Internet – Web to Remote WCF Using Message Security (Original Caller)
- J.D. Meier , Jason Taylor , Prashant Bansode , Carlos Farre, Madhu Sundararajan, Steve GregersenApplies To
- WCF 3.5
Scenario
In this scenario, your users do not have Windows accounts and use a web client to connect over the Internet to an ASP.NET application on an IIS server. The business logic called by the WCF service requires fine-grained authorization and is backed by a SQL Server data store. The basic model for this application scenario is shown in the following figure.Key Characteristics
This scenario applies to you if:- Your users have web clients
- Your user accounts are stored in SQL
- Your user roles are stored in SQL
- The business logic behind your WCF service requires fine-grained authorization
- Your application transmits sensitive data over the network that needs to be protected
- A high performance connection between the ASP.NET application and the WCF service is more important than the ability to host the WCF service in IIS
Solution
Solution Summary Table
In this solution you will:- Use username and password to authenticate users against the SQL Server Membership Provider
- Impersonate the original caller when calling methods on the WCF service from the ASP.NET application
- Use a service account to call the SQL Server from WCF
- Use SSL to protect sensitive data between the web client and IIS
- Use message security to protect sensitive data between the ASP.NET application and the WCF service
- Use netTcpBinding to support the TCP transport for improved performance
- Host WCF in a Windows Service since IIS does not support the TCP transport
Web Server
| What | Checks | Example | More Info |
|---|---|---|---|
| IIS | |||
| Configuration | A dedicated application pool is created and configured to run under a custom service account. | Use a domain account if possible. | |
| The web application is configured to run under the service account. | Assign the web application to the custom application pool. | ||
| Authentication | The IIS virtual directory is configured to use Anonymous access. | Users will be allowed to access pages and if required will be redirected to forms authentication page. | |
| ASP.NET | |||
| Configuration | Aspnet database is created to be used with SQL Membership Provider and SQL Role provider. | aspnetregsql -S ./SQLExpress -E -A r m | Aspnetregsql.exe creates the sql database to store the user and role information. |
| Connection string configured to point to the user and role store in SQL Server. | <add name="MyLocalSQLServer" connectionString="Initial Catalog=aspnetdb;data source=localhost;Integrated Security=SSPI;" /> | The database connection string includes Integrated Security=SSPI or Trusted Connection=Yes for Windows authentication. | |
| Web Application process identity is given access permissions on the ASPNET database. | spgrantlogin 'NT AUTHORITY/Network Service'; USE aspnetdb GO sp grantdbaccess 'NT AUTHORITY/Network Service', 'Network Service'; spaddrolemember 'aspnet MembershipFullAccess', 'Network Service'; sp addrolemember 'aspnetRoles FullAccess', 'Network Service' | Your Web Application process identity requires access to the Aspnetdb database. If you host the Web Application in Internet Information Services (IIS) 6.0 on Microsoft Windows Server® 2003, the NT AUTHORITY/Network Service account is used by default to run the Web Application. | |
| Authentication | ASP.NET is configured for Forms authentication | <authentication mode = "Forms" > | The web application will authenticate the users. |
| SqlMembershipProvider is configured to use with Membership feature for forms authentication | <add name="MySqlMembershipProvider" connectionStringName="MyLocalSQLServer" type="System.Web.Security.SqlMembershipProvider, ..." ... /> | The membership feature helps protect credentials, can enforce strong passwords, and provides consistent APIs for user validation and secure user management. The membership feature also automatically creates the authentication ticket for you. | |
| Authorization | Role Manager feature is enabled and SqlRoleProvider is configured for roles authorization. | <roleManager enabled="true" defaultProvider="MySqlRoleProvider" > <providers> <add name="MySqlRoleProvider" connectionStringName="MyLocalSQLServer" applicationName="MyAppName" type="System.Web.Security.SqlRoleProvider" /> </providers> </roleManager> | Role manager feature allows you to look up users' roles without writing and maintaining code. Additionally, the role providers offer a consistent way for you to check the role membership of your users, regardless of the underlying data store. |
| Use URL authorization to control access to pages and folders | <authorization> <allow roles="Manager" /> <deny users="*" /> </authorization> | The authorized users have access to specific pages | |
| Role-checks are performed using role manager APIs | Roles.IsUserInRole("TestRole")... | ||
| WCF Proxy | |||
| ASP.NET has a proxy reference to the WCF service. | The application has access to the WCF metadata to create a service reference. | ||
| Root CA certificate for the service is installed in “Trusted Root Certification Authorities” | All certificates that are signed with this certificate will be trusted by the client machine. | ||
| Proxy invokes services with the security context of service account and passes user credentials for to WCF service | WCFTestService.ServiceClient myService = new WCFTestService.ServiceClient(); myService.ClientCredentials.UserName.UserName = "username"; myService.ClientCredentials.UserName.Password = "p@ssw0rd"; myService.GetData(123); myService.Close(); | A proxy will invoke a WCF method within the service contained on the application server using the Service Accounts security context. |
