WCF and Integrated Windows Authentication

[Larry]

I have an application with a web front-end and several web services. Some
of the web services will call other web services. I've previously been
using wsHttpBinding and certificates to connect to my IIS hosted wcf web
services, which has been working great. I've received a new requirement
that I need to support Integrated Windows Authentication and not allow
Anonymous access on the web site or the web services. For the web site, I
can uncheck the "Enable anonymous access" and update the web.config and I
can authenticate there fine. But when the web app calls a web service, I
get the error: "The HTTP request is unauthorized with client authentication
scheme 'Anonymous'. The authentication header received from the server was
'Negotiate,NTLM'." What am I missing?

Configuration:
The web site and web services run under an application pool with a domain
user identity.

Client Configuration:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IService"
closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00"
sendTimeout="00:01:00"
bypassProxyOnLocal="false" transactionFlow="false"
hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288"
maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8"
useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32"
maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384"
/>
<reliableSession ordered="true"
inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Message">
<transport clientCredentialType="Windows"
proxyCredentialType="None"
realm="" />
<message clientCredentialType="Windows"
negotiateServiceCredential="true"
algorithmSuite="Default"
establishSecurityContext="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost/WCFTestService/Service.svc"
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_IService"
contract="WCFTestService.IService"
name="WSHttpBinding_IService">
</endpoint>
</client>
</system.serviceModel>
</configuration>

Service config pieces:

<system.serviceModel>
<services>
<service name="Service" behaviorConfiguration="ServiceBehavior">
<!-- Service Endpoints -->
<endpoint address="" binding="wsHttpBinding" contract="IService">
<!--
Upon deployment, the following identity element should be
removed or replaced to reflect the
identity under which the deployed service runs. If removed,
WCF will infer an appropriate identity
automatically.
-->
</endpoint>
<endpoint address="mex" binding="mexHttpBinding"
contract="IMetadataExchange"/>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior">
<!-- To avoid disclosing metadata information, set the value below
to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="true"/>
<!-- To receive exception details in faults for debugging
purposes, set the value below to true. Set to false before deployment to
avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>

 

[Steven Cheng]

Hi Larry,

From your description, you have some WCF service which are called by
ASP.NET web application(which use windows integrated authentication).
However, the ASP.NET web page(call those WCF service) report authentication
error, correct?

According to the WCF service and client proxy(in asp.net) configuration,
I've got that your WCF service is configured with WSHttpBinding and use the
default message layer security(with windows client credential type). In
such mode, the client-side proxy will automatically use the current
security account(of the current process/executing thread) as the client
security token) for the WCF service authentication if you haven't
explicitly specify a different account.

So I'd like to confirm the execution environment of your ASP.NET web
application since that will affect the authentication b ehavior between the
WCF service and the client running in the ASP.NET app.

** Is the ASP.NET web application running on the same server with WCF
service or they're hosted remotely

** What is the IIS version of the server that host ASP.NET web app? And
what is the current security account the ASP.NET web app(an the pages in
it) executing under? You can use the following code to output the executing
account in ASP.NET page:

Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name);

** have you enabled "impersonate" in your ASP.NET web app?

All these will affect the authentication behavior between your ASP.NET WCF
client and the WCF service side.


Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

Note: MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 2 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions. Issues of this
nature are best handled working with a dedicated Microsoft Support Engineer
by contacting Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------

 

[Larry]

Thanks for the reply Steven.

With the product installation, the web app and the WCF services will usually
be on separate machines, though it can be on single machines (especially for
demos). The IIS version currently is 6.0, though I'm trying to get it to
work on 7.0 as well (I've got IIS 6 management compatibility installed).
The current security account is a domain user in the administrators group.
Impersonate is not enabled (I also have web services talking to each other,
so if this needs to be done, I need to do it between services as well).

Larry

 

[Steven Cheng]

Thanks for your reply Larry,

So let's just assume the server topology to be remote based (asp.net web
app and webservice hosted on separate machine).

For IIS6, the worker process account should be the application pool
account(configured for your application virtual directory), since you 're
using a domain account(with out impersonate), then this domain account
should be used as the security identity when your ASP.NET web app calling
the remote WCF service(which use wshttpBinding and default message layer
security).

