Develop Reference

Implement Authentication in a WCF service (non ssl)

I have developed a .NET WCF service which uses basicHttp binding. This service is going to be hosted in IIS in an intranet and consumed by a non-Windows SAP PO client.
This service doesn't expose any sensitive information So I do not want to invest time on signing or encrypting messages. However, I also do not want the service to be accessed by anyone who knows the URL. so some form of authentication is required.
Can anyone please advise what would be the simplest way to authenticate my service?
UPDATE :
Thanks Keyur PATEL. I managed to host the service in IIS as per the link provided with security mode being set to "TransportCredentialOnly"
I enabled Basic Authentication in IIS
My windows client is able to subscribe the service however It receives below error when an operation is executed.
"The HTTP request is unauthorized with client authentication scheme 'Basic'. The authentication header received from the server was 'Basic realm="MY SERVER NAME"'.
Server Config
<?xml version="1.0"?>
<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="CustomAuthentication">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Basic" proxyCredentialType="Basic"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="SecurityBehavior">
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="SimpleService.UserNamePasswordAuthentification, App_Code/UserNameValidator"/>
</serviceCredentials>
<serviceMetadata httpGetEnabled="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="SecurityBehavior" name="SimpleService.SimpleService">
<endpoint address="SimpleService" binding="basicHttpBinding" bindingConfiguration="CustomAuthentication" contract="SimpleService.ISimpleService"/>
<host>
<baseAddresses>
<add baseAddress="http://localhost:8080"/>
</baseAddresses>
</host>
</service>
</services>
</system.serviceModel>
<system.web>
<compilation debug="true"/>
</system.web>
</configuration>
Client Config
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_ISimpleService">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Basic" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="http://MYSERVERNAME:PORT/SimpleService.svc/SimpleService"
binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_ISimpleService"
contract="SimpleServiceDEV.ISimpleService" name="BasicHttpBinding_ISimpleService" />
</client>
</system.serviceModel>
</configuration>

WCF service with transport level security - Service unavailable

I have service with transport level security when I have changed http to https , i am unable to expose operation contract as it is showing site can't be reached in browser itself.
Below is my config file
<wsHttpBinding>
<binding name="transport">
<security mode="Transport">
<transport clientCredentialType="None">
</transport>
</security>
</binding>
</wsHttpBinding>
<service name="WcfService1.Service1">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="transport" contract="WcfService1.IService1"></endpoint>
</service>
My service is hosted via IISExpress where Project URL is as below
https://localhost:49500/
And also SSL is enabled with SSL URL which is different from http URL.
I have tried many possible way as stated in SO but couldn't able to find solution for this.
Please help!

Windows Service could not connect to WCF Service when installed on the same web server

I have to provide the userPrincipalName if the windows service is installed on the same web server but I can remove the identity tag if the windows service is installed on any other machine. what could be the reason of such behaviour?
NOTE: Application pool is running under custom domain account
Here is my Windows Service app.config settings:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_ITimerJobService">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Windows" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://domain/TimerJobService.svc"
binding = "wsHttpBinding" bindingConfiguration = "WSHttpBinding_ITimerJobService" contract="TimerJob.ITimerJobService" name= "WSHttpBinding_ITimerJobService">
<identity>
<userPrincipalName value="ApplicationPoolIdentity"/>
</identity>
</endpoint>
</client>
</system.serviceModel>
Thank you very much.

