Why do I get a WindowsIdentity when using message security?

Question

When switching from no security to Certificate I get a WindowsIdentity in the IAuthorizationPolicy.Evaluate (evaluationContext.Properties.TryGetValue("Identities", out obj)? Is this by design :

From this :

<binding name="NetTcpBinding_IMyAppClientServiceRegular" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="infinite" sendTimeout="01:00:00" transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions" hostNameComparisonMode="StrongWildcard" listenBacklog="10" maxBufferPoolSize="2147483647" maxBufferSize="2147483647" maxConnections="10" maxReceivedMessageSize="2147483647">
          <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647"/>
          <reliableSession ordered="true" inactivityTimeout="infinite" enabled="false"/>
          <security mode="None">
            <transport clientCredentialType="None"/>
          </security>
        </binding>

To this :

<binding name="netTcpCertificate" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="infinite" sendTimeout="01:00:00" transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions" hostNameComparisonMode="StrongWildcard" listenBacklog="1000" maxBufferPoolSize="2147483647" maxBufferSize="2147483647" maxConnections="200" maxReceivedMessageSize="2147483647">
          <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647"/>
          <reliableSession ordered="true" inactivityTimeout="infinite" enabled="false"/>
          <security>
            <message clientCredentialType="Certificate"/>
          </security>
        </binding>

Is there any way to avoid getting the WindowsIdentity in IAuthorizationPolicy.Evaluate? I do only want the WindowsIdentity to be set when using this binding :

<binding name="NetTcpBinding_IMyAppClientServiceWindows" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="infinite" sendTimeout="01:00:00" transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions" hostNameComparisonMode="StrongWildcard" listenBacklog="10" maxBufferPoolSize="2147483647" maxBufferSize="2147483647" maxConnections="10" maxReceivedMessageSize="2147483647">
          <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647"/>
          <reliableSession ordered="true" inactivityTimeout="infinite" enabled="false"/>
          <security mode="Message">
            <message clientCredentialType="Windows"/>
          </security>

Sixto Saez · Accepted Answer · 2013-01-31T15:43:36.927

0

I noticed you have not set the mode in <security> in your netTcpCertificate config instead of what you probably want: <security mode="Message">. By not setting the mode attribute, WCF will use the default value of Transport instead of Message which is what you likely want for certificate credentials. It's possible that WCF is passing the Windows identity when the mode is set to transport but I haven't tried to verify it.

UPDATE: Based on the comments below, you should make sure that the client config file endpoint>indentity>dns>value matches the name of server certificate CN= value. This value needs to be MyAppServer based on what you entered.

edited Jan 31 '13 at 15:43

answered Jan 30 '13 at 15:06

Sixto Saez

12,610
5
43
51

Hi, when setting it to mode=Message the IAuthorizationPolicy.Evaluate will not be triggered(=no login made). The service method is however executed but on return the following exception will be thrown : "Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'localhost' but the remote endpoint provided DNS claim 'MyAppServer' " . I thought that it was using message becouse of the – Banshee Jan 30 '13 at 15:49
The error you're seeing is due to the certificate not using localhost as a domain name (DNS identity). Leaving the `mode` attribute empty might be right though. Look at [this good walkthrough](https://wcfsecurity.codeplex.com/wikipage?title=How%20To%20-%20Use%20Certificate%20Authentication%20and%20Message%20Security%20in%20WCF%20calling%20from%20Windows%20Forms) for message security with certificates. Try getting that sample to work in wsHttpBinding successfully first. Next, change the sample binding sample to use netHttpBinding and get it to work. Finally, check your config with the sample. – Sixto Saez Jan 30 '13 at 16:04
What attribute should be empty? I have followed this example what is exacly what I need : http://www.codeproject.com/Articles/36683/9-simple-steps-to-enable-X-509-certificates-on-WCF It is using Peer trust instead of chain and its also TCP instead of wsHTTP. – Banshee Jan 31 '13 at 08:20
Sorry, I left out the element. I was referring to the `Security` element in the config. I've edited the answer. – Sixto Saez Jan 31 '13 at 15:35

Why do I get a WindowsIdentity when using message security?

1 Answers1