WCF - validate transport windows credential against A/D group?

  • Question

  • User-1796506859 posted

    Hi Folks,

    I have a managed windows service (C# .Net 4) that is using Transport Security Mode with TransportCredentialType.Windows.  

    All is working fine, however, I want to be able to check the credential that is passed to see if it is a member of a specific Active Directory security group.  

    I figure that I need to write a custom WindowsSecurityTokenAuthenticator or something like that, or I need to write some other Authorization routine.

    Does anyone have an example on how to do either of these?

    Regards

    Andy

     Edit: Sorry, I forgot to add, needs to be done in code as there is no config file.

    Tuesday, March 19, 2013 9:21 PM

Answers

  • User-917364509 posted

    If your service is using Windows authentication you should be able to evaluate the WindowsIdentity.Groups property of the current security context:

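    using System.Collections.Generic;
    using System.Security.Principal;
    using System.ServiceModel;

    // Windows identity of the authenticated caller for the current operation
    WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
    List<string> groups = new List<string>();
    foreach (var group in caller.Groups)
    {
       // group.Value is the group's SID string, not its display name
       groups.Add(group.Value);
    }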

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, March 20, 2013 8:42 AM
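
An added example, not part of the original thread: one way to enforce the group check for every call, wired up in code with no config file, is a `ServiceAuthorizationManager` that compares the caller's token against the group's SID. The class names `AdGroupAuthorizationManager` and `HostSetup`, and the `domain`/`groupName` parameters, are hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical class: rejects any call whose Windows caller is not in the required group.
public sealed class AdGroupAuthorizationManager : ServiceAuthorizationManager
{
    private readonly SecurityIdentifier _requiredGroup;

    public AdGroupAuthorizationManager(string domain, string groupName)
    {
        // Resolve the group name to its SID once at startup. Translate throws
        // IdentityNotMappedException if the name cannot be resolved, so a typo
        // in the group name stops the host from starting instead of silently
        // denying (or allowing) callers later.
        _requiredGroup = (SecurityIdentifier)new NTAccount(domain, groupName)
            .Translate(typeof(SecurityIdentifier));
    }

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        // Fail closed: no security context or an anonymous caller is denied.
        ServiceSecurityContext context = operationContext.ServiceSecurityContext;
        if (context == null || context.IsAnonymous)
            return false;

        WindowsIdentity caller = context.WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            return false;

        // Compare by SID rather than by name, so a renamed or look-alike
        // group name cannot change the outcome.
        return new WindowsPrincipal(caller).IsInRole(_requiredGroup);
    }
}

public static class HostSetup
{
    // Call before host.Open(); the behavior cannot be changed once the host is open.
    public static void RequireGroup(ServiceHost host, string domain, string groupName)
    {
        host.Authorization.ServiceAuthorizationManager =
            new AdGroupAuthorizationManager(domain, groupName);
    }
}
```

Returning `false` from `CheckAccessCore` makes WCF reject the call with an access-denied fault before the operation runs.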

All replies