Calling WCF web services from an ASP.NET web application using impersonation and channel factory - c#

I have various bits of functionality implemented in WCF web services which are currently consumed by an Excel client via a local COM-visible library. I wish to implement some of the front-end functionality in a web client. I set up my client proxy using
dataChannel.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;
ASP.NET impersonation is turned on as is windows authentication (no anonymous). When web services and web site are hosted on the same server there are no issues and the desktop user's credentials are passed from browser to web site to WCF perfectly. However, when web site and web services are hosted on different boxes (same domain, intranet only) I get 401 authentication errors. What am I doing wrong?

It sounds like you are suffering from the Kerberos "double hop" problem. By default Windows does not pass the Kerberos authentication token on to another server, so if a user accesses webserver A and authenticates, and webserver A then accesses a service on webserver B, webserver A does not pass the authentication through to webserver B, so you get a 401. I think this article should help you enable Kerberos delegation between the web site server and the web service server.

Related

How can I deploy an Azure App Service on VPC

I have a simple Azure web app that I'd like to be accessible only to another Azure web app. Is there a way to achieve this very simple thing without having to pay an arm and a leg for Azure Service Environment?
If you want to deploy your Azure App service on a virtual machine, there is no way to do that. But if you deploy your web application on an Azure VM, your requirement can be implemented easily: just using this feature, your web app service can access your web application hosted on a virtual machine in an Azure VNet, and your web application is 100% secure, as there is no route to access it for public access.
If the Azure web app service is necessary for your web application, you can add your first web app service's outbound IP to the IP whitelist of the web app service that you want to limit access to. For how to find the outbound IP of a web app service, please refer to this doc.
However, for common Azure app services, outbound IPs are shared with other common Azure web apps, so this way is available but not so perfect.
Using managed identity to protect your web app service will be a better and easier way, I think: requests that have passed Azure AD auth will be able to access your web app service.
What's more, in the previous link, all ways to protect your web app service are listed under the "Secure app" section, which will be helpful for you too.

Enabling https browsing on localhost WCF Azure Cloud Service

I inherited a WCF application that is hosted in Windows Azure. The application is configured to only allow HTTPS connectivity to access the services, so I'm having problems running the code locally to call and debug it.
When I run the app, I run the WCF role in my cloud service:
When my app starts, I get two browser windows, for an http and an httpS endpoint.
The http://localhost window exposes a basic service definition page. The links INSIDE this page point to an httpS endpoint. The https://localhost page indicates the page can't be displayed.
I tried following https://msdn.microsoft.com/en-us/library/ff795779.aspx and WCF service with Ssl Certificate in Azure emulator but to no avail. Why can't I browse this service with an https URL? What am I missing?

C# (SQL Server Integration Services) - Secured Web Service - How to post signed SOAP/Get response. Testproject SOAPUI works

I'm not good at Web services and C#. I looked at other threads but I can't seem to find a solution. I think because I'm using SSIS I can't use WSE or WCF approaches.
I'm looking for a solution to exchange data between an application server and a secured web service. Overview:
There is a PFX file present which contains the client certificate and the private key.
The PFX is installed on the application server.
I can't approach the service endpoint through a browser e.g. internet explorer. Even with a certificate.
I received a SOAPUI project with the bindings and methods already defined (can't insert the URL). I just needed to reference the PFX file in the settings. I compile a test for a method in the form of a SOAP message and I successfully receive a response.
I need to generate the following SOAP header structure:
Picture
Now in C# how can I realize the same effect as in SOAPUI? At first I tried manually composing the SOAP message and posting it to the service, but I think this is not possible, because I can't seem to generate a security binary token. Now I'm thinking about generating proxy classes. Since I don't have access to the URL endpoint, I'll have to use offline versions of the WSDL + XSDs. Can the proxy class approach work with the web service security?
Basically you need to write a custom script to consume the web service in SSIS. First you need to install the certificate on the local machine. Then you will be able to consume it. SSIS provides support for web services, so you can use it. A SOAPUI request is equivalent to a web method.
MSDN Documentation: Call a Web service by using a client certificate for authentication.
Frequently, Web services must authenticate applications that call the Web services. The Web services must perform authentications of calling applications before the Web services can perform authorizations. One authentication technique is to require applications that call the Web service to present a client certificate.
When an ASP.NET Web application tries to call a Web service that uses certificate authentication, you may receive an "access denied" error message. When a console application or a Microsoft Windows Forms application calls the same Web service, you do not receive an error message.
This behavior occurs because the computer maintains two different certificate stores:
The local machine store: An ASP.NET Web application looks in this store to locate client certificates.
The local user store: An interactive user application looks in this store to locate client certificates.
Typically, when an interactive user application installs a client certificate, the client certificate is installed in the local user store. Therefore, the client certificate works for interactive user applications. However, the client certificate does not work for ASP.NET Web applications.
To enable an ASP.NET Web application to use a client certificate, you must install the client certificate in the local machine store. When you install a client certificate in the local machine store, the client certificate is only available for user accounts in the Administrators group and for the user who installed the client certificate. Therefore, you must grant access to the client certificate for the user account that is used to run the ASP.NET Web application.
Note: You must have the Microsoft .NET Framework 1.1 Service Pack 1 (SP1) installed to use client certificates in the local machine store.
Additionally, when the ASP.NET Web application calls the Web service, the application must export the client certificate from the certificate store and then add the client certificate to the Web service call.
Below are resources which would provide some starting point.
HOW TO: Write a Simple Web Service by Using Visual C# .NET
How to call a Web service by using a client certificate for authentication
Client certificate authentication with web services in .NET
Using authentication certificates to connect to web service
Accessing a web service and a HTTP interface using certificate authentication
Creating and Using C# Web service over HTTPS – SSL
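The store lookup the quoted MSDN text describes, as an added example (not code from the answer above or from MSDN): it reads the client certificate straight from the local machine store by thumbprint, rather than exporting it to a file first, and attaches it to an HTTPS request. The thumbprint and endpoint URL are placeholders, and the class and method names are hypothetical.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

static class MachineStoreClientCert
{
    // Returns the certificate with the given thumbprint from LocalMachine\My,
    // the store an ASP.NET application looks in for client certificates.
    static X509Certificate2 Find(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly: true returns only certificates that pass validation.
            X509Certificate2Collection hits = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, true);
            if (hits.Count == 0)
                throw new InvalidOperationException(
                    "No valid certificate with that thumbprint in LocalMachine\\My.");
            // HasPrivateKey only says a key is associated with the certificate.
            // Whether this account may read it depends on the key's ACL, and a
            // missing grant shows up later, when the TLS handshake needs the key.
            if (!hits[0].HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key.");
            return hits[0];
        }
        finally { store.Close(); }
    }

    static void Main()
    {
        // Placeholders (assumptions): substitute your own values.
        const string thumbprint = "0000000000000000000000000000000000000000";
        const string endpoint = "https://service.example.invalid/Service.asmx";
        try
        {
            var request = (HttpWebRequest)WebRequest.Create(endpoint);
            request.ClientCertificates.Add(Find(thumbprint));
            using (var response = (HttpWebResponse)request.GetResponse())
                Console.WriteLine("HTTP " + (int)response.StatusCode);
        }
        // WebException derives from InvalidOperationException, so it goes first.
        catch (WebException ex) { Console.WriteLine("Call: " + ex.Status + " " + ex.Message); }
        catch (InvalidOperationException ex) { Console.WriteLine("Store: " + ex.Message); }
    }
}
```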

Calling authenticated web service from windows mobile app - need access to cookie container

I'm writing a Windows mobile client that needs to call a web service.
The web service has a login method that returns a session id in a cookie.
I've written a quick test app using normal winforms and I can access the web service cookiecontainer property without any problem
In my windows mobile project (C# .net 2.0 targeting windows mobile professional 6.0) I can reference in the web service as a web reference but there's no cookiecontainer property on the proxy class created for my web service.
Is there any way to get the cookie back so that I can save it and send the session id cookie back with subsequent requests?
[edit 1]
If not, is there a better way to handle authentication on the web service rather than piggy-backing on the existing asp.net website's membership and using sessions?

Calling a web service from a windows service

I'm sure there's an elegant solution to the problem but I just can't get my head around it. I am trying to call a web service from within a Windows service. The web service is secured (using Windows authentication). The account that the windows service runs under does have the rights to call the web service but I can't figure out how to get those credentials and send them off to the web service. The web service is WCF and is hosted on the same machine (in IIS) as the windows service.
You should be able to use something like this:
var myService = new myThing.Service();
myService.Credentials = System.Net.CredentialCache.DefaultCredentials;
Have you tried enabling integrated authentication (NTLM) for IIS? In my view that should allow you to call the web service if the Windows service user account has rights to invoke the service. You need not explicitly extract credentials.
