CSLA authorization problem

Old forum URL: forums.lhotka.net/forums/t/10675.aspx


Direvius posted on Monday, September 12, 2011

Hello all!

We have a WCF server based on CSLA running on IIS and a Silverlight client for it. The client has to authenticate itself using Windows (NTLM/Negotiate) authorization procedure. I need a simple WCF client for testing purposes so I wrote one.

My client is able to authenticate on IIS with the provided credentials, but I get an exception from the CSLA framework:

"Attempted to perform an unauthorized operation."

...

   at System.Security.Principal.Win32.LsaOpenPolicy(String systemName, PolicyRights rights)

   at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids, Boolean& someFailed)

   at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)

   at System.Security.Principal.SecurityIdentifier.Translate(Type targetType)

   at Csla.Silverlight.Security.WindowsIdentity.PopulateWindowsIdentity()

   at HCFB.UFO.Infrastructure.UfoWindowsIdentity.DataPortal_Fetch()

   at lambda_method(Closure , Object , Object[] )

   at Csla.Reflection.MethodCaller.CallMethod(Object obj, DynamicMethodHandle methodHandle, Object[] parameters)

...

I also tried service invocation using SOAP UI and it works fine. The request bodies are the same when I use SOAP UI and the .NET client. All that differs is the NTLM headers of the HTTP message:

.NET Client (does NOT work):

-[NTLM Type1: Negotiation]------------------------------
Provider: NTLMSSP
Type: 1
OS Version: 6.1:7601
Flags: 0xe2188297
Unicode supported in security buffer.
OEM strings supported in security buffer.
Request server's authentication realm included in Type2 reply.
Sign (integrity)
NTLM authentication.
Negotiate Always Sign.
Negotiate NTLM2 Key.
Supports 56-bit encryption.
Supports 128-bit encryption.
Client will provide master key in Type 3 Session Key field.
Domain_Offset: 0; Domain_Length: 0; Domain_Length2: 0
Host_Offset: 0; Host_Length: 0; Host_Length2: 0
Host: 
Domain: 
------------------------------------
-[NTLM Type3: Authentication]------------------------------
Provider: NTLMSSP
Type: 3
OS Version: 6.1:7601
Flags: 0xe2988215
Unicode supported in security buffer.
Request server's authentication realm included in Type2 reply.
Sign (integrity)
NTLM authentication.
Negotiate Always Sign.
Negotiate NTLM2 Key.
Target Information block provided for use in calculation of the NTLMv2 response.
Supports 56-bit encryption.
Supports 128-bit encryption.
Client will provide master key in Type 3 Session Key field.
lmresp_Offset: 136; lmresp_Length: 24; lmresp_Length2: 24
ntresp_Offset: 160; ntresp_Length: 370; ntresp_Length2: 370
Domain_Offset: 88; Domain_Length: 6; Domain_Length2: 6
User_Offset: 94; User_Length: 16; User_Length2: 16
Host_Offset: 110; Host_Length: 26; Host_Length2: 26
msg_len: 530
Domain: std
User: VBazarov
Host: DIREVIUS-DELL
lm_resp: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
nt_resp: 87 71 9D 9C 6A CD 4B 20 8C 5F 63 1D C6 A8 9B 8B 01 01 00 00 00 00 00 00 8A 52 CB ED 52 71 CC 01 BE 49 32 D2 68 B5 FD FA 00 00 00 00 02 00 06 00 53 00 54 00 44 00 01 00 0E 00 4F 00 53 00 2D 00 30 00 31 00 37 00 31 00 04 00 22 00 73 00 74 00 64 00 2E 00 68 00 6F 00 6D 00 65 00 63 00 72 00 65 00 64 00 69 00 74 00 2E 00 72 00 75 00 03 00 32 00 4F 00 53 00 2D 00 30 00 31 00 37 00 31 00 2E 00 73 00 74 00 64 00 2E 00 68 00 6F 00 6D 00 65 00 63 00 72 00 65 00 64 00 69 00 74 00 2E 00 72 00 75 00 05 00 22 00 73 00 74 00 64 00 2E 00 68 00 6F 00 6D 00 65 00 63 00 72 00 65 00 64 00 69 00 74 00 2E 00 72 00 75 00 07 00 08 00 8A 52 CB ED 52 71 CC 01 06 00 04 00 02 00 00 00 08 00 30 00 30 00 00 00 00 00 00 00 01 00 00 00 00 20 00 00 10 21 18 D2 B5 89 8D 69 0F 02 80 E8 C1 48 B8 4C EC 8C 72 7F 73 3C 2A F6 5F A6 C5 8E 5A 7A B7 64 0A 00 10 00 BA A3 F8 63 17 5A 5D B3 6D E3 D8 6A 14 60 84 F4 09 00 3C 00 68 00 6F 00 73 00 74 00 2F 00 4F 00 53 00 2D 00 30 00 31 00 37 00 31 00 2E 00 73 00 74 00 64 00 2E 00 68 00 6F 00 6D 00 65 00 63 00 72 00 65 00 64 00 69 00 74 00 2E 00 72 00 75 00 00 00 00 00 00 00 00 00 00 00 00 00 
------------------------------------

SOAP UI (DOES work):

-[NTLM Type1: Negotiation]------------------------------
Provider: NTLMSSP
Type: 1
OS Version: 79.83:12333
Flags: 0x5206
OEM strings supported in security buffer.
Request server's authentication realm included in Type2 reply.
NTLM authentication.
Client workstation domain provided.  Server can determine if the client eligible for local authentication.
Server and client are same machine. Client may use local credentials rather than calculating challenge-response.
Domain_Offset: 57; Domain_Length: 3; Domain_Length2: 3
Host_Offset: 32; Host_Length: 25; Host_Length2: 25
Host: OS-0171.STD.HOMECREDIT.RU
Domain: STD
------------------------------------
-[NTLM Type3: Authentication]------------------------------
Provider: NTLMSSP
Type: 3
OS Version: 83.84:22084
Flags: 0x5206
OEM strings supported in security buffer.
Request server's authentication realm included in Type2 reply.
NTLM authentication.
Client workstation domain provided.  Server can determine if the client eligible for local authentication.
Server and client are same machine. Client may use local credentials rather than calculating challenge-response.
lmresp_Offset: 100; lmresp_Length: 24; lmresp_Length2: 24
ntresp_Offset: 124; ntresp_Length: 0; ntresp_Length2: 0
Domain_Offset: 64; Domain_Length: 3; Domain_Length2: 3
User_Offset: 67; User_Length: 8; User_Length2: 8
Host_Offset: 75; Host_Length: 25; Host_Length2: 25
msg_len: 124
Domain: 呓�
User: 䉖婁剁噏
Host: 协〭㜱⸱呓⹄佈䕍剃䑅呉刮�
lm_resp: 2B BF 43 D1 A9 B9 87 77 60 AA B5 AE 02 CA 39 BE 2E 17 6E C8 9B F9 72 8E 
nt_resp: empty
------------------------------------

The code of my client:

using System;
using System.Net;
using System.Net.Security;

// Test-only shortcut: accept any server certificate (TLS validation disabled)
ServicePointManager.ServerCertificateValidationCallback =
    new RemoteCertificateValidationCallback((o, cert, chain, error) => true);

WcfPortalClient client = new WcfPortalClient();
// Windows (NTLM/Negotiate) credentials presented to IIS
client.ClientCredentials.Windows.ClientCredential = new NetworkCredential("user", "password", "std");
client.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None;

// Build the CSLA (Silverlight host) data portal fetch request
Csla.Server.Hosts.Silverlight.CriteriaRequest critRequest = new Csla.Server.Hosts.Silverlight.CriteriaRequest();
critRequest.ClientContext = critRequest.GlobalContext = Convert.FromBase64String("QBhBcnJheU9mU2VyaWFsaXphdGlvbkluZm8IQW...");
critRequest.Principal = Convert.FromBase64String("QBhBcnJheU9mU2VyaWFsaXphdGlvbkluZm8IQW...");
critRequest.TypeName = "HCFB.UFO.Infrastructure.UfoWindowsIdentity, HCFB.UFO.Business, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null";

Csla.Server.Hosts.Silverlight.WcfResponse response = client.Fetch(critRequest);
logger.Error(response.ErrorData.Message);
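The flag words in the two dumps are easier to compare by name than by bit. The following Python decoder is an added example, not code from the post or from CSLA; the flag names follow MS-NLMP, and the label for bit 0x4000 ("local call") is taken from the dump tool's wording above, since the specification reserves that bit.

```python
# Added example, not code from the post. Flag names follow MS-NLMP 2.2.2.5;
# 0x4000 is reserved there, but the dump tool (and older docs) call it "local call".
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00001000: "OEM_DOMAIN_SUPPLIED",
    0x00004000: "NEGOTIATE_LOCAL_CALL",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",  # "NTLM2 Key" in the dumps
    0x00100000: "NEGOTIATE_IDENTIFY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}
KNOWN_MASK = sum(NTLM_FLAGS)
# Flag words exactly as printed in the post's dumps
DOTNET_TYPE1 = 0xE2188297
DOTNET_TYPE3 = 0xE2988215
SOAPUI_FLAGS = 0x5206        # same word in SOAP UI's Type 1 and Type 3

def decode_flags(word):
    """Return the set of flag names set in a 32-bit NEGOTIATE flags word."""
    names = {name for bit, name in NTLM_FLAGS.items() if word & bit}
    unknown = word & ~KNOWN_MASK          # bits this table does not name
    if unknown:
        names.add("UNKNOWN_0x%08x" % unknown)
    return names

def diff_flags(a, b):
    """Flags set only in a, and flags set only in b, as sorted lists."""
    fa, fb = decode_flags(a), decode_flags(b)
    return sorted(fa - fb), sorted(fb - fa)

def classify_type3(nt_len, lm_len):
    """Guess the response scheme from the Type 3 field lengths in the dumps."""
    if nt_len > 24:
        return "NTLMv2"        # NTProofStr + blob; the .NET client sent 370 bytes
    if nt_len == 24:
        return "NTLMv1"
    return "LM only" if lm_len == 24 else "no response"

if __name__ == "__main__":
    print(diff_flags(DOTNET_TYPE3, SOAPUI_FLAGS))
    print(classify_type3(370, 24), classify_type3(0, 24))   # .NET vs SOAP UI
```

Run as-is it lists the flags each client negotiated that the other did not, and shows that the .NET client answers with an NTLMv2 response (370-byte nt_resp) while SOAP UI sends only a 24-byte LM response with the local-call and OEM flags set.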

RockfordLhotka replied on Monday, September 12, 2011

You need to override Csla.DataPortalClient.WcfProxy to pass client credentials through WCF to the server. The default proxy assumes a pretty simple WCF connection to the data portal endpoint on the server.

This is discussed in some depth in the Using CSLA 4: Data Portal Configuration ebook available from http://store.lhotka.net.


Copyright (c) Marimer LLC