0

Development Environment: Windows 7 Enterprise with .NET 4.0 with Visual Studio 2010

Production Environment: Windows 2008 Server with IIS 7.0

I'm trying to figure out the best way to authenticate and authorize against a WCF service running on a separate machine in a separate security zone from the ASP .NET web application.

Users log in with a username and password against credentials we have stored in a database. We did not implement Membership Provider, but when the user's credentials pass mustard, we manually create a Forms Auth ticket with the user id.

I did roll my own Role Provider that implements RoleProvider. As a result, we have "standard" ASP .NET roles along with a forms auth ticket working on our ASP .NET web application.

What I need to do is somehow pass these credentials along to the WCF service that's sitting on another machine. Originally, I thought I might use the Windows Identity Foundation and create a custom Security Token Service (STS). Basically, if the user authenticates, then create a token and add in the claims based authorization along with user identity into the token and pass that along to the WCF service.

We are currently using a .NET Remoting service (.NET 1.1 timeframe) that does not authenticate or authorize at all.

That seems like it might be a bit of overkill as there might be a way to simply pass along the information I currently have with the user as when you create the Forms Auth ticket, I know the current IPrinciple is set with the IIdentity set with a "name" property set to the user id on the Thread.CurrentIdentity.

I'm pretty sure IsInRole("WhateverRole") would work correctly at this point too, but all of this is on the Web application side. Nothing gets passed to the .NET Remoting service.

Looking at these two classes:
AuthenticationService Class
ServiceAuthorization Class
I don't think they are what I want. Likewise, I've read through Michele Bustamante's Learning WCF, but I don't really see this particular scenario covered. When I read about Windows Authentication, I keep thinking that needs to be tied into some internal NTLM or Kerberos associated with the internal Windows security situation. None of our users are internal users. They're strictly external.

Now, I know that if the user gets a Forms Auth ticket, they essentially get a valid IPrinciple and the roles should be set, right?

If so, is there a way to pass this along to a WCF service setting on another machine? If I set the WCF clientCredentialType to windows and set the serviceAuthorization principlePermissionMode to "UseAspNetRoles", will these be passed along in the security context from the web application to the WCF service when I make the service call?

Nothing I can find is clear on how this might happen. Thanks.

John Saunders
  • 160,644
  • 26
  • 247
  • 397
Dan7el
  • 1,995
  • 5
  • 24
  • 46
  • Do you need the WCF service to authenticate against the users credentials? Or just the web servers credentials? Are both servers in the same web domain (not windows domain)? – Erik Funkenbusch May 14 '13 at 20:36
  • Ideally, I would want the WCF to authenticate against the user's credentials. They are not in the same domain. – Dan7el May 14 '13 at 20:54

1 Answers1

1

I think what you want is this:

http://thoughtorientedarchitecture.blogspot.com/2009/10/flowing-aspnet-forms-authentication.html

This isn't super secure, since you're effectively creating your own man-in-the-middle attack, but it's probably secure enough for most needs.

Essentially this boils down to this:

  1. Configure both servers with the same MachineKey
  2. Grab the FormsAuthentication cookie from the user request
  3. Attach the cookie to the outgoing WCF service call
  4. ???
  5. Profit
Erik Funkenbusch
  • 92,674
  • 28
  • 195
  • 291