Why do I get a WindowsIdentity when using message security?

  • Question

  • Hi

    I have a WCF 4.0 service (TCP/self-host) that I have been running without security, but now I need to be able to run it with a certificate as well. The problem is that I get a WindowsIdentity in IAuthorizationPolicy.Evaluate (evaluationContext.Properties.TryGetValue("Identities", out obj)). Is this by design?

    From this:

    <binding name="NetTcpBinding_IMyAppClientServiceRegular" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="infinite" sendTimeout="01:00:00" transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions" hostNameComparisonMode="StrongWildcard" listenBacklog="10" maxBufferPoolSize="2147483647" maxBufferSize="2147483647" maxConnections="10" maxReceivedMessageSize="2147483647">
      <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647"/>
      <reliableSession ordered="true" inactivityTimeout="infinite" enabled="false"/>
      <security mode="None">
        <transport clientCredentialType="None"/>
      </security>
    </binding>

    To this:

    <binding name="netTcpCertificate" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="infinite" sendTimeout="01:00:00" transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions" hostNameComparisonMode="StrongWildcard" listenBacklog="1000" maxBufferPoolSize="2147483647" maxBufferSize="2147483647" maxConnections="200" maxReceivedMessageSize="2147483647">
      <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647"/>
      <reliableSession ordered="true" inactivityTimeout="infinite" enabled="false"/>
      <security>
        <message clientCredentialType="Certificate"/>
      </security>
    </binding>

    Is there any way to avoid getting the WindowsIdentity in IAuthorizationPolicy.Evaluate? I only want the WindowsIdentity to be set when using this binding:

    <binding name="NetTcpBinding_IMyAppClientServiceWindows" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="infinite" sendTimeout="01:00:00" transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions" hostNameComparisonMode="StrongWildcard" listenBacklog="10" maxBufferPoolSize="2147483647" maxBufferSize="2147483647" maxConnections="10" maxReceivedMessageSize="2147483647">
      <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647"/>
      <reliableSession ordered="true" inactivityTimeout="infinite" enabled="false"/>
      <security mode="Message">
        <message clientCredentialType="Windows"/>
      </security>
    </binding>

    Wednesday, January 30, 2013 2:57 PM

Answers

  • Hi,

    For NetTcpBinding, it uses Transport security mode by default (in the <security> tag); you can set the mode to None, Transport, Message and Mixed. WindowsIdentity represents a Windows user; it is based on Windows authentication. If you choose Transport mode for your service, you can set clientCredentialType as you want (None, Windows or Certificate; it uses Windows by default).

    If you want to use the NetTcpBinding with a certificate for transport security, you may take a look at the document below; check the "To use the NetTcpBinding with a certificate for transport security" part.

    http://msdn.microsoft.com/en-us/library/ms789011.aspx

    Best Regards.


    Haixia
    MSDN Community Support | Feedback to us
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Thursday, January 31, 2013 6:12 AM
    Moderator

All replies

  • Thanks,

    1. The security tag will, as you say, default to Transport, but what will the child message tag mean then (see my second code snippet, first post)? Should it not be a transport tag there instead?

    2. If I change the security tag to message, IAuthorizationPolicy.Evaluate will no longer be triggered (= no login made)? The service method is however executed, but on the return the following exception will be thrown: "Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'localhost' but the remote endpoint provided DNS claim 'MyAppServer'". How do I fix this?

    3. I'm using IAuthorizationPolicy.Evaluate where I check if it's a WindowsIdentity (Windows login) or if it's a regular login and then do a login. The problem is that even when not using clientCredentialType="Windows" (see second code snippet above) I will get a WindowsIdentity? Is there any way to avoid this but still keep the encrypted communication with certificates?

    4. Your example shows this binding for TCP and Certificates:

    <binding name="myTcpBinding">
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="Windows"/>
      </security>
    </binding>

    Why is the clientCredentialType set to Windows and not Certificate? I don't want Windows login, only certificate-encrypted communication. If this really is the way to get it to use certificates, does that mean that I'm not using certificates in my second code snippet? It seems like both the client and service demand that the certificates are in place? Why do that if they are not used?



    • Edited by SnowJim Thursday, January 31, 2013 7:36 AM
    Thursday, January 31, 2013 7:33 AM
  • Hi,

    >>1. The security tag will, as you say, default to Transport, but what will the child message tag mean then (see my second code snippet, first post)? Should it not be a transport tag there instead?

    It is used to specify the client credential type for message-level security; you cannot use a transport tag instead.

    >>2&3

    I am confused about which security mode and clientCredentialType you want to use.

    >>Why is the clientCredentialType set to Windows and not Certificate? I don't want Windows login, only certificate-encrypted communication.

    You can set it to Certificate as b.Security.Message.ClientCredentialType = MessageCredentialType.Certificate.

    Best Regards.


    Haixia
    MSDN Community Support | Feedback to us
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Friday, February 1, 2013 3:07 AM
    Moderator
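The points the thread circles around (a <message> element under a <security> tag whose mode is still the default Transport, an Evaluate method that has to tell a Windows caller from a certificate caller, and the "expected DNS identity" error) come together in the following example. It is added here for illustration and is not code from either poster or from Microsoft's documentation. Assumed names are the policy class CertOrWindowsPolicy, the service certificate subject "MyAppServer" (taken from the error text in the thread), the relative endpoint address "cert" and the "CertificateUser"/"WindowsUser" role names; the client-side certificate configuration is left out.

```csharp
// Added example, not code from the thread. Assumed: CertOrWindowsPolicy,
// a service certificate with subject "MyAppServer", endpoint "cert", role names.
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

public class CertOrWindowsPolicy : IAuthorizationPolicy
{
    public string Id { get { return "CertOrWindowsPolicy"; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        // Same "Identities" property the original post reads.
        object obj;
        var identities = evaluationContext.Properties.TryGetValue("Identities", out obj)
            ? obj as IList<IIdentity> : null;

        string name = null, role = null;

        // Certificate caller: WCF adds an X509CertificateClaimSet for the client cert
        // (message mode with clientCredentialType="Certificate").
        foreach (ClaimSet cs in evaluationContext.ClaimSets)
        {
            var certSet = cs as X509CertificateClaimSet;
            if (certSet == null) continue;
            // Map the thumbprint to your own user record here; the thumbprint is used
            // as the name only so the example stays self-contained.
            name = certSet.X509Certificate.Thumbprint;
            role = "CertificateUser";
            break;
        }

        // Windows caller: transport mode (the default) or message mode with Windows.
        if (name == null && identities != null)
            foreach (IIdentity id in identities)
            {
                var win = id as WindowsIdentity;
                if (win == null) continue;
                name = win.Name;
                role = "WindowsUser";
                break;
            }

        if (name == null) return false;   // no credential we recognise: deny the call

        // Picked up by the service only when PrincipalPermissionMode is Custom.
        evaluationContext.Properties["Principal"] =
            new GenericPrincipal(new GenericIdentity(name), new[] { role });
        return true;
    }
}

public static class HostSetup
{
    // Server-side equivalent of the thread's "netTcpCertificate" binding with the
    // mode stated explicitly; without mode="Message" the <message> element is ignored
    // and the default Transport mode hands Evaluate a WindowsIdentity.
    public static NetTcpBinding CertificateBinding()
    {
        var b = new NetTcpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        return b;
    }

    public static ServiceHost Open(Type serviceType, Type contract, Uri baseAddress)
    {
        var host = new ServiceHost(serviceType, baseAddress);
        host.AddServiceEndpoint(contract, CertificateBinding(), "cert");

        // Service certificate (assumed subject name "MyAppServer").
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "MyAppServer");
        // Validate client certificates against the machine's trusted chain.
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;

        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.Custom;
        host.Authorization.ExternalAuthorizationPolicies =
            new ReadOnlyCollection<IAuthorizationPolicy>(
                new IAuthorizationPolicy[] { new CertOrWindowsPolicy() });
        host.Open();
        return host;
    }

    // Client side: the endpoint identity must name the service certificate's subject,
    // otherwise WCF raises "Identity check failed ... expected DNS identity ...".
    public static EndpointAddress ClientAddress(string hostName, int port)
    {
        return new EndpointAddress(
            new Uri(string.Format("net.tcp://{0}:{1}/MyApp/cert", hostName, port)),
            EndpointIdentity.CreateDnsIdentity("MyAppServer"));
    }
}
```

The config-file equivalent of ClientAddress is an <identity><dns value="MyAppServer"/></identity> element under the client endpoint. Keeping ChainTrust (rather than None) on the client-certificate validation mode is what makes the certificate an authentication credential instead of just an encryption key.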