Also, if you found that the above behavior is what happened in your case,
you can try explicitly specify a client credentials (when calling the WCF
service in ASP.NET page) to see whether it works. e.g.

===============
static void CallService()
{

ServiceReference1.WSHttpServiceClient client = new
IISHostClientApp.ServiceReference1.WSHttpServiceClient();

//use the current security identity
client.ClientCredentials.Windows.ClientCredential =
System.Net.CredentialCache.DefaultNetworkCredentials;

//explicitly specify a credential
//client.ClientCredentials.Windows.ClientCredential = new
System.Net.NetworkCredential("username", "password", "domain");

string ret = client.SayHello("steven");

Console.WriteLine(ret);
client.Close();
}
===============

You can also test the behavior via a console client(running on that ASP.NET
web application host server) to watch the difference. If there is any
findings or anything unclear on this, please feel free to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).


--------------------

From: "Larry" <[email protected]>
References: <#[email protected]>

 

[Larry]

Steven,

Thanks for the reply. Unfortunately, what you mentioned in your last
response is how I am already doing things. You can see my config from my
original posting. The web application and the web services all run under an
application pool with a domain administrator. I also have to disable
anonymous access in IIS. If I enable anonymous access, what I've done and
what you mention works. But, it is a requirement to not allow anonymous
access. Can I get this to work with windows authentication and message
level security?

Larry

The problems is that as I stated in my original question, I can't allow
anonymous access in IIS. What I

 

[Steven Cheng]

Thanks for your reply Larry,

So the problem is actually due to "anonymous access" has been disabled on
that directory. Unfortunately, so far the recommended way for WCF securing
is either using transport layer or using message layer security. When the
IIS virtual dir has disabled anonymous access, that means you have to
follow tranport layer security (the IIS security setting is at transport
layer ). Is it possible to allow "anonymous access" for that IIS
application? Thus, we can still use windows authentication at message layer
and get the client-side caller's security credentials.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.


--------------------

 

[Larry]

Thanks for looking into this Steven. It looks like I may change the host
from IIS to a windows service (for more reasons that this issue). But out
of curiosity, what is it about the anonymous access that WCF uses to make it
a requirement? I'm just trying to understand this aspect of the
communication more. If you could provide any links, documentation or book
references that would be appreciated.

Larry

 

[Steven Cheng]

Thanks for your reply Larry,

When you host WCF in IIS, the difference from other hosting scenario(like
self host) is that IIS help provide the transport layer(http layer). And
that also means all those IIS specific authentication is at transport
layer. In such cases, you'll have the following reasonable security
configuraion for your WCF service:

1. Use the IIS provided transport security. You can basicHttpBinding, this
is the simplest HTTP binding which completely conform to standard http
communication also used by other ASP.NET web page and ASMX webservice. And
by set security mode to "TransportCredentialsOnly", you can get the same
behavior like an ASP.NET asmx webservice. So you can let IIS to help do the
windows authentication here(over http protocol) , but no encrypt, signing
is provided here.

Or you can use https/SSL to ensure further encrypt and signing protection.


2. Use message layer security. Then, the WCF use WS-* message layer
protocols to ensure encrypt and signing protection. And
authentication/credentials are also processed at message layer. We no
longer rely on IIS to do the authentication. So in such cases, we need to
turn off the IIS authentication(let all the request pass through). That's
why we need to turn anonymous access on. We do all the authentication at
WCF message layer.

For reference, I would suggest the MSDN document's security reference on
WCF:

#Security Overview
http://msdn.microsoft.com/en-us/library/ms735093.aspx

And here are some web articles discussing on using the basic httpbinding
with WCF:

#How to: Configure WCF Service to Interoperate with ASP.NET Web Service
Clients
http://msdn.microsoft.com/en-us/library/ms731134.aspx

#WCF : BasicHttpBinding compared to WSHttpBinding at SOAP packet level
http://geekswithblogs.net/claeyskurt/archive/2008/04/22/121508.aspx

#Recipe: WCF basicHttpBinding with Windows Authentication
http://www.rickgaribay.net/archive/2007/04/04/recipe-wcf-basichttpbinding-wi
th-windows-authentication.aspx

If you have any specific questions ,please feel free to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

--------------------