This is a continuation of the previous post on “Security in WCF - I”.
Here, I’ll explain how we can implement Windows authentication with transport level security in intranet environment.
Windows Authentication
In intranet environment, client and service are .NET applications. Windows authentication is the most suitable authentication type in intranet where client credentials are stored in Windows accounts & groups. Intranet environment addresses a wide range of business applications. Developers have more control in this environment.
For Intranet, you can use netTcpBinding
, NetNamedPipeBinding
and NetMsmqBinding
for secure and fast communication.
Windows credential is default credential type and transport security is default security mode for these bindings.
Protection Level
You can set Transport Security protection level through WCF:
- None: WCF doesn’t protect message transfer from client to service.
- Signed: WCF ensures that message has come only from authenticated caller. WCF checks validity of message by checking
Checksum
at service side. It provides authenticity of message. - Encrypted & Signed: Message is signed as well as encrypted. It provides integrity, privacy and authenticity of message.
Configuration in WCF Service for Windows Authentication
- Service is hosted on
netTcpBinding
with credential type windows and protection level as EncryptedAndSigned
.
var tcpbinding = new NetTcpBinding(SecurityMode.Transport);
tcpbinding.Security.Transport.ClientCredentialType =
TcpClientCredentialType.Windows;
tcpbinding.Security.Transport.ProtectionLevel =
System.Net.Security.ProtectionLevel.EncryptAndSign;
Client credential type can be set by TcpClientCredentialType enum
.
public enum TcpClientCredentialType
{
None,
Windows,
Certificate
}
Protection level can be set by ProtectionLevel enum
.
public enum ProtectionLevel
{
None = 0,
Sign = 1,
EncryptAndSign = 2,
}
WCF Service Code
Service Host
class Program
{
static void Main(string[] args)
{
Uri baseAddress = new Uri("http://localhost:8045/MarketService");
using (var productHost = new ServiceHost(typeof(MarketDataProvider)))
{
var tcpbinding = new NetTcpBinding(SecurityMode.Transport);
tcpbinding.Security.Transport.ClientCredentialType =
TcpClientCredentialType.Windows;
tcpbinding.Security.Transport.ProtectionLevel =
System.Net.Security.ProtectionLevel.EncryptAndSign;
ServiceEndpoint productEndpoint = productHost.
AddServiceEndpoint(typeof(IMarketDataProvider), tcpbinding,
"net.tcp://localhost:8000/MarketService");
ServiceEndpoint producthttpEndpoint = productHost.AddServiceEndpoint(
typeof(IMarketDataProvider), new BasicHttpBinding(),
"http://localhost:8045/MarketService");
productHost.Open();
Console.WriteLine("The Market service is running and is listening on:");
Console.WriteLine("{0} ({1})",
productEndpoint.Address.ToString(),
productEndpoint.Binding.Name);
Console.WriteLine("{0} ({1})",
producthttpEndpoint.Address.ToString(),
producthttpEndpoint.Binding.Name);
Console.WriteLine("\nPress any key to stop the service.");
Console.ReadKey();
}
}
}
Alternatively, you can configure the binding using a config file:
<bindings>
<netTcpBinding>
<binding name = "TCPWindowsSecurity">
<security mode = "Transport">
<transport
clientCredentialType = "Windows"
protectionLevel = "EncryptAndSign"
/>
</security>
</binding>
</netTcpBinding>
</bindings>
Run WCF Service
Client Application
static void Main(string[] args)
{
try
{
Console.WriteLine("Connecting to Service..");
var proxy = new ServiceClient(new NetTcpBinding(),
new EndpointAddress("net.tcp://localhost:8000/MarketService"));
Console.WriteLine("MSFT Price:{0}", proxy.GetMarketPrice("MSFT.NSE"));
Console.WriteLine("Getting price for Google");
double price = proxy.GetMarketPrice("GOOG.NASDAQ");
}
catch (FaultException ex)
{
Console.WriteLine("Service Error:" + ex.Detail.ValidationError);
}
catch (Exception ex)
{
Console.WriteLine("Service Error:" + ex.Message);
}
Console.ReadLine();
}
ServiceClient
is a custom class which inherits ClientBase<T>
class in System.ServiceModel
namespace to create channels and communication with service on endpoints.
public class ServiceClient : ClientBase, IMarketDataProvider
{
public ServiceClient() { }
public ServiceClient(string endpointConfigurationName) :
base(endpointConfigurationName) { }
public ServiceClient(string endpointConfigurationName, string remoteAddress) :
base(endpointConfigurationName, remoteAddress) { }
public ServiceClient(string endpointConfigurationName,
System.ServiceModel.EndpointAddress remoteAddress) :
base(endpointConfigurationName, remoteAddress)
{ }
public ServiceClient(System.ServiceModel.Channels.Binding binding,
System.ServiceModel.EndpointAddress remoteAddress) :
base(binding, remoteAddress)
{}
public double GetMarketPrice(string symbol)
{
return base.Channel.GetMarketPrice(symbol);
}
}
Verify User credentials in Service
You can see caller information in WCF service by ServiceSecurityContext
class. Every operation on a secured WCF service has a security call context. The security call context is represented by the class ServiceSecurityContext
.The main use for the security call context is for custom security mechanisms, as well as analysis and auditing.
ServiceSecurityContext
.Current
in Quickwatch window.
Send Alternate Windows Credentials to Service
WCF also gives an option to send alternate Windows credential from the client. By default, it sends logged in user credential. You can send alternate credentials like below:
proxy.ClientCredentials.Windows.ClientCredential.Domain = "mydomain";
proxy.ClientCredentials.Windows.ClientCredential.UserName = "ABC";
proxy.ClientCredentials.Windows.ClientCredential.Password = "pwd";
Now if I run client application with changed credentials, if credentials are of valid windows user, service will authenticate caller else it will reject caller request. In my case, I deliberately give wrong credential to produce reject exception.
Service sends “System.Security.Authentication.InvalidCredentialException
with message "The server has rejected the client credentials.
”
I hope you understood the Windows authentication concept here. If you have any questions, please feel free to send me comments.
You can download the code from here.
CodeProject