WCF security - WCF with transport authentication using certificates and message authentication using username/password


I'm trying to configure a WCF service to implement 2-factor authentication. The idea being that there is message level authentication with username/password (WS-Security), and transport level authentication using a client certificate.

Step 1: Message level authentication

I've built a WCF service that uses message level authentication with username/password. It works great. I see the credentials passed from the client in the SOAP header, and the service authenticates and authorizes the user.

The System.ServiceModel.ServiceSecurityContext.Current.PrimaryIdentity object is of type System.Security.Principal.WindowsIdentity, and has the following property values:

  • AuthenticationType = Basic
  • ImpersonationLevel = Impersonation
  • IsAnonymous = false
  • IsAuthenticated = true
  • Name = AD account (DOMAIN\AccountName)

The System.ServiceModel.ServiceSecurityContext.Current.WindowsIdentity object is a WindowsIdentity, and has the same property values as above.

Step 2: Transport level authentication with certificates

I then built a new WCF service that uses transport authentication with certificates. Again, it works great.

The System.ServiceModel.ServiceSecurityContext.Current.PrimaryIdentity object is of type System.IdentityModel.Claims.X509Identity, and has the following property values:

  • AuthenticationType = X509
  • IsAuthenticated = true
  • Name = the Subject attribute of the certificate, followed by the thumbprint

The System.ServiceModel.ServiceSecurityContext.Current.WindowsIdentity object is of type System.Security.Principal.WindowsIdentity, and has the following property values:

  • AuthenticationType = ""
  • ImpersonationLevel = Anonymous
  • IsAnonymous = true
  • IsAuthenticated = false

Step 3: Transport level authentication with certificates and Active Directory mapping

Next, I turned on Active Directory mapping by creating a service behavior and setting the ServiceCredentials\ClientCertificate\Authentication MapClientCertificateToWindowsAccount attribute to true.

The service appears to correctly map the certificate to an Active Directory account.

The System.ServiceModel.ServiceSecurityContext.Current.PrimaryIdentity object is of type System.Security.Principal.WindowsIdentity, and has the following property values:

  • AuthenticationType = SSL/PCT
  • ImpersonationLevel = Identification
  • IsAnonymous = false
  • IsAuthenticated = true
  • Name = AD account (DOMAIN\AccountName)

The System.ServiceModel.ServiceSecurityContext.Current.WindowsIdentity object is a WindowsIdentity, and has the same property values as above.

Step 4: Message level authentication and transport authentication

With the above scenarios working, I want to combine them. I created a web service with username/password message level authentication and certificate transport authentication, with Active Directory user mapping disabled.

<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
  </appSettings>
  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5"/>
  </system.web>
  <system.serviceModel>
    <services>
      <service name="WcfTransportAuthCertificateMessageAuthUsername.Service1"
               behaviorConfiguration="MapClientCertificates">
        <endpoint binding="customBinding"
                  bindingConfiguration="TransportCertificateAuthentication_MessageUsernameAuthentication"
                  contract="WcfTransportAuthCertificateMessageAuthUsername.IService1">
        </endpoint>
      </service>
    </services>
    <bindings>
      <customBinding>
        <!-- Transport: HTTPS with a mandatory client certificate.
             Message: WS-Security UsernameToken carried over that transport. -->
        <binding name="TransportCertificateAuthentication_MessageUsernameAuthentication">
          <textMessageEncoding messageVersion="Soap11"></textMessageEncoding>
          <security authenticationMode="UserNameOverTransport"></security>
          <httpsTransport requireClientCertificate="true"></httpsTransport>
        </binding>
      </customBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="false"/>
        </behavior>
        <behavior name="MapClientCertificates">
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="false"/>
          <serviceCredentials>
            <clientCertificate>
              <!-- AD mapping disabled in this step; set to true in step 5 -->
              <authentication mapClientCertificateToWindowsAccount="false" includeWindowsGroups="true" />
            </clientCertificate>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <protocolMapping>
      <add binding="basicHttpsBinding" scheme="https"/>
    </protocolMapping>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
    <directoryBrowse enabled="true"/>
  </system.webServer>
</configuration>

The System.ServiceModel.ServiceSecurityContext.Current.PrimaryIdentity object is of type System.Security.Principal.GenericIdentity, and has the following property values:

  • AuthenticationType = ""
  • IsAuthenticated = false
  • Name = ""

The System.ServiceModel.ServiceSecurityContext.Current.WindowsIdentity object is of type System.IdentityModel.Claims.X509Identity, and has the following property values:

  • AuthenticationType = X509
  • IsAuthenticated = true
  • Name = the Subject attribute of the certificate, followed by the thumbprint

So at this point, I can see the details of the certificate credentials, but not of the message credentials. First question: why can't I see the message level credentials?

Step 5: Message level authentication and transport authentication with AD mapping

Now I turn on AD user mapping by setting the ServiceCredentials\ClientCertificate\Authentication MapClientCertificateToWindowsAccount attribute to true.

The System.ServiceModel.ServiceSecurityContext.Current.PrimaryIdentity object is of type System.Security.Principal.GenericIdentity, and has the following property values:

  • AuthenticationType = ""
  • IsAuthenticated = false
  • Name = ""

The System.ServiceModel.ServiceSecurityContext.Current.WindowsIdentity object is of type System.Security.Principal.WindowsIdentity, and has the following property values:

  • AuthenticationType = ""
  • ImpersonationLevel = Anonymous
  • IsAuthenticated = false
  • IsAnonymous = true
  • Name = ""

Authentication appears to be happening correctly at both the transport and the message level. If I specify an incorrect username/password in the SOAP header, I get a SOAP fault back. If I do not provide a client certificate, or provide an untrusted one, I get an error. So here, I understand that System.ServiceModel.ServiceSecurityContext.Current.WindowsIdentity is of type System.Security.Principal.WindowsIdentity because the service is configured to map to an AD account, but why did it not map?
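One way to make the "both factors present" requirement explicit on the service side, as an added example that is not part of the original question: a custom ServiceAuthorizationManager that walks the full AuthorizationContext instead of relying on whichever credential WCF happens to surface as PrimaryIdentity, and rejects the call unless both an X509 claim set (transport) and a Windows claim set (the username credential validated against AD) are present. The class name TwoFactorAuthorizationManager and the message-property keys are assumptions; it is registered through the serviceAuthorization element of the service behavior.

```csharp
using System;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical class name. Register under the service behavior with:
//   <serviceAuthorization serviceAuthorizationManagerType="Namespace.TwoFactorAuthorizationManager, AssemblyName" />
public class TwoFactorAuthorizationManager : ServiceAuthorizationManager
{
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        AuthorizationContext ctx = operationContext.ServiceSecurityContext.AuthorizationContext;

        X509CertificateClaimSet certClaims = null;
        WindowsClaimSet windowsClaims = null;

        // With a custom binding the transport (client certificate) and message
        // (UsernameToken) credentials arrive as separate claim sets. Inspect all
        // of them rather than only PrimaryIdentity, which reflects just one.
        foreach (ClaimSet cs in ctx.ClaimSets)
        {
            X509CertificateClaimSet x509 = cs as X509CertificateClaimSet;
            if (x509 != null) { certClaims = x509; continue; }

            WindowsClaimSet win = cs as WindowsClaimSet;
            if (win != null) { windowsClaims = win; }
        }

        // Fail closed: missing either factor means the request is not 2-factor authenticated.
        if (certClaims == null || windowsClaims == null)
            return false;

        WindowsIdentity user = windowsClaims.WindowsIdentity;
        if (user == null || !user.IsAuthenticated)
            return false;

        // Keep both factors available to the operation for auditing/logging
        // (constructed property keys; any unique string works).
        operationContext.IncomingMessageProperties["TwoFactor.CertThumbprint"] = certClaims.X509Certificate.Thumbprint;
        operationContext.IncomingMessageProperties["TwoFactor.WindowsUser"] = user.Name;

        return base.CheckAccessCore(operationContext);
    }
}
```

If the username credential is validated by a custom UserNamePasswordValidator rather than against Windows, WCF emits a DefaultClaimSet carrying a ClaimTypes.Name identity claim instead of a WindowsClaimSet, so the second lookup would need to match on that claim type while still skipping the X509 claim set (which also contains a Name claim for the certificate subject).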
