Click here to Skip to main content
Click here to Skip to main content
Technical Blog

Tagged as

Implement Windows authentication and security in WCF Service

, 13 Jan 2012 CPOL
Rate this:
Please Sign up or sign in to vote.
This is a continuation of the previous post on “Security in WCF -I”.

This is a continuation of the previous post on “Security in WCF -I”.

Here, I’ll explain how we can implement Windows authentication with transport level security in intranet environment.

Windows Authentication

In intranet environment, client and service are .NET applications. Windows authentication is the most suitable authentication type in intranet where client credentials are stored in Windows accounts & groups. Intranet environment addresses a wide range of business applications. Developers have more control in this environment.

For Intranet, you can use netTcpBinding, NetNamedPipeBinding and NetMsmqBinding for secure and fast communication.

Windows credential is default credential type and transport security is default security mode for these bindings.

Protection Level

You can set Transport Security protection level through WCF:

  • None: WCF doesn’t protect message transfer from client to service.
  • Signed: WCF ensures that message has come only from authenticated caller. WCF checks validity of message by checking Checksum at service side. It provides authenticity of message.
  • Encrypted & Signed: Message is signed as well as encrypted. It provides integrity, privacy and authenticity of message.

Configuration in WCF Service for Windows Authentication

    Service is hosted on netTcpBinding with credential type windows and protection level as EncryptedAndSigned.
var tcpbinding = new NetTcpBinding(SecurityMode.Transport);
//Client credential will be used of windows user
tcpbinding.Security.Transport.ClientCredentialType =
        TcpClientCredentialType.Windows;
// When configured for EncryptAndSign protection level, 
// WCF both signs the message and encrypts
//its content. The Encrypted and Signed protection level provides integrity,
//privacy, and authenticity.
tcpbinding.Security.Transport.ProtectionLevel =
System.Net.Security.ProtectionLevel.EncryptAndSign;

Client credential type can be set by TcpClientCredentialType enum.

public enum TcpClientCredentialType
{
    None,
    Windows,
    Certificate
}

Protection level can be set by ProtectionLevel enum.

// Summary:
//     Indicates the security services requested for an authenticated stream.
public enum ProtectionLevel
{
    // Summary:
    //     Authentication only.
    None = 0,
    //
    // Summary:
    //     Sign data to help ensure the integrity of transmitted data.
    Sign = 1,
    //
    // Summary:
    //     Encrypt and sign data to help ensure the confidentiality and integrity of
    //     transmitted data.
    EncryptAndSign = 2,
}

WCF Service Code

Service Host

class Program
{
    static void Main(string[] args)
    {
        Uri baseAddress = new Uri("http://localhost:8045/MarketService");
        using (var productHost = new ServiceHost(typeof(MarketDataProvider)))
        {
            var tcpbinding = new NetTcpBinding(SecurityMode.Transport);
            //Client credential will be used of windows user
            tcpbinding.Security.Transport.ClientCredentialType =
            TcpClientCredentialType.Windows;
            // When configured for EncryptAndSign protection level, 
            // WCF both signs the message and encrypts
            //its content. The Encrypted and Signed protection level provides integrity,
            //privacy, and authenticity.
            tcpbinding.Security.Transport.ProtectionLevel =
            System.Net.Security.ProtectionLevel.EncryptAndSign;

            ServiceEndpoint productEndpoint = productHost.
            AddServiceEndpoint(typeof(IMarketDataProvider), tcpbinding,
            "net.tcp://localhost:8000/MarketService");

            ServiceEndpoint producthttpEndpoint = productHost.AddServiceEndpoint(
            typeof(IMarketDataProvider), new BasicHttpBinding(),
            "http://localhost:8045/MarketService");

            productHost.Open();
            Console.WriteLine("The Market service is running and is listening on:");
            Console.WriteLine("{0} ({1})",
             productEndpoint.Address.ToString(),
             productEndpoint.Binding.Name);
            Console.WriteLine("{0} ({1})",
             producthttpEndpoint.Address.ToString(),
             producthttpEndpoint.Binding.Name);
            Console.WriteLine("\nPress any key to stop the service.");
            Console.ReadKey();
        }
    }
}

Alternatively, you can configure the binding using a config file:

<bindings>
<netTcpBinding> 
    <binding name = "TCPWindowsSecurity"> 
     <security mode = "Transport"> 
          <transport 
                 clientCredentialType = "Windows" 
                 protectionLevel = "EncryptAndSign" 
           /> 
     </security> 
</binding> 
</netTcpBinding> 
</bindings>

