Internet – Web to Remote WCF Using Message Security (Original Caller)

- J.D. Meier, Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen

Applies To

  • WCF 3.5

Scenario

In this scenario, your users do not have Windows accounts and use a web client to connect over the Internet to an ASP.NET application on an IIS server. The business logic called by the WCF service requires fine-grained authorization and is backed by a SQL Server data store. The basic model for this application scenario is shown in the following figure.

[Figure: Scenario6.jpg]

Key Characteristics

This scenario applies to you if:
  • Your users have web clients
  • Your user accounts are stored in SQL
  • Your user roles are stored in SQL
  • The business logic behind your WCF service requires fine-grained authorization
  • Your application transmits sensitive data over the network that needs to be protected
  • A high-performance connection between the ASP.NET application and the WCF service is more important than the ability to host the WCF service in IIS

Solution

[Figure: Solution6.jpg]

Solution Summary Table

In this solution you will:
  • Use username and password to authenticate users against the SQL Server Membership Provider
  • Impersonate the original caller when calling methods on the WCF service from the ASP.NET application
  • Use a service account to call the SQL Server from WCF
  • Use SSL to protect sensitive data between the web client and IIS
  • Use message security to protect sensitive data between the ASP.NET application and the WCF service
  • Use netTcpBinding to support the TCP transport for improved performance
  • Host WCF in a Windows Service since IIS does not support the TCP transport

Web Server

IIS

  • Configuration
    Check: A dedicated application pool is created and configured to run under a custom service account.
    More info: Use a domain account if possible.
  • Configuration
    Check: The web application is configured to run under the service account.
    More info: Assign the web application to the custom application pool.
  • Authentication
    Check: The IIS virtual directory is configured to use Anonymous access.
    More info: Users are allowed to access pages and, if required, are redirected to the forms authentication page.

ASP.NET

  • Configuration
    Check: The aspnetdb database is created for use with the SQL Membership Provider and the SQL Role Provider.
    Example:
      aspnet_regsql -S .\SQLExpress -E -A r m
    More info: aspnet_regsql.exe creates the SQL database that stores the user and role information.
  • Configuration
    Check: The connection string is configured to point to the user and role store in SQL Server.
    Example:
      <add name="MyLocalSQLServer" connectionString="Initial Catalog=aspnetdb;data source=localhost;Integrated Security=SSPI;" />
    More info: The database connection string includes Integrated Security=SSPI or Trusted Connection=Yes for Windows authentication.
  • Configuration
    Check: The Web application process identity is given access permissions on the aspnetdb database.
    Example:
      sp_grantlogin 'NT AUTHORITY\Network Service';
      USE aspnetdb
      GO
      sp_grantdbaccess 'NT AUTHORITY\Network Service', 'Network Service';
      sp_addrolemember 'aspnet_Membership_FullAccess', 'Network Service';
      sp_addrolemember 'aspnet_Roles_FullAccess', 'Network Service'
    More info: Your Web application process identity requires access to the aspnetdb database. If you host the Web application in Internet Information Services (IIS) 6.0 on Microsoft Windows Server® 2003, the NT AUTHORITY\Network Service account is used by default to run the Web application.
  • Authentication
    Check: ASP.NET is configured for Forms authentication.
    Example:
      <authentication mode="Forms">
    More info: The web application authenticates the users.
  • Authentication
    Check: SqlMembershipProvider is configured for use with the Membership feature for forms authentication.
    Example:
      <add name="MySqlMembershipProvider" connectionStringName="MyLocalSQLServer" type="System.Web.Security.SqlMembershipProvider, ..." ... />
    More info: The membership feature helps protect credentials, can enforce strong passwords, and provides consistent APIs for user validation and secure user management. The membership feature also automatically creates the authentication ticket for you.
  • Authorization
    Check: The Role Manager feature is enabled and SqlRoleProvider is configured for role authorization.
    Example:
      <roleManager enabled="true" defaultProvider="MySqlRoleProvider">
        <providers>
          <add name="MySqlRoleProvider" connectionStringName="MyLocalSQLServer" applicationName="MyAppName" type="System.Web.Security.SqlRoleProvider" />
        </providers>
      </roleManager>
    More info: The Role Manager feature allows you to look up users' roles without writing and maintaining code. Additionally, the role providers offer a consistent way to check the role membership of your users, regardless of the underlying data store.
  • Authorization
    Check: URL authorization is used to control access to pages and folders.
    Example:
      <authorization>
        <allow roles="Manager" />
        <deny users="*" />
      </authorization>
    More info: Only authorized users have access to specific pages.
  • Authorization
    Check: Role checks are performed using the Role Manager APIs.
    Example:
      Roles.IsUserInRole("TestRole") ...

WCF Proxy

  • Check: ASP.NET has a proxy reference to the WCF service.
    More info: The application has access to the WCF metadata to create a service reference.
  • Check: The root CA certificate for the service is installed in "Trusted Root Certification Authorities".
    More info: All certificates signed with this certificate are trusted by the client machine.
  • Check: The proxy invokes the service within the security context of the service account and passes the user's credentials to the WCF service.
    Example:
      WCFTestService.ServiceClient myService = new WCFTestService.ServiceClient();
      myService.ClientCredentials.UserName.UserName = "username";
      myService.ClientCredentials.UserName.Password = "p@ssw0rd";
      myService.GetData(123);
      myService.Close();
    More info: The proxy invokes a WCF method on the service hosted on the application server using the service account's security context.
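The following is an added example (not code from the original page or the patterns & practices guide) showing how the ASP.NET login handler can validate the user against the SQL membership store and then forward that same user name and password to the WCF service, with the proxy closed or aborted correctly. The page class, its control names, the `WCFTestService.ServiceClient` proxy and a string-returning `GetData` operation are assumptions.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Web.Security;

// Code-behind of the Forms authentication login page (page and control names assumed).
public partial class LoginPage : System.Web.UI.Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserNameBox.Text;   // TextBox controls on the .aspx page (assumed)
        string pwd = PasswordBox.Text;

        // 1. Authenticate locally against the SQL membership store.
        if (!Membership.ValidateUser(user, pwd))
        {
            StatusLabel.Text = "Invalid user name or password.";
            return;
        }

        // 2. Forward the original caller's credentials to the WCF service. With
        //    message security the credentials travel inside the message, protected
        //    by the service certificate, and the service re-validates them against
        //    the same membership store, so the password must be available here.
        WCFTestService.ServiceClient proxy = new WCFTestService.ServiceClient();
        proxy.ClientCredentials.UserName.UserName = user;
        proxy.ClientCredentials.UserName.Password = pwd;
        try
        {
            string data = proxy.GetData(123);
            proxy.Close();             // normal shutdown of the secure session
            Session["LastData"] = data;
        }
        catch (MessageSecurityException)
        {
            proxy.Abort();             // service rejected the credentials or certificate
            StatusLabel.Text = "The service did not accept your credentials.";
            return;
        }
        catch (CommunicationException) { proxy.Abort(); throw; }
        catch (TimeoutException) { proxy.Abort(); throw; }

        // 3. Issue the forms authentication ticket and continue to the requested page.
        FormsAuthentication.RedirectFromLoginPage(user, false);
    }
}
```

Calling Close() on a faulted proxy throws again, which is why the catch blocks use Abort() instead.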


Application Server

Windows Service

  • Configuration
    Check: The Windows Service is configured to run under a custom domain service account.
    More info: Use a domain account if possible.
  • Configuration
    Check: The WCF service is hosted in a Windows Service.

WCF Service

  • Configuration
    Check: The connection string is configured to point to the user and role store in SQL Server.
    Example:
      <add name="MyLocalSQLServer" connectionString="Initial Catalog=aspnetdb;data source=localhost;Integrated Security=SSPI;" />
    More info: The database connection string includes Integrated Security=SSPI or Trusted Connection=Yes for Windows authentication.
  • Configuration
    Check: The WCF service process identity is given access permissions on the aspnetdb database.
    Example:
      sp_grantlogin '<<Custom Service Account>>';
      USE aspnetdb
      GO
      sp_grantdbaccess '<<Custom Service Account>>', '<<Custom Service Account>>';
      sp_addrolemember 'aspnet_Membership_FullAccess', '<<Custom Service Account>>';
      sp_addrolemember 'aspnet_Roles_FullAccess', '<<Custom Service Account>>'
    More info: Your WCF service process identity requires access to the aspnetdb database.
  • Configuration
    Check: The WCF service is configured to use the netTcpBinding binding.
    Example:
      <endpoint address="" binding="netTcpBinding" bindingConfiguration="" name="" contract="WCFHostService.IMyService"/>
    More info: The NetTcpBinding uses the TCP protocol and provides full support for SOAP security, transactions, and reliability. Because the client and the WCF service are both on the intranet, this is a good choice from a performance perspective.
  • Configuration
    Check: A mex endpoint is created for publishing the metadata.
    Example:
      <endpoint address="Mex" binding="mexTcpBinding" bindingConfiguration="" name="MexEndpoint" contract="IMetadataExchange"/>
    More info: This is required so that the client can add a reference to the WCF service using the SvcUtil utility.
  • Authentication
    Check: The netTcpBinding is configured to use Username authentication and Message security.
    Example:
      ...
      <netTcpBinding>
        <binding name="NetTcpBindingEndpointConfig">
          <security mode="Message">
            <message clientCredentialType="UserName"/>
          </security>
        </binding>
      </netTcpBinding>
  • Authentication
    Check: SqlMembershipProvider is configured for use with Username authentication.
    Example:
      <add name="MySqlMembershipProvider" connectionStringName="MyLocalSQLServer" type="System.Web.Security.SqlMembershipProvider, ..." ... />
    More info: The membership feature automatically authenticates the user and creates the authentication ticket for you.
  • Authentication
    Check: The service behavior is configured to use the membership provider for Username authentication.
    Example:
      <behaviors>
        <serviceBehaviors>
          <behavior name="ServiceBehavior">
            ...
            <serviceCredentials>
              <userNameAuthentication userNamePasswordValidationMode="MembershipProvider" membershipProviderName="MySqlMembershipProvider" />
            </serviceCredentials>
            ...
          </behavior>
        </serviceBehaviors>
      </behaviors>
  • Authentication
    Check: The service certificate is installed on the WCF service machine, and the service behavior is configured to use the service certificate.
    Example:
      ...
      <behaviors>
        <serviceBehaviors>
          <behavior name="ServiceBehavior">
            <serviceCredentials>
              <serviceCertificate findValue="CN=tempCert" />
              ...
            </serviceCredentials>
          </behavior>
        </serviceBehaviors>
      </behaviors>
      ...
    More info: This is required for protecting the user credentials in the message.
  • Authorization
    Check: The Role Manager feature is enabled and SqlRoleProvider is configured for role authorization.
    Example:
      <roleManager enabled="true" defaultProvider="MySqlRoleProvider">
        <providers>
          <add name="MySqlRoleProvider" connectionStringName="MyLocalSQLServer" applicationName="MyAppName" type="System.Web.Security.SqlRoleProvider" />
        </providers>
      </roleManager>
    More info: The Role Manager feature allows you to look up users' roles without writing and maintaining code. Additionally, the role providers offer a consistent way to check the role membership of your users, regardless of the underlying data store.
  • Authorization
    Check: WCF operations are configured to perform role checks. Role checks can be done either declaratively or imperatively.
    Example:
      [PrincipalPermission(SecurityAction.Demand, Role="Managers")]
    More info: Use an imperative check for fine-grained role checks; it avoids placing the demand on the entire method execution.
  • SQL
    Check: The connection string for the database is configured to use Windows authentication.
    More info: The database connection string includes Integrated Security=SSPI or Trusted Connection=Yes.
  • SQL
    Check: The database connection is opened using the WCF process identity's security context.
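The following is an added example (not code from the original page or the patterns & practices guide) that pulls the application-server checks above together in code: a service with one declarative and one imperative role check, and a ServiceHost configured the way the netTcpBinding, serviceCredentials and roleManager fragments describe. It assumes the membership and role providers from the fragments are present in the Windows Service's app.config, that the service certificate CN=tempCert is in the LocalMachine\My store, and the net.tcp address and the "Managers" role are placeholders.

```csharp
using System;
using System.Security;
using System.Security.Cryptography.X509Certificates;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.Threading;
using System.Web.Security;
[ServiceContract]
public class MyService
{
    // Declarative: the whole operation is refused unless the original caller
    // (validated by the membership provider) is in the "Managers" SQL role.
    [OperationContract, PrincipalPermission(SecurityAction.Demand, Role = "Managers")]
    public string GetData(int value)
    {
        // Original caller's user name, not the ASP.NET service account.
        return ServiceSecurityContext.Current.PrimaryIdentity.Name + ":" + value;
    }
    // Imperative: only the sensitive branch demands the role, so the demand
    // does not block ordinary callers from the whole method.
    [OperationContract]
    public void ApproveOrder(int orderId, decimal amount)
    {
        if (amount > 10000m && !Thread.CurrentPrincipal.IsInRole("Managers"))
            throw new SecurityException("Orders over 10000 require a Manager.");
        // ... update the order through the service account's SQL connection
    }
}
public static class HostFactory
{
    // Create in the Windows Service's OnStart and Open() it; Close() it in OnStop.
    public static ServiceHost CreateHost()
    {
        var host = new ServiceHost(typeof(MyService), new Uri("net.tcp://localhost:8000/MyService")); // assumed address
        var binding = new NetTcpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        host.AddServiceEndpoint(typeof(MyService), binding, "");
        // Forwarded user name/password are validated against the SQL membership store.
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.MembershipProvider;
        host.Credentials.UserNameAuthentication.MembershipProvider = Membership.Provider;
        // Service certificate CN=tempCert protects the credentials inside the message.
        host.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine,
            StoreName.My, X509FindType.FindBySubjectName, "tempCert");
        // Without UseAspNetRoles the Role= demands above would test Windows groups, not SQL roles.
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseAspNetRoles;
        host.Authorization.RoleProvider = Roles.Provider;
        return host;
    }
}
```

The PrincipalPermissionMode setting corresponds to a serviceAuthorization element in the service behavior, which the configuration fragments above do not show but which is needed for the role checks to resolve against the SQL role provider.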

Database Server

  • Configuration
    Check: A SQL Server login is created for the WCF service's account (process identity).
  • Configuration
    Check: The login is mapped to a database user for the Web application.
  • Authentication
    Check: SQL Server is configured to use Windows authentication.
  • Authorization
    Check: The database user is placed in a database role for the WCF service.
    More info: SQL Server authorizes the role rather than the user login.
  • Authorization
    Check: Database permissions are granted to the database role.
    More info: Only execute permissions on the necessary stored procedures are granted.


Communication Security

  • Browser to Web Server
    Check: SSL is used between the browser and the Web server to protect sensitive data on the wire.
    More info: A certificate needs to be installed on the Web site, and the virtual directory of the web application needs to be configured to use SSL.
  • App Server to Database
    Check: IPSec or SSL can be used between the application server and the database server to protect sensitive data on the wire.

Contributors and Reviewers

  • External Contributors and Reviewers:
  • Microsoft Consulting Services and PSS Contributors and Reviewers:
  • Test team: Rohit Sharma, Chaitanya Bijwe, Parameswaran Vaideeswaran.
  • Edit team: Dennis Rea.
  • SEO team: Rob Boucher.

Last edited Apr 3, 2008 at 1:21 AM by prashantbansode, version 4