-1

Using the latest VS 2013 and Azure SDK 2.4, I've created a Web Role and a WCF service in it. This service will be consumed by a standard generated .NET service reference client proxy.

I am trying to figure out the simplest way to secure this WCF service. I mean securing it so that the authentication cannot be hacked in an easy way, such as a clear-text password, etc.

Some additional info about the use case:

  • There will be only one user
  • It is completely OK to store any secret on the client side (like username/password or certificate) because the client app will run in a secured place
  • I would just like to prevent my service from being accessed by the public. Only my client app running in the secured place should access it, no more, no less.

So I am googling the web, and the more I read, the more I am confused and overwhelmed by the options and possibilities that I think I do not need. When searching for client certificates I find overcomplicated federated auth methods with server-side temp certs etc., which I am not sure my simple use case requires.

Any help appreciated. Thanks in advance

g.pickardou

1 Answer

1

If you really want to restrict access then I would look at client certificates. Configuring Azure for client certificates seems quite complex to detail in a single SO post, so I'll refer you to this blog post, client-certificates-in-windows-azure, and I'll summarize below [I used this myself recently so I know it works].

In essence you can make your own certificates using makecert [NOTE: you may want an official SSL cert for your site and only use self-signed for your client certificates.]

You then configure your site to accept client certs - normally I'd use appcmd.exe and a startup task but as the blog post points out your site is not ready so instead you need to add this to your webrole OnStart method [I actually went down the appcmd.exe path initially and was very confused].

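// Requires Microsoft.Web.Administration (ServerManager) and
// Microsoft.WindowsAzure.ServiceRuntime (RoleEnvironment).
using (var serverManager = new ServerManager())
{
    try
    {
        // IIS site name of this web role instance
        var siteName = RoleEnvironment.CurrentRoleInstance.Id + "_Web";
        var config = serverManager.GetApplicationHostConfiguration();
        var accessSection = config.GetSection("system.webServer/security/access", siteName);
        // Ask the client for a certificate during the SSL handshake
        accessSection["sslFlags"] = @"SslNegotiateCert";

        serverManager.CommitChanges();
    }
    catch (Exception ex)
    {
        // ...
    }
}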

In the CertificateAuthHandler you can then validate the certificate and, if you want (and I recommend it), check that the client certificate being sent is from your expected CA (if self-signed) or that the thumbprint of the certificate is the one you expect (if there is only going to be one) or a combination of the above.

Shaun Wilde
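
The two checks the answer recommends (pin the thumbprint, or confirm the issuing CA), as an added example that is not part of the original answer or the linked blog post. `ClientCertificateValidator` and its method names are hypothetical; the expected thumbprint and CA certificate are assumed to come from your own configuration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example (hypothetical helper, not from the answer or the blog post).
public static class ClientCertificateValidator
{
    // Keep hex digits only: drops spaces and the invisible characters that
    // tend to come along when a thumbprint is copied from the certificate dialog.
    private static string Normalize(string thumbprint)
    {
        var hex = (thumbprint ?? "").Where(c => Uri.IsHexDigit(c)).ToArray();
        return new string(hex).ToUpperInvariant();
    }

    // Single known client: pin the exact certificate by thumbprint.
    public static bool MatchesThumbprint(X509Certificate2 cert, string expectedThumbprint)
    {
        var expected = Normalize(expectedThumbprint);
        var now = DateTime.Now; // NotBefore/NotAfter are reported in local time
        return cert != null && expected.Length > 0
            && now >= cert.NotBefore && now <= cert.NotAfter
            && Normalize(cert.Thumbprint) == expected;
    }

    // Self-signed CA: build the chain, then confirm the root is our own CA.
    public static bool IsIssuedBy(X509Certificate2 cert, X509Certificate2 expectedCa)
    {
        if (cert == null || expectedCa == null) return false;

        var chain = new X509Chain();
        chain.ChainPolicy.ExtraStore.Add(expectedCa);
        // A makecert CA normally publishes no CRL, so revocation is not checked.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        // Needed when the CA is not in the machine's trusted root store ...
        chain.ChainPolicy.VerificationFlags =
            X509VerificationFlags.AllowUnknownCertificateAuthority;

        // Expiry and signature checks still apply here.
        if (!chain.Build(cert)) return false;

        // ... but that flag accepts any root, so compare the root explicitly.
        var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return Normalize(root.Thumbprint) == Normalize(expectedCa.Thumbprint);
    }
}
```

In an ASP.NET handler the presented certificate can be built with `new X509Certificate2(context.Request.ClientCertificate.Certificate)` once `ClientCertificate.IsPresent` is true; reject the request when neither check passes.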