
Internet – Web to Remote WCF Using Message Security (Original Caller)

2011-01-18 13:13


J.D. Meier, Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen

Applies To

WCF 3.5

Scenario

In this scenario, your users do not have Windows accounts and use a web
client to connect over the Internet to an ASP.NET application on an IIS
server. The business logic called by the WCF service requires
fine-grained authorization and is backed by a SQL Server data store. The
basic model for this application scenario is shown in the following
figure.



Key Characteristics

This scenario applies to you if:

Your users have web clients

Your user accounts are stored in SQL

Your user roles are stored in SQL

The business logic behind your WCF service requires fine-grained authorization

Your application transmits sensitive data over the network that needs to be protected

A high performance connection between the ASP.NET application and
the WCF service is more important than the ability to host the WCF
service in IIS

Solution



Solution Summary Table

In this solution you will:

Use username and password to authenticate users against the SQL Server Membership Provider

Impersonate the original caller when calling methods on the WCF service from the ASP.NET application

Use a service account to call the SQL Server from WCF

Use SSL to protect sensitive data between the web client and IIS

Use message security to protect sensitive data between the ASP.NET application and the WCF service

Use netTcpBinding to support the TCP transport for improved performance

Host WCF in a Windows Service, since IIS 6.0 does not support the TCP transport (IIS 7.0 with the Windows Process Activation Service can host net.tcp endpoints, but this scenario targets IIS 6.0 on Windows Server 2003)

Web Server

IIS

Configuration
Check: A dedicated application pool is created and configured to run under a custom service account.
More Info: Use a domain account if possible.

Check: The web application is configured to run under the service account.
More Info: Assign the web application to the custom application pool.

Authentication
Check: The IIS virtual directory is configured to use Anonymous access.
More Info: Users are allowed to reach pages directly and, where a page requires it, are redirected to the forms authentication login page.

ASP.NET

Configuration
Check: The aspnetdb database is created for use with the SQL Membership Provider and the SQL Role Provider.
Example:
    aspnet_regsql -S .\SQLExpress -E -A mr
More Info: aspnet_regsql.exe creates the SQL database that stores the user and role information.

Check: A connection string is configured to point to the user and role store in SQL Server.
Example:
    <add name="MyLocalSQLServer" connectionString="Initial Catalog=aspnetdb;data source=localhost;Integrated Security=SSPI;" />
More Info: The database connection string includes Integrated Security=SSPI or Trusted_Connection=Yes for Windows authentication.

Check: The web application process identity is given access permissions on the aspnetdb database.
Example:
    sp_grantlogin 'NT AUTHORITY\Network Service'
    USE aspnetdb
    GO
    sp_grantdbaccess 'NT AUTHORITY\Network Service', 'Network Service'
    sp_addrolemember 'aspnet_Membership_FullAccess', 'Network Service'
    sp_addrolemember 'aspnet_Roles_FullAccess', 'Network Service'
More Info: Your web application process identity requires access to the aspnetdb database. If you host the web application in Internet Information Services (IIS) 6.0 on Microsoft Windows Server 2003, the NT AUTHORITY\Network Service account runs the web application by default. If you followed the step above and run the application pool under a custom service account, grant this access to that account instead of Network Service.

Authentication
Check: ASP.NET is configured for Forms authentication.
Example:
    <authentication mode="Forms" />
More Info: The web application authenticates the users.

Check: SqlMembershipProvider is configured for use with the Membership feature for forms authentication.
Example:
    <add name="MySqlMembershipProvider" connectionStringName="MyLocalSQLServer" type="System.Web.Security.SqlMembershipProvider, ..." ... />
More Info: The membership feature helps protect credentials, can enforce strong passwords, and provides consistent APIs for user validation and secure user management. It also creates the authentication ticket for you.

Authorization
Check: The Role Manager feature is enabled and SqlRoleProvider is configured for role authorization.
Example:
    <roleManager enabled="true" defaultProvider="MySqlRoleProvider">
      <providers>
        <add name="MySqlRoleProvider" connectionStringName="MyLocalSQLServer" applicationName="MyAppName" type="System.Web.Security.SqlRoleProvider" />
      </providers>
    </roleManager>
More Info: The Role Manager feature lets you look up users' roles without writing and maintaining code. The role providers also offer a consistent way to check the role membership of your users, regardless of the underlying data store.

Check: URL authorization is used to control access to pages and folders.
Example:
    <authorization>
      <allow roles="Manager" />
      <deny users="*" />
    </authorization>
More Info: Only users in the allowed roles reach the protected pages; all other users are denied.

Check: Role checks are performed using the Role Manager APIs.
Example:
    Roles.IsUserInRole("TestRole")

WCF Proxy
Check: ASP.NET has a proxy reference to the WCF service.
More Info: The application needs access to the WCF metadata to create the service reference.

Check: The root CA certificate that issued the service certificate is installed in the "Trusted Root Certification Authorities" store on the web server.
More Info: All certificates signed by this CA are then trusted by the client machine, so the service certificate used for message security validates on the web server.

Check: The proxy invokes the service in the security context of the service account and passes the original caller's credentials to the WCF service.
Example:
    WCFTestService.ServiceClient myService = new WCFTestService.ServiceClient();
    myService.ClientCredentials.UserName.UserName = "username";
    myService.ClientCredentials.UserName.Password = "p@ssw0rd";
    myService.GetData(123);
    myService.Close();
More Info: The proxy invokes a WCF method on the application server using the service account's security context for the TCP connection. The username and password set on ClientCredentials (placeholders here; in practice the credentials the user supplied at the forms login) travel in the message's UserName token and identify the original caller to the service.
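The two web-tier steps above, the forms login against the membership provider and the proxy call that carries the original caller's credentials, written out as one added C# example; this is not code from the original guide. It assumes the generated proxy WCFTestService.ServiceClient from the table with a GetData(int) operation that returns a string, a login page that calls Login, and a hypothetical CallerCredentialStore (defined in the block) that keeps the credentials in in-process session state between the login and the later service call, since the guide does not say where those credentials are held.

```csharp
using System;
using System.ServiceModel;
using System.Web;
using System.Web.Security;

// Added example, not from the original guide. Assumes the generated proxy
// WCFTestService.ServiceClient (GetData(int) returning string) and the
// hypothetical CallerCredentialStore below, which keeps the original caller's
// credentials between the forms login and the later WCF call.
public static class OriginalCallerFlow
{
    // Forms-authentication login: validates against SqlMembershipProvider,
    // issues the forms ticket, and retains the credentials for the WCF hop.
    public static bool Login(HttpContext ctx, string userName, string password)
    {
        if (!Membership.ValidateUser(userName, password))
        {
            return false;                   // bad password, locked out, or not approved
        }
        FormsAuthentication.SetAuthCookie(userName, false);
        CallerCredentialStore.Save(ctx, userName, password);
        return true;
    }

    // Calls the WCF service as the original caller. The proxy runs under the
    // application pool identity; the SOAP UserName token carries the user.
    public static string GetDataAsCaller(HttpContext ctx, int value)
    {
        // Coarse check at the web tier; the service repeats its own check.
        if (!Roles.IsUserInRole("Manager"))
        {
            throw new UnauthorizedAccessException("Manager role required.");
        }

        CallerCredentialStore.Credentials creds = CallerCredentialStore.Load(ctx);
        WCFTestService.ServiceClient client = new WCFTestService.ServiceClient();
        client.ClientCredentials.UserName.UserName = creds.UserName;
        client.ClientCredentials.UserName.Password = creds.Password;
        try
        {
            string result = client.GetData(value);
            client.Close();                 // graceful close on the success path only
            return result;
        }
        catch (CommunicationException)      // FaultException derives from this
        {
            client.Abort();                 // channel is faulted; Close() would throw again
            throw;
        }
        catch (TimeoutException)
        {
            client.Abort();
            throw;
        }
    }

    public static void Logout(HttpContext ctx)
    {
        CallerCredentialStore.Clear(ctx);   // drop the password before the ticket goes
        FormsAuthentication.SignOut();
    }
}

// Hypothetical helper: in-process session state holds the caller's
// credentials in memory on the web server for the life of the session.
internal static class CallerCredentialStore
{
    private const string Key = "OriginalCallerCredentials";

    internal sealed class Credentials
    {
        public string UserName;
        public string Password;
    }

    internal static void Save(HttpContext ctx, string userName, string password)
    {
        Credentials c = new Credentials();
        c.UserName = userName;
        c.Password = password;
        ctx.Session[Key] = c;
    }

    internal static Credentials Load(HttpContext ctx)
    {
        Credentials c = ctx.Session[Key] as Credentials;
        if (c == null)
        {
            throw new InvalidOperationException("No caller credentials in session; re-authenticate.");
        }
        return c;
    }

    internal static void Clear(HttpContext ctx)
    {
        ctx.Session.Remove(Key);
    }
}
```

The try/Close/catch/Abort shape matters: wrapping the proxy in a using block calls Close() on an already faulted channel, which throws a second exception and hides the original fault. Because the service only ever sees a UserName token, the web tier has to hold the caller's password until the call is made; keep it in memory only (in-process session here), never in a cookie, a database or a log, and clear it at logout.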

Application Server

Windows Service

Configuration
Check: The Windows Service is configured to run under a custom domain service account.
More Info: Use a domain account if possible.

Check: The WCF service is hosted in the Windows Service.

WCF Service

Configuration
Check: A connection string is configured to point to the user and role store in SQL Server.
Example:
    <add name="MyLocalSQLServer" connectionString="Initial Catalog=aspnetdb;data source=localhost;Integrated Security=SSPI;" />
More Info: The database connection string includes Integrated Security=SSPI or Trusted_Connection=Yes for Windows authentication.

Check: The WCF service process identity is given access permissions on the aspnetdb database.
Example:
    sp_grantlogin '<<Custom Service Account>>'
    USE aspnetdb
    GO
    sp_grantdbaccess '<<Custom Service Account>>', '<<Custom Service Account>>'
    sp_addrolemember 'aspnet_Membership_FullAccess', '<<Custom Service Account>>'
    sp_addrolemember 'aspnet_Roles_FullAccess', '<<Custom Service Account>>'
More Info: Your WCF service process identity requires access to the aspnetdb database so that it can validate UserName tokens and look up roles.

Check: The WCF service is configured to use netTcpBinding.
Example:
    <endpoint address="" binding="netTcpBinding" bindingConfiguration="NetTcpBindingEndpointConfig" name="" contract="WCFHostService.IMyService"/>
More Info: NetTcpBinding uses the TCP protocol and provides full support for SOAP security, transactions, and reliability. Since the ASP.NET client and the WCF service are both on the intranet, it is a good choice from a performance perspective. The bindingConfiguration attribute must name the binding configuration defined under Authentication below; if it is left empty, the endpoint uses the default netTcpBinding (transport security with Windows credentials) and the message-security settings never apply.

Check: A mex endpoint is created for publishing the metadata.
Example:
    <endpoint address="Mex" binding="mexTcpBinding" bindingConfiguration="" name="MexEndpoint" contract="IMetadataExchange"/>
More Info: Required so that the client can add a reference to the WCF service using the SvcUtil utility.

Authentication
Check: The netTcpBinding is configured to use UserName authentication and Message security.
Example:
    <netTcpBinding>
      <binding name="NetTcpBindingEndpointConfig">
        <security mode="Message">
          <message clientCredentialType="UserName"/>
        </security>
      </binding>
    </netTcpBinding>

Check: SqlMembershipProvider is configured for use with UserName authentication.
Example:
    <add name="MySqlMembershipProvider" connectionStringName="MyLocalSQLServer" type="System.Web.Security.SqlMembershipProvider, ..." ... />
More Info: The membership feature validates the username and password carried in the UserName token against the SQL store for you.

Check: The service behavior is configured to use the membership provider for UserName authentication.
Example:
    <behaviors>
      <serviceBehaviors>
        <behavior name="ServiceBehavior">
          ...
          <serviceCredentials>
            <userNameAuthentication userNamePasswordValidationMode="MembershipProvider" membershipProviderName="MySqlMembershipProvider" />
          </serviceCredentials>
          ...
        </behavior>
      </serviceBehaviors>
    </behaviors>

Check: The service certificate is installed on the WCF service machine, and the service behavior is configured to use it.
Example:
    <behaviors>
      <serviceBehaviors>
        <behavior name="ServiceBehavior">
          <serviceCredentials>
            <serviceCertificate findValue="CN=tempCert" />
            ...
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
More Info: Required to protect the user credentials in the message: the client uses the service certificate to encrypt the UserName token, which is why the CA that issued this certificate must be trusted on the web server.

Authorization
Check: The Role Manager feature is enabled and SqlRoleProvider is configured for role authorization.
Example:
    <roleManager enabled="true" defaultProvider="MySqlRoleProvider">
      <providers>
        <add name="MySqlRoleProvider" connectionStringName="MyLocalSQLServer" applicationName="MyAppName" type="System.Web.Security.SqlRoleProvider" />
      </providers>
    </roleManager>
More Info: The Role Manager feature lets you look up users' roles without writing and maintaining code. The role providers also offer a consistent way to check the role membership of your users, regardless of the underlying data store.

Check: WCF operations are configured to do role checks, either declaratively or imperatively.
Example:
    [PrincipalPermission(SecurityAction.Demand, Role="Managers")]
More Info: Use imperative checks for fine-grained authorization inside a method, rather than a demand on the entire method. For either form to consult the SQL role store, the service behavior's serviceAuthorization element must set principalPermissionMode to UseAspNetRoles and name the role provider (MySqlRoleProvider); otherwise the demand is evaluated against a Windows principal and fails for membership users.

SQL
Check: The connection string for the business database is configured to use Windows authentication.
More Info: The database connection string includes Integrated Security=SSPI or Trusted_Connection=Yes.

Check: The database connection is opened using the WCF process identity's security context.
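The application-server rows above (Windows Service host, netTcpBinding with message security and UserName credentials, membership-provider validation, service certificate, and declarative plus imperative role checks) carried out in code instead of configuration, as one added C# example that is not from the original guide. It assumes the providers MySqlMembershipProvider and MySqlRoleProvider are declared in the Windows Service's app.config (system.web/membership and system.web/roleManager sections pointing at the MyLocalSQLServer connection string), that a certificate with subject CN=tempCert is in the LocalMachine\My store, a hypothetical net.tcp://localhost:8080/MyService base address, and a hypothetical Auditors role and 1000 threshold for the fine-grained check.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.ServiceProcess;
using System.Web.Security;

// Added example, not from the original guide. Contract name matches the
// page's WCFHostService.IMyService endpoint; GetData(int) returning string
// is assumed.
[ServiceContract]
public interface IMyService
{
    [OperationContract]
    string GetData(int value);
}

public class MyService : IMyService
{
    // Declarative check: the whole operation is refused unless the caller is
    // in "Managers". Resolved through the ASP.NET role provider because the
    // host sets PrincipalPermissionMode.UseAspNetRoles below.
    [PrincipalPermission(SecurityAction.Demand, Role = "Managers")]
    public string GetData(int value)
    {
        // Identity comes from the validated UserName token, never from the
        // message body. Imperative check for the fine-grained rule
        // (hypothetical: large values additionally need the Auditors role).
        string caller = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        if (value > 1000 && !Roles.IsUserInRole(caller, "Auditors"))
        {
            throw new FaultException("Values above 1000 require the Auditors role.");
        }
        return string.Format("{0} requested {1}", caller, value);
    }
}

// Windows Service that hosts the WCF service under the custom service account.
public class WcfHostService : ServiceBase
{
    private ServiceHost host;

    protected override void OnStart(string[] args)
    {
        host = new ServiceHost(typeof(MyService),
                               new Uri("net.tcp://localhost:8080/MyService"));

        // netTcpBinding, security mode Message, client credential UserName
        NetTcpBinding binding = new NetTcpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        host.AddServiceEndpoint(typeof(IMyService), binding, "");

        // mexTcpBinding endpoint so SvcUtil can build the client proxy
        host.Description.Behaviors.Add(new ServiceMetadataBehavior());
        host.AddServiceEndpoint(typeof(IMetadataExchange),
                                MetadataExchangeBindings.CreateMexTcpBinding(), "Mex");

        // UserName tokens are validated against the SQL membership provider
        ServiceCredentials creds = host.Credentials;
        creds.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.MembershipProvider;
        creds.UserNameAuthentication.MembershipProvider =
            Membership.Providers["MySqlMembershipProvider"];

        // Service certificate that protects the UserName token in the message
        creds.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectDistinguishedName, "CN=tempCert");

        // Role demands and Roles.IsUserInRole consult the SQL role provider
        ServiceAuthorizationBehavior authz =
            host.Description.Behaviors.Find<ServiceAuthorizationBehavior>();
        authz.PrincipalPermissionMode = PrincipalPermissionMode.UseAspNetRoles;
        authz.RoleProvider = Roles.Providers["MySqlRoleProvider"];

        host.Open();
    }

    protected override void OnStop()
    {
        if (host != null)
        {
            host.Close();
            host = null;
        }
    }

    public static void Main()
    {
        ServiceBase.Run(new WcfHostService());
    }
}
```

The ServiceAuthorizationBehavior block is the piece most often missed when the configuration is written by hand: without UseAspNetRoles and a role provider, the PrincipalPermission demand is evaluated against a Windows principal and fails for every membership user, and the imperative check would have to query the provider itself.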

Database Server

Configuration
Check: A SQL Server login is created for the WCF service's service account (process identity).

Check: The login is mapped to a database user for the WCF service.

Authentication
Check: SQL Server is configured to use Windows authentication.

Authorization
Check: The database user is placed in a database role for the WCF service.
More Info: SQL Server authorizes the role rather than the user login.

Check: Database permissions are granted to the database role.
More Info: Grant execute permissions only on the stored procedures the service needs.

Communication Security

Browser to Web Server
Check: SSL is used between the browser and the Web server to protect sensitive data on the wire.
More Info: A certificate must be installed on the Web site, and the virtual directory of the web application must be configured to require SSL.

App Server to Database
Check: IPSec or SSL can be used between the application server and the database server to protect sensitive data on the wire.

Contributors and Reviewers

External Contributors and Reviewers:

Microsoft Consulting Services and PSS Contributors and Reviewers:

Test team:
Rohit Sharma, Chaitanya Bijwe, Parameswaran Vaideeswaran.

Edit team:
Dennis Rea.

SEO team:
Rob Boucher.