Hello,

I have a WCF service that I only want my applications to have access to. My applications consist of a traditional web interface that uses JQuery and a Silverlight interface. Neither of these interfaces require the user to login.

Is there a way that I can tell a WCF service to only allow clients that originated from my domain? If so, how?

Thank you!

A: 

You could add a security restriction in IIS to only allow calls from the domain to the webservice.

Benjamin Ortuzar
A: 

Unless you consider Windows auth (since requests are coming from your domain), the preferred way to do this would be at a different level, via firewalls. At that level, you can restrict incoming traffic to a known set of IP addresses. This will only go so far, since IPs can be spoofed, but this is an open service, so there you go. A better alternative would be both firewalls and Windows auth.

Alternatively, you could check client IP addresses in WCF by querying OperationContext.Current.IncomingMessageProperties.

Randolpho
+2  A: 

Yes, of course you can - just require Windows credentials (i.e. an Active Directory account in your domain) from your callers.

Anyone not authenticated against your domain will be rejected.

You can do this by specifying either netTcpBinding with transport security (if everything is behind a corporate firewall), or wsHttpBinding with message security:

<bindings>
   <netTcpBinding>
      <binding name="DomainUsersOnly">
         <security mode="Transport">
            <transport clientCredentialType="Windows" />
         </security>
      </binding>
   </netTcpBinding>
   <wsHttpBinding>
      <binding name="HttpDomainUsersOnly">
         <security mode="Message">
            <message clientCredentialType="Windows" />
         </security>
      </binding>
   </wsHttpBinding>
</bindings>

Now, all you need to do is reference one of those binding configurations in your endpoints:

<endpoint name="whatever"
          address="......"
          binding="netTcpBinding"
          bindingConfiguration="DomainUsersOnly"
          contract="IYourservice" />

and you should be good to go.

marc_s
Careful here though - I think if a user has the same user name and password as a domain user (unlikely, I know) then they will be authenticated as the domain user.
Philip Wallace
No, they won't - they need to have an actual Windows credential - a Windows security token from your domain - not just the same name by chance.
marc_s
So how do you explain the third column on the table here: http://msdn.microsoft.com/en-us/library/ms164725.aspx
Philip Wallace
That has **nothing** to do with WCF....
marc_s
when your client authenticates against a WCF using Windows credentials, it is not sending username/password - it's sending a Windows domain token - you can't fake that by having the same username/password as a domain user.
marc_s
Marc is correct. You have to have an actual machine-to-machine trust established for Windows credentials to work over WCF.
Daniel Auger
Thank you Daniel for backing me up!
marc_s
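An added example (not code from the answer or its comments) of what the service side can do once the binding configuration above is in place: it reads the Windows identity WCF attached to the call, shows that the token carries an authentication protocol rather than a password, and narrows access from "any domain user" to one domain group with a PrincipalPermission demand. The contract name IYourService, the group CONTOSO\WcfClients and the net.tcp address are placeholders.

```csharp
using System;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical contract; IYourService is the placeholder name used in the answer.
[ServiceContract]
public interface IYourService
{
    [OperationContract]
    string WhoAmI();
}

public class YourService : IYourService
{
    // Demand membership in a domain group on top of "any domain user".
    // WCF evaluates this against the Windows principal it attaches to the
    // thread for the call (default principalPermissionMode is UseWindowsGroups);
    // non-members get an access-denied fault and the body never runs.
    // The group name is a placeholder.
    [PrincipalPermission(SecurityAction.Demand, Role = @"CONTOSO\WcfClients")]
    public string WhoAmI()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;

        // With clientCredentialType="Windows" an anonymous caller never reaches
        // this point, but the explicit check fails closed if someone later
        // relaxes the binding to allow anonymous callers.
        if (ctx == null || ctx.IsAnonymous || ctx.WindowsIdentity == null
            || !ctx.WindowsIdentity.IsAuthenticated)
        {
            throw new FaultException("Windows authentication is required.");
        }

        WindowsIdentity caller = ctx.WindowsIdentity;
        // AuthenticationType names the protocol that produced the token
        // (typically "Kerberos" or "NTLM"); no password crosses the wire,
        // which is the point made in the comments above.
        return string.Format("{0} via {1}", caller.Name, caller.AuthenticationType);
    }
}

// Client side matching the "DomainUsersOnly" binding from the answer.
// NetTcpBinding with transport security uses Windows credentials by default,
// so the calling process's own logon token is presented and nothing is typed.
// The address is a placeholder.
public static class Client
{
    public static string CallWhoAmI()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        var address = new EndpointAddress("net.tcp://service.example.local:8000/YourService");
        var factory = new ChannelFactory<IYourService>(binding, address);
        IYourService proxy = factory.CreateChannel();
        try
        {
            return proxy.WhoAmI();
        }
        finally
        {
            ((IClientChannel)proxy).Close();
            factory.Close();
        }
    }
}
```

The demand in the attribute is the part worth keeping even when the binding already rejects non-domain callers: it turns "authenticated against the domain" into "authorised for this operation", and the rejection happens before any of the method body runs.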
+1  A: 

If all of your legitimate users are supposed to be on your internal corporate LAN (on the same subnet), then you could lock it down by IP address using an approach like this. You could also clamp it down to several specific IP masks that way if you wanted to.

But if you want to allow legitimate users to hit it from anywhere, then this is not a good approach. Authentication would be better in that case.

Clay Fowler
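Both Randolpho's answer (checking OperationContext.Current.IncomingMessageProperties) and this one (locking the service to a subnet or a few IP masks) describe the same thing, so one added example serves both. It is not code from either answer: a dispatch message inspector that reads the peer address WCF records in RemoteEndpointMessageProperty, compares it against a list of CIDR ranges and faults the request when it is outside them, plus the endpoint behavior that installs it. The CIDR strings in the usage note are constructed sample values.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

// Rejects requests whose remote address is outside an allow list of CIDR ranges.
// WCF stores the peer address in RemoteEndpointMessageProperty; inside an
// operation the same collection is OperationContext.Current.IncomingMessageProperties.
public sealed class IpAllowListInspector : IDispatchMessageInspector
{
    // (network address, prefix length) pairs parsed from "a.b.c.d/n" strings.
    private readonly List<KeyValuePair<IPAddress, int>> _ranges =
        new List<KeyValuePair<IPAddress, int>>();

    public IpAllowListInspector(IEnumerable<string> cidrs)
    {
        foreach (string cidr in cidrs)
        {
            string[] parts = cidr.Split('/');
            IPAddress network = IPAddress.Parse(parts[0]);
            // A bare address with no "/n" means a single host.
            int prefix = parts.Length > 1 ? int.Parse(parts[1]) : network.GetAddressBytes().Length * 8;
            _ranges.Add(new KeyValuePair<IPAddress, int>(network, prefix));
        }
    }

    public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext instanceContext)
    {
        var remote = request.Properties[RemoteEndpointMessageProperty.Name] as RemoteEndpointMessageProperty;
        IPAddress peer;
        // Fail closed: missing property, unparsable address, or not on the list.
        if (remote == null || !IPAddress.TryParse(remote.Address, out peer) || !IsAllowed(peer))
        {
            throw new FaultException("Access denied.");
        }
        return null;
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }

    public bool IsAllowed(IPAddress address)
    {
        // Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; normalise so
        // IPv4 rules still match (IsIPv4MappedToIPv6/MapToIPv4 need .NET 4.5+).
        if (address.IsIPv4MappedToIPv6) address = address.MapToIPv4();
        foreach (KeyValuePair<IPAddress, int> range in _ranges)
        {
            if (InRange(address, range.Key, range.Value)) return true;
        }
        return false;
    }

    // Prefix comparison on the raw address bytes; works for IPv4 and IPv6,
    // but only within one address family.
    public static bool InRange(IPAddress address, IPAddress network, int prefixLength)
    {
        if (address.AddressFamily != network.AddressFamily) return false;
        byte[] a = address.GetAddressBytes();
        byte[] n = network.GetAddressBytes();
        int fullBytes = prefixLength / 8;
        int remainingBits = prefixLength % 8;
        for (int i = 0; i < fullBytes; i++)
        {
            if (a[i] != n[i]) return false;
        }
        if (remainingBits == 0) return true;
        int mask = 0xFF << (8 - remainingBits);
        return (a[fullBytes] & mask) == (n[fullBytes] & mask);
    }
}

// Endpoint behavior that installs the inspector on the dispatch (service) side.
public sealed class IpAllowListBehavior : IEndpointBehavior
{
    private readonly string[] _cidrs;
    public IpAllowListBehavior(params string[] cidrs) { _cidrs = cidrs; }

    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher)
    {
        endpointDispatcher.DispatchRuntime.MessageInspectors.Add(new IpAllowListInspector(_cidrs));
    }

    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters) { }
    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime) { }
    public void Validate(ServiceEndpoint endpoint) { }
}
```

Attach it before opening the host, e.g. `foreach (ServiceEndpoint ep in host.Description.Endpoints) ep.Behaviors.Add(new IpAllowListBehavior("10.0.0.0/8", "192.168.1.0/24"));` (sample ranges). The address the inspector sees is the TCP peer, so behind a load balancer or reverse proxy it will be the proxy's address and the filter needs to be applied there instead; and, as both answers say, this is a network-layer restriction that complements authentication rather than replacing it.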