You need to keep two concepts apart:
AUTHENTICATION is the process of determining who it is that's calling you, and making sure he really is who he claims to be; this can be done using username/password, Windows credentials (he had already authenticated himself to his Windows box through logging on), or by requiring the caller to have some information (certificate)
AUTHORIZATION is the process - once you know who is calling you - of determining what that caller can do (or what he cannot do)
In order to use Active Directory groups, you need to use a security mode in WCF that supports Windows credentials. The easiest is to use Windows credentials from the beginning, which is the default for wsHttpBinding and netTcpBinding - in this case, the caller will always pass along his Windows credentials with every call, and you can inspect those on the server side by looking at the ServiceSecurityContext.Current.WindowsIdentity:
WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
This works well in an Intranet scenario - everyone is behind a corporate firewall and authenticated on their machines anyway. In order to enable this, just use wsHttp or netTcp binding (I'd recommend netTcp in this case).
The other slightly more complicated case is when you have your client present a X.509 certificate, and you then map that on the server side to an existing AD user in your network. That's rather advanced, however.
Once your caller is authenticated, i.e. you know who is calling, you can use the regular role-based security model to limit privileges. Just add [PrincipalPermission(....)] attributes to the methods that you want to protect, and if the user doesn't match any of those requirements, a security exception will be thrown and the method will not be executed.
[PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
[PrincipalPermission(SecurityAction.Demand, Name = "JohnDoe")]
public string SayHello(string caller)
{
......
}
You can have multiple of those "PrincipalPermission" attributes, and they're matched together in an "OR"-fashion - if any one of them matches the current caller, he'll be allowed to make the call.
Check out page 4 of this article Fundamentals of WCF Security for more details on how to use role-based security.
Marc
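The two halves of the answer above (Windows authentication carried by netTcpBinding, then role-based authorization with PrincipalPermission) put together in one self-hosted service, as an added example that is not part of Marc's answer or of any WCF sample. The contract name IGreeter, the Greeter class, the WhoAmI operation, the address net.tcp://localhost:8081/greeter and the group EXAMPLE\WcfUsers are all assumptions chosen for the illustration; substitute your own domain and group.

```csharp
using System;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical service contract (not from the answer above).
[ServiceContract]
public interface IGreeter
{
    [OperationContract]
    string SayHello(string caller);

    [OperationContract]
    string WhoAmI();
}

public class Greeter : IGreeter
{
    // AUTHORIZATION: with the default PrincipalPermissionMode (UseWindowsGroups)
    // the Role name is matched against the caller's Windows token groups.
    // Domain groups are written as "DOMAIN\GroupName"; EXAMPLE\WcfUsers is a placeholder.
    [PrincipalPermission(SecurityAction.Demand, Role = @"EXAMPLE\WcfUsers")]
    public string SayHello(string caller)
    {
        return "Hello, " + caller;
    }

    // AUTHENTICATION result: the identity the transport established for this call.
    public string WhoAmI()
    {
        WindowsIdentity id = ServiceSecurityContext.Current.WindowsIdentity;
        if (id == null || id.IsAnonymous)
            throw new FaultException("Caller was not authenticated with Windows credentials.");

        // Group checks can also be done imperatively instead of via the attribute.
        var principal = new WindowsPrincipal(id);
        bool localAdmin = principal.IsInRole(WindowsBuiltInRole.Administrator);
        return id.Name + (localAdmin ? " (member of local Administrators)" : "");
    }
}

class Program
{
    static void Main()
    {
        // netTcpBinding defaults already mean Transport security with Windows
        // credentials; set explicitly here so the choice is visible in code.
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        var address = new Uri("net.tcp://localhost:8081/greeter"); // constructed address

        using (var host = new ServiceHost(typeof(Greeter), address))
        {
            host.AddServiceEndpoint(typeof(IGreeter), binding, "");
            host.Open();

            // Client in the same process: the current Windows logon is sent automatically.
            var factory = new ChannelFactory<IGreeter>(binding, new EndpointAddress(address));
            IGreeter proxy = factory.CreateChannel();

            Console.WriteLine(proxy.WhoAmI());
            try
            {
                Console.WriteLine(proxy.SayHello("Marc"));
            }
            catch (SecurityAccessDeniedException)
            {
                // The server-side PrincipalPermission demand failed; WCF surfaces it
                // on the client as SecurityAccessDeniedException, and the method body never ran.
                Console.WriteLine("Access denied: caller is not in the required group.");
            }

            ((IClientChannel)proxy).Close();
            factory.Close();
            host.Close();
        }
    }
}
```

Run it under a domain account that is, and then one that is not, a member of the group named in the attribute: the first call to WhoAmI succeeds either way (authentication), while SayHello only succeeds for the group member (authorization). Keeping IncludeExceptionDetailInFaults off, as it is here by default, means a rejected caller learns only that access was denied, not which role check failed.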