RE: How to Authenticate to WCF Service Via VPN



Thanks for your reply Schmitz,

So assigning the default NetworkCredential does not work. Currently, as for the VPN-connected client, is it using the same user account as when you tested via a non-VPN client? If the code works when not using VPN but fails (with an identical account) via the VPN connection, we may need to focus on the VPN part. Otherwise, I think the problem is still that the client credential is not correctly recognized by the server side. For the current security context, you can use the following code to check it:

System.Security.Principal.WindowsIdentity.GetCurrent()

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and suggestions about how we can improve the support we provide to you. Please feel free to let my manager know what you think of the level of service provided. You can send feedback directly to my manager at: msdnmg@xxxxxxxxxxxxxx

==================================================
Get notification to my posts through email? Please refer to http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: Uwe Schmitz <USchmitz@xxxxxxxxxxxxxxxx>
References: <7F04BC5E-22EA-429C-8CBF-033B4C5BC23C@xxxxxxxxxxxxx> <yR75c7l5IHA.3320@xxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: How to Authenticate to WCF Service Via VPN
Date: Tue, 15 Jul 2008 09:45:02 -0700

Thank you for your prompt reply, Steven.

Your assessment of the problem is correct.

However, assigning

serviceProxy.ClientCredentials.Windows.ClientCredential =
    System.Net.CredentialCache.DefaultCredentials;

fails to compile with the following error: "Cannot implicitly convert type 'System.Net.ICredentials' to 'System.Net.NetworkCredential'."

and assigning

serviceProxy.ClientCredentials.Windows.ClientCredential =
    System.Net.CredentialCache.DefaultNetworkCredentials;

compiles, but fails to authenticate with the following System.ServiceModel.Security.SecurityNegotiationException: "The caller was not authenticated by the service." This is the same exception thrown when invoking the service operation without assigning the serviceProxy.ClientCredentials.Windows.ClientCredential property.

Although the solution I proposed (creating a System.Net.NetworkCredential from the operator's domain, user name and password and assigning it to the serviceProxy.ClientCredentials.Windows.ClientCredential property) compiles and functions correctly, storing or prompting for the credentials seems sub-optimal.

Perhaps I could restate the requirement in the hope of finding a better solution:

"On his Windows XP workstation, Bob authenticates to DomainA as Bob (DomainA\Bob). He launches Cisco Systems VPN Client and authenticates as DomainB\BSmith. He then launches an application which contains the following code:

System.AppDomain.CurrentDomain.SetPrincipalPolicy(System.Security.Principal.PrincipalPolicy.WindowsPrincipal);

System.Console.WriteLine(System.Threading.Thread.CurrentPrincipal.Identity.Name);

The application displays 'DomainA\Bob'. The application should display 'DomainB\BSmith', the VPN-authenticated identity. How should the application be re-written to support this?"


"Steven Cheng [MSFT]" wrote:

> Hi Schmitz,
>
> From your description, you're encountering some problem when calling a WCF service from a client which uses a VPN connection to the server's domain environment, correct?
>
> According to your description, the following code is required and is the reasonable approach to make it work:
>
> =========================
> serviceProxy.ClientCredentials.Windows.ClientCredential =
>     new System.Net.NetworkCredential("userName", "password", "domain");
> =========================
>
> The fact is that your VPN-connected client is not a machine joined to the target domain (where the service is running), and your client user's logon account is likely not a domain user account. In that case, you need to manually use NetworkCredential to construct a credential with a certain domain user's username/password.
>
> If you have already logged on as a domain user account, you can try setting serviceProxy.ClientCredentials.Windows.ClientCredential to the following value:
>
> System.Net.CredentialCache.DefaultCredentials
> or
>
> System.Net.CredentialCache.DefaultNetworkCredentials
>
> to see whether it works. These two properties represent the credentials of your application's current security context (mostly the logon user).
>
> Sincerely,
>
> Steven Cheng
>
> Microsoft MSDN Online Support Lead
>
> --------------------
> From: Uwe Schmitz <USchmitz@xxxxxxxxxxxxxxxx>
> Subject: How to Authenticate to WCF Service Via VPN
> Date: Mon, 14 Jul 2008 21:16:01 -0700
>
>
> My team has created WCF services; these services are hosted by IIS and use the WSHttpBinding binding configured with message security and Windows authentication, as follows:
>
> <bindings>
>   <wsHttpBinding>
>     <binding name="Default">
>       <security mode="Message">
>         <message clientCredentialType="Windows"
>                  negotiateServiceCredential="true" />
>       </security>
>     </binding>
>   </wsHttpBinding>
> </bindings>
>
> A service account is assigned to the application pool identity for each service; however, an SPN has not yet been created. The client endpoint includes the service account identity as a user principal name. Kerberos mutual authentication is assumed.
>
> Service authentication works perfectly when the client is authenticated to the same domain as the service account.
>
> When the client is authenticated using Cisco Systems VPN Client (to the same domain as the service account), however, service authentication works, but only with the following code:
>
> serviceProxy.ClientCredentials.Windows.ClientCredential =
>     new System.Net.NetworkCredential("userName", "password", "domain");
>
> Authentication fails without this code.
>
> So the problem is that, when authenticated to the domain using Cisco Systems VPN Client, the client would need to collect the operator's domain credentials (again) in order to assign the serviceProxy.ClientCredentials property prior to invoking service operations.
>
> There must be a better solution.
>
> How can my team invoke service operations when authenticated via Cisco Systems VPN Client?
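The following client applies Steven's WindowsIdentity.GetCurrent() check before deciding which credential to hand to WCF. It is an added example for this thread, not code from either poster or from Microsoft; the IOrderService contract, the service UPN, URL and NetBIOS domain name are placeholders I assumed. It mirrors the posted wsHttpBinding configuration (message security, Windows client credentials, negotiated service credential), uses DefaultNetworkCredentials only when the process token already belongs to the service's domain, and otherwise asks for the domain credential once at run time, holding the password in a SecureString rather than storing it, which addresses the concern Schmitz raised about keeping credentials around.

```csharp
using System;
using System.Net;
using System.Security;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract standing in for the poster's WCF service (not from the thread).
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string Ping();
}

public static class VpnAwareClient
{
    // Placeholders: the real UPN, URL and NetBIOS domain name are not in the thread.
    const string ServiceUpn = "svc-orders@domainb.example";
    const string ServiceUrl = "http://orders.domainb.example/OrderService.svc";
    const string ServiceDomain = "DOMAINB";

    // Builds the same binding the poster configured in web.config:
    // wsHttpBinding, message security, Windows credentials, negotiated service credential.
    public static ChannelFactory<IOrderService> CreateFactory()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        binding.Security.Message.NegotiateServiceCredential = true;

        // Endpoint identity is the service account's UPN, as in the original post.
        var address = new EndpointAddress(new Uri(ServiceUrl),
                                          EndpointIdentity.CreateUpnIdentity(ServiceUpn));
        var factory = new ChannelFactory<IOrderService>(binding, address);

        // Steven Cheng's check: the token the process actually holds. On the VPN-connected
        // workstation this is still the interactive logon (DomainA\Bob); the VPN client
        // authenticated the tunnel, not the Windows session.
        WindowsIdentity current = WindowsIdentity.GetCurrent();
        Console.WriteLine("Process identity: {0} via {1}", current.Name, current.AuthenticationType);

        int sep = current.Name.IndexOf('\\');
        string processDomain = sep > 0 ? current.Name.Substring(0, sep) : string.Empty;

        if (string.Equals(processDomain, ServiceDomain, StringComparison.OrdinalIgnoreCase))
        {
            // Logged on to the service's domain: the process token is the right credential.
            factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;
        }
        else
        {
            // Token belongs to another domain, so DefaultNetworkCredentials would be rejected with
            // SecurityNegotiationException as in the thread. Collect the domain credential at run
            // time; the password lives only in a SecureString and is never written to config or disk.
            Console.Write("User name for {0}: ", ServiceDomain);
            string user = Console.ReadLine();
            factory.Credentials.Windows.ClientCredential =
                new NetworkCredential(user, ReadPassword(), ServiceDomain);
        }

        // Least privilege: Identification lets the service learn who called but not act as them.
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Identification;
        return factory;
    }

    // Reads a password from the console without echo, straight into a SecureString.
    static SecureString ReadPassword()
    {
        Console.Write("Password: ");
        var password = new SecureString();
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(true)).Key != ConsoleKey.Enter)
        {
            if (key.Key == ConsoleKey.Backspace)
            {
                if (password.Length > 0) password.RemoveAt(password.Length - 1);
            }
            else if (!char.IsControl(key.KeyChar))
            {
                password.AppendChar(key.KeyChar);
            }
        }
        Console.WriteLine();
        password.MakeReadOnly();
        return password;
    }

    public static void Main()
    {
        ChannelFactory<IOrderService> factory = CreateFactory();
        IOrderService client = factory.CreateChannel();
        try
        {
            Console.WriteLine(client.Ping());
            ((IClientChannel)client).Close();
        }
        catch (SecurityNegotiationException ex)
        {
            // The thread's failure mode: the service did not accept the negotiated identity.
            // Record which token was offered so the domain mismatch shows up in diagnostics.
            Console.Error.WriteLine("Service rejected caller {0}: {1}",
                                    WindowsIdentity.GetCurrent().Name, ex.Message);
            ((IClientChannel)client).Abort();
        }
    }
}
```

Two things this example makes visible rather than changes: the process identity printed at the start stays DomainA\Bob however the VPN was authenticated, which is exactly why DefaultNetworkCredentials is refused in Schmitz's scenario, and the domain comparison assumes NetBIOS names on both sides, so adjust the ServiceDomain placeholder to whatever WindowsIdentity.Name reports in your forest.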
