Understanding WCF Windows Authentication

Asked 6/3, 2012 at 16:57 Answered 6/3, 2012 at 19:57

Solved c#asp.net .net wcf windows-authentication

I have a service with windows authentication. Using the following code, I can get the Windows Identity of the user who (by using the client) consumes the service.

String currentUser = OperationContext.Current.ServiceSecurityContext.WindowsIdentity.Name;

The configuration in the server is:

<binding name="messageSecurity">
<security mode="Message">
<message clientCredentialType="Windows"/>
</security>
</binding>

I also read that in the server, it is using Kerberos for this to work.

Now, I am trying to understand its significance in our corporate network. In the office, users will be logging into their desktops using their active directory credentials. Our service is hosted in a windows server named “SERV1” .

Is only users who have access (to login) to “SERV1” can access the service? Or all users who are able to login to the office network (suing active directory credentials) will be able to consume the service?
Is there a way to ensure that only CIO approved applications will be accessing the service, keeping the service as windows authenticated?
Does this authentication check happen for each service operation call or only for the first call?
Is there any way the service will be able to know the windows credentials of the user?

Note: What I understand is WindowsAuthentication can be compared to a Membership provider - providing username and password from a centralized location. It can be compared to ASP.Net Membership Provider or Active Directory Membership Provider.

Further reading:

Umbilical answered 6/3, 2012 at 16:57 Comment(2)

Here's a very nice post which illustrates how you could use AD Groups to restrict access to the service: https://mcmap.net/q/393680/-wcf-data-contracts-authorization – Footrest 6/3, 2012 at 18:2

@Darin. Thanks. I hope that link is for my second question. Could you please answer other questions too? Also (for question #2), I am not trying to restrict access based on role; but the client. – Umbilical 6/3, 2012 at 18:46

Can only users who have access (to login) to “SERV1” access the service?

Yes - that's the point of using Windows credentials in a WCF service. Only users which have a domain account in that Active Directory domain (or a separate domain which has a bidirectional full-trust relationship with your domain) will be able to access the service.

Or all users who are able to login to the office network (suing active directory credentials) will be able to consume the service?

The WCF security boundary is the Active Directory Domain - not a particular server.

Is there a way to ensure that only CIO approved applications will be accessing the service, keeping the service as windows authenticated?

How are those "CIO-approved" applications different from others? WCF is accessed by accounts - typically user accounts. You can limit which accounts have access to your service (by e.g. requiring those accounts to be member of a given AD group or something). You cannot really "limit" based on applications (only if those applications use specific application-level accounts to access your WCF service)

Does this authentication check happen for each service operation call or only for the first call?

Depends on your service - if you use a per-call WCF service, then the check happens for each call. If you use a per-session WCF service with "security negotiation" turned on, then the check happens once at the beginning of the session and not anymore until the session ends.

Is there any way the service will be able to know the windows credentials of the user?

Yes - OperationContext.Current.ServiceSecurityContext.WindowsIdentity IS the Windows credentials (the Windows identity) used to call your service. It's a lot more than just the user name.....

Toucan answered 6/3, 2012 at 19:57 Comment(4)

Thanks for the clear explanation. One question regarding the ServiceSecurityContext.WindowsIdentity. I can get the name and other details of the user. But will I be able to know the password of the user? – Umbilical 7/3, 2012 at 5:35

@Lijo: NO - there is NO way in Windows to retrieve the user's password. – Toucan 7/3, 2012 at 5:52

Thank you. That makes our discussion complete. I marking it as answered. – Umbilical 7/3, 2012 at 6:13

@Lijo: sorry, no, I don't have any experience with claims-based authentication. But please stop sending me these requests, OK? If it's an interesting WCF question where I can help you with - I'll see it, and I'll be happy to answer it. – Toucan 9/3, 2012 at 10:52

That's not an authentication task, that's an authorization task. Kerberos is responsible for ensuring the user is authenticated (the name you get for them is their actual name). LDAP manages authorization. In a Windows context, that means the user should be a member of some permitted-to-access-server-stuff group (and the service must check that this is the case).
Applications? Not really. That is to say, there are two types of authenticated principals in Active Directory: users and computers. But why does it matter what application is being run, if the user doing the running has the permission to connect to the service? Phrased another way, you can't stop someone from using their own code to do exactly what your code would do.
Shouldn't matter. The authentication is working, no? What's actually happening is that the application is being passed a ticket to prove that the user already authenticated (to the KDC, the active directory server).
Yes, the security context is, in some sense, the user's set of credentials. They might also have other credentials, but you can get those too.

Concertino answered 6/3, 2012 at 19:56 Comment(0)

Recommended topics

Hot tags