I would like to use WCF (Windows Communication Foundation) with Windows authentication.

Do I need Active Directory for this purpose? How does the server know the identity of the client?

If someone can find out the password of the client that is using the WCF services, can he create the same user name on a different computer and use the password to access the WCF services?

Regards, Darko Petreski

+1  A: 

Yes, if you want to use Windows authentication, you need Active Directory as the source where the user gets validated.

The way this happens is by means of a user "token" - when your client logs into his PC with his Windows credentials, the login process will check with AD whether the user is legit and issue a "token". This token is then used in calls to a WCF service to determine who it is that is calling the service.

marc_s
Is the user connected somehow with the hardware, or can it be used from several computers? I mean, if it is once added to the Active Directory with the admin password for the Active Directory, can it be reused from another computer (just add the username to the computer and fool the Active Directory)? Example: payment software for a supermarket. I cannot trust the sellers. Can they see the Windows username and somehow find the password and reuse them for malicious attacks from another computer?
darko petreski
The user is authenticated against the Active Directory - he's definitely *not* tied to a specific PC.
marc_s
If you need something like this, you could send along the machine name as a WCF header, and in your service check against a list of "allowed" machine names or something. But even that can be spoofed, if they really want to....
marc_s
Great answer. Thanks.
darko petreski
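
The service-side check discussed in the comments above, as an added example that is not code from the thread or its participants: the operation reads the caller's Windows identity from the security context and compares a client-supplied machine-name header against an allow-list. The contract `IPaymentService`, the header name and namespace, and the machine names are hypothetical, and the binding is assumed to be configured for Windows client credentials.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Channels;

[ServiceContract]
public interface IPaymentService            // hypothetical contract
{
    [OperationContract] string Ping();
}

public class PaymentService : IPaymentService
{
    // Hypothetical header name/namespace and constructed sample allow-list.
    public const string HeaderName = "MachineName";
    public const string HeaderNs = "urn:example:payment";
    static readonly HashSet<string> AllowedMachines =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "TILL-01", "TILL-02" };

    public string Ping()
    {
        // Identity established by Windows authentication: the part the service can rely on.
        WindowsIdentity caller = ServiceSecurityContext.Current?.WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new FaultException("Windows authentication required.");

        // The machine name is supplied by the client, so it is a hint, not proof of origin.
        MessageHeaders headers = OperationContext.Current.IncomingMessageHeaders;
        int idx = headers.FindHeader(HeaderName, HeaderNs);   // -1 when the header is absent
        string machine = idx >= 0 ? headers.GetHeader<string>(idx) : null;
        if (machine == null || !AllowedMachines.Contains(machine))
            throw new FaultException("Caller machine is not on the allow-list.");

        return "Hello " + caller.Name + " from " + machine;
    }
}

public static class ClientHelper
{
    // Client side: attach the machine name as a SOAP header for this call.
    public static string CallPing(IPaymentService proxy)
    {
        using (new OperationContextScope((IContextChannel)proxy))
        {
            OperationContext.Current.OutgoingMessageHeaders.Add(
                MessageHeader.CreateHeader(PaymentService.HeaderName, PaymentService.HeaderNs, Environment.MachineName));
            return proxy.Ping();
        }
    }
}
```

Because the header value comes from the caller, authorization decisions should rest on `caller.Name` and its group memberships; the allow-list only filters out clients that do not bother to set the header.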