Understanding Windows WCF Authentication

I have a Windows-authenticated service. Using the following code, I can get the Windows identity of the user who (through the client) calls this service.

    string currentUser = OperationContext.Current.ServiceSecurityContext.WindowsIdentity.Name;

Server configuration:

    <binding name="messageSecurity">
      <security mode="Message">
        <message clientCredentialType="Windows"/>
      </security>
    </binding>

I also read that the server uses Kerberos for this.

Now I am trying to understand what this means in our corporate network. At the office, users log on to their desktops using their Active Directory credentials. Our service is hosted on a Windows server named "SERV1".

  • Can the service be accessed only by users who have access (can log in) to "SERV1"? Or will all users who can log on to the office network (authenticated against Active Directory) be able to use this service?

  • Is there a way to guarantee that only CIO-approved applications can access the service while keeping the service Windows-authenticated?

  • Is authentication performed for each call to a service operation, or only for the first call?

  • Is there any way for the service to find out a Windows user's credentials?

Note: I understand that Windows authentication can be compared to a membership provider, in that the username and password come from a central location. It can be compared to the ASP.NET membership provider or the Active Directory membership provider.

c# wcf windows-authentication

2 answers

Can the service be accessed only by users who have access (can log in) to "SERV1"?

Yes - that is the point of using Windows credentials in a WCF service. Only users with a domain account in this Active Directory domain (or in a separate domain that has a full, bi-directional trust with your domain) will be able to access the service.

Or will all users who can log on to the office network (authenticated against Active Directory) be able to use this service?

The WCF security boundary is the Active Directory domain, not a specific server.

Is there a way to make sure that only CIO-approved applications can access the service while keeping the service Windows-authenticated?

How do these CIO-approved apps differ from others? Access to WCF is through accounts - usually user accounts. You can limit which accounts have access to your service (for example, by requiring those accounts to be members of a certain AD group or something similar). You cannot "restrict" based on applications (unless those applications use specific application-level accounts to access your WCF service).

Is authentication performed for each call to a service operation, or only for the first call?

Depends on your service - if you use a per-call WCF service, then authentication is performed on each call. If you use a per-session WCF service with security negotiation enabled, then the check occurs once at the beginning of the session and not again until the session ends.

Is there any way for the service to find out a Windows user's credentials?

Yes - OperationContext.Current.ServiceSecurityContext.WindowsIdentity IS the Windows credential (the Windows identity) used to invoke your service. That is much more than just a username.

  • This is not an authentication task but an authorization task. Kerberos is responsible for providing user authentication (the name you get for them is their actual name). LDAP manages authorization. In the context of Windows, this means that the user must be a member of a group that is allowed on the server (and the service must verify that this is the case).

  • Applications? Not really. That is, in Active Directory there are two types of authenticated members: users and computers. But why does it matter which application is running if the user doing the work has permission to connect to the service? Put another way, you cannot prevent someone from using their own code to do what your code does.

  • It doesn't matter. Authentication works either way, no? What actually happens is that a ticket is handed to the application to prove that the user has already authenticated (to the KDC, i.e. the Active Directory server).

  • Yes, a security context is, in a sense, a user's set of credentials. They may also have other credentials, but you can also get them.

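Both answers above make the same two points: the Windows identity WCF hands the service is a full security context rather than a bare name, and the per-application question is really an authorization question that the service itself must enforce (for example via AD group membership). The following C# service, an added example and not code from the question or either answer, shows both: it reads the negotiated identity and gates one operation on membership of an AD group. The service name, operation names and the group `CORP\Payroll-Readers` are assumed for illustration.

```csharp
using System;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IPayrollService
{
    [OperationContract]
    string WhoAmI();

    [OperationContract]
    string GetReport();
}

// PerCall instancing plus a binding without a security session means every
// operation call is authenticated on its own; with a session-based binding the
// Windows identity is established once at session start and reused afterwards.
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall)]
public class PayrollService : IPayrollService
{
    // Assumed AD group name used for authorization in this example.
    public const string ReadersGroup = @"CORP\Payroll-Readers";

    public string WhoAmI()
    {
        WindowsIdentity id = ServiceSecurityContext.Current.WindowsIdentity;
        // The identity carries far more than a name: the authentication package
        // that was negotiated (Kerberos or NTLM), the user's SID and the group
        // memberships that were issued with the ticket.
        return string.Format("{0} (SID {1}) authenticated via {2}; member of {3} groups",
            id.Name, id.User, id.AuthenticationType, id.Groups.Count);
    }

    // Declarative check: WCF sets Thread.CurrentPrincipal from the Windows identity
    // when principalPermissionMode is UseWindowsGroups (the default), so callers who
    // are not in the group never reach the method body and receive an access-denied fault.
    [PrincipalPermission(SecurityAction.Demand, Role = ReadersGroup)]
    public string GetReport()
    {
        return "report for " + ServiceSecurityContext.Current.WindowsIdentity.Name;
    }

    // Imperative equivalent for cases where the decision needs more than one group.
    // Anonymous or unauthenticated identities are always rejected first.
    public static bool IsAuthorized(WindowsIdentity id, string group)
    {
        if (id == null || id.IsAnonymous || !id.IsAuthenticated)
            return false;
        return new WindowsPrincipal(id).IsInRole(group);
    }
}
```

On the host side the binding from the question is enough for authentication; authorization needs the default `<serviceAuthorization principalPermissionMode="UseWindowsGroups"/>` behavior so that the group demand is evaluated against the caller's Windows groups. To get the per-call behavior the first answer describes on a wsHttpBinding message-security endpoint, set `establishSecurityContext="false"` on the `<message>` element so that no secure-conversation session is created and each message carries its own Kerberos authentication.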