I have created a WCF service that is hosted using windows service.
The windows service is running under LocalSystem under services.msc
I only want to accept requests from my ASP.NET UI users who are part of the domain's user group.
Eventually we will have multiple UIs, and I don't want to write security-check code in each UI.
How do I check who is making the call so I could do something like:
if (incomingUserGroup != "GroupRequired")
{
    throw new NotAllowedException();
}
You can inspect the security credentials of the calling user through the OperationContext. This will be subject to your having made the service available on an endpoint using a secured binding such as netTcpBinding or WSHttpBinding.
OperationContext.Current.ServiceSecurityContext.WindowsIdentity.Groups
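As an added example (not code from the question or the answer above), here is a service that does the group check centrally so that no UI has to. The contract, the operation and the group name CONTOSO\AppUsers are hypothetical. It assumes an endpoint whose binding authenticates Windows callers, as the answer says; if no Windows identity was negotiated the check fails closed.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.ServiceModel;

// Added example; not code from the question or answer. Contract, operation
// and group name are hypothetical.
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string PlaceOrder(string item);
}

public class OrderService : IOrderService
{
    // Hypothetical domain group; substitute the real one.
    private const string RequiredGroup = @"CONTOSO\AppUsers";

    public string PlaceOrder(string item)
    {
        WindowsIdentity caller = RequireGroup(RequiredGroup);
        return "order for '" + item + "' placed by " + caller.Name;
    }

    // Central authorization check so that none of the UIs has to do it.
    private static WindowsIdentity RequireGroup(string group)
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.WindowsIdentity == null || ctx.WindowsIdentity.IsAnonymous)
        {
            // No negotiated Windows identity: deny rather than fall through.
            throw new FaultException("Authentication required.");
        }

        // IsInRole resolves the name against the token's group SIDs, so domain and
        // nested groups work without translating WindowsIdentity.Groups by hand.
        var principal = new WindowsPrincipal(ctx.WindowsIdentity);
        if (!principal.IsInRole(group))
        {
            // Keep the detail in the server log; the caller only gets a generic fault.
            Console.Error.WriteLine("Denied {0}; groups: {1}",
                ctx.WindowsIdentity.Name, string.Join(", ", GroupNames(ctx.WindowsIdentity)));
            throw new FaultException("Access denied.");
        }
        return ctx.WindowsIdentity;
    }

    // Diagnostics only: translate the token's group SIDs to readable names.
    private static IEnumerable<string> GroupNames(WindowsIdentity identity)
    {
        foreach (IdentityReference sid in identity.Groups)
        {
            string name;
            try { name = sid.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { name = sid.Value; } // unresolvable SID
            yield return name;
        }
    }
}
```

The declarative equivalent is [PrincipalPermission(SecurityAction.Demand, Role = @"CONTOSO\AppUsers")] on the operation, which works with the default PrincipalPermissionMode.UseWindowsGroups and turns a failed demand into an access-denied fault; the imperative version above is useful when you also want to log who was refused and why.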
Related
I have a WCF self-hosted web service (hosted in my Windows service under Local System account). Web methods have [OperationBehaviorAttribute(Impersonation = ImpersonationOption.Required)] attached. NTLM authentication is used.
In my web method's implementation I impersonate the caller and do some stuff. For this I use ServiceSecurityContext.Current.WindowsIdentity. If I don't give proper credentials when calling the web method then web service would return "401 Unauthorized".
When I call the method from Chrome, the Windows identity and impersonation work great. I can create a new process under the impersonated user, which will spawn in that user's Windows session (different from 0). Firefox also works when I add the "localhost" string to the network.automatic-ntlm-auth.trusted-uris preference. But when SoapUI calls the method, this Windows identity is not set up properly. The web method is called, so NTLM works to a degree, but it just doesn't work properly. A call to ServiceSecurityContext.Current.WindowsIdentity.Owner.IsAccountSid() returns false (Owner is not a user account, but the built-in "Administrators" group). Creating a new process while impersonated would create it in Windows session 0.
I've looked into the HTTP communication with Wireshark, and the NTLM handshake looks different between Chrome and SoapUI. No idea what to do with that information, though.
How do I make SoapUI work properly with my web service and NTLM?
While I don't know how to fix the problem with WCF I switched to Web API and OWIN, and now I have a working solution.
I have a web application with a silverlight app on one of the pages. The website is secured using WIF. I am attempting to make a WCF call from silverlight to a service hosted in the same appdomain as my website.
If I have AspNetCompatibilityMode enabled this works fine. The browser has already authenticated and so when the WCF call is made the FedAuth cookies are sent up by the silverlight client and WIF correctly sets the HttpContext.Current.User from the session cookies (FedAuth/FedAuth1).
Unfortunately I need to have AspNetCompatibilityMode turned off. In this case I can see that the Silverlight WCF call still passes the FedAuth cookies to the server and the SessionAuthenticationModule correctly sets Thread.CurrentPrincipal. Unfortunately, the SessionAuthenticationModule seems to run on a different thread from the actual WCF method I am trying to invoke, therefore I lose the identity somewhere along the WCF/WIF pipeline.
Is there a way around this? I have tried creating a custom implementation of SessionAuthenticationModule and overriding SetPrincipalFromSessionToken (inside which I can access my claims etc.), but I am not sure where I can store the principal so that I have access to it after the channel handler dispatches the call to my service on another thread.
I'm having a problem where I want to get the user's Windows login information sent to IIS, then from there sent to a WCF service hosted in a console application, and then that service uses the credentials to go to a database and retrieve results.
I'm looking for an example on the web that does EXACTLY this, but for the life of me can't find one. I can find a million examples that
1. Give general information about WCF, Windows Authentication, Delegation, impersonation etc.
2. Use the credentials to go to a WCF service hosted in IIS and then to the database
3. Use the credentials to go straight to a WCF service and then to the database
But I can't find an example going first to a regular webpage in IIS, then to a WCF service hosted in a console app and then to the database.
Can anyone find this specific scenario?
Can you get the current user under IIS? Write a Login method in WCF and pass that data to the WCF service, use sessions, and require that Login be called first; after all that, close the session.
I have a client app that calls a WCF service on a different server
in the service I print out the following:
1. ServiceSecurityContext.Current.WindowsIdentity.Name;
2. WindowsIdentity.GetCurrent().Name;
1 above gives me my Windows login and 2 gives me the Windows login that the server is logged in as.
How can I change 2 so that it gives me my Windows login (not the login of the server)? Is there a way to force it?
I want to do this because in the WCF service I need to call another service with my original Windows login credentials.
Check out these links about impersonating the caller's identity in a WCF service - that'll be what you have to do, basically:
WCF security guidance - How To Impersonate the original caller
Delegation and Impersonation with WCF
Setting up WCF to Impersonate Client credentials
Caller impersonation for WCF services
Marc
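As an added example (not code from the question or from the linked guidance), here is the difference between the two identities from the question made concrete, first with WCF impersonating the caller for the whole operation and then with an explicit, narrower impersonation scope. The contract, operation names and the net.tcp address are hypothetical; the client side shows the impersonation level the caller has to grant, without which an operation marked Required is rejected.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Added example; not code from the question or the linked articles. The
// contract, the endpoint address and the operation names are hypothetical.
[ServiceContract]
public interface IWhoAmIService
{
    [OperationContract]
    string Plain();

    [OperationContract]
    string Impersonated();
}

public class WhoAmIService : IWhoAmIService
{
    // Item 1 in the question: the authenticated caller.
    // Item 2: the account the host process (this thread) currently runs as.
    private static string Describe()
    {
        return "caller=" + ServiceSecurityContext.Current.WindowsIdentity.Name
             + " thread=" + WindowsIdentity.GetCurrent().Name;
    }

    // No impersonation: "thread" is the service account.
    public string Plain()
    {
        return Describe();
    }

    // WCF impersonates the caller for the whole operation, so "thread" is now the
    // caller too, and anything done here (SQL integrated security, another WCF
    // call on this machine) runs under the caller's token.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string Impersonated()
    {
        return Describe();
    }
}

// Narrower alternative: impersonate only around the downstream call, then revert.
public static class RunAs
{
    public static T Caller<T>(Func<T> work)
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        using (WindowsImpersonationContext scope = caller.Impersonate())
        {
            return work();   // executes under the caller's token
        }                    // Dispose() reverts to the host account, even on exception
    }
}

// Client side: the caller must allow the service to impersonate it.
public static class ClientSetup
{
    public static IWhoAmIService Connect()
    {
        var factory = new ChannelFactory<IWhoAmIService>(
            new NetTcpBinding(),                                       // Windows auth by default
            new EndpointAddress("net.tcp://localhost:9000/whoami"));   // hypothetical address
        factory.Credentials.Windows.AllowedImpersonationLevel =
            TokenImpersonationLevel.Impersonation;
        return factory.CreateChannel();
    }
}
```

Impersonation covers one hop only. To carry the original login on to a second service on another server, which is what the question asks for, the client has to grant TokenImpersonationLevel.Delegation and the service account must be configured in Active Directory as trusted for (preferably constrained) delegation under Kerberos; NTLM cannot forward the identity. That is the scenario the "Delegation and Impersonation with WCF" link above covers.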
I'm sure there's an elegant solution to the problem but I just can't get my head around it. I am trying to call a web service from within a Windows service. The web service is secured (using Windows authentication). The account that the windows service runs under does have the rights to call the web service but I can't figure out how to get those credentials and send them off to the web service. The web service is WCF and is hosted on the same machine (in IIS) as the windows service.
You should be able to use something like this:
var myService = new myThing.Service();                                    // generated proxy for the web service
myService.Credentials = System.Net.CredentialCache.DefaultCredentials;   // authenticate as the account the Windows service runs under
Have you tried enabling integrated authentication (NTLM) for IIS? In my view that should allow you to call the web service if the Windows service's user account has rights to invoke the service. You need not explicitly extract credentials.
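The snippet above is the ASMX-style proxy. As an added example (not from either answer), the same thing for a WCF client: the binding asks IIS for integrated Windows authentication and the channel authenticates as the process account, which is whatever the Windows service runs under. The contract name and the URL are hypothetical.

```csharp
using System;
using System.Net;
using System.ServiceModel;

// Added example; not code from the answers above. IOrderService and the
// service URL are hypothetical placeholders.
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string PlaceOrder(string item);
}

public static class OrderClient
{
    public static string CallAsServiceAccount(string item)
    {
        // IIS must have Windows (integrated) authentication enabled for this
        // application. TransportCredentialOnly sends Windows credentials over plain
        // HTTP (Negotiate/NTLM) and is fine on the same machine; use
        // BasicHttpSecurityMode.Transport (HTTPS) once the service is off-box.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

        var factory = new ChannelFactory<IOrderService>(binding,
            new EndpointAddress("http://localhost/Orders/OrderService.svc"));   // hypothetical URL

        // WCF already authenticates as the process account by default; setting it
        // explicitly documents the intent and is the WCF counterpart of
        // CredentialCache.DefaultCredentials on an ASMX proxy.
        factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;

        IOrderService proxy = factory.CreateChannel();
        try
        {
            return proxy.PlaceOrder(item);
        }
        finally
        {
            // A faulted channel must be aborted; Close() would throw.
            var channel = (IClientChannel)proxy;
            if (channel.State == CommunicationState.Faulted) channel.Abort();
            else channel.Close();
        }
    }
}
```

What IIS authorizes is the identity of the Windows service process: a domain account appears as itself, while LocalSystem or NetworkService appear on the network as the machine account (DOMAIN\MACHINE$), so that is the account that needs rights on the service.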