We have created a downloading client-service model application in which a WCF service is hosted on one of our servers and the client application is distributed among the partners.
Partners are provided with unique pin using which they can authenticate themselves with the WCF service and can place requests for downloading to the WCF Service.
The clients connect to the WCF Service through Windows Azure Service Bus within which we have created a namespace using which client applications can connect to the service.
Every namespace has a Default Issuer and Default Key. We have embedded this Default key in our code when connecting to the service bus.
Somebody told me that the key needs to be secured and you need to get the application signed in order to protect the embedded key. Is that true?
Do we really need to secure this key?
If yes then how? and Is there a way we can simply provide authentication in Service Bus which identifies the clients from their pins and and allows only a set of people to access the service bus namespace?
OR
I'm uselessly getting worried on such points? :)
We are using Service Bus Relay.
I have been reading about SAS and ACS and it seems according to the documentation that SAS is not supported for Relays. Following is the link:
"Support for Service Bus relays will be added in the near future."
http://msdn.microsoft.com/en-us/library/windowsazure/dn170477.aspx
I am unable to understand how to use ACS for authenticating clients. The information provided in the Windows Azure documentation are all bouncers for me and I can not relate them to anything no matter how hard I try.
If somebody has any information for my concerns then please help me with proper links and guidance.
Thanks!
EDIT!!!
I have been searching on this and the following link provides a methodology for creating an unauthenticated client:
http://msdn.microsoft.com/en-us/library/microsoft.servicebus.nettcprelaybinding.aspx
by using following tag in my client App.Config
<security relayClientAuthenticationType="None" />
I have tried this, but getting the below error:
"Generic: There was an authorization failure. Make sure you have specified the correct SharedSecret, SimpleWebToken, SharedAccessSignature, or Saml transport client credentials. MissingToken: Relay security token is required."
I'm looking more about this error. But few questions arise.
If we make the azure service bus accessible without authentication, can somebody simply misuse the service bus for their own advantage?
Do we really need to secure this key?
You store Issuer and Default Key on your server side.
To authorize on the Azure service bus, Service Bus WCF endpoint uses the Issuer and Default Key to create a token that will be signed with the Default Key that means that Default Key will never be sent to Azure.
Is there a way we can simply provide authentication in Service Bus
which identifies the clients from their pins and and allows only a set
of people to access the service bus namespace? OR I'm uselessly
getting worried on such points?
As far as I understood you have already implemented some kind of security on the WCF side.
There is another one way of doing that. You can use ACS to authentificate Clients. By Default Azure relay Service provides Support for the Simple Web Tokens.
Here is the workflow:
Client send UserName/Password( or UserName/Key) to the ACS.
ACS validates whether the credentials are valid.
ACS send the SWT token back to the Client.
Client packs the SWT token onto the HTTP request(for instance into
headers)
Client sends a request to the Web Service with the token in Header.
WCF web Service recieves the token and validates the token with the
secured shared key that was provided from ACS Namespace.(note that
this key is not sent during the communication it has to be manually
copied from the ACS Portal to the web Service config file)
If token is valid then web Service sends data to the Client.
Related
I have a c# .net wcf web service on a windows server with iis. I need to know if there is a way to tell the web service that it can accept request only from specific URL.
example:
ApplicationA call ApplicationAwebService = should work
ApplicationB call ApplicationAwebService = should be denied
Right now, they are all on the same server, but I need a solution that works even if they are on a different server (3tier applications).
thanks
If you are using WCF then its possible to use mutual authentication between services and clients. Mutual authentication achieves not only security for the server to accept connections from legit clients but provides the ability for the clients to verify that they are talking to a legit server.
Mutual authentication can be achieved through Message security (Encrypting the data sent between the client and server and vice versa) by using certificates, kerberos (Windows auth), tokens and a username/password configuration.
