WCFSecurityGuide Wiki & Documentation Rss Feed

New Comment on "How To - Host WCF in a Windows Service Using TCP"

mabra — Mon, 11 Mar 2013 22:21:19 GMT

Hi ! Is at not simple ?? A simple example should and could have a simple download :-( ++mabra

New Comment on "Ch 13 - Internet – WCF and ASMX Client to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)"

markusmr — Fri, 25 Nov 2011 12:24:06 GMT

How can Basic Authentication be called best practice?

New Comment on "How To - Use SQL Role Provider with Username Authentication in WCF calling from Windows Forms"

manjinderenest — Mon, 13 Jun 2011 04:57:20 GMT

I have followed same instruction but after that when i call WCF service method with PrincipalPermission. I have got this error "Request for principal permission failed." can any body help me to solve this problem..

New Comment on "Ch 05 - Authentication, Authorization and Identities in WCF"

sukumarraju — Fri, 13 May 2011 14:53:51 GMT

Stand alone WCF service, which can authenticate multiple clients and authorize against ASP.NET Membership database. As client applications grow the same ASP.NET Membership database can be used by simply configuring the Membership sections in WCF web.config and end point , so that new client can utilise service methods to authenticate & authorize end user. The plumbing work is in WCF service configuraiton. Is there any good article that can walk through the scenario, failed to configure End Point configuration behavior because it has to be End Point Behavior instead of Service Behavior configuration. Unfortunately there is nothing in End point configuration for use Membershipx.

New Comment on "Ch 13 - Internet – WCF and ASMX Client to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)"

cxksnl — Mon, 07 Mar 2011 21:58:59 GMT

I have the same problem as above. Is there anyone add the reference successfully? I followed the code and it went through AuthenticateRequest several times...

New Comment on "Ch 06 - Impersonation and Delegation in WCF"

mhidalgo — Thu, 25 Nov 2010 21:22:52 GMT

Hi, Great article I have a question :What if I want to set network credentials in the client side, for example If I host the WCF service in IIS, so I created a proxy to consume this service. I set network credentials to consume the service. I have a question for you: How can I read this values in the Service side? Thanks

New Comment on "Ch 13 - Internet – WCF and ASMX Client to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)"

alusov — Tue, 07 Sep 2010 03:29:37 GMT

Hi! I have a question about this article. What is the min requrements for this sample. I have been trying this for 2 days. I use iis 5.1, XP SP3, VS2008. The problem is that I can't add a reference on web service in client in Visual Studio. I see the dialog with login and password, input them and continue to see this dialog. In IE 8.0 everything work fine. I assume that maybe the problem is connected with HTTP in IHttpModule. Could you please help me with it. Thanks.

New Comment on "Ch 05 - Authentication, Authorization and Identities in WCF"

JCM219 — Sun, 18 Jul 2010 16:14:17 GMT

Thanks!

New Comment on "Use a Custom Trace Listener only when message filtering is needed"

alhambraeidos — Fri, 09 Apr 2010 11:38:41 GMT

Hi, any sample code of YourCustomListener ?? thanks

New Comment on "Ch 05 - Authentication, Authorization and Identities in WCF"

hallis — Wed, 09 Dec 2009 19:47:15 GMT

Here is how you can do authorization with AzMan: http://hallvardkorsgaard.spaces.live.com/blog/cns!6A4336898CA0055D!883.entry

New Comment on "How To - Create and Install Temporary Client Certificates in WCF During Development"

stuberdo — Thu, 03 Sep 2009 22:06:12 GMT

Ensure makecert.exe is the latest version. The version of mine is 6.0.600.16384 makecert -! will document the -crl switch. makecert -crl ... failed for me on XP, but worked for me on Windows Server 2008.

New Comment on "How To - Use Certificate Authentication and Transport Security in WCF Calling from Windows Forms"

maheshc — Wed, 20 May 2009 10:12:43 GMT

Hi I tried the exact steps given above (for the server portion). The code didn't work till I modified the web.config as follows: <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" /> After this I could check the service in a browser.

New Comment on "How To - Host WCF in a Windows Service Using TCP"

codekitty — Wed, 04 Mar 2009 19:02:06 GMT

Hi and thanks for the tutorial. i tried following the steps and must have missed something. When i tried to start the windows service in services.msc, it says "The Service1 service on local computer started and then stopped. Some services stop automatically if they have no work to do, for example, the Performance Logs and Alerts service." What did i miss? Thanks!!

