0

We have a webserver in a DMZ hosting an IIS website. The website talks to a middleware machine in a private domain, which is hosting WCF services.

When the webserver tries to communicate with the middleware machine via a TCP binding, we get the following error message,

The server has rejected the client credentials. The logon attempt failed.

The website uses an AppPool account from the private domain (DMZ trusts private domain). Forms and Anonymous authentication are enabled.

My question is, would the middleware server be able to authenticate valid credentials (hopefully the appPool credentials), even through they originated from an untrusted domain (dmz)??

marc_s
  • 732,580
  • 175
  • 1,330
  • 1,459
Kye
  • 5,919
  • 10
  • 49
  • 84
  • Not as far as I know - the WCF service will need to be able to verify the credentials, so if you're using Windows credentials, those have to be from a domain that's accessible to the WCF service; either the domain that the machine the WCF service is running on belongs to, or a fully trusted other AD domain. – marc_s Aug 17 '11 at 04:48

1 Answers1

1

@marc_s is right in his comment. It's not just a WCF thing though. it's security in general.

Just look at it from a conceptual point: "authenticate valid credentials" is not what is happening. The middleware service gets credentials. The question is then if those credentials are valid or not. In order to determine validity it needs to known it or ask something that it trust to validate it for him. Asking an untrusted party doesn't work since you can't determine if the answer you get is a valid answer or not. In your case there is no place to determine if passed credentials are valid or just a random token.

If you want to allow unvalidated credentials to pass you should really remove the authentication/authorisation all together.

Eddy
  • 5,320
  • 24
  • 40