Mutual authentication can also be achieved in WCF through rolebased authentication, identities, and resource based authentication
Reference from msdn: https://msdn.microsoft.com/en-us/library/ff647503.aspx
When creating a WCF service application I've implemented UserNamePassValidator for custom authentication and this works as expected.
But due to the large amount of functionality on the service, I've decoupled this into different service contracts such as a stock management service, location management service, task management service etc. and I've then exposed these on different endpoints within the same service.
This seems to work fine, however what I would prefer is to authenticate with one endpoint and have this session state maintained across all of the endpoints. At present what happens is I authenticate to one, I can then access the functionality of that service contract but if I was to connect to another endpoint it requires me to authenticate again.
My current crutch solution is to pass the ClientCredentials between forms on the client side for authenticating, and although it's using Message security so they're encrypted over the wire this is obviously not an ideal solution.
Is there a solution to first part? And if not, what's the best practice for storing user entered credentials in memory (during runtime) at the client side.
You can implement a scheme similar to WS-Federation. It is kind of Federated Security for service level.
Firstly, your Authentication endpoint should be called STS (Security
Token Service). What it does is authentication and return a security
token to the client.
Secondly, STS should be trusted by all the Service Endpoints. When
invoking the endpoints you should pass in the security token that STS
provided so that the endpoints will be able to read that token and
recognize that the token was issued by a trusted STS.
I have implemented one with Thinktecture at https://github.com/khoanguyen/Test-WS-Federation but sorry that I didn't give explanation you will need to research a little bit about WS-Federation and Thinktecture and WIF. But you should know that it is possible to do.
A lightweight solution that I am using for REST services for mobile project is below:
I set up a Authentication endpoint. That endpoint hold a DSA private/public key pair. When client is authenticated, this endpoint generate a token and sign it with DSA private key. Then I combine the signature and token together and return it as a security token to the client.
At the service endpoints, I gave them the DSA public key (from the key pair of Authentication endpoint). The DSA public key is for verifying the security tokens.
When client call the service endpoints, it attaches the security token as a Header of HTTP message. Then, the service endpoints read the header to retrieve the security token -> extract the token and the signature from the security token -> use DSA public to verify it.
The strategy for generating the token depends on your need. In my case, my token contains client's username, expiration timestamp. By using DSA, the hacker can extract all the token's data but they cannot alter it because they must have the DSA private key to sign the altered token. Our job is just keeping the private key in secret and don't leave any sensitive info (e.g password) in the token.
This is very cheap way. I don't need to access DB to verify user, just ensure got a valid security token, token's data is just for extra need, you can even generate a random token and sign it. No session state needed.
I'm planning on deploying a WCF service to multiple devices to receive notifications of certain events. All of the events will originate from a client machine that can provide a certificate to the service to authenticate.
I'm less concerned about the client authenticating each service, but I'm having difficulty choosing the proper WCF security settings to provide this setup. It appears that message-level security requires a client certificate and a service certificate.
But the devices hosting the service will not be able to be maintained in a way that allows us to update the service certificate periodically when it expires. So here are my questions:
Is there a way to set up a WCF service for client certificate authentication without a service certificate on the server?
Is there a simpler approach for verifying the identity of the caller that I'm missing?
I apologize for the brevity of this answer, but it is better to think of it as a Server certificate, rather than a Service certificate. Multiple services could use the same certificate, and you can work around the expiration by not checking for expiration client side. In terms of is there any easier way, WCF supports a variety of authentication and authorization models, here's some useful links.
http://msdn.microsoft.com/en-us/library/ee748498.aspx
http://msdn.microsoft.com/en-us/library/ms733131(v=vs.110).aspx
There's a load of stuff to cover, so I'll try to keep it structured, as all good programmers should.. bear with me.
My Environment
.NET 3.5 SP1 Smart Client
Uses WCF+SOAP over HTTP to communicate to server for business logic / data access
Typically uses a custom (username+password) or Windows authentication scheme
Current work aims to extend to include a new Claims-based authentication scheme to facilitate SSO with ADFS
So far...
