YZlat
asked on
Limiting access to WCF service using Windows authentication
I have a WCF service that can only be accessed by domain users. I used the following config:
I also tried:
But it did not make any difference at all. What can i do to limit the access to a user or group?
<system.web>
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
</system.web>
The service is hosted on IIS 6, where Windows authentication is enabled and anonymous - disabled. the above worked fine for me but now i want to limit access to only a single uers. i tried the following: <system.web>
<authentication mode="Windows" />
<authorization>
<allow users="DOMAIN\user1" />
<deny users="*" />
</authorization>
</system.web>
but that did not work - all the domain users have access, not just user1. I also tried:
<authorization>
<allow users="DOMAIN\Group1"/>
<deny users="DOMAIN\Domain Users"/>
</authorization>
I also tried to utilize PrincipalPermission attribute to limit access to a method: [PrincipalPermission(SecurityAction.Demand, Role = "Group1")]
But it did not make any difference at all. What can i do to limit the access to a user or group?
ASKER
@DanMcFadden, per my code above, I am already using techniques described in the articles but it is not working.
None of the links you have provided helped me, plus most of them are on Forms authentication while I am using Windows authentication
None of the links you have provided helped me, plus most of them are on Forms authentication while I am using Windows authentication
OK, have you read thru the followng article which explains the various strategies for using Authentication and Authorization is .NET apps?
Link: https://msdn.microsoft.com/en-us/library/ff649337.aspx#secnetch08_authstrategies
It was released a while back, but the concepts remain essentially the same.
Also, what OS version are you using?
Have you only tried modifying the web.config? Have you tried building the rules thru the IIS Manager?
Have you tried your config like this"
Dan
Link: https://msdn.microsoft.com/en-us/library/ff649337.aspx#secnetch08_authstrategies
It was released a while back, but the concepts remain essentially the same.
Also, what OS version are you using?
Have you only tried modifying the web.config? Have you tried building the rules thru the IIS Manager?
Have you tried your config like this"
<authorization>
<allow roles="DOMAIN\Group1"/>
<deny roles="DOMAIN\Domain Users"/>
</authorization>
Dan
ASKER
Hi Dan. Yes, i have tried the above but found that when it comes to WCF services, authorization is a bit complicated. i am currently looking into creating custom WCF authorization using ServiceAuthorizationManage r. Are you familiar with it?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Link: https://weblogs.asp.net/gurusarkar/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config
Here is the MSDN reference: https://msdn.microsoft.com/en-us/library/wce3kxhd.aspx
An IIS Forum thread over issues with Authorization: https://forums.iis.net/p/1173012/1961218.aspx
I've also answered a similar question recently here on EE:
https://www.experts-exchange.com/questions/28974384/IIs-block-files-web-config.html
Dan