Table of Contents
- Deciding Authentication Schema
- Windows Authentication over the message security
- Custom username- and password-based mutual authentication
- What is mutual authentication?
- Implementation in WCF
- Refer to the attached code for further details
Before reading this article I recommend you read my last article “Basics on WCF Security” if you are not yet familiar with the basics of WCF Security. In this article we will see how authentication can be done using Windows Authentication over message security, custom username and password authentication over message security and finally mutual X509 authentication over message security.
Deciding Authentication Schema
“It determines the type of credentials expected for authenticating the client.”
The available credential types are None, Windows, Username, Certificate and Token. Some services will accept only Windows credentials to authenticate a client, others will accept only a certificate. Depending on the project requirements, the service sets the authentication schema used to attain message security. Mutual authentication can also be performed with the credential types listed below.
| Credential type | Meaning |
|---|---|
| None | Clients are not authenticated by the service |
| Windows | Clients are authenticated by the service using Windows Authentication |
| Username | Clients are authenticated by the service using a username and password |
| Certificate | Clients are authenticated by the service using the information provided in an X509 certificate |
| Token | Clients are authenticated by the service with a token issued by a third party |
The authentication schema determines the complete authentication mechanism of a service. Let’s discuss these options in detail.
Windows Authentication over the message security
Try to guess what happens by looking at the following image:
I hope you got it: the Windows credentials presented to the service are forwarded to the domain controller, which validates them and confirms the authentication. The authentication itself is performed with the Kerberos or NTLM protocol. Let’s see what you need to do in WCF to set up this authentication.
Once you have defined your ABC (Address, Binding and Contract) in the service, you need to set the security mode and the client credential type in the Host or Service project.
With this step, we have defined that clients are authenticated by the service using the Windows credentials that the client supplies.
As a next step you need to configure the same security mode and client credential type on the client side, as in the following snapshot.
That’s it; there is nothing complex here. Just refer to the attached source code and run it; your service will validate client requests based on Windows credentials.
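The steps above in code form, as an added example that is not the article's attached source. The contract (`IGreeting`), service name and address `http://localhost:8000/Greeting` are assumptions for the example; the binding it builds is the code equivalent of the `<security mode="Message"><message clientCredentialType="Windows"/></security>` settings under `<wsHttpBinding>` in the host and client configuration. Host and client run in one process here only so the sample is self-contained.

```csharp
using System;
using System.ServiceModel;

namespace WindowsMessageSecurityDemo
{
    // Hypothetical contract used only for this example.
    [ServiceContract]
    public interface IGreeting
    {
        [OperationContract]
        string WhoAmI();
    }

    public class GreetingService : IGreeting
    {
        // After WCF has authenticated the message with the caller's Windows
        // credentials, the verified identity is available from the security
        // context; the service never has to trust a name sent in the payload.
        public string WhoAmI()
        {
            var identity = ServiceSecurityContext.Current.WindowsIdentity;
            return identity == null ? "anonymous" : identity.Name;
        }
    }

    public static class HostProgram
    {
        // Same binding the article configures in config: security mode = Message,
        // client credential type = Windows. Host and client must agree on both.
        public static WSHttpBinding CreateWindowsMessageBinding()
        {
            var binding = new WSHttpBinding(SecurityMode.Message);
            binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
            return binding;
        }

        public static void Main()
        {
            var address = new Uri("http://localhost:8000/Greeting"); // assumed address
            using (var host = new ServiceHost(typeof(GreetingService), address))
            {
                host.AddServiceEndpoint(typeof(IGreeting), CreateWindowsMessageBinding(), "");
                host.Open();
                Console.WriteLine("Service listening on {0}", address);

                // Client side: the current process identity is sent via Kerberos/NTLM;
                // no password is typed by the user or stored in the client.
                var factory = new ChannelFactory<IGreeting>(
                    CreateWindowsMessageBinding(), new EndpointAddress(address));
                IGreeting proxy = factory.CreateChannel();
                Console.WriteLine("Service saw caller: {0}", proxy.WhoAmI());
                ((IClientChannel)proxy).Close();
                factory.Close();
            }
        }
    }
}
```

If the binding on either side is changed (for example to `MessageCredentialType.UserName`), the channel fails during the security handshake before `WhoAmI` is ever invoked, which is the behaviour the article describes when it says the service validates requests based on Windows credentials.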
Custom username- and password-based mutual authentication
What is mutual authentication?
Clients and servers authenticate each other before doing anything. The client must prove its identity to the server and the server must prove its identity to the client: before any secure operation takes place it is not only important to authenticate the client, it is equally important to authenticate the server, because the client should hand over sensitive information such as credit card details only to the right server.
Let us see how the client and server authenticate each other before doing anything. The client makes a request to the service for a protected resource; the service then presents its certificate to the client. The client verifies the certificate and sends its username and password, protected using the X509 certificate provided by the service. The server then verifies the client credentials and, once verification succeeds, grants the client access to the protected resource.
Implementation in WCF
Let’s think about how the same concepts can be implemented using WCF.
Once you have defined your ABC (Address, Binding and Contract) in the service, you need to set the security mode and the client credential type in the Host or Service project.
With this step, we have defined that clients are authenticated by the service using the custom username and password that the client supplies.
The next step is to create the service credentials that the clients validate to identify their server. In our example, the service credential is an X509 certificate: a digital certificate following the public key infrastructure (PKI) standard that binds a public key to a user or computer. The following is the syntax to define the service certificate.
The preceding tag lives under the service behavior. The findValue attribute holds the name of the certificate available in the LocalMachine store. The local machine certificate store is local to the computer and global to all users on the computer; it is located in the registry under the HKEY_LOCAL_MACHINE root. X509FindType identifies the kind of value provided in the findValue attribute. Kindly refer to the attachment to find the tool for creating certificates on your computer.
As a next step you need to write code for verifying the client credentials on the service side. Since the client credentials we supply must be verified on the server side to secure the exchange, we need a validation mechanism. The following is the syntax to enable the validation part:
This portion of the configuration belongs under the service credentials. We set the username validation mode to Custom because what we supply are custom usernames and passwords; in the custom username/password validator type, specify the namespace and assembly name of the class in which you have written your username and password validation.
The mechanism for authenticating user credentials against an identity store is implemented by deriving from the abstract class System.IdentityModel.Selectors.UserNamePasswordValidator in the System.IdentityModel assembly.
The final step is on the client side, where you just need to provide the username and password to obtain the protected resource from the service.
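The whole procedure (binding, service certificate, custom validator, client credentials) carried through in one program, as an added example rather than the article's attached code. Assumptions: a certificate with subject name `MyServerCert` already exists in the LocalMachine\My store, the contract `IAccount` and address `http://localhost:8001/Account` are invented, and the single user `alice` with her password is a constructed in-memory entry standing in for a real identity store. The `SetCertificate` and `UserNameAuthentication` calls are the code equivalents of the `<serviceCertificate>` and `<userNameAuthentication>` elements the article configures under the service credentials.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

namespace UserNameMutualAuthDemo
{
    [ServiceContract]
    public interface IAccount
    {
        [OperationContract]
        string GetBalance();
    }

    public class AccountService : IAccount
    {
        public string GetBalance()
        {
            // The username the validator accepted, as recorded by WCF.
            string user = ServiceSecurityContext.Current.PrimaryIdentity.Name;
            return "Balance for " + user + ": 42.00"; // constructed value
        }
    }

    // The class the article refers to as "where you have written your username and
    // password validation". Throwing from Validate rejects the message; returning accepts it.
    public class DemoUserNameValidator : UserNamePasswordValidator
    {
        // Constructed store for the example only; a real service would look the user up in
        // a directory or database and compare a salted hash, never a plaintext password.
        private static readonly Dictionary<string, string> Users =
            new Dictionary<string, string> { { "alice", "P@ssw0rd-example" } };

        public override void Validate(string userName, string password)
        {
            if (userName == null || password == null)
                throw new ArgumentNullException();

            string expected;
            if (!Users.TryGetValue(userName, out expected) || !FixedTimeEquals(expected, password))
                throw new SecurityTokenException("Unknown username or incorrect password.");
        }

        // Compare without leaking the position of the first mismatch through timing.
        private static bool FixedTimeEquals(string a, string b)
        {
            if (a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }

    public static class Program
    {
        // Security mode = Message, client credential type = UserName.
        public static WSHttpBinding CreateUserNameMessageBinding()
        {
            var binding = new WSHttpBinding(SecurityMode.Message);
            binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
            return binding;
        }

        public static void Main()
        {
            var address = new Uri("http://localhost:8001/Account"); // assumed address
            using (var host = new ServiceHost(typeof(AccountService), address))
            {
                host.AddServiceEndpoint(typeof(IAccount), CreateUserNameMessageBinding(), "");

                // Equivalent of <serviceCertificate findValue="MyServerCert" storeLocation="LocalMachine"
                //   storeName="My" x509FindType="FindBySubjectName"/> in the service behavior.
                host.Credentials.ServiceCertificate.SetCertificate(
                    StoreLocation.LocalMachine, StoreName.My,
                    X509FindType.FindBySubjectName, "MyServerCert"); // assumed subject name

                // Equivalent of <userNameAuthentication userNamePasswordValidationMode="Custom"
                //   customUserNamePasswordValidatorType="UserNameMutualAuthDemo.DemoUserNameValidator, <assembly>"/>
                host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
                    UserNamePasswordValidationMode.Custom;
                host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator =
                    new DemoUserNameValidator();
                host.Open();

                // Client side: expect the service to prove it holds the MyServerCert key, and
                // only trust that certificate if it chains to a trusted root.
                var factory = new ChannelFactory<IAccount>(CreateUserNameMessageBinding(),
                    new EndpointAddress(address, EndpointIdentity.CreateDnsIdentity("MyServerCert")));
                factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
                    X509CertificateValidationMode.ChainTrust;
                factory.Credentials.UserName.UserName = "alice";
                factory.Credentials.UserName.Password = "P@ssw0rd-example";

                IAccount proxy = factory.CreateChannel();
                Console.WriteLine(proxy.GetBalance());
                ((IClientChannel)proxy).Close();
                factory.Close();
            }
        }
    }
}
```

The order of events matches the description above: the client learns the service certificate during the message-security negotiation and checks it (`ChainTrust` fails if the issuer is not trusted), the username and password travel encrypted under that certificate, and `DemoUserNameValidator.Validate` decides whether the call reaches `GetBalance`. A wrong password surfaces on the client as a `MessageSecurityException` rather than as a normal fault from the operation.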
Refer to the attached code for further details.
In message security, the security details are attached to every message. The service confirms its identity by presenting its certificate, whereas clients confirm their identity using Windows Authentication or custom username and password authentication.