Internet – Web to Remote WCF Using Message Security (Original Caller)
J.D. Meier, Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen
Applies To
Scenario
In this scenario, your users do not have Windows accounts and use a web
client to connect over the Internet to an ASP.NET application on an IIS
server. The ASP.NET application calls a WCF service hosted on a remote
application server. The business logic behind the WCF service requires
fine-grained authorization and is backed by a SQL Server data store. The
basic model for this application scenario is shown in the following
figure.
Key Characteristics
This scenario applies to you if:
- Your users have web clients
- Your user accounts are stored in SQL
- Your user roles are stored in SQL
- The business logic behind your WCF service requires fine-grained authorization
- Your application transmits sensitive data over the network that needs to be protected
- A high performance connection between the ASP.NET application and the WCF service is more important than the ability to host the WCF service in IIS
Solution
Solution Summary Table
In this solution you will:
- Use username and password to authenticate users against the SQL Server membership provider
- Flow the original caller to the WCF service by passing the user's username and password as the proxy's client credentials when the ASP.NET application calls the service
- Use a service account (the WCF process identity) to call SQL Server from the WCF service
- Use SSL to protect sensitive data between the web client and IIS
- Use message security to protect the user's credentials and sensitive data between the ASP.NET application and the WCF service
- Use netTcpBinding to support the TCP transport for improved performance
- Host WCF in a Windows service, since IIS 6.0 does not support the TCP transport (IIS 7.0 with WAS can host net.tcp endpoints)
Web Server

| What | Check | Example | More Info |
|------|-------|---------|-----------|
| IIS: Configuration | A dedicated application pool is created and configured to run under a custom service account. | | Use a domain account if possible. |
| | The web application is configured to run under the service account. | | Assign the web application to the custom application pool. |
| IIS: Authentication | The IIS virtual directory is configured to use Anonymous access. | | IIS lets all users reach the pages; when a page requires authentication, ASP.NET redirects the user to the forms login page. |
| ASP.NET: Configuration | The aspnetdb database is created for use with the SQL membership provider and the SQL role provider. | `aspnet_regsql -S .\SQLExpress -E -A r m` | aspnet_regsql.exe creates the SQL database that stores the user and role information; `-E` connects with Windows authentication and `-A r m` adds the role and membership features. |
| | The connection string points to the user and role store in SQL Server. | `<add name="MyLocalSQLServer" connectionString="Initial Catalog=aspnetdb;data source=localhost;Integrated Security=SSPI;" />` | The connection string includes `Integrated Security=SSPI` or `Trusted_Connection=Yes` so that the process identity is used for Windows authentication and no SQL password is stored in configuration. |
| | The web application's process identity is granted access to the aspnetdb database. | `EXEC sp_grantlogin 'NT AUTHORITY\Network Service'; USE aspnetdb; EXEC sp_grantdbaccess 'NT AUTHORITY\Network Service', 'Network Service'; EXEC sp_addrolemember 'aspnet_Membership_FullAccess', 'Network Service'; EXEC sp_addrolemember 'aspnet_Roles_FullAccess', 'Network Service';` | The web application's process identity needs access to aspnetdb. The example grants NT AUTHORITY\Network Service, the default identity when the web application is hosted in IIS 6.0 on Windows Server 2003; in this scenario substitute the custom application pool account. |
| ASP.NET: Authentication | ASP.NET is configured for forms authentication. | `<authentication mode="Forms" />` | The web application authenticates the users itself. |
| | SqlMembershipProvider is configured as the membership provider used by forms authentication. | `<add name="MySqlMembershipProvider" connectionStringName="MyLocalSQLServer" type="System.Web.Security.SqlMembershipProvider, ..." ... />` | The membership feature stores credentials hashed by default, can enforce strong passwords, and provides consistent APIs for user validation and user management. Together with the Login control or FormsAuthentication.RedirectFromLoginPage it issues the forms authentication ticket. |
| ASP.NET: Authorization | The role manager feature is enabled and SqlRoleProvider is configured for role authorization. | `<roleManager enabled="true" defaultProvider="MySqlRoleProvider"> <providers> <add name="MySqlRoleProvider" connectionStringName="MyLocalSQLServer" applicationName="MyAppName" type="System.Web.Security.SqlRoleProvider" /> </providers> </roleManager>` | The role manager looks up users' roles without custom code, and the role providers offer a consistent way to check role membership regardless of the underlying data store. |
| | URL authorization controls access to pages and folders. | `<authorization> <allow roles="Manager" /> <deny users="*" /> </authorization>` | Only users in the allowed roles reach the protected pages; the trailing deny rule rejects everyone else, including anonymous users. |
| | Role checks in page code use the role manager APIs. | `Roles.IsUserInRole("Manager")` | Use imperative checks for decisions finer than a whole page or folder. |
| WCF Proxy | ASP.NET has a proxy reference to the WCF service. | | The application needs access to the WCF metadata (the mex endpoint) to create the service reference. |
| | The root CA certificate that issued the service certificate is installed in Trusted Root Certification Authorities on the web server. | | All certificates issued by that CA are trusted by the client machine, so the service certificate presented during message security negotiation is accepted. |
| | The proxy invokes the service under the security context of the service account and passes the user's credentials to the WCF service. | `WCFTestService.ServiceClient myService = new WCFTestService.ServiceClient(); myService.ClientCredentials.UserName.UserName = "username"; myService.ClientCredentials.UserName.Password = "p@ssw0rd"; myService.GetData(123); myService.Close();` | The proxy runs as the ASP.NET process identity (the service account); the original caller reaches the WCF service only as the UserName credential carried inside the message. The password is available to the application only when the user submits the login form, so it must be captured there if it is to be forwarded later. Call Close() after a successful call and Abort() after a CommunicationException or TimeoutException; Close() on a faulted channel throws. |
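The proxy row above shows the credential settings but not where the original caller's password comes from or how the channel is closed. The following C# is an added example written for this page, not code from the guide. It assumes a hypothetical login page with `UserNameBox`, `PasswordBox` and `ErrorLabel` controls, a service contract `IMyService` exposing `GetData`, the service address `net.tcp://appserver:8000/WCFHostService`, and the certificate subject CN=tempCert from the service configuration; the programmatic binding mirrors the netTcpBinding message-security configuration shown for the service.

```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Client-side copy of the service contract (assumed; it must match the service's contract).
[ServiceContract]
public interface IMyService
{
    [OperationContract]
    string GetData(int value);
}

public static class OriginalCallerProxy
{
    // Assumed service address. The DNS identity must equal the subject name of the service
    // certificate (CN=tempCert), or the client rejects the certificate it obtains during
    // message-security negotiation.
    private const string ServiceAddress = "net.tcp://appserver:8000/WCFHostService";
    private const string ServiceDnsIdentity = "tempCert";

    // Programmatic equivalent of the netTcpBinding configuration: message security with a
    // UserName client credential, so the password travels encrypted inside the SOAP message.
    private static ChannelFactory<IMyService> CreateFactory(NetworkCredential caller)
    {
        var binding = new NetTcpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        var address = new EndpointAddress(new Uri(ServiceAddress),
                                          EndpointIdentity.CreateDnsIdentity(ServiceDnsIdentity));
        var factory = new ChannelFactory<IMyService>(binding, address);
        // Credentials belong to the factory and are fixed once it opens: one factory per caller.
        factory.Credentials.UserName.UserName = caller.UserName;
        factory.Credentials.UserName.Password = caller.Password;
        return factory;
    }

    // Calls GetData as the original caller. The ASP.NET process identity (the service account)
    // opens the TCP connection; the user's identity reaches the service only as the UserName token.
    public static string GetDataAsOriginalCaller(NetworkCredential caller, int value)
    {
        ChannelFactory<IMyService> factory = CreateFactory(caller);
        IMyService channel = factory.CreateChannel();
        try
        {
            string result = channel.GetData(value);
            ((ICommunicationObject)channel).Close();   // graceful close only after success
            factory.Close();
            return result;
        }
        catch (CommunicationException)   // MessageSecurityException (rejected password) derives from this
        {
            ((ICommunicationObject)channel).Abort();   // Close() on a faulted channel would throw
            factory.Abort();
            throw;
        }
        catch (TimeoutException)
        {
            ((ICommunicationObject)channel).Abort();
            factory.Abort();
            throw;
        }
    }
}

// Hypothetical login page. The form post is the only moment the clear-text password exists on
// the web server, so it is captured here for later use by the proxy.
public partial class LoginPage : Page
{
    protected TextBox UserNameBox;
    protected TextBox PasswordBox;
    protected Label ErrorLabel;

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (Membership.ValidateUser(UserNameBox.Text, PasswordBox.Text))
        {
            // Stored as strings so that out-of-process session state can serialize them.
            Session["CallerUser"] = UserNameBox.Text;
            Session["CallerPassword"] = PasswordBox.Text;
            FormsAuthentication.RedirectFromLoginPage(UserNameBox.Text, false);
        }
        else
        {
            ErrorLabel.Text = "Login failed.";   // same text for unknown user and wrong password
        }
    }
}

// Any page protected by URL authorization: forward the stored credential with the call.
public partial class DataPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        var user = Session["CallerUser"] as string;
        var password = Session["CallerPassword"] as string;
        if (user == null || password == null)
        {
            // Session expired or was recycled while the forms ticket is still valid: re-authenticate.
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();
            return;
        }
        string data = OriginalCallerProxy.GetDataAsOriginalCaller(new NetworkCredential(user, password), 123);
        Response.Write(HttpUtility.HtmlEncode(data));
    }
}
```

Holding the clear-text password in session state is the price of flowing the original caller with a UserName credential: it lives in the worker process memory for the life of the session and, with StateServer or SQL Server session state, is serialized to that store as well, which then needs the same protection as the membership database. Keep the session timeout short and clear the two entries on sign-out.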
Application Server

| What | Check | Example | More Info |
|------|-------|---------|-----------|
| Windows Service: Configuration | The Windows service is configured to run under a custom domain service account. | | Use a domain account if possible. |
| | The WCF service is hosted in the Windows service. | | A Windows service host is used because IIS 6.0 can host only HTTP endpoints; the net.tcp endpoint needs a self-host. |
| WCF Service: Configuration | The connection string points to the user and role store in SQL Server. | `<add name="MyLocalSQLServer" connectionString="Initial Catalog=aspnetdb;data source=localhost;Integrated Security=SSPI;" />` | The connection string includes `Integrated Security=SSPI` or `Trusted_Connection=Yes` so that the Windows service account is used for Windows authentication. |
| | The WCF service's process identity is granted access to the aspnetdb database. | `EXEC sp_grantlogin '<<Custom Service Account>>'; USE aspnetdb; EXEC sp_grantdbaccess '<<Custom Service Account>>', '<<Custom Service Account>>'; EXEC sp_addrolemember 'aspnet_Membership_FullAccess', '<<Custom Service Account>>'; EXEC sp_addrolemember 'aspnet_Roles_FullAccess', '<<Custom Service Account>>';` | The WCF service's process identity (the Windows service account) needs access to aspnetdb to validate usernames and look up roles. |
| | The WCF service exposes an endpoint on netTcpBinding that references the secured binding configuration. | `<endpoint address="" binding="netTcpBinding" bindingConfiguration="NetTcpBindingEndpointConfig" name="" contract="WCFHostService.IMyService"/>` | NetTcpBinding uses the TCP protocol and provides full support for SOAP security, transactions and reliability; with client and service both on the intranet it is a good choice for performance. The bindingConfiguration attribute must name the binding configuration that enables message security; if it is left empty the binding defaults apply (transport security with Windows credentials) and the username configuration below is never used. |
| | A mex endpoint is created for publishing the metadata. | `<endpoint address="Mex" binding="mexTcpBinding" bindingConfiguration="" name="MexEndpoint" contract="IMetadataExchange"/>` | Required so that the client can add a reference to the WCF service with SvcUtil or Add Service Reference; the serviceMetadata behavior must be enabled on the service as well. |
| WCF Service: Authentication | The netTcpBinding is configured for UserName authentication with message security. | `<netTcpBinding> <binding name="NetTcpBindingEndpointConfig"> <security mode="Message"> <message clientCredentialType="UserName"/> </security> </binding> </netTcpBinding>` | The username and password travel inside the SOAP message, encrypted with the service certificate, rather than at the transport layer. |
| | SqlMembershipProvider is configured for username authentication. | `<add name="MySqlMembershipProvider" connectionStringName="MyLocalSQLServer" type="System.Web.Security.SqlMembershipProvider, ..." ... />` | WCF passes each username/password pair to the provider's ValidateUser method. Unlike the ASP.NET side, no forms authentication ticket is involved; the caller is authenticated on every message. |
| | The service behavior is configured to use the membership provider for username authentication. | `<behaviors> <serviceBehaviors> <behavior name="ServiceBehavior"> ... <serviceCredentials> <userNameAuthentication userNamePasswordValidationMode="MembershipProvider" membershipProviderName="MySqlMembershipProvider" /> </serviceCredentials> ... </behavior> </serviceBehaviors> </behaviors>` | The membershipProviderName must match a provider declared in the host's system.web/membership section. |
| | The service certificate is installed on the WCF service machine and the service behavior references it. | `<behaviors> <serviceBehaviors> <behavior name="ServiceBehavior"> <serviceCredentials> <serviceCertificate findValue="CN=tempCert" /> ... </serviceCredentials> </behavior> </serviceBehaviors> </behaviors>` | Required to protect the user credentials in the message: the client encrypts the UserName token for the service's public key. The Windows service account needs read access to the certificate's private key in the LocalMachine store, or the host fails to open. |
| WCF Service: Authorization | The role manager feature is enabled and SqlRoleProvider is configured for role authorization. | `<roleManager enabled="true" defaultProvider="MySqlRoleProvider"> <providers> <add name="MySqlRoleProvider" connectionStringName="MyLocalSQLServer" applicationName="MyAppName" type="System.Web.Security.SqlRoleProvider" /> </providers> </roleManager>` | The role manager looks up users' roles without custom code, and the role providers offer a consistent way to check role membership regardless of the underlying data store. |
| | WCF operations perform role checks, either declaratively or imperatively. | `[PrincipalPermission(SecurityAction.Demand, Role="Manager")]` | Use an imperative check (Thread.CurrentPrincipal.IsInRole or Roles.IsUserInRole) for a fine-grained decision inside an operation, avoiding a demand over the whole method. For either form to see the SQL roles, the serviceAuthorization behavior must set principalPermissionMode to UseAspNetRoles and roleProviderName to the configured role provider; otherwise the principal is built from Windows groups and the demand fails. |
| WCF Service: SQL | The database connection string is configured for Windows authentication. | | The connection string includes `Integrated Security=SSPI` or `Trusted_Connection=Yes`. |
| | The database connection is opened under the WCF process identity's security context. | | The original caller's identity is not flowed to SQL Server (trusted subsystem model), so any per-user authorization must happen in the WCF service before data access. |
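The Windows service host, the membership and role provider wiring, and the two styles of role check described above can also be expressed in code. The following C# is an added example written for this page, not the guide's code. It assumes the contract `IMyService` with a hypothetical `ApproveOrder` operation, the address `net.tcp://localhost:8000/WCFHostService`, and the provider names and certificate subject used in the configuration above; the membership and role providers themselves are still declared in the host's app.config as shown.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.ServiceProcess;
using System.Threading;
using System.Web.Security;

[ServiceContract]
public interface IMyService
{
    [OperationContract]
    string GetData(int value);

    [OperationContract]
    void ApproveOrder(int orderId, decimal amount);   // hypothetical operation
}

public class MyService : IMyService
{
    // Declarative check: the demand runs before the body, so a caller outside "Manager"
    // receives an access-denied fault and none of the operation executes.
    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    public string GetData(int value)
    {
        // The original caller's name is the username the membership provider validated.
        string caller = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        return string.Format("{0} requested item {1}", caller, value);
    }

    // Imperative check: only the high-value branch needs the role, so the decision is
    // scoped to that branch instead of demanding the role for the whole operation.
    public void ApproveOrder(int orderId, decimal amount)
    {
        if (amount > 10000m && !Thread.CurrentPrincipal.IsInRole("Manager"))
        {
            throw new FaultException("Orders above 10,000 require the Manager role.");
        }
        // Data access here runs under the Windows service's process identity (trusted
        // subsystem), never under the caller's; the checks above are the per-user authorization.
    }
}

// Windows Service that self-hosts the net.tcp endpoint: programmatic equivalent of the
// netTcpBinding, serviceCredentials and mex configuration above.
public class WcfHostService : ServiceBase
{
    private ServiceHost host;

    protected override void OnStart(string[] args)
    {
        var binding = new NetTcpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        host = new ServiceHost(typeof(MyService), new Uri("net.tcp://localhost:8000/WCFHostService"));
        host.AddServiceEndpoint(typeof(IMyService), binding, "");

        // Service certificate that protects the UserName token and the message body
        // (the service account must be able to read its private key).
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectDistinguishedName, "CN=tempCert");

        // Each username/password pair is handed to the SQL membership provider from app.config.
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.MembershipProvider;
        host.Credentials.UserNameAuthentication.MembershipProvider =
            Membership.Providers["MySqlMembershipProvider"];

        // Without this, PrincipalPermission and Thread.CurrentPrincipal.IsInRole see Windows
        // groups (the default) and the SQL role checks above always fail.
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseAspNetRoles;
        host.Authorization.RoleProvider = Roles.Providers["MySqlRoleProvider"];

        // Metadata endpoint so that svcutil / Add Service Reference can generate the proxy.
        host.Description.Behaviors.Add(new ServiceMetadataBehavior());
        host.AddServiceEndpoint(typeof(IMetadataExchange),
            MetadataExchangeBindings.CreateMexTcpBinding(), "Mex");

        host.Open();
    }

    protected override void OnStop()
    {
        if (host != null)
        {
            host.Close();
            host = null;
        }
    }

    public static void Main()
    {
        ServiceBase.Run(new WcfHostService());
    }
}
```

The `Membership` and `Roles` static classes read the system.web/membership and system.web/roleManager sections of the Windows service's app.config, so the provider declarations and the MyLocalSQLServer connection string from the table must still be present there; if a provider name is not found the corresponding lookup returns null and the host throws on Open.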
Database Server

| What | Check | Example | More Info |
|------|-------|---------|-----------|
| Configuration | A SQL Server login is created for the WCF service account (process identity). | | |
| | The login is mapped to a database user in the application database. | | |
| Authentication | SQL Server is configured to use Windows authentication. | | No SQL login password is needed, so none appears in the WCF service's configuration. |
| Authorization | The database user is placed in a database role created for the WCF service. | | SQL Server permissions are granted to the role rather than to the user or login. |
| | Database permissions are granted to the database role. | | Grant execute permission only on the stored procedures the service needs; do not grant direct table access. |
Communication Security

| What | Check | Example | More Info |
|------|-------|---------|-----------|
| Browser to Web Server | SSL is used between the browser and the web server to protect sensitive data on the wire. | | A server certificate must be installed on the web site, and the virtual directory of the web application must be configured to require SSL. |
| Web Server to Application Server | Message security on the netTcpBinding protects the user's credentials and sensitive data between the ASP.NET application and the WCF service. | | The service certificate bootstraps the encryption and signing of the messages, so the username and password never travel in the clear. |
| Application Server to Database | IPSec or SSL can be used between the application server and the database server to protect sensitive data on the wire. | | |
Contributors and Reviewers
- External Contributors and Reviewers:
- Microsoft Consulting Services and PSS Contributors and Reviewers:
- Test team: Rohit Sharma, Chaitanya Bijwe, Parameswaran Vaideeswaran.
- Edit team: Dennis Rea.
- SEO team: Rob Boucher.