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
        </service>
      </services>
      <behaviors>
        <serviceBehaviors>
          <behavior name="SerLayer.Service1Behavior">
            <serviceMetadata httpGetEnabled="true" />
            <serviceDebug includeExceptionDetailInFaults="true" />
          </behavior>
        </serviceBehaviors>
      </behaviors>
    </system.serviceModel>

    Client config file:

    <configuration>
      <system.serviceModel>
        <bindings>
          <wsHttpBinding>
            <binding name="WSHttpBinding_IService1" closeTimeout="00:01:00"
                     openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
                     bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
                     maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                     messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
                     allowCookies="false">
              <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
              <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
              <security mode="Message">
                <transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
                <message clientCredentialType="Windows" negotiateServiceCredential="true"
                         algorithmSuite="Default" establishSecurityContext="true" />
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
        <client>
          <endpoint address="http://vvvv/TestServices/Service1.svc"
                    binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IService1"
                    contract="SerRef.IService1" name="WSHttpBinding_IService1">
            <identity>
              <dns value="localhost" />
            </identity>
          </endpoint>
        </client>
      </system.serviceModel>
      <system.web>
        <identity impersonate="true" />
      </system.web>
    </configuration>

    Here I am using wsHttpBinding... to communicate between my UI client and the Business layer...

    Monday, May 12, 2008 8:32 PM
  • This forum is not allowing me to post the complete message at once, so the following is the description of my second service.

    Service 2: Here I am trying to consume the HTTP endpoint exposed by SQL Server using basicHttpBinding (Business layer to data access).

    I tried adding a Web Service Reference instead of a Service Reference and passed credentials using the code mentioned below:

    proxy.Credentials = System.Net.CredentialCache.DefaultCredentials;

    With these settings I was able to communicate with the HTTP endpoints exposed by SQL Server. Here is the client config file for it (just the settings for the URI).

    <applicationSettings>
      <SerLayer.Properties.Settings>
        <setting name="BLayer_DBRef_GETALL" serializeAs="String">
          <value>http://localhost/XUser</value>
        </setting>
      </SerLayer.Properties.Settings>
    </applicationSettings>

    My IIS runs under the NETWORK SERVICE account and I added the same to SQL Server and gave it the privileges to access the endpoint exposed by SQL Server.

    It worked.... I am not sure if there is any better way to do it. I would appreciate it if you could let me know your view on it.

    Monday, May 12, 2008 8:34 PM
  • Sounds to me like you're doing everything correctly. IIS pretty much always runs under Network Service, so if it accesses your SQL Server, it makes sense that NetworkService will need to be allowed access. I've never used these VS tools to add services (generally, I just hand code them, but then again, I don't interface with SQL) but it sounds like you're doing the right thing here.

    So is there still an issue here?

    -James

    Monday, May 12, 2008 8:40 PM
  • Hi,

    These are the issues I am trying to fix...

    1. My UI layer is not able to communicate with the Business layer using services if I disable anonymous authentication in IIS. The following is the error message I am getting:

    {"The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM,Digest qop=\"auth\",algorithm=MD5-sess,nonce=\"0260bd960eb5c801e9e66692a0f35f98e2bc33013de220f118e32bf221692a27cabf3d272528f6f1\",charset=utf-8,realm=\"\"'."}

    2. I am looking to have a WCF client rather than a Web Service client when I communicate with the SQL Server. If I build a WCF service client, I am looking for a way in which I could authenticate with SQL using Integrated authentication.

    I guess the two issues are related, as in both cases I am trying to talk to a service provider which requires "Integrated Authentication" and I am trying to figure out how the client can pass the required credentials (authenticate with the server) to the server so that it can consume the service.

    Thanks,

    Tuesday, May 13, 2008 3:35 PM
  • I had exactly the same error and had to enable anonymous access in IIS when using wsHttpBinding.

    An alternative that works without enabling anonymous access is to use basicHttpBinding.

    Here's a blog that talks about it.

    http://blogs.gotdotnet.com/drnick/archive/2007/03/23/preventing-anonymous-access.aspx

    Tuesday, May 13, 2008 5:15 PM
  • Thanks..

    My understanding from the article is that either we should go for basicHttpBinding or wsHttpBinding with HTTPS... Am I correct?

    Ours is an intranet application. Any suggestions on the approach I need to take?

    Tuesday, May 13, 2008 6:22 PM
  • I didn't address your second question above.

    There's a good article on identity in ASP.NET apps here:

    http://www.microsoft.com/technet/security/guidance/identitymanagement/idmanage/P3ASPD_1.mspx?mfr=true

    Much of this applies to WCF, especially the section on Identity Flow.

    Your point (2) seems to be asking about the "delegation model".

    This is more complex to configure and implement than the "trusted subsystem model", where the WCF service uses a service account to access SQL Server. For example, your server needs to be trusted for delegation.

    There are other disadvantages, the most obvious of which is that you can't take advantage of connection pooling when using delegation. So I'd recommend you look at the "trusted subsystem model" if at all possible.

    Tuesday, May 13, 2008 8:24 PM
  • Create Active Directory Service using WCF – Accessing AD Functions using WCF Services – AD Services
    http://ledomoon.blogspot.com/2009/12/create-active-directory-service-using.html
    Waleed Mohamed
    Wednesday, December 9, 2009 1:07 PM
  • In web.config you set your binding security mode to MessageCredential or TransportWithMessageCredential, and the message clientCredentialType="UserName".

    <behavior>
      .......
      <serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="CffRoleProvider" />
    </behavior>

    Thanks.

    Good luck.

    Wednesday, December 15, 2010 10:57 AM