Tags

, , ,

Table of Contents

  • Introduction
  • Deciding Authentication Schema
  • Windows Authentication over the message security
  • Custom username- and password –Based Mutual authentication What is Mutual authentication?
  • Implementation in WCF
  • Refer the code attached for the further details
  • Summary

Introduction

Before reading this article I recommend you read my last article “Basics on WCF Security” if you are not good at the basics of WCF Security. In this article we will see how authentication can be done using Windows Authentication over message security, custom username and password authentication over the message security and finally the Mutual X509 authentication over the message security.

Deciding Authentication Schema

Authentication Schema

“It Determines the type of credentials expected for authenticating the client”

The available types of credentials are None, Windows, Username, Certificate and Token. Yes, a few services will expect only the windows credentials to get it authorized and a few will expect only the certificate to authorize the client. Depending upon the project requirements, the service can set the authentication schema to attain the message security. Also the mutual authentication can also be done using the type of credentials listed below

None Clients are not authenticated by the service
Windows Clients are authenticated by the service using the Windows Authentication
Username Clients are authenticated by the service using the username and password
Certificate Clients are authenticated by the service using the information provided in an X509 certificate
Token Clients are authenticated by the service with the token issued by a third party

Authentication schema determines the complete authentication mechanism in a service. Let’s discuss these options in detail.

Windows Authentication over the message security

Just try to give a blind guess by looking at the following image:

                     Windows Authentication over the message security

I hope you got it; I believe, yes the Windows credentials that were presented to the service will be sent to the domain controller that will validate the credentials and confirm the authentication. The authentication process will be done using the Kerberos or NTLM protocol. Let’s see the procedure you need to do in WCF to get this authentication.

Step 1

Once you have defined your ABC (Address, Binding and Contract) in the service, you need to create the security mode and client credential type in the Host or Service project.

                  Windows Authentication1

 

With this step, we have defined that clients are authenticated by the service using the Windows credentials of the client that is supplying.

Step 2

As a next step you need to create the same mode and client credentials type in the client side as in the following snapshot.

             Windows Authentication2

That’s it; there is nothing complex here, just refer to the attached source code and run it, your service will validate the client requests based on Windows credentials.

Mutual authentication

The following describes custom mutual authentication based on username and password.

Clients and servers authenticate each other before doing anything. The client must prove its identity to the server and the server must prove its identity to the client, because before making any security operations, it is not only important to authorize the client, but it is very important to authorize the server, because the client should provide his secure information like credit card credentials only to the right server.

               Mutual authentication

Let us see how the client and server authenticate themselves before doing anything. The client makes a request to the service for a protected resource, the service then presents his certificate to the client. The client verifies the certificate and sends his username and password that will be protected using a X509 Certificate provided by the service. The server then verifies the client credentials and grants access to the protected resource to the client when the verification is done.

Implementation in WCF

Let’s think about how the same concepts can be implemented using WCF.

Step 1

Once you have defined your ABC (Address, Binding and Contract) in the service, you need to create the security mode and client credentials type in the Host or Service project.

               Implementation in WCF

With this step, we have defined that clients are authenticated by the service using the custom username and password of the client that is supplying.

Step 2

The next step is to create the service credentials that are validated by the clients to identify his server. In our example, the service credentials will be an X509 certificate, which is a digital certificate having the public key infrastructure (PKI) standard to verify that a public key belongs to the user or computer. The following is the syntax to define the service certificate.

              Implementation in WCF1

The preceding tag will exist under the service behavior, the findValue attribute holds the name of the certificate that is available on the localmachine. The local machine certificate store is local to the computer and is global to all users on the computer. This certificate store is located in the registry under the HKEY_LOCAL_MACHINE root, X509FindType identifies the type of value provided in the findValue parameter. Kindly refer to the attachment to find the tool for creating certificates on your computer.

Step 3

As a next step you need to write code for verifying the client credentials on the service side. Since the client credentials we have been supplying should be verified in the server side to secure the exchange we should have a validation mechanism. The following is the syntax to enable the validation part:

              Implementation in WCF2

This portion of the code must be written in the service credentials. We need to use username validation mode as the custom since what we are supplying here are custom user name passwords, in the customusername password validator type just specify the namespace and assembly name of class where you have written your username and password validation.

The mechanism for authenticating the user credentials against an identity store is implemented through the abstract class System.IdentityModel.Selectors.UsernamePasswordValidator in the System.IdentityModel.Selectors assembly.

               Implementation in WCF3

Step 4

The final step is in the client side, in which you just need to provide the username and the password to get the protected resource from the client.

              Implementation in WCF4

Refer to the code attached for the further details.

Source Code

Summary

In Message security, the security details were attached to every message. The service can confirm their identity by showing his certificate, whereas the clients can confirm their identity using the Windows Authentication or custom username password authentication

           

Advertisements