WCF BasicHttpBinding Security Resolution (4) windows authentication (iis host)

Now we will discuss the security configuration in transportcredentialonly security mode. First, add the configuration section as shown in code list 11-84 in the configuration file to configure windows verification. Windows creden are authenticated Based on Windows group accounts or domain accounts. In this Authentication mode, the Windows credential corresponding to the window account that the client process runs is automatically used as the client credential for calling the service, so you do not need to display the specified windiws credential. To call the service in the name of another Windows Account, the client needs to explicitly set the Windows credential of the client by notifying the specified Windows account and password. Windows credential are represented by windowsclientcredential in WCF. The real credential are stored in the clientcredential attribute of networkcredential type. This attribute allows you to specify the domain name, user name, and password of the Windows credential.

Note:

The TransportCredentialOnly security mode is plain text transmission. This mode is used to view the communication details. It is not recommended in actual scenarios.

Code List 11-84 configure windows Verification

   1: <bindings>

   2:  

   3:     <basicHttpBinding>

   4:  

   5:       <binding name="basicBindingConf">

   6:  

   7:         <security mode=" TransportCredentialOnly" >

   8:  

   9:           <transport clientCredentialType="Windows">

  10:  

  11:           </transport>

  12:  

  13:         </security>

  14:  

  15:       </binding>

  16:  

  17:     </basicHttpBinding>

  18:  

  19:   </bindings>

Go to listing 11-84 and set the security mode to transportcredentialonly through <ecurity mode = "transportcredentialonly">. Then, set <transport clientcredentialtype = "Windows"> to set the client credential type to Windows. In addition, we need to set the site Authentication Mode to Windows, such as the code list 11-85.

Code List 11-85 set the site Authentication Mode to Windows

   1: <system.web>

   2:  

   3:   <authentication mode="Windows"></authentication>

   4:  

   5: </system.web>

After the server changes, make sure that Windows authentication is enabled for IIS. Finally, we update the service reference of the client, right-click the service reference, and click "Update Service reference". The pop-up box shown in 11-36 is displayed.

Figure 11-36 update the credential to be verified when taking the reference

After the verification information is entered, the security configuration of the client is updated to the content shown in code list 11-86.

Code List 11-86 Client Security Configuration During Windows Authentication

   1: <security mode="TransportCredentialOnly">

   2:  

   3:           <transport clientCredentialType="Windows" proxyCredentialType="None"

   4:  

   5: alm="" />

   6:  

   7:           <message clientCredentialType="UserName" algorithmSuite="Default" />

   8:  

   9:         </security>

We pass an incorrect user account information and start the test site. The error message shown in 11-37 is displayed.

Figure 11-37 windows authentication failed

The error message shown in Figure 11-37 is because the client does not provide the correct authentication information. In fact, the client and the server have been negotiated three times. The last server response information is shown in the code list 11-87.

Code List 11-87 Server Response Header for verification failure

HTTP/1.1 401 Unauthorized

Cache-Control: private

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/7.5

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

X-Powered-By: ASP.NET

Date: Sat, 25 Jun 2011 10:44:49 GMT

Content-Length: 6331

Proxy-Support: Session-Based-Authentication

The system returns information about 401 failed permission verification. The verification header is Negotiate and NTLM.

The Negotiate authentication protocol package is a Security Support Provider (SSP) in Windows that provides authentication and encryption. It serves as the authentication protocol to be used for authentication requests based on protocol negotiation supported by client computers and servers. In Windows Versions earlier than Windows 7 and Windows Server 2008 R2, the Negotiate package supports NTLM and Kerberos. For Windows 7 and Windows Server 2008 R2, the Negotiate package has been updated to support more SSPs.

The error message above is actually because Windows Authentication of IIS is provided as Negotiate and NTLM by default. Of course, we can also add Kerberos authentication methods.

How does one append Windows authentication information on the client? The code list 11-88 is the modified client code.

Code List 11-88 set windows Account Information

public ActionResult Index()

        {

            client.ClientCredentials.Windows.ClientCredential.Domain = "corp.beisen.com";

            client.ClientCredentials.Windows.ClientCredential.UserName = "yangwenhai";

            client.ClientCredentials.Windows.ClientCredential.Password = "xuan$%^hun456";

string helloString = client.GetHello();

            ViewData["Message"] = helloString;

return View();

 }

In code list 11-88, we set Domain information by setting the Domain attribute of client. ClientCredentials. Windows. ClientCredential, set the user name through the UserName attribute, and set the Password through the Password attribute.

Note:

Normally, the client and server are in the same domain environment and do not need to pass the user name and password.

Running result 11-38.

Figure 11-38 Windows Verification