Solved

Limiting access to WCF service using Windows authentication

Posted on 2016-10-12
5
107 Views
Last Modified: 2016-11-02
I have a WCF service that can only be accessed by domain users. I used the following config:
    <system.web>
        <authentication mode="Windows" />
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>

Open in new window

The service is hosted on IIS 6, where Windows authentication is enabled and anonymous - disabled. the above worked fine for me but now i want to limit access to only a single uers. i tried the following:

    <system.web>
        <authentication mode="Windows" />
        <authorization>
            <allow users="DOMAIN\user1" />
            <deny users="*" />
        </authorization>
    </system.web>

Open in new window

but that did not work - all the domain users have access, not just user1.

I also tried:
    <authorization>
            <allow users="DOMAIN\Group1"/>
            <deny users="DOMAIN\Domain Users"/>
    </authorization>

Open in new window

I also tried to utilize PrincipalPermission attribute to limit access to a method:

 [PrincipalPermission(SecurityAction.Demand, Role = "Group1")]

Open in new window


But it did not make any difference at all. What can i do to limit the access to a user or group?
0
Comment
Question by:YZlat
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 27

Expert Comment

by:Dan McFadden
ID: 41841468
Here is an article that explains Authorization & Authentication.

Link:  https://weblogs.asp.net/gurusarkar/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config

Here is the MSDN reference:  https://msdn.microsoft.com/en-us/library/wce3kxhd.aspx

An IIS Forum thread over issues with Authorization:  https://forums.iis.net/p/1173012/1961218.aspx

I've also answered a similar question recently here on EE:

https://www.experts-exchange.com/questions/28974384/IIs-block-files-web-config.html

Dan
0
 
LVL 35

Author Comment

by:YZlat
ID: 41846905
@DanMcFadden, per my code above, I am already using techniques described in the articles but it is not working.

None of the links you have provided helped me, plus most of them are on Forms authentication while I am using Windows authentication
0
 
LVL 27

Expert Comment

by:Dan McFadden
ID: 41857020
OK, have you read thru the followng article which explains the various strategies for using Authentication and Authorization is .NET apps?

Link:  https://msdn.microsoft.com/en-us/library/ff649337.aspx#secnetch08_authstrategies

It was released a while back, but the concepts remain essentially the same.

Also, what OS version are you using?

Have you only tried modifying the web.config?  Have you tried building the rules thru the IIS Manager?

Have you tried your config like this"

<authorization>
    <allow roles="DOMAIN\Group1"/>
    <deny roles="DOMAIN\Domain Users"/>
</authorization>

Open in new window


Dan
0
 
LVL 35

Author Comment

by:YZlat
ID: 41857189
Hi Dan. Yes, i have tried the above but found that when it comes to WCF services, authorization is a bit complicated. i am currently looking into creating custom WCF authorization using ServiceAuthorizationManager. Are you familiar with it?
0
 
LVL 27

Accepted Solution

by:
Dan McFadden earned 500 total points
ID: 41857195
I have read about it and played in DEV with the developers, but not implemented any production web services with it.

I do have an interesting article, its old but most likely still relevant.

Link:  https://pieterderycke.wordpress.com/2011/04/07/implementing-restricted-access-to-a-wcf-service-with-the-serviceauthorizationmanager/

Seems in line with the current MSDN article:  https://msdn.microsoft.com/en-us/library/ms731774(v=vs.110).aspx

Dan
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While working on Silverlight and WCF application, I faced one issue where fault exception occurred at WCF operation contract is not getting propagated to Silverlight client. So after searching net I came to know that it was behavior by default for s…
Today I had a very interesting conundrum that had to get solved quickly. Needless to say, it wasn't resolved quickly because when we needed it we were very rushed, but as soon as the conference call was over and I took a step back I saw the correct …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question