wcf server authentication without certificates

I have a self-hosted WCF service with netTcpBinding bindings. Both my servers and clients will all be in the same domain, so I'd like to use windows authentication, but I'd also like the clients to verify server credentials (to avoid an internal man-in-the-middle/dns tampering attack). I've read that the way to do this is to use an SPN, but I can't seem to get that to work; no matter what the spn is set to the client works (i.e. the server and client don't match, but the client connects anyway). Obviously I've got some kind of configuration error, but I'm not sure where. Here is the service config for the server:
<system.serviceModel>
<services>
<service name="AaaAuthService.AaaAuthService" behaviorConfiguration="AaaAuthServiceBehavior">
<endpoint address="" binding="netTcpBinding" bindingConfiguration="NetTcpBinding_IAaaAuth" contract="AAA.IAaaAuthService">
<!--
<identity>
<servicePrincipalName value="AaaShlkjhlkjjjjhhhhjjpn/justink-pc.sgasdf1.allamericanasphaltasdf.casdfom"/>
</identity>
-->
</endpoint>
<host>
<baseAddresses>
<add baseAddress="net.tcp://localhost:9000/IAaaAuthService"/>
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="AaaAuthServiceBehavior">
<serviceThrottling maxConcurrentCalls="2147483647" maxConcurrentInstances="2147483647" maxConcurrentSessions="2147483647"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<netTcpBinding>
<binding name="NetTcpBinding_IAaaAuth" closeTimeout="00:00:20" openTimeout="00:00:10" receiveTimeout="00:00:10" sendTimeout="00:00:10" hostNameComparisonMode="StrongWildcard" maxConnections="2147483647">
<security mode="Transport">
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign"/>
<message clientCredentialType="Windows"/>
</security>
</binding>
</netTcpBinding>
</bindings>
The windows credentials do seem to get passed in - OperationContext.Current.ServerSecurityContext.WindowsIdentity is populated with the account information.
What am I missing here?

WCF 4 REST - Multiple Standard Endpoints for Authentication

So I'm attempting to configure a WCF 4 REST app to utilize multiple standard endpoints (for the help functionality). The reason for this is that my hosting IIS process has both Anonymous and Windows Authentication enabled, and certain endpoints within my WCF app require one or the other (both results in an exception).
Previously, I was able to do this by defining some bindings:
<bindings>
<webHttpBinding>
<binding name="Anonymous">
<security mode="None" />
</binding>
<binding name="WindowsAuthentication">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" />
</security>
</binding>
</webHttpBinding>
</bindings>
And then defining the services like so:
<services>
<service name="Host.SubscriberInfoHost">
<endpoint address="" binding="webHttpBinding" bindingConfiguration="WindowsAuthentication" contract="Host.ISubscriberInfoHost" />
</service>
<service name="Utilities.Instrumentation.ServiceStatus.ServiceStatusHost">
<endpoint address="" binding="webHttpBinding" bindingConfiguration="Anonymous" contract="Utilities.Instrumentation.ServiceStatus.IServiceStatusHost" />
</service>
</services>
This is what I've tried to do so far while utilizing the standard endpoints model:
<standardEndpoints>
<webHttpEndpoint>
<standardEndpoint name="Host.SubscriberInfoHost" helpEnabled="true" automaticFormatSelectionEnabled="true">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" />
</security>
</standardEndpoint>
<standardEndpoint name="Utilities.Instrumentation.ServiceStatus.IServiceStatusHost" helpEnabled="true" automaticFormatSelectionEnabled="true">
<security mode="None" />
</standardEndpoint>
</webHttpEndpoint>
</standardEndpoints>
However doing this gets the service confused, as I receive:
System.InvalidOperationException: IIS specified authentication schemes 'Negotiate, Anonymous', but the binding only supports specification of exactly one authentication scheme. Valid authentication schemes are Digest, Negotiate, NTLM, Basic, or Anonymous. Change the IIS settings so that only a single authentication scheme is used
Which is exactly what I'm trying to get away from. Could anyone possibly give me a hand on how I would set this situation up using the new standard endpoints model? Thanks!

Found the answer to this after some experimentation. It turns out that the "name" attribute for standard endpoints is actually an endpoint configuration. So, you would use the following standard endpoints:
<standardEndpoint name="WindowsAuthentication" helpEnabled="true" automaticFormatSelectionEnabled="true">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" />
</security>
</standardEndpoint>
<standardEndpoint name="Anonymous" helpEnabled="true" automaticFormatSelectionEnabled="true">
<security mode="None" />
</standardEndpoint>
And then, you would also configure a service such as the following (the "kind" and "endpointConfiguration" attributes must be set in order to tie this endpoint to the standard endpoint above)
<service name="SomeEndpoint">
<endpoint address="" kind="webHttpEndpoint" endpointConfiguration="WindowsAuthentication" contract="ISomeEndpoint" />
</service>
This allows you to mix authentication styles while maintaining the handy service help page.