New Comment on "How to create an error handler to log details of faults for auditing purposes"

FabioCozzolino — Mon, 16 Feb 2009 15:12:56 GMT

I think there is an error in the interface. The right interface is: public interface IErrorHandler { bool HandleError(Exception error); void ProvideFault(Exception error, MessageVersion version, ref Message fault); } bye

Updated Wiki: Home

mycodeplexuser — Thu, 28 Aug 2008 00:12:38 GMT

patterns & practices Improving Web Services Security - Now Released

Welcome to the patterns & practices Improving Web Services Security: Scenarios and Implementation Guidance for WCF project site! This guide shows you how to make the most of WCF (Windows Communication Foundation). With end-to-end application scenarios, it shows you how to design and implement authentication and authorization in WCF. Learn how to improve the security of your WCF services through prescriptive guidance including guidelines, Q&A, practices at a glance, and step-by-step how tos. It's a collaborative effort between patterns & practices, WCF team members, and industry experts. This guide is related to our WCF Security Guidance Project.

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

Download the Guide

Released version posted on August 1st. Start using the guide today!

Download the Improving Web Services Security Guide - Release v1

Parts

Part I, "Security Fundamentals for Web Services"
Part II, "Fundamentals of WCF Security"
Part III, "Intranet Application Scenarios"
Part IV, "Internet Application Scenarios"

Forewords

Chapters

Part I, Security Fundamentals for Web Services

Part II, Fundamentals of WCF Security

Part III - Intranet Application Scenarios

Part IV - Internet Application Scenarios

Checklist

WCF Security Checklist

Guidelines

WCF Security Guidelines

Practices

WCF Security Practices at a Glance

Questions and Answers

WCF Questions and Answers (Q&A)

How Tos

Resources

WCF Security Resources

Team

Core Team: J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher
Contributors and Reviewers

Feedback

Send mail to WCFSec@microsoft.com
Post comments on the Discussions page.
Fill out our questionaire and send the answers to WCFSec@microsoft.com

Community

Guidance Share

Updated Wiki: Home

mycodeplexuser — Mon, 11 Aug 2008 01:10:45 GMT

patterns & practices Improving Web Services Security - Now Released

Download the Guide

Released version posted on August 1st. Start using the guide today!

Download the Improving Web Services Security Guide - Release v1

Parts

Part I, "Security Fundamentals for Web Services"
Part II, "Fundamentals of WCF Security"
Part III, "Intranet Application Scenarios"
Part IV, "Internet Application Scenarios"

Forewords

Chapters

Part I, Security Fundamentals for Web Services

Part II, Fundamentals of WCF Security

Part III - Intranet Application Scenarios

Part IV - Internet Application Scenarios

Checklist

WCF Security Checklist

Guidelines

WCF Security Guidelines

Practices

WCF Security Practices at a Glance

Questions and Answers

WCF Questions and Answers (Q&A)

How Tos

Resources

WCF Security Resources

Team

Core Team: J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher
Contributors and Reviewers

Feedback

Send mail to WCFSec@microsoft.com
Post comments on the Discussions page.
Fill out our questionaire and send the answers to WCFSec@microsoft.com

Community

Guidance Share

Related Sites

Updated Wiki: Home

mycodeplexuser — Mon, 11 Aug 2008 01:10:26 GMT

patterns & practices Improving Web Services Security - Now Released

Download the Guide

Released version posted on August 1st. Start using the guide today!

Download the Improving Web Services Security Guide - Release v1

Parts

Part I, "Security Fundamentals for Web Services"
Part II, "Fundamentals of WCF Security"
Part III, "Intranet Application Scenarios"
Part IV, "Internet Application Scenarios"

Forewords

Chapters

Part I, Security Fundamentals for Web Services

Part II, Fundamentals of WCF Security

Part III - Intranet Application Scenarios

Part IV - Internet Application Scenarios

Checklist

WCF Security Checklist

Guidelines

WCF Security Guidelines

Practices

WCF Security Practices at a Glance

Questions and Answers

WCF Questions and Answers (Q&A)

How Tos

Resources

WCF Security Resources

Team

Core Team: J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher
Contributors and Reviewers

Feedback

Send mail to WCFSec@microsoft.com
Post comments on the Discussions page.
Fill out our questionaire and send the answers to WCFSec@microsoft.com

Community

Guidance Share

Related Sites

Updated Wiki: How do I protect passwords in my user store?

rboucher — Sat, 02 Aug 2008 18:17:38 GMT

How do I protect passwords in my user store?

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

Protect passwords in your user store by storing one-way password hashes with a salt. Generate the hash from a combination of the password and a random salt value. Use an algorithm such as SHA256. If your credential store is compromised, the salt value helps to slow an attacker who is attempting to perform a dictionary attack.

How do I use certificate authentication with X.509 certificates?

