
Internet – Web App to Remote WCF to SQL Server - Original Caller

In this scenario, a Web server that runs ASP.NET pages connects to a WCF service on a remote server. This server in turn connects to a remote database server. The application relies on the WCF service for data retrieval. The basic model for this application scenario is shown in the following figure.

[Figure: scenario.gif]

Key Characteristics

  • User accounts are in SQL Server.
  • User roles are in SQL Server.
  • The application needs to flow the original caller's credentials to authenticate and authorize the user at the application level (WCF).
  • The data tier should use Windows authentication.

Solution – Web to Application to Database

[Figure: solution3.gif]

Solution Summary Table

Web Server

IIS

  • Configuration: A dedicated application pool is used and configured to run under a custom service account. Example: ServiceAccount1. More info: in the development environment use the Network Service account; in the production environment use a custom domain service account.
  • Configuration: The web application is configured to run under the service account. More info: assign the web application to the custom application pool.
  • Authentication: The IIS virtual directory is configured to use Anonymous access. More info: users are allowed to access pages and, if required, are redirected to the forms authentication page.

ASP.NET

  • Authentication: ASP.NET is configured for Forms authentication. Example: <authentication mode="Forms" />. More info: the web application authenticates the users.
  • Authentication: The connection string is configured to point to the user store in SQL Server. Example: <add name="MyLocalSQLServer" connectionString="Initial Catalog=aspnetdb;data source=localhost;Integrated Security=SSPI;" />. More info: the database connection string includes Integrated Security=SSPI or Trusted Connection=Yes for Windows authentication.
  • Authentication: SqlMembershipProvider is configured for use with the Membership feature for forms authentication. Example: <add name="MySqlMembershipProvider" connectionStringName="MyLocalSQLServer" type="System.Web.Security.SqlMembershipProvider, ..." ... />
  • Authorization: If you have role segmentation in your application, use URL authorization. More info: only authorized users have access to specific pages.
  • Authorization: If required, the application is configured to enable the role manager (SqlRoleProvider). Example: <add name="SqlRoleManager" type="System.Web.Security.SqlRoleProvider" connectionStringName="SqlRoleManagerConnection" .../>. More info: role checks are performed by using the Role Manager APIs with SqlRoleProvider.
  • Authorization: The connection string is configured to point to the role store in SQL Server. Example: <add name="SqlRoleManagerConnection" connectionString="Initial Catalog=aspnetdb;data source=localhost;Integrated Security=SSPI;" />. More info: the database connection string includes Integrated Security=SSPI or Trusted Connection=Yes for Windows authentication.
  • Configuration: ASP.NET has a proxy reference to the WCF service. More info: the application has access to the WCF metadata to create a service reference.
  • Identity Flow: ASP.NET passes the original user credentials to the WCF proxy. More info: this flows the original user credentials to the WCF service for downstream authentication and authorization.

WCF Proxy

  • The proxy invokes the service with the security context of the service account and passes the user credentials to the WCF service. More info: the proxy invokes a WCF method of the service hosted on the application server using the service account's security context.
  • If negotiateServiceCredential is set to false, install the client certificate in the store. More info: this is needed to positively identify and restrict who can access the WCF service.
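The identity flow described in the Web Server table, as an added example that is not code from the original page: the Web application sets the original caller's username credentials on the channel factory, so every message carries a UserName token while the channel itself runs under the application pool's service account. IHelloContract and its Hello operation are taken from the page; "WSHttpBinding_IHelloContract" is an assumed endpoint configuration name.

```csharp
using System.ServiceModel;
using System.ServiceModel.Security;

// Assumed from the page: the contract exposed by the application server.
[ServiceContract]
public interface IHelloContract
{
    [OperationContract]
    string Hello(string message);
}

public static class OriginalCallerProxy
{
    // Called from an ASP.NET page once Forms authentication has succeeded.
    // "WSHttpBinding_IHelloContract" is an assumed endpoint configuration name whose
    // binding uses message security with clientCredentialType="UserName" and
    // negotiateServiceCredential="false", so the service certificate must already
    // be installed in the Web server's store, as the tables above require.
    public static string CallAsOriginalCaller(string userName, string password, string message)
    {
        // The credentials set here become the UserName token in every message the
        // channel sends; the process identity stays the pool's service account.
        var factory = new ChannelFactory<IHelloContract>("WSHttpBinding_IHelloContract");
        factory.Credentials.UserName.UserName = userName;
        factory.Credentials.UserName.Password = password;
        IHelloContract proxy = factory.CreateChannel();
        try
        {
            string reply = proxy.Hello(message);
            ((IClientChannel)proxy).Close();
            factory.Close();
            return reply;
        }
        catch (MessageSecurityException)
        {
            // The service's custom validator rejected the flowed credentials.
            ((IClientChannel)proxy).Abort();
            factory.Abort();
            throw;
        }
        catch (SecurityAccessDeniedException)
        {
            // Authenticated, but the caller is not in the role the operation demands.
            ((IClientChannel)proxy).Abort();
            factory.Abort();
            throw;
        }
    }
}
```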

Application Server

IIS

  • Configuration: A dedicated application pool is used and configured to run under a custom service account. Example: ServiceAccount1. More info: in the development environment use the Network Service account; in the production environment use a custom domain service account.
  • Configuration: The WCF service is configured to run under a service account. More info: assign the WCF service to the custom application pool.
  • Authentication: The IIS virtual directory is configured to allow anonymous access. More info: IIS allows all users to access the WCF service.

WCF Service

  • Authentication: The WCF service is configured to authenticate clients with username credentials. Example: <message clientCredentialType="UserName" negotiateServiceCredential="false" />
  • Authentication: Implement and configure a custom validator for username authentication. Example: <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="MyNameSpace.MyCustomValidator,MyAssembly" />. More info: see the Custom Validator section for more information on implementing the custom validator.
  • Authorization: The service is configured with a service behavior to authorize users with ASP.NET roles. Example: <serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="SQLRoleProvider" ... />. More info: role authorization can be performed declaratively or imperatively in the operation contract.
  • Authorization: Perform role checks declaratively using the SQL role provider. Example: [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
  • Authorization: Perform role checks imperatively using the SQL role provider. Example: new PrincipalPermission(id2, "Supervisor").Demand();
  • Configuration: Configure the service to use basicHttpBinding or wsHttpBinding. Example: <basicHttpBinding/> or <wsHttpBinding/>. More info: check whether the basic binding can be used; the configuration needs to be updated accordingly.
  • Configuration: Configure the client certificate location to encrypt and sign the messages. Example: <clientCertificate> <certificate findValue="cn=carlos4cpu" /> </clientCertificate>. More info: these settings are used by the client when adding the WCF service reference.
  • Configuration: Install the server certificate in the store, in the location specified in the above configuration. Example: <serviceCredentials> <serviceCertificate findValue="CN=carlos4cpu" /> </serviceCredentials>
  • Configuration: The database connection string is configured to use Windows authentication. Example: the database connection string includes Integrated Security=SSPI or Trusted Connection=Yes. More info: use the WCF / ASP.NET process identity for accessing the database.
  • Configuration: Encrypt the connection string section. Example: use a protected configuration provider (DPAPI on a single machine, RSA in a Web farm). More info: the tradeoff here is added deployment complexity vs. keeping the database name and location secret.

Database Server

  • Configuration: A SQL Server login is created for the WCF service account (process identity).
  • Configuration: The login is mapped to a database user for the Web application.
  • Authentication: SQL Server is configured to use Windows authentication.
  • Authorization: The database user is placed in a database role for the WCF service. More info: SQL Server authorizes the role rather than the user login.
  • Authorization: Database permissions are granted to the database role. More info: grant execute permissions only on the necessary stored procedures.

Communication Security

  • Browser to Web Server: SSL is used between the browser and the Web server to protect sensitive data on the wire.
  • Web Server to App Server: To protect sensitive data, use message level security; encrypt and sign messages using a certificate.
  • App Server to Database: IPSec or SSL can be used between the application server and the database server to protect sensitive data on the wire.

Analysis

Authentication

  • On the Web server, Anonymous access is used in IIS, because all users must be able to reach the forms authentication page.
  • On the application server, WCF uses the username authentication mode, as users are stored in a custom SQL user store.
  • Per-user authentication is used for accessing WCF, so role-based authorization can be performed if required.
  • Using Windows authentication to SQL Server means that you avoid storing credentials in files and passing credentials over the network to the database server.

Authorization

  • In the ASP.NET application on the Web server, URL authorization is used to perform role checks against the original caller to restrict access to pages.
  • In the ASP.NET application on the Web server, role-based authorization against the original caller's SQL role provider is used to control access to the WCF service methods.
  • In the WCF service on the application server, .NET roles are used to authorize users based on the SQL roles to which they belong.
  • The WCF service accesses local system resources and the database using the ASP.NET process identity. As a result, all calls are made using a single process account, which enables database connection pooling.

Administration

  • The ASP.NET application on the Web server runs under the security context of the service account, which is a least-privileged local or domain account, so potential damage from a compromise is mitigated.
  • As forms authentication is used on the Web server, consider using SSL, which will protect the user credentials.
  • The WCF service on the application server runs under the security context of the service account, which is a least-privileged local or domain account, so potential damage from a compromise is mitigated.
  • As the Web server and the WCF service exchange user credentials, which need to be protected, use message security, where the messages are encrypted and signed using the Windows token.
  • SQL Server database user roles are preferred to SQL Server application roles, to avoid the password management and connection pooling issues associated with SQL application roles.
  • The database user is added to a database user role and permissions are assigned to the role, so that if the database account changes you don't have to change the permissions on all database objects.
  • If the sensitive data exchanged between the WCF service and the database is to be protected, consider using IPSec or SSL.

Authorization

  • The service is configured with a service behavior to authorize users with ASP.NET roles.
  • Perform role checks declaratively using the Windows identity token, for checking Active Directory group membership.
[PrincipalPermission(SecurityAction.Demand,
                     Role = "Manager")]
public string Hello(string message)
{
    return "hello";
}
  • Perform role checks imperatively using permission demands.
string id2 = null; // user name to demand; null matches any authenticated user in the role
string role2 = "Supervisor";
PrincipalPermission PrincipalPerm2 =
    new PrincipalPermission(id2, role2);
PrincipalPerm2.Demand(); // throws SecurityException if the caller is not in the role

Custom Validator

The service needs to provide an implementation of a custom validator for username authentication. The validator is a class that derives from UserNamePasswordValidator.
using System.IdentityModel.Selectors;

public class MyUserNamePasswordValidator : UserNamePasswordValidator
{
    // WCF calls this for every incoming message that carries a username token.
    public override void Validate(string userName, string password)
    {
        // implement your validation logic; throw an exception
        // (for example SecurityTokenException) when the credentials are rejected
    }
}
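A complete validator for this scenario, as an added example that is not code from the original page: it checks the flowed credentials against the SqlMembershipProvider configured in the Web Server table and, with principalPermissionMode="UseAspNetRoles", the validated name then drives the declarative role check on the operation. MyNameSpace.MyCustomValidator and IHelloContract come from the page; HelloService is a hypothetical implementation class.

```csharp
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Permissions;
using System.ServiceModel;
using System.Web.Security;

namespace MyNameSpace
{
    // Assumed from the page: the contract the application server exposes.
    [ServiceContract]
    public interface IHelloContract
    {
        [OperationContract]
        string Hello(string message);
    }

    // Registered through <userNameAuthentication userNamePasswordValidationMode="Custom"
    //   customUserNamePasswordValidatorType="MyNameSpace.MyCustomValidator,MyAssembly" />.
    // WCF calls Validate for every message carrying a UserName token; the configured
    // SqlMembershipProvider checks the password, so its lockout policy
    // (maxInvalidPasswordAttempts) also covers repeated failures against the service.
    public class MyCustomValidator : UserNamePasswordValidator
    {
        public override void Validate(string userName, string password)
        {
            if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
                throw new SecurityTokenException("Missing credentials.");

            // ValidateUser returns false for a wrong password and for an unknown,
            // locked-out or unapproved user alike, so the reply does not reveal which.
            if (!Membership.ValidateUser(userName, password))
                // A SecurityTokenException reaches the client as a generic security
                // fault; a FaultException would carry this text to the client.
                throw new SecurityTokenException("Unknown username or incorrect password.");
        }
    }

    // With principalPermissionMode="UseAspNetRoles" the validated user name is the
    // principal WCF hands to the SQL role provider, so the demand below is
    // evaluated against the roles stored in SQL Server.
    public class HelloService : IHelloContract
    {
        [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
        public string Hello(string message)
        {
            // The original caller's name as authenticated by the validator above.
            return "hello " + ServiceSecurityContext.Current.PrimaryIdentity.Name;
        }
    }
}
```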

ASP.NET Compatibility

A WCF service hosted in IIS can run in ASP.NET compatibility mode. For this to happen, an entry in the configuration file needs to be included and an attribute at the service level also needs to be applied.
  • Configuration entry
<system.serviceModel>
  <serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
</system.serviceModel>
  • Attribute on the service class
using System.ServiceModel;
using System.ServiceModel.Activation;

[ServiceBehavior]
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
class BarService : IHelloContract
{
    // ...
}
  • Using ASP.NET compatibility mode provides the following benefits:
    • ASP.NET impersonation if WCF impersonation is not enabled. If WCF impersonation is enabled it prevails over ASP.NET impersonation.
    • ASP.NET session state, which provides a shared state mechanism that survives app domain recycles and is supported in web farm environments.
    • File URL authorization in ASP.NET.
    • HttpContext.Current features, which also have a WCF counterpart in OperationContext.Current.
    • Globalization and configuration in ASP.NET.
    • Support for cookies with the HttpTransportBindingElement.AllowCookies binding configuration.

Service Accounts

When deciding on the service accounts to be used, you need to consider whether it is a development or a production scenario. For a development scenario use the easier method to avoid overheads, but for a production scenario you need to ensure the accounts are secure and practical in the production environment.

Development Scenario

  • The local Network Service account can be used on both the Web and WCF servers. The Network Service account is identified as the machine account in the domain and hence can be used for Windows authentication.

Production Scenario

  • Create custom domain service accounts with least privilege. For more information see "How To: Create a Service Account for an ASP.NET 2.0 Application" at http://msdn2.microsoft.com/en-us/library/ms998297.aspx
  • The same domain account can be used on both the Web and WCF servers. If a domain account is used, it is necessary to create a service principal name attached to the domain account for Kerberos to work.
setspn -a http/perfapp01.npscode.com npscode\aspnethost
  • In web farm configurations a domain account must be used instead of the local Network Service account. Additionally, an SPN identity must be configured in the endpoint configuration for clients to be able to authenticate the service.
<identity>
  <servicePrincipalName value="HOST/perfapp01.npscode.com" />
</identity>

Auditing and Logging

  • Auditing for authorization and authentication in WCF can be configured via a service behavior. Configure the service behavior as follows:
<serviceSecurityAudit serviceAuthorizationAuditLevel="Failure"
                      messageAuthenticationAuditLevel="Failure" />
  • Logging can be configured to log messages at the transport or message level.
<system.diagnostics>
 <sources>
   <source name="System.ServiceModel" switchValue="Off,ActivityTracing"
     propagateActivity="true">
     <listeners>
       <add type="System.Diagnostics.DefaultTraceListener" name="Default">
         <filter type="" />
       </add>
       <add name="ServiceModelTraceListener">
         <filter type="" />
       </add>
     </listeners>
   </source>
   <source name="System.ServiceModel.MessageLogging" switchValue="Warning, ActivityTracing">
     <listeners>
       <add type="System.Diagnostics.DefaultTraceListener" name="Default">
         <filter type="" />
       </add>
       <add name="ServiceModelMessageLoggingListener">
         <filter type="" />
       </add>
     </listeners>
   </source>
 </sources>
 <sharedListeners>
   <add initializeData="c:\pag\wcfservice1\web_tracelog2.svclog"
     type="System.Diagnostics.XmlWriterTraceListener, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
     name="ServiceModelTraceListener" traceOutputOptions="Timestamp">
     <filter type="" />
   </add>
   <add initializeData="c:\pag\wcfservice1\web_messages4.svclog"
     type="System.Diagnostics.XmlWriterTraceListener, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
     name="ServiceModelMessageLoggingListener" traceOutputOptions="DateTime, Timestamp, ProcessId, ThreadId">
     <filter type="" />
   </add>
 </sharedListeners>
 <trace autoflush="true" />
</system.diagnostics>

Last edited Jan 17, 2008 at 5:11 AM by prashantbansode, version 3
