Intranet Scenarios
1. Web to remote WCF with transport security (Original Caller, TCP)
- Use domain credentials to authenticate clients against an Active Directory user store.
- Impersonate the original caller when calling methods on the WCF service from the ASP.NET application.
- Use a service account to call the SQL Server from WCF (without impersonation).
- Use SSL to protect sensitive data between the Web client and IIS.
- Use Transport Security to protect sensitive data between the ASP.NET application and the WCF service.
- Use netTcpBinding to support the TCP transport for improved performance.
- Host WCF in a Windows Service if using IIS 6 (IIS versions prior to IIS 7 do not support the TCP transport).
2. Web to remote WCF with transport security (Trusted sub system, HTTP)
- Use domain credentials to authenticate clients against an Active Directory user store.
- Use a service account to call WCF from the ASP.NET application. The WCF Service uses Windows Authentication.
- Use a service account to call the SQL Server from WCF. The SQL Server uses Windows Authentication.
- Use SSL to protect sensitive data between the Web client and IIS.
- Use Transport security to protect sensitive data between the ASP.NET application and the WCF Service.
- Optionally, use IPSec to protect sensitive data between the WCF Service and SQL Server.
- Use wsHttpBinding to provide support for interoperability and allow the service to be hosted in IIS.
- Host WCF in IIS.
3. Web to remote WCF with transport security (Trusted sub system, TCP)
- Use domain credentials to authenticate clients against an Active Directory user store.
- Use a service account to call WCF from the ASP.NET application. The WCF Service uses Windows Authentication.
- Use a service account to call the SQL Server from WCF. The SQL Server uses Windows Authentication.
- Use SSL to protect sensitive data between the Web client and IIS.
- Use Transport security to protect sensitive data between the ASP.NET application and the WCF Service.
- Optionally, use IPSec to protect sensitive data between the WCF Service and SQL Server.
- Use netTcpBinding to support the TCP transport for improved performance.
- Host WCF in a Windows Service if using IIS 6 (does not support the TCP transport).
4. Windows Forms to remote WCF with transport security (Original Caller, TCP)
- Use domain credentials to authenticate clients against an Active Directory user store.
- Use a service account to call the SQL Server from WCF.
- Use transport security to protect sensitive data between the Windows Forms client and the WCF Service.
- Use netTcpBinding to support the TCP transport for improved performance.
- Host WCF in a Windows Service if using IIS 6 (does not support the TCP transport).
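Configuration for intranet scenario 1 (original caller over netTcpBinding with transport security), shown as an added example rather than files from the patterns & practices guide. Both sides are given: the web.config of the ASP.NET application acting as WCF client, then the app.config of the Windows Service that hosts WCF. The host name wcfhost.example.local, the port, the SPN, and the contract/service names Example.IOrders and Example.OrdersService are assumptions; the comments note what changes for the trusted-subsystem variants (scenarios 2 and 3).

```xml
<!-- web.config of the ASP.NET application (WCF client side) -->
<configuration>
  <system.web>
    <!-- Clients present domain credentials; anonymous access is disabled in IIS -->
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>
    <!-- Page code runs under the original caller's token.
         Trusted subsystem (scenarios 2 and 3): remove this line so the
         application pool's service account makes the WCF call instead. -->
    <identity impersonate="true" />
  </system.web>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <binding name="TcpTransportWindows">
          <!-- Transport security: the TCP stream is signed and encrypted with
               the Windows (Kerberos/NTLM) session key -->
          <security mode="Transport">
            <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="ImpersonateCaller">
          <clientCredentials>
            <!-- Highest impersonation level the client grants the service.
                 Trusted subsystem: use "Identification" so the service can
                 read the caller's identity but cannot act as the caller. -->
            <windows allowedImpersonationLevel="Impersonation" />
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>
      <endpoint name="OrdersTcp"
                address="net.tcp://wcfhost.example.local:8081/Orders"
                binding="netTcpBinding" bindingConfiguration="TcpTransportWindows"
                behaviorConfiguration="ImpersonateCaller"
                contract="Example.IOrders">
        <!-- SPN registered for the Windows Service's account (assumed value);
             naming it forces Kerberos rather than an NTLM fallback -->
        <identity>
          <servicePrincipalName value="host/wcfhost.example.local" />
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>

<!-- app.config of the Windows Service hosting WCF (service side) -->
<configuration>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <binding name="TcpTransportWindows">
          <security mode="Transport">
            <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="CallerAuthorization">
          <!-- Authorize on the original caller's Windows groups, but do not
               impersonate inside operations: the SQL Server call is made with
               the Windows Service's own account, as the scenario requires -->
          <serviceAuthorization principalPermissionMode="UseWindowsGroups"
                                impersonateCallerForAllOperations="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service name="Example.OrdersService" behaviorConfiguration="CallerAuthorization">
        <endpoint address="net.tcp://wcfhost.example.local:8081/Orders"
                  binding="netTcpBinding" bindingConfiguration="TcpTransportWindows"
                  contract="Example.IOrders" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
```

The second hop only succeeds when the browser authenticated to the web server with Kerberos and the ASP.NET application's identity is trusted for delegation to the WCF host's SPN in Active Directory. With NTLM the web server holds nothing it can forward, so the call to the second server fails with an authentication error; restricting delegation to that one SPN (constrained delegation) limits what a compromised web server could reach with borrowed caller tokens.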
Internet Scenarios
1. WCF and ASMX Client to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
- Authenticate clients by using the SQL Server membership provider.
- Authenticate clients by using the SQL Server membership provider with IIS via a custom HTTP module.
- Use WCF to authorize users with roles in SQL Server by using the ASP.NET role provider.
- Use a service account to call the SQL Server from WCF.
- Use transport security to protect user credentials and sensitive data passed between the clients and the WCF service.
- Use basicHttpBinding with transport security to ensure that the service is compatible with legacy ASMX clients.
- Authenticate clients with a custom HTTP module so that user credentials are transmitted over the transport, keeping the service compatible with legacy ASMX clients.
2. Internet – Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
- Use username and password to authenticate users against the SQL Server Membership Provider.
- Use a service account to call WCF from the ASP.NET application.
- Use a service account to call the SQL Server from WCF.
- Use SSL to protect sensitive data between the Web client and IIS.
- Use Transport Security to protect sensitive data between the ASP.NET application and the WCF service.
- Use netTcpBinding to support the TCP transport for improved performance.
- Host WCF in a Windows Service if using IIS 6 (does not support the TCP transport).
3. Windows Forms Client to Remote WCF Using Message Security (Original Caller, HTTP)
- Use username and password to authenticate users against the SQL Server Membership Provider.
- Use a service account to call the SQL Server from WCF.
- Use message security to protect sensitive data between the ASP.NET application and the WCF service.
- Use wsHttpBinding to allow IIS to host the service.
- Host WCF in IIS.
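The service-side web.config for Internet scenario 1 (basicHttpBinding over SSL, SQL membership and role providers, authentication by a custom HTTP module), as an added example and not configuration from the guide. The database host sql.example.local, the application name, the module type Example.MembershipBasicAuthModule and the contract/service names are assumptions; the module itself is described in the comments but not part of the guide.

```xml
<configuration>
  <connectionStrings>
    <!-- Service-account access to the membership database: no user credentials in
         the string, the application pool identity is used (Windows Authentication) -->
    <add name="AspNetDb"
         connectionString="Data Source=sql.example.local;Initial Catalog=aspnetdb;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <!-- Neither IIS nor ASP.NET authenticates; the custom module does -->
    <authentication mode="None" />
    <membership defaultProvider="SqlMembershipProvider">
      <providers>
        <clear />
        <add name="SqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="AspNetDb" applicationName="/OrdersService" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="SqlRoleProvider">
      <providers>
        <clear />
        <add name="SqlRoleProvider" type="System.Web.Security.SqlRoleProvider"
             connectionStringName="AspNetDb" applicationName="/OrdersService" />
      </providers>
    </roleManager>
    <httpModules>
      <!-- Assumed module: reads the HTTP Basic Authorization header, validates it with
           Membership.ValidateUser and sets HttpContext.Current.User to a principal whose
           roles come from the role provider. Under the IIS 7 integrated pipeline it is
           registered in system.webServer/modules instead. -->
      <add name="MembershipBasicAuth" type="Example.MembershipBasicAuthModule, Example.Service" />
    </httpModules>
  </system.web>
  <system.serviceModel>
    <!-- Makes HttpContext.Current (and the principal the module set) visible to operations -->
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
    <bindings>
      <basicHttpBinding>
        <binding name="HttpsBasic">
          <!-- SSL protects the Basic credentials and the payload; WCF itself performs
               no authentication, which is what keeps ASMX clients compatible -->
          <security mode="Transport">
            <transport clientCredentialType="None" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="SslMetadata">
          <serviceMetadata httpsGetEnabled="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service name="Example.OrdersService" behaviorConfiguration="SslMetadata">
        <endpoint address="" binding="basicHttpBinding" bindingConfiguration="HttpsBasic"
                  contract="Example.IOrders" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
```

With this layout the service class carries AspNetCompatibilityRequirements and each operation authorizes with HttpContext.Current.User.IsInRole or Roles.IsUserInRole against the SQL role provider. Because clientCredentialType is None, the HTTP module is the only authentication gate: the site must require SSL, so the Basic header never travels in clear text, and any request reaching an operation without the module having set a principal must be rejected.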
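Configuration for Internet scenario 3 (wsHttpBinding with message security, username credentials validated by the SQL membership provider, hosted in IIS), as an added example rather than the guide's own files. The service web.config comes first, then the Windows Forms client's app.config. The certificate subject wcf.example.com, the service URL, the database host and the contract/service names are assumptions.

```xml
<!-- web.config of the IIS-hosted WCF service -->
<configuration>
  <connectionStrings>
    <!-- Membership store reached with the application pool's service account -->
    <add name="AspNetDb"
         connectionString="Data Source=sql.example.local;Initial Catalog=aspnetdb;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="SqlMembershipProvider">
      <providers>
        <clear />
        <add name="SqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="AspNetDb" applicationName="/OrdersService" />
      </providers>
    </membership>
  </system.web>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="MessageUserName">
          <!-- Credentials and payload are signed and encrypted inside the SOAP message
               with the service certificate, so plain HTTP can carry them -->
          <security mode="Message">
            <message clientCredentialType="UserName" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="MembershipAuth">
          <serviceCredentials>
            <!-- Certificate (private key in the machine store) the client encrypts to -->
            <serviceCertificate findValue="wcf.example.com" storeLocation="LocalMachine"
                                storeName="My" x509FindType="FindBySubjectName" />
            <!-- Username/password pairs are checked by the membership provider -->
            <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
                                    membershipProviderName="SqlMembershipProvider" />
          </serviceCredentials>
          <serviceMetadata httpGetEnabled="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service name="Example.OrdersService" behaviorConfiguration="MembershipAuth">
        <endpoint address="" binding="wsHttpBinding" bindingConfiguration="MessageUserName"
                  contract="Example.IOrders" />
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
      </service>
    </services>
  </system.serviceModel>
</configuration>

<!-- app.config of the Windows Forms client -->
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="MessageUserName">
          <security mode="Message">
            <message clientCredentialType="UserName" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <client>
      <endpoint name="Orders" address="http://wcf.example.com/OrdersService/Service.svc"
                binding="wsHttpBinding" bindingConfiguration="MessageUserName"
                contract="Example.IOrders">
        <!-- Expected service identity; must match the subject of the service certificate,
             otherwise the client refuses to encrypt its credentials to the endpoint -->
        <identity>
          <dns value="wcf.example.com" />
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
```

The client supplies the user's name and password through ClientCredentials.UserName on the proxy before the first call; they are never stored in the config file. The client must be able to validate the service certificate's chain, so the certificate should come from a CA the clients trust. Switching off certificate validation to make development easier removes the only protection message security offers against a spoofed endpoint collecting credentials.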
Reference: WCF Security Guide from patterns & practices
I’ve got an intranet scenario that matches I think two of the items listed here. When I impersonate a service account on a web page before calling the WCF service which is on a separate IIS server, it works fine. But when I do an impersonation of the original caller I get an error indicating “The HTTP request is unauthorized with client authentication scheme ‘Negotiate’” – This works fine if I call the service from a test winform client but not from the web site.
I wonder if hopping from browser to web server to second IIS server hosting WCF is somehow dropping the credential information. Any thoughts?
Maybe you have set the NTLM authentication in IIS. Please try changing that to the Kerberos and NTLM setting. Also check the client web.config file for the transport client credential type. It should be Windows.