1

I'm building a service, using soap (wcf). I want to make my endpoint a bit more secure with a single password and username. When i try to add following configuration, Windows Azure throws the following error:

Error: This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".

Linecode is: I had to change this in my IIS when testing localy, but apparantly I'm not able to adjust it at the Windows Azure platform?

All i want to do, is using an own password and username for access. Is the

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.diagnostics>
    <trace>
      <listeners>
        <add type="Microsoft.WindowsAzure.Diagnostics.DiagnosticMonitorTraceListener, Microsoft.WindowsAzure.Diagnostics, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" name="AzureDiagnostics">
          <filter type="" />
        </add>
      </listeners>
    </trace>
  </system.diagnostics>
  <system.web>
    <compilation debug="true" targetFramework="4.0" />
    <customErrors mode="Off"/>
  </system.web>

  <system.serviceModel>

    <behaviors>
      <serviceBehaviors>
        <behavior name="credsBehavior">
          <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
          <serviceMetadata externalMetadataLocation="external metadata location" />

          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="false" />
          <serviceCredentials>
            <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="WCFServiceWebRole.CustomUserNameValidator, WCFServiceWebRole, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
      <endpointBehaviors>
        <behavior name="ServiceEndpointBehavior">
          <schemaValidator validateRequest="True" validateReply="False">
            <schemas>
              <add location="schemalocation" />
            </schemas>
          </schemaValidator>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="false" />

    <extensions>
      <behaviorExtensions>
        <add name="schemaValidator" type="WCFServiceWebRole.Validation.SchemaValidationBehaviorExtensionElement, WCFServiceWebRole, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
      </behaviorExtensions>
    </extensions>

    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpsBinding_CvServiceInterface" maxBufferSize="2147483647" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647" receiveTimeout="01:00:00" openTimeout="01:00:00" closeTimeout="01:00:00" sendTimeout="01:00:00">
          <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
                        maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />

          <security mode="Transport">
              <transport clientCredentialType="Basic"/>
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>

    <services>
      <service name="WCFServiceWebRole.CvService" behaviorConfiguration="credsBehavior">
        <endpoint address="myendpoint" behaviorConfiguration="ServiceEndpointBehavior" binding="basicHttpBinding" bindingConfiguration="BasicHttpsBinding_CvServiceInterface" contract="ICvService" />
      </service>
    </services>

  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
    <directoryBrowse enabled="true" />

    <security>
      <authentication>
        <basicAuthentication enabled="true"/>
      </authentication>
    </security>
  </system.webServer>
</configuration>

<!--<system.webServer>
  <security>
    <authentication>
      <anonymousAuthentication enabled="false" />
      <basicAuthentication enabled="true" />
    </authentication>
  </security>
</system.webServer>-->

Jeroen

Jeroen Van Olmen
  • 23
  • 4

2 Answers2

1

Basic Authentication is not available by default in the Windows Azure web roles.

enter image description here

You'll need to create 2 startup scripts:

Powershell script to install basic authentication

Import-Module ServerManager
Add-WindowsFeature Web-Basic-Auth

Note: This requires PowerShell 2.0 that is included in Windows Server 2008 R2 (you'll need to set the osFamily to 2 to get Windows Server 2008 R2: http://msdn.microsoft.com/en-us/library/windowsazure/ee758710.aspx)

Bat file that will activate basic authentication

%windir%\system32\inetsrv\appcmd set config /section:basicAuthentication /enabled:true

Question

Why would you even need basic authentication? Correct me if I'm wrong, but UserName/Password authentication in WCF should work without IIS, so I don't see why it would need basic authentication to work.

Sandrino Di Mattia
  • 24,739
  • 2
  • 60
  • 65
  • Like I said, when I'm hosting my service on Windows Azure (which is using IIS), it gives me an error using the basic authentication. (the reason is, like you mentioned before, basic auth is not enabled). If you know an other approach or solution to my problem, be my guest. I just need the client to fill in username and password to verify against a username and password at server side. I'm relatively new to this matter so – Jeroen Van Olmen Apr 13 '12 at 12:29
  • You can remove the security element from the web.config, this is what's causing the problems. The security is present in the WCF infrastructure. Follow this guide to use custom username/password authentication: http://blogs.msdn.com/b/pedram/archive/2007/10/05/wcf-authentication-custom-username-and-password-validator.aspx – Sandrino Di Mattia Apr 13 '12 at 12:36
1

Like Sandrino mentioned, I don't need basicauth to get authorization and authentication with a custom username and password.

Instead of:

<security mode="Transport">
<transport clientCredentialType="Basic"/>
</security>

I had to do:

  <security mode="TransportWithMessageCredential">
    <transport clientCredentialType="None"/>
    <message clientCredentialType="UserName" />
  </security>

At client side:

    ServiceReference1.CvServiceInterfaceClient cl = new ServiceReference1.CvServiceInterfaceClient();
    ClientCredentials creds = new ClientCredentials();

    creds.UserName.UserName = "username";
    creds.UserName.Password = "password";
    var defaultCredentials = cl.Endpoint.Behaviors.Find<ClientCredentials>();
    cl.Endpoint.Behaviors.Remove(defaultCredentials);
    cl.Endpoint.Behaviors.Add(creds);

Jeroen

Jeroen Van Olmen
  • 23
  • 4