Run WCF Service

image

Client Application

static void Main(string[] args)
{
    try
    {
        Console.WriteLine("Connecting to Service..");
        var proxy = new ServiceClient(new NetTcpBinding(),
        new EndpointAddress("net.tcp://localhost:8000/MarketService"));
        Console.WriteLine("MSFT Price:{0}", proxy.GetMarketPrice("MSFT.NSE"));
        Console.WriteLine("Getting price for Google");
        double price = proxy.GetMarketPrice("GOOG.NASDAQ");
    }
    catch (FaultException ex)
    {
        Console.WriteLine("Service Error:" + ex.Detail.ValidationError);
    }
    catch (Exception ex)
    {
        Console.WriteLine("Service Error:" + ex.Message);
    }
    Console.ReadLine();
}

ServiceClient is a custom class which inherits ClientBase<T> class in System.ServiceModel namespace to create channels and communication with service on endpoints.

public class ServiceClient : ClientBase, IMarketDataProvider
    {
     public ServiceClient()   { }
     public ServiceClient(string endpointConfigurationName) :
        base(endpointConfigurationName) { }

     public ServiceClient(string endpointConfigurationName, string remoteAddress) :
        base(endpointConfigurationName, remoteAddress)   { }

     public ServiceClient(string endpointConfigurationName,
        System.ServiceModel.EndpointAddress remoteAddress) :
            base(endpointConfigurationName, remoteAddress)
        { }
     public ServiceClient(System.ServiceModel.Channels.Binding binding,
            System.ServiceModel.EndpointAddress remoteAddress) :
           base(binding, remoteAddress)
        {}
        ///<span class="code-SummaryComment"><summary>
</span>        /// IMarketDataProvider method
        /// <span class="code-SummaryComment"></summary>
</span>        ///
        ///
    public double GetMarketPrice(string symbol)
        {
            return base.Channel.GetMarketPrice(symbol);
        }
    }

Verify User credentials in Service

You can see caller information in WCF service by ServiceSecurityContext class. Every operation on a secured WCF service has a security call context. The security call context is represented by the class ServiceSecurityContext.The main use for the security call context is for custom security mechanisms, as well as analysis and auditing.

ServiceSecurityContext.Current in Quickwatch window.

image

Send Alternate Windows Credentials to Service

WCF also gives an option to send alternate Windows credential from the client. By default, it sends logged in user credential. You can send alternate credentials like below:

proxy.ClientCredentials.Windows.ClientCredential.Domain = "mydomain";
  proxy.ClientCredentials.Windows.ClientCredential.UserName = "ABC";

proxy.ClientCredentials.Windows.ClientCredential.Password = "pwd";

Now if I run client application with changed credentials, if credentials are of valid windows user, service will authenticate caller else it will reject caller request. In my case, I deliberately give wrong credential to produce reject exception.

Service sends “System.Security.Authentication.InvalidCredentialException with message "The server has rejected the client credentials.

image

I hope you understood the Windows authentication concept here. If you have any questions, please feel free to send me comments.

You can download the code from the link below:


License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Neeraj Kaushik 1980
Architect Initto Technologies India Pvt Ltd
India India
• Technical Architect with 9 years of Application development experience
• Good knowledge and expertise on multiple areas of technologies and their business applications
• Strong experience in high performance and business critical applications.
• Experience in creating framework, Code generators, and UML diagrams.
• Developed messaging framework for Algo Trading, technical analysis tool, market feed client Api, Payment Solutions for SWIFT, Internationalization for Core Banking Solution product etc.
• Practical knowledge of building and practicing agile delivery methodologies (SCRUM & TDD).
• Proven ability in producing technical documentation and presentation to clients.
• Active participation in trainings, article writing & taking initiatives.
• Passion to get knowledge from various resources acquires best practices.
• Good understanding of financial domain especially in investment banking and banking domain.
Specialties
 
Technical Architectures, Multi-threading Architecture, Algo Trading systems, Messaging Framework, FIX Implementation, Technical Analysis & Charting, ActiveMQ, MSMQ, C#, WinForms, ASP.NET MVC, Jquery, WCF, Sql Server 2008, Oracle, TFS, TDD, QuickFix, Open Source Tools & Framework.
Follow on   Twitter

Comments and Discussions

 
QuestionNeat article - but the source code link is broken PinmemberMember 1793308-Apr-13 8:19 
Questionvery nice article Pinmembernasser200927-Nov-12 6:32 
AnswerRe: very nice article PinmemberNeeraj Kaushik 19801-Dec-12 8:19 
Generalthe source code link is broken Pinmemberkamskyleo211-Jun-12 20:21 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Terms of Use | Mobile
Web04 | 2.8.1411023.1 | Last Updated 13 Jan 2012
Article Copyright 2012 by Neeraj Kaushik 1980
Everything else Copyright © CodeProject, 1999-2014
Layout: fixed | fluid