Main service endpoints using ws2007FederationHttpBinding bindings, configuration set up with Message security via trust/13/issuedtokenmixedsymmetricbasic256 ADFS 2.0 endpoint
Issuer endpoint configured with IssuedTokenOverTransport to HTTPS trust/13/usernamemixed ADFS 2.0 endpoint
Service has federateServiceHostConfiguration service behaviour specified
Created temporary certificate authority (CA) cert
Created temporary certificate signed by CA
Installed certificate (including private key) and made available to IIS app pool process account
Updated service WCF config to use X509 certificate
Client modified with new app’s own Client scheme/mode, programmatically sets up channel factory to ignore errors caused by temporary certificate and disables certificate revocation checks
Username/password credentials are successfully added (via standard WCF ClientCredentials object) to SOAP envelope of token requests
Token is successfully generated by usernamemixed endpoint and is returned to the client
My problem
Immediately following the token being issued, the subsequent call to issuedtokenmixedsymmetricbasic256 endpoint fails with generic error message that the security of the message could not be validated. Inspection of the SOAP envelope result gives no information at all beyond a simple ‘failed’ result enumeration value
Full tracing has been enabled on ADFS 2.0 server, but no events are logged at all in Event Log or event traces to further diagnose
Unable to configure to work in a federated manner thus far; token is successfully issues over usernamemixed endpoint in the ‘test’ environment (the internal ADFS server rather than a remote one). Use of the ‘live’ environment gives a simple unexplained 401 HTTP status code whether using usernamemixed with confirmed and valid credentials, or windowsmixed, when trying to obtain a token
Generally: Resources from Microsoft or other sources are either very scarce, very specific to one situation, and in a couple of cases, completely wrong or misleading
So ask a question already, doofus
Why does the call the issuedtokenmixedsymmetricbasic256 that WCF makes after getting the token fail? How can I diagnose the result? Other than what I've already done - enabling all trace flags in the service host config, checking the event log and event tracing data, what can I do?
Note, if you're about to suggest a link to a screencast/guide/blog/seemingly all-encompassing MSDN article, please stop. I believe I have found them all, tried them all, and what I need at this point - if you can help me please - is an answer to the above question. Not a general resource.
I'm currently developing a web api, with WCF web api, which allows me to write restful apis. One concern I have is security. For this reason I decided to protect my api with the OAuth protocol which works very good. However, the team got to the conclusion that our own applications shouldn't be authorized by oauth, instead they sould be authorized by http basic, meaning that the client application should send username and password.
So I have 2 questions:
How can I set up WCF Web Api to work with SSL, I'm using Web Api preview 6, and the project is a MVC3 application?
I have an operation handler which takes care of the creation of IPrincipal from the client access token, and then injects it into the operation parameters, so I can access the user's info. I would like to have in the same operation handler a condition where I could check if the authorization scheme is OAuth or http basic, and then in the case of http basic extract the user's credentials and authenticate that specific user against my data base, if authentication is successful create an IPrincipal and inject it to the operation parameters. However, as I see it, everytime an application using http basic requests something to the api, I would have to go to the data base and authenticate. So my question is: Am I in the right path, or this could be accomplished in some other way?
Any answers would be appreciate it. Thank you in advanced!
You setup SSL for WCF Web API just like you would any other WCF service exposed over HTTPS. If you are hosted in IIS, then you need to configure a site binding for HTTPS. If you are self hosted, then the configuration is bit more involved. See http://msdn.microsoft.com/en-us/library/ms733768.aspx for all of the details.
To handle basic auth against a custom identity provider you would typically use a custom authz module when hosted in IIS. See [http://custombasicauth.codeplex.com/] for an example of how to do this. If you are self hosted then you can use a custom username passworld validator. See http://msdn.microsoft.com/en-us/library/aa702565.aspx for details.
Yes, I believe you are correct that every request will require authentication unless you establish some sort of session-like semantics.
Hope this helps.