WcfProxy not passing credentials...or something

Old forum URL: forums.lhotka.net/forums/t/11260.aspx


lacota posted on Monday, March 26, 2012

I am running a web server on a DMZ and an APP server on an AD domain to support an N-Tier architecture using a remote dataportal. The DMZ is a stand-alone server without AD or DNS. There is an ISA server between the DMZ and the AD domain.

In my web app I have created a custom WcfProxy class as follows:

    using System.Net;
    using System.Security.Principal;
    using System.ServiceModel;

    public class WcfProxy : Csla.DataPortalClient.WcfProxy
    {
        protected override ChannelFactory<Csla.Server.Hosts.IWcfPortal> GetChannelFactory()
        {
            // Start from the factory CSLA builds from CslaDataPortalUrl and the binding config
            var channelFactory = base.GetChannelFactory();
            // Attach a fixed Windows account for the call to the app server
            channelFactory.Credentials.Windows.ClientCredential = new NetworkCredential("myAccount", "myPassword", "myDomain");
            channelFactory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
            return channelFactory;
        }
    }

And have referenced it in the web app:

    <add key="CslaDataPortalProxy" value="WebApp.WcfProxy, WebApp"/>
    <add key="CslaDataPortalUrl" value="http://192.168.1.11/WcfPortal.svc"/>

But when the web server calls the app server my firewall is rejecting the request because it is coming from anonymous.

The app server is set up with wsHttpBinding and when I call it directly from a browser it works fine. So it looks like the credentials are not being passed, but of course it could be something else.

Has anyone else tried this configuration? If so, any suggestions?

Thanks

JonnyBee replied on Monday, March 26, 2012

I assume that your application has WindowsAuthentication in IIS config?

In that case you cannot use NetworkCredential for Transport Security. You should read carefully Part II in

http://wcfsecurityguide.codeplex.com/

lacota replied on Monday, March 26, 2012

The application server authentication settings are set to anonymous and basic. The web server is anonymous and forms. The binding on the app server is as follows:

    <bindings>
      <wsHttpBinding>
        <binding name="wsHttpBinding_IWcfPortal" maxReceivedMessageSize="2147483647">
          <security mode="Transport">
          </security>
          <readerQuotas maxBytesPerRead="2147483647" maxArrayLength="2147483647" maxStringContentLength="2147483647" maxDepth="1024" />
        </binding>
      </wsHttpBinding>
    </bindings>

I've tried using WindowsAuthentication but same result. I looked through the samples but couldn't find an example of how to do this. I've read the wcfsecurityguide but it all seems in order. Of course I'm no expert so it is probably some small setting that I'm overlooking.

JonnyBee replied on Monday, March 26, 2012

To start with, you must specify which type of transport security to use: None, Basic, Ntlm, Windows, Certificate

Then make sure that the IIS is configured accordingly and that the client supplies the proper type of credentials.

Excerpt from WcfSecurityGuide:

"Transfer Security
In WCF the authentication options depends upon the transfer security mode being used. So first select the appropriate transfer security mode for your WCF application.

WCF offers two security modes: Transport and Message. If you are using transport security you cannot use Negotiate, Username or Kerberos direct authentication. If you are using message security you cannot use Basic or Digest authentication."

lacota replied on Tuesday, March 27, 2012

I am using Basic Transport security. My app server is set up with basic. My web server has both basic and forms. And my firewall listener is set for basic. I don't know where else I can set it.

JonnyBee replied on Tuesday, March 27, 2012

Use WcfConfigEditor. This will help you see the available settings.

Your configuration has TransportCredentialType set to None (the default value). Example for Ntlm is:

        <binding name="basic">
          <security mode="Transport">
            <transport clientCredentialType="Ntlm" />
          </security>
        </binding>
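To make JonnyBee's point concrete, here is an added client-side example (not code from the thread or from CSLA): the binding's transport clientCredentialType decides which ClientCredentials property WCF reads, so the client has to populate the matching one, and Transport mode needs an https address or the Basic header crosses the DMZ link in clear text. The https URL, the PortalClientFactory name and passing the account in as parameters are assumptions.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.ServiceModel;

// Builds a ChannelFactory whose binding and credentials agree with the
// server's <transport clientCredentialType="..."/> setting.
public static class PortalClientFactory
{
    // credentialType must be the same value configured on the app server binding.
    public static ChannelFactory<Csla.Server.Hosts.IWcfPortal> Create(
        HttpClientCredentialType credentialType, string user, string password, string domain)
    {
        // Transport security carries credentials in HTTP headers, so the
        // endpoint address is https (assumed host name, not from the thread).
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = credentialType;

        var factory = new ChannelFactory<Csla.Server.Hosts.IWcfPortal>(
            binding, new EndpointAddress("https://appserver.example.internal/WcfPortal.svc"));

        switch (credentialType)
        {
            case HttpClientCredentialType.Basic:
                // Basic is read from ClientCredentials.UserName; the Windows
                // credential is ignored for this type.
                factory.Credentials.UserName.UserName = domain + "\\" + user;
                factory.Credentials.UserName.Password = password;
                break;
            case HttpClientCredentialType.Ntlm:
            case HttpClientCredentialType.Windows:
                // Ntlm/Windows read ClientCredentials.Windows instead.
                factory.Credentials.Windows.ClientCredential =
                    new NetworkCredential(user, password, domain);
                factory.Credentials.Windows.AllowedImpersonationLevel =
                    TokenImpersonationLevel.Impersonation;
                break;
            default:
                // None sends no credential at all, which the firewall sees as anonymous.
                throw new ArgumentException("Unsupported transport credential type", "credentialType");
        }
        return factory;
    }
}
```

Keep the account and password out of source; load them from protected configuration and hand them to Create() at runtime.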

lacota replied on Tuesday, March 27, 2012

I tried Basic and Ntlm. Same result. I'm going to have to cut bait on this. I've spent a week at it and am no further than when I started. I really appreciate your efforts. When I get back to this in a few months I will put a split DNS server on the DMZ with AD trusts and use SSL. This was supposed to be a quick hack so we could get a demo up and running. It would be a great sample app as I am sure others are hosting their apps this way. Perhaps when (and if) I get mine working I'll send it to Rocky to include in his collection.

Thanks

Copyright (c) Marimer LLC