We have Windows Service with tcp binding. It has a transport security mode and client credential type is Windows. Service is within a domain.
Now we want to make calls to this service from the ASP.NET application running on IIS which is not part of the domain. We don't need user impersonation. What is the most secure way to enable this sort of communication?
This is a pretty standard situation: Web server is in DMZ and I would like to know how to set a secure communication with WCF backend services.
I expect that it will not work. You cannot use Windows client credential type if you want to consume the service outside of your domain. You must use Certificate (or None but it means no authentication).
The difference is that Windows client credentials will create stream secured with SSPI whereas Certificate and None client credentials will create stream secured with SSL certificate. In case of Certificate client credentials each client will be identified by its own certificate (= you need one for your IIS server).
Related
I have a c# .net wcf web service on a windows server with iis. I need to know if there is a way to tell the web service that it can accept request only from specific URL.
example:
ApplicationA call ApplicationAwebService = should work
ApplicationB call ApplicationAwebService = should be denied
Right now, they are all on the same server, but I need a solution that works even if they are on a different server (3tier applications).
thanks
If you are using WCF then its possible to use mutual authentication between services and clients. Mutual authentication achieves not only security for the server to accept connections from legit clients but provides the ability for the clients to verify that they are talking to a legit server.
Mutual authentication can be achieved through Message security (Encrypting the data sent between the client and server and vice versa) by using certificates, kerberos (Windows auth), tokens and a username/password configuration.
Mutual authentication can also be achieved in WCF through rolebased authentication, identities, and resource based authentication
Reference from msdn: https://msdn.microsoft.com/en-us/library/ff647503.aspx
Hope my question is clear!
I have created a WCF Service and have implemented all necessary work for SSL implementation.
From IIS to Web.config
I am able to accessing Service with following URL successfully on browser from my own PC.
https://mycomputername/wcfService.svc
but How can I access it using my IP-Address e.g:
https://192.x.x.x/wcfService.svc
Actually I have to access the web service from another PC with in my network.
The SSL certificate will be associated with a domain name, not with an IP address.
So you will have to customize how to accept the SSL certificate. If you have a .NET client, you can use ServicePointManager.ServerCertificateValidationCallback and return true to accept any certificate.
Related: How to ignore the certificate check when ssl
It's been a week already and I'm still not fully comfortable with implementing ASP.NET Membership Provider with WCF. I'm wondering:
We already have a website which is running under HTTPS protocol. We are working on a new application which will have a WCF service and is going to replace our old application (with HTTPS). Now my question is, since we already have a secured website, do I have to get another certificate just for the WCF service?
If yes, then do I have to get certificates for clients as well? (As I was looking on the web, most of the answers I found were "yes".)
If no, can I use the existing certificate to authenticate my service?
To answer your 2nd question, you only need client certificates if you want your WCF service to support mutual (2-way) SSL authentication, in which both the server and client sides are authenticated by their respective certificates.
Refer to this question for further information on mutual ssl and wcf.
how to implement 2-way SSL certificate for WCF
You have to have 1 SSL Certificate per domain unless you purchase a wildcard certificate. So, if your current SSL Certificate is for subdomain.mydomain.com and you want to host the WCF service at anothersubdomain.mydomain.com (or even www.anotherdomain.com), then you'll need another certificate. If this is something that would happen fairly frequently, then I'd suggest you purchase a *.mydomain.com SSL certificate.
Another option would be to host the WCF service under the current subdomain with a URL like subdomain.mydomain.com\myservice\service.svc.
I can't answer your second question but I doubt you are using client side certificates.
Here's a link to a Beginner's guide on SSL Certificates.
I'm a not good at Web services and C#. I looked at other threads but I can't seem to find a solution. I think because I'm using SSIS I can't use WSE or WCF approaches.
I'm looking for a solution to exchange data between an application server and a secured web service. Overview:
There is a PFX file present which contains the client certificate and the private key.
The PFX is installed on the application server.
I can't approach the service endpoint through a browser e.g. internet explorer. Even with a certificate.
I received a SOAPUI project with already the bindings and methods defined (Can't insert the URL). I just needed to reference the PFX file in the settings. I compile a test for a method in the form of a SOAP message and I succesfully receive a response.
I need to generate the following SOAP header structure:
Picture
Now in C# how can I realize the same effect as in SOAPUI? At first I tried manually composing the soapmessage and posting it to the service, but I think this is not possible, because I can't seem to generate a security binary token. Now I'm thinking about generating proxy classes. Since I don''t have acces to the URL endpoint, I'll have to use offline versions of the WSDL + XSD's. Can the proxy class approach work with the web service security?
Basically you need to write custom script to consume web service in SSIS. First you need to install certificate on local machine. Then you will be able to consume it. SSIS provide support for web service, so you can use it. SOAPUI request is equivalent to web method.
MSDN Documentation: Call a Web service by using a client certificate for authentication.
Frequently, Web services must authenticate applications that call the Web services. The Web services must perform authentications of calling applications before the Web services can perform authorizations. One authentication technique is to require applications that call the Web service to present a client certificate.
When an ASP.NET Web application tries to call a Web service that uses
certificate authentication, you may receive an "access denied" error
message. When a console application or a Microsoft Windows Forms
application calls the same Web service, you do not receive an error
message.
This behavior occurs because the computer maintains two different
certificate stores: The local machine store: An ASP.NET Web
application looks in this store to locate client certificates. The
local user store: An interactive user application looks in this store
to locate client certificates. Typically, when an interactive user
application installs a client certificate, the client certificate is
installed in the local user store. Therefore, the client certificate
works for interactive user applications. However, the client
certificate does not work for ASP.NET Web applications.
To enable an ASP.NET Web application to use a client certificate, you
must install the client certificate in the local machine store. When
you install a client certificate in the local machine store, the
client certificate is only available for user accounts in the
Administrators group and for the user who installed the client
certificate. Therefore, you must grant access to the client
certificate for the user account that is used to run the ASP.NET Web
application.
Note You must have the Microsoft .NET Framework 1.1 Service Pack 1
(SP1) installed to use client certificates in the local machine store.
Additionally, when the ASP.NET Web application calls the Web service,
the application must export the client certificate from the
certificate store and then add the client certificate to the Web
service call.
Below are resources which would provide some starting point.
HOW TO: Write a Simple Web Service by Using Visual C# .NET
How to call a Web service by using a client certificate for authentication
Client certificate authentication with web services in .NET
Using authentication certificates to connect to web service
Accessing a web service and a HTTP interface using certificate authentication
Creating and Using C# Web service over HTTPS – SSL
I'm planning on deploying a WCF service to multiple devices to receive notifications of certain events. All of the events will originate from a client machine that can provide a certificate to the service to authenticate.
I'm less concerned about the client authenticating each service, but I'm having difficulty choosing the proper WCF security settings to provide this setup. It appears that message-level security requires a client certificate and a service certificate.
But the devices hosting the service will not be able to be maintained in a way that allows us to update the service certificate periodically when it expires. So here are my questions:
Is there a way to set up a WCF service for client certificate authentication without a service certificate on the server?
Is there a simpler approach for verifying the identity of the caller that I'm missing?
I apologize for the brevity of this answer, but it is better to think of it as a Server certificate, rather than a Service certificate. Multiple services could use the same certificate, and you can work around the expiration by not checking for expiration client side. In terms of is there any easier way, WCF supports a variety of authentication and authorization models, here's some useful links.
http://msdn.microsoft.com/en-us/library/ee748498.aspx
http://msdn.microsoft.com/en-us/library/ms733131(v=vs.110).aspx