Application Server
| What | Checks | Example | More Info |
|---|---|---|---|
| Windows Service | |||
| Configuration | Windows Service is configured to run under a custom domain service account | Use a domain account if possible. | |
| WCF service is hosted in a Windows Service. | |||
| WCF Service | |||
| Configuration | Connection string configured to point to the user and role store in SQL Server. | <add name="MyLocalSQLServer" connectionString="Initial Catalog=aspnetdb;data source=localhost;Integrated Security=SSPI;" /> | The database connection string includes Integrated Security=SSPI or Trusted Connection=Yes for Windows authentication. |
| WCF Service process identity is given access permissions on the ASPNET database. | spgrantlogin '<<Custom Service Account>>'; USE aspnetdb GO sp grantdbaccess '<<Custom Service Account>>', '<<Custom Service Account>>'; spaddrolemember 'aspnet MembershipFullAccess', '<<Custom Service Account>>'; sp addrolemember 'aspnetRoles FullAccess', '<<Custom Service Account >>’ | Your WCF service process identity requires access to the Aspnetdb database. | |
| WCF Service is configured to use netTcpBinding binding | <endpoint address="" binding="netTcpBinding" bindingConfiguration="" name="" contract="WCFHostService.IMyService"/> | The NetTcpBinding uses the TCP protocol and provides full support for SOAP security, transactions, and reliability. As client and WCF service both are in intranet this is a good choice from performance perspective. | |
| A mex endpoint is created for publishing the metadata | <endpoint address="Mex" binding="mexTcpBinding" bindingConfiguration="" name="MexEndpoint" contract="IMetadataExchange"/> | This is required so that client can add reference to the WCF Service using SvcUtil utility. | |
| Authentication | The netTcpBinding is configured to use Username Authentication and Message security. | ... <netTcpBinding> <binding name="NetTcpBindingEndpointConfig"> <security mode="Message"> <message clientCredentialType="UserName"/> </security> </binding> </netTcpBinding> | |
| SqlMembershipProvider is configured to use with Username authentication | <add name="MySqlMembershipProvider" connectionStringName="MyLocalSQLServer" type="System.Web.Security.SqlMembershipProvider, ..." ... /> | The membership feature automatically authenticates and creates the authentication ticket for you. | |
| Service behavior is configured to use membership provider for using with username authentication. | <behaviors> <serviceBehaviors> <behavior name="ServiceBehavior"> ... <serviceCredentials> <userNameAuthentication userNamePasswordValidationMode="MembershipProvider" membershipProviderName="MySqlMembershipProvider" /> </serviceCredentials> ... </behavior> </serviceBehaviors> </behaviors> | ||
| Service certificate is installed on the WCF Service machine. The service behavior is configured to use the service certificate. | ... <behaviors> <serviceBehaviors> <behavior name="ServiceBehavior"> <serviceCredentials> <serviceCertificate findValue="CN=tempCert" /> ... </serviceCredentials> </behavior> </serviceBehaviors> </behaviors> ... | This is required for protecting the user credentials in the message. | |
| Authorization | Role Manager feature is enabled and SqlRoleProvider is configured for roles authorization. | <roleManager enabled="true" defaultProvider="MySqlRoleProvider" > <providers> <add name="MySqlRoleProvider" connectionStringName="MyLocalSQLServer" applicationName="MyAppName" type="System.Web.Security.SqlRoleProvider" /> </providers> </roleManager> | Role manager feature allows you to look up users' roles without writing and maintaining code. Additionally, the role providers offer a consistent way for you to check the role membership of your users, regardless of the underlying data store. |
| WCF Operations are configured to do role checks. Role checks can be done either declaratively or imperatively | [PrincipalPermission(SecurityAction.Demand, Role="Managers")] | Use imperative check to do fine grain role check, avoiding the demand on the entire method execution | |
| SQL | The connection string for database is configured to use windows authentication | The database connection string includes Integrated Security=SSPI or Trusted Connection=Yes | |
| Database connection is opened using the WCF process identity’s security context. |
Database Server
| What | Check | Example | More Info |
|---|---|---|---|
| Configuration | A SQL Server login is created for the WCF’s service account (process identity). | ||
| The login is mapped to a database user for the Web application. | |||
| Authentication | SQL Server is configured to use Windows authentication. | ||
| Authorization | The database user is placed in a database role for the WCF service. | SQL Server authorizes the role rather than the user login. | |
| Database permissions are granted to the database role. | Only grants execute permissions on necessary stored procedures. |
Communication Security
| What | Check | Example | More Info |
|---|---|---|---|
| Browser to Web Server | SSL is used between browser and Web server to protect sensitive data on the wire. | Certificate will need to be installed in the Web site. The virtual directory of the web application will need to be configured to use SSL | |
| App server to Database | IPSec or SSL can be used between App server and database server to protect sensitive data on the wire. |
Contributors and Reviewers
- External Contributors and Reviewers:
- Microsoft Consulting Services and PSS Contributors and Reviewers:
- Test team: Rohit Sharma, Chaitanya Bijwe, Parameswaran Vaideeswaran.
- Edit team: Dennis Rea.
- SEO team: Rob Boucher.
1872
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
