Re: WCF authentication and remote workstations
- From: Frank Hauptlorenz <ecstasy.tribe@xxxxxxxxxxxxx>
- Date: Fri, 28 Nov 2008 09:33:13 +0100
Hi Steven,
thanks for your answer. This confirms my speculation.
I think the ways to get around this are
a) move to another VPN solution, which can make our notebooks part of the network
b) disable the authentication and use our own
For your idea with another endpoint: nice idea, but way too complicated.
Thank you,
Frank
Steven Cheng wrote:
Hi Frank,
As for the WCF communication scenario in your context, would you provide some further information about the binding and security configuration of the service/endpoint? For example, are you using transport layer security, letting the runtime forward the Windows credentials automatically, or message layer security (such as username authentication to authenticate the client)?
For the first one (Windows authentication that lets the client automatically forward the client security context, i.e. the current logon user), I think this may somewhat cause the problem on your side, because the laptops are moved outside the domain. However, users can still log on to the laptop via their domain credentials due to the cache, and I think it is likely that (when it works outside the domain) it is the cached domain credentials that are forwarded to the server-side service. In cases where the server requires the client to reauthenticate against their user identity, it fails since it's not in the domain. You can just put some trace code at server-side to print out the user identity, e.g.
====================
OperationContext.Current.ServiceSecurityContext.WindowsIdentity
====================
If the service is correctly called, and the security identity obtained at server-side correctly reflects the client user, that means the cached token is forwarded to the server side.
BTW, for such kind of environment, do you think the following design will help?
Since your client could possibly be moved outside the domain, you may consider providing an additional endpoint. This endpoint may use a different security approach, such as message layer security (which can let the client manually supply username/password credentials). And whenever the default endpoint raises such a security authentication error, your client app can switch to the other endpoint. What do you think?
Sincerely,
Steven Cheng
Microsoft MSDN Online Support Lead
Delighting our customers is our #1 priority. We welcome your comments and suggestions about how we can improve the support we provide to you. Please feel free to let my manager know what you think of the level of service provided. You can send feedback directly to my manager at: msdnmg@xxxxxxxxxxxxxx
==================================================
Get notification to my posts through email? Please refer to http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.
Note: MSDN Managed Newsgroup support offering is for non-urgent issues where an initial response from the community or a Microsoft Support Engineer within 2 business days is acceptable. Please note that each follow-up response may take approximately 2 business days as the support professional working with you may need further investigation to reach the most efficient resolution. The offering is not appropriate for situations that require urgent, real-time or phone-based interactions. Issues of this nature are best handled working with a dedicated Microsoft Support Engineer by contacting Microsoft Customer Support Services (CSS) at http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
-------------------
Date: Thu, 27 Nov 2008 12:40:03 +0100
MIME-Version: 1.0
Subject: WCF authentication and remote workstations
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Hi out there,
we have an application which uses WCF to talk to our services with integrated security.
Some of these workstations are notebooks which are some days within our company (connected to the LAN) and
some days outside (connected through a VPN (VPN-1 from Checkpoint)).
On some days the WCF throws an exception for the outside clients. On some days it works.
My idea is, the WCF does not trust the remote user profile (because it's not verified with the domain controller), but why is it then working
sometimes?
The error message is this one (German and translated from German to English):
Die Vertrauensstellung zwischen dieser Arbeitsstation und der
primären Domäne konnte nicht hergestellt werden.
The domain trust between the workstation and the primary domain could not be established.
Thank you for all ideas,
Frank
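The two-endpoint design and the server-side identity trace from Steven's reply, as an added C# example that is not code from the thread: the service name, addresses and certificate subject are assumptions, and the UserName fallback endpoint needs a service certificate because message security encrypts the supplied password to it.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract] public interface IInventory { [OperationContract] string WhoAmI(); }

public class InventoryService : IInventory
{
    public string WhoAmI()   // server-side trace of the identity WCF actually resolved, as the reply suggests
    {
        var id = OperationContext.Current.ServiceSecurityContext.PrimaryIdentity;
        return id.AuthenticationType + ":" + id.Name;   // package used (e.g. Kerberos/NTLM) and caller name
    }
}

public static class Endpoints
{
    public const string Base = "net.tcp://localhost:9001/inventory";   // assumed address
    public const string CertSubject = "inventory.example.local";       // assumed service certificate subject

    static NetTcpBinding UserNameBinding() =>
        new NetTcpBinding(SecurityMode.Message) { Security = { Message = { ClientCredentialType = MessageCredentialType.UserName } } };

    public static ServiceHost OpenHost()
    {
        var host = new ServiceHost(typeof(InventoryService), new Uri(Base));
        host.AddServiceEndpoint(typeof(IInventory), new NetTcpBinding(SecurityMode.Transport), "win");   // default: Windows credentials forwarded automatically
        host.AddServiceEndpoint(typeof(IInventory), UserNameBinding(), "user");                        // fallback: client supplies username/password
        host.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, CertSubject);
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Windows;   // passwords validated against domain accounts
        host.Open();
        return host;
    }

    public static string CallWithFallback(string user, string password)
    {
        try
        {
            var win = new ChannelFactory<IInventory>(new NetTcpBinding(SecurityMode.Transport), Base + "/win");
            return win.CreateChannel().WhoAmI();
        }
        catch (SecurityNegotiationException)   // Windows negotiation failed, e.g. the domain trust error seen over the VPN
        {
            var fb = new ChannelFactory<IInventory>(UserNameBinding(),
                new EndpointAddress(new Uri(Base + "/user"), new DnsEndpointIdentity(CertSubject)));
            fb.Credentials.UserName.UserName = user;
            fb.Credentials.UserName.Password = password;
            return fb.CreateChannel().WhoAmI();
        }
    }
}
```

When the Windows endpoint does succeed from outside the domain, the string returned by WhoAmI shows whether the forwarded token was a cached domain logon, which is the check Steven describes.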