
I am creating a secure (SSL) public service where the users' credentials reside in Active Directory. I want to leverage ServiceStack's Authentication and have read over the wiki article. I already have code written to verify the user credentials with AD. I have a few questions.

  1. Which Auth provider do I use? Credentials, Basic Auth or Custom? The service requires SSL, so Basic Auth would be safe; however, passwords would be encrypted for added safety.
  2. Do I still need to store the UserAuth and cache the AuthUserSession?
  3. Will the monotouch client support authentication?

Update 2: I did end up making a test SS service that integrated with AD, using CredentialsAuthProvider. However, my ultimate goal is to have one site that is an API when called by clients. So basically an SS MVC site.

Update:

It is my understanding, after doing some more research, that SS is considering doing a commercial product that may support Windows Authentication in the future. I read this in a comment from mythz on the SS Google group. The reason I asked this SO question is that my company builds internal applications using IWA, and adopting SS MVC is hard without IWA. I think I read that you could host the SS MVC site off of an ASP.NET site that uses IWA, but I have not tried that yet.

BrandonG
  • I spoke with Demis Bellot on twitter and got a similar response. `@ChaseFlorell Not something I've investigated, don't work in the Win/Active Directory anymore. Requires some R&D to find/resolve the issue`... You should write what he has said as an answer below. – Chase Florell Apr 26 '13 at 17:41

2 Answers


Here is what Demis Bellot said on twitter. Probably possible but needs more research.

Not something I've investigated, don't work in the Win/Active Directory anymore. Requires some R&D to find/resolve the issue

I did eventually get a prototype service working with AD. I implemented the CredentialsAuthProvider. Now this is not tied to ASP.NET IWA at all, but does easily check to see if the user is in AD. Hopefully this might help someone.

// ServiceStack v3 namespaces (the API this thread was written against).
using System;
using System.Configuration;
using System.DirectoryServices;
using ServiceStack.ServiceInterface;
using ServiceStack.ServiceInterface.Auth;

public class LDAPAuthProvider : CredentialsAuthProvider
{
    public override bool TryAuthenticate(IServiceBase authService, string userName, string password)
    {
        // The bind itself is the credential check: constructing the DirectoryEntry is lazy,
        // so touching NativeObject forces the connection, and a wrong user name or
        // password surfaces as an exception.
        try
        {
            using (var entry = new DirectoryEntry(
                ConfigurationManager.AppSettings["TargetOU"],
                userName,
                password,
                AuthenticationTypes.Secure)) // the default for this constructor, made explicit: Negotiate bind, not a simple (cleartext) bind
            {
                object nativeObject = entry.NativeObject;
            }
        }
        catch (Exception)
        {
            // Username/password combo failed. An unreachable domain controller fails the
            // same way, so this fails closed but cannot distinguish an outage from a typo.
            return false;
        }

        return true;
    }
}
BrandonG
  • I'd add as much info as you can to this answer. Include some of the info from your "updates" above, and maybe some code on how you used `CredentialsAuthProvider`. – Chase Florell Apr 27 '13 at 02:21
  • I think a good compromise would be to use Forms Authentication. IWA used to be easy to set up and required no setup for the user, but with newer versions of IE you have to add the site to your trusted sites and then edit the security settings to allow the user credentials to be passed along. You could implement Forms Authentication and, if a client visits the URL, authenticate their credentials and still save the cookie using FormsAuthentication.SetAuthCookie(). – BrandonG May 02 '13 at 19:56
  • This SO question would be a great help: http://stackoverflow.com/questions/15068774/use-asp-net-authentication-with-servicestack – BrandonG May 02 '13 at 20:24
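To address the request in the comments for how the provider is actually used, here is the AppHost wiring as an added example; it is not code from the answer above or from ServiceStack itself. It assumes the LDAPAuthProvider class posted in this answer is in the same project, the ServiceStack v3 API this thread was written against (v4 renamed IHttpRequest to IRequest and RequestFilters to GlobalRequestFilters), and a hypothetical HelloRequest/HelloResponse DTO pair used only to show a protected endpoint.

```csharp
using System.Net;
using Funq;
using ServiceStack.CacheAccess;
using ServiceStack.CacheAccess.Providers;
using ServiceStack.ServiceHost;
using ServiceStack.ServiceInterface;
using ServiceStack.ServiceInterface.Auth;
using ServiceStack.WebHost.Endpoints;

// Hypothetical DTOs, present only so there is an endpoint to protect.
[Route("/hello/{Name}")]
public class HelloRequest : IReturn<HelloResponse>
{
    public string Name { get; set; }
}

public class HelloResponse
{
    public string Result { get; set; }
}

// [Authenticate] is what turns the provider's TryAuthenticate result into an enforced
// check: a caller without an authenticated session gets a 401 before the service runs.
[Authenticate]
public class HelloService : Service
{
    public object Any(HelloRequest request)
    {
        // The AuthUserSession that AuthFeature cached when the client POSTed to /auth/credentials.
        var session = this.GetSession();
        return new HelloResponse { Result = "Hello, " + session.UserAuthName + " (" + request.Name + ")" };
    }
}

public class AppHost : AppHostBase
{
    public AppHost() : base("AD-backed API", typeof(HelloService).Assembly) { }

    public override void Configure(Container container)
    {
        // AuthFeature stores sessions through ICacheClient; use a Redis-backed client
        // instead of MemoryCacheClient if the service runs on more than one node.
        container.Register<ICacheClient>(new MemoryCacheClient());

        // Register the LDAP-backed credentials provider (assumed defined as in the answer above).
        // No IUserAuthRepository is registered, so nothing about the user is persisted:
        // AD stays the only source of truth and only the session lives in the cache.
        Plugins.Add(new AuthFeature(
            () => new AuthUserSession(),
            new IAuthProvider[] { new LDAPAuthProvider() }));

        // The credentials POST and the session cookie cross the wire in clear text without TLS,
        // so refuse plain HTTP in the application too rather than relying on the IIS binding alone.
        RequestFilters.Add((req, res, dto) =>
        {
            if (!req.IsSecureConnection)
            {
                res.StatusCode = (int)HttpStatusCode.Forbidden;
                res.Write("HTTPS required");
                res.Close(); // ends the pipeline; the service never runs
            }
        });
    }
}
```

A client authenticates by POSTing `UserName`/`Password` to `/auth/credentials` and then presents the returned session cookie on `/hello/{Name}`; the LDAP bind happens once per login, not per request, which is the practical reason to prefer the Credentials provider over Basic Auth here (Basic would re-bind to AD on every call).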

I've also hooked up ServiceStack with Integrated Windows Authentication (for a corporate application), and the key was to skip trying to integrate it with ServiceStack's AuthProviders entirely, since the general approach of IWA doesn't deal with credentials in your application code -- it's handled by the web server. What I did was:

  1. Configure the site/application in IIS so that Windows Authentication was the only enabled option. (No Anonymous access allowed.) This means IIS itself will take care of the challenge-response (HTTP 401/200) sequence with unauthenticated users, and handles the authentication part of the process for you.

  2. Implement ServiceStack's IHasRequestFilter (an HTTP pre-request filter) as an Attribute (e.g., [AdminOnly]). This filter's RequestFilter method fetches the current username from HttpContext (HttpContext.User.Identity.Name), looks it up from a repository (which could be a SQL database, flat file, etc.), caches results using ServiceStack's ICacheClient (memory cache, Redis, etc.), and throws a 403 HttpError if unauthorized.

With this done, all that was necessary was to add the attribute to classes or methods where desired (which gets this authentication/authorization into the service pipeline where desired), and register my desired cache provider in my AppHost implementation, e.g.:

 container.Register<ICacheClient>(new MemoryCacheClient() { FlushOnDispose = false });

It works beautifully.

Nick Jones
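The two steps described in this answer, carried through as an added example (not the answer's own code or ServiceStack's): IIS is assumed to have Windows Authentication as the only enabled scheme, so the attribute only reads the identity IIS already established. It is written against the ServiceStack v3 API of the time (RequestFilterAttribute with IHttpRequest/IHttpResponse; v4 uses IRequest/IResponse). IAdminRepository, StaticAdminRepository, the AdminStatus DTO and the "CORP\..." account names are hypothetical and constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Web;
using Funq;
using ServiceStack.CacheAccess;
using ServiceStack.CacheAccess.Providers;
using ServiceStack.Common.Web;
using ServiceStack.ServiceHost;
using ServiceStack.ServiceInterface;
using ServiceStack.WebHost.Endpoints;

// Hypothetical lookup; back it with SQL, a flat file, a group query, etc.
public interface IAdminRepository
{
    bool IsAdmin(string windowsAccountName);
}

// Constructed in-memory repository so the example has something to look up.
public class StaticAdminRepository : IAdminRepository
{
    private static readonly HashSet<string> Admins =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { @"CORP\alice", @"CORP\bob" };

    public bool IsAdmin(string windowsAccountName)
    {
        return Admins.Contains(windowsAccountName);
    }
}

public class AdminOnlyAttribute : RequestFilterAttribute
{
    // Authorization decisions are cached for this long, so revoking someone lags by up to this much.
    private static readonly TimeSpan CacheTtl = TimeSpan.FromMinutes(5);

    public override void Execute(IHttpRequest req, IHttpResponse res, object requestDto)
    {
        // IIS has already completed the Negotiate/NTLM exchange; we only read the outcome.
        var identity = HttpContext.Current != null ? HttpContext.Current.User.Identity : null;

        // Fail closed: if anonymous access is ever re-enabled in IIS, Identity.Name is empty
        // and this filter must not quietly let the request through.
        if (identity == null || !identity.IsAuthenticated || string.IsNullOrEmpty(identity.Name))
            throw new HttpError(HttpStatusCode.Unauthorized, "Unauthorized", "Windows authentication required");

        var cache = req.TryResolve<ICacheClient>();
        var repo = req.TryResolve<IAdminRepository>();

        // Cache allow and deny decisions alike, so a denied caller cannot hammer the repository.
        // Strings rather than bools: a missing key (null) must be distinguishable from "deny".
        var key = "urn:adminonly:" + identity.Name.ToLowerInvariant();
        var cached = cache.Get<string>(key);
        bool isAdmin;
        if (cached == null)
        {
            isAdmin = repo.IsAdmin(identity.Name);
            cache.Set(key, isAdmin ? "allow" : "deny", CacheTtl);
        }
        else
        {
            isAdmin = cached == "allow";
        }

        if (!isAdmin)
            throw new HttpError(HttpStatusCode.Forbidden, "Forbidden", "Not an administrator");
    }
}

// Hypothetical endpoint protected by the attribute.
[Route("/admin/status")]
public class AdminStatus { }

[AdminOnly]
public class AdminStatusService : Service
{
    public object Any(AdminStatus request)
    {
        return new { User = HttpContext.Current.User.Identity.Name };
    }
}

public class AppHost : AppHostBase
{
    public AppHost() : base("IWA-protected API", typeof(AdminStatusService).Assembly) { }

    public override void Configure(Container container)
    {
        container.Register<ICacheClient>(new MemoryCacheClient { FlushOnDispose = false });
        container.Register<IAdminRepository>(new StaticAdminRepository());
    }
}
```

Note that nothing in the attribute verifies a credential; that is exactly the point of the approach in this answer. Which is also why step 1 matters: the filter's entire security rests on IIS never serving the application to an anonymous caller, so the explicit `IsAuthenticated` check is there to make that dependency fail loudly rather than silently if the IIS configuration drifts.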