Configure your service to use wsHttpBinding with message security and clientCredentialType set to Certificate, as follows:

      <wsHttpBinding>
        <binding name="WSHttpBinding_ICalculator">
          <security mode="Message">
            <message clientCredentialType="Certificate" />
          </security>
        </binding>
      </wsHttpBinding>

You can map an X509 certificate to Windows account by setting the mapClientCertificateToWindowsAccount property to true. By default, when using the certificate client credential type on bindings, the certificate is not mapped to Windows accounts. You can override this behavior by using the mapClientCertificateToWindowsAccount property as follows:

<serviceBehaviors>
  <behavior name="MyServiceBehaviorForWebHttp">
 
     <serviceCredentials>
      <clientCertificate>
       <authentication *mapClientCertificateToWindowsAccount*="*true*" />
      </clientCertificate>
     </serviceCredentials>
  </behavior>
</serviceBehaviors>

Additional Resources

For more information on using WCF with certificates, see “Working with Certificates” at http://msdn.microsoft.com/en-us/library/ms731899.aspx
For more information on mapping certificates to Windows accounts see, “Map certificates to user accounts” at http://technet2.microsoft.com/WindowsServer/f/?en/library/0539dcf5-82c5-48e6-be8a-57bca16c7e171033.mspx
For more information on mapping certificates to Active Directory, see “Mapping Client Certificates with Directory Service Mapping” at http://technet2.microsoft.com/windowsserver/en/library/7cce4299-28f2-45fa-8730-4e0cbe3be8561033.mspx?mfr=true
For more information on certificate-mapping strategies see, “Mapping Strategies” at http://technet2.microsoft.com/windowsserver/en/library/aa61c564-1599-4414-a12d-2f64786f6ec31033.mspx?mfr=true

Updated Wiki: How do I authenticate against a custom store?

rboucher — Sat, 02 Aug 2008 18:16:22 GMT

How do I authenticate against a custom store?

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

To use a custom user/identity store with username authentication, configure your application to use the username authentication with a custom username and password validator. The custom validator will be configured in a service behavior and implemented in a class library. The username and password validator will be used by your service to authenticate your users based on your custom user store.

The following configuration snippet shows how to configure a custom validator for your WCF service:

<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="MyUserNamePasswordValidator,Host"/>
<serviceCertificate findValue="CN=FabrikamEnterprises"/>
</serviceCredentials>

The following code snippet shows how to implement a custom username and password validator:

using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Text;
 
namespace Validator
{
    public class MyUserNamePasswordValidator : UserNamePasswordValidator
    {
        public override void Validate(string userName, string password)
        {
            Console.Write("\nValidating username, {0}, and password, {1} ... ", userName, password);
            if ((string.Compare(userName, "don", true) != 0) || (string.Compare(password, "hall", false) != 0))
            {
                throw new SecurityTokenException("Unknown user.");
            }
            Console.Write("Done: Credentials accepted. \n");
        }
    }
}

Updated Wiki: How do I authenticate against a SQL store?

rboucher — Sat, 02 Aug 2008 18:15:59 GMT

How do I authenticate against a SQL store?

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

To use username authentication with a SQL Server database, you can configure your application to use the ASP.NET membership feature.

To configure the membership provider, perform the following steps:

Configure your SQL Server database for membership. From a Microsoft Visual Studio® 2008 command prompt, run the following command:

aspnet_regsql -S .\SQLExpress -E -A m -d <<YourDatabaseName>>

In this command:

-S specifies the server, which is (.\SQLExpress) in this example.
-E specifies to use Windows authentication to connect to SQL Server.
-A m specifies to add only the membership feature. For simple authentication against a SQL Server user store, only the membership feature is required.
-d specifies the SQL Server database name. If this option is not used, a default aspnetdb database will be created.

For a complete list of the commands, run Aspnet_regsql /?

Modify your Web.config file in your WCF service application by adding the following sections:

<connectionStrings>
  <add name="MyLocalSQLServer"
       connectionString="Initial Catalog=<<YourDatabaseName>>;
      data source=.\sqlexpress;Integrated Security=SSPI;" />
</connectionStrings>
 
…
<system.web>
  ...
  <membership defaultProvider="MySqlMembershipProvider" >
    <providers>
      <clear/>
      <add name="MySqlMembershipProvider"
           connectionStringName="MyLocalSQLServer"
           applicationName="MyAppName"
           type="System.Web.Security.SqlMembershipProvider" />
    </providers>
  </membership>
</system.web>
…

Configure the service to use username authentication.

…
<bindings>
  <wsHttpBinding>
    <binding name="wsHttpEndpointBinding">
      <security>
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

Configure the service to use the membership provider.

<behaviors>
  <serviceBehaviors>
    <behavior name="ServiceBehavior">
 
      <serviceCredentials>
        <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
          membershipProviderName="MySqlMembershipProvider" />
      </serviceCredentials>
 
    </behavior>
  </serviceBehaviors>
</behaviors>
…

Additional Resources

For more information, see “How To – Use Username Authentication with the SQL Server Membership Provider and Message Security in WCF from Windows Forms” at http://www.codeplex.com/WCFSecurity/Wiki/View.aspx?title=How%20To%20-%20Use%20Username%20Authentication%20with%20the%20SQL%20Membership%20Provider%20and%20Message%20Security%20in%20WCF%20from%20Windows%20Forms&referringTitle=How%20Tos