Hello all!
We have a WCF server based on CSLA running on IIS and a Silverlight client for it. The client has to authenticate itself using Windows (NTLM/Negotiate) authorization procedure. I need a simple WCF client for testing purposes so I wrote one.
My client is able to authenticate on IIS with the provided credentials, but I get an exception from the CSLA framework:
"Attempted to perform an unauthorized operation."
...
at System.Security.Principal.Win32.LsaOpenPolicy(String systemName, PolicyRights rights)
at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids, Boolean& someFailed)
at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)
at System.Security.Principal.SecurityIdentifier.Translate(Type targetType)
at Csla.Silverlight.Security.WindowsIdentity.PopulateWindowsIdentity()
at HCFB.UFO.Infrastructure.UfoWindowsIdentity.DataPortal_Fetch()
at lambda_method(Closure , Object , Object[] )
at Csla.Reflection.MethodCaller.CallMethod(Object obj, DynamicMethodHandle methodHandle, Object[] parameters)
...
I also tried service invocation using SOAP UI and it works fine. The request bodies are the same when I use SOAP UI and the .NET client. All that differs is the NTLM headers of the HTTP message:
-[NTLM Type1: Negotiation]------------------------------
Provider: NTLMSSP
Type: 1
OS Version: 6.1:7601
Flags: 0xe2188297
Unicode supported in security buffer.
OEM strings supported in security buffer.
Request server's authentication realm included in Type2 reply.
Sign (integrity)
NTLM authentication.
Negotiate Always Sign.
Negotiate NTLM2 Key.
Supports 56-bit encryption.
Supports 128-bit encryption.
Client will provide master key in Type 3 Session Key field.
Domain_Offset: 0; Domain_Length: 0; Domain_Length2: 0
Host_Offset: 0; Host_Length: 0; Host_Length2: 0
Host:
Domain:
------------------------------------
-[NTLM Type3: Authentication]------------------------------
Provider: NTLMSSP
Type: 3
OS Version: 6.1:7601
Flags: 0xe2988215
Unicode supported in security buffer.
Request server's authentication realm included in Type2 reply.
Sign (integrity)
NTLM authentication.
Negotiate Always Sign.
Negotiate NTLM2 Key.
Target Information block provided for use in calculation of the NTLMv2 response.
Supports 56-bit encryption.
Supports 128-bit encryption.
Client will provide master key in Type 3 Session Key field.
lmresp_Offset: 136; lmresp_Length: 24; lmresp_Length2: 24
ntresp_Offset: 160; ntresp_Length: 370; ntresp_Length2: 370
Domain_Offset: 88; Domain_Length: 6; Domain_Length2: 6
User_Offset: 94; User_Length: 16; User_Length2: 16
Host_Offset: 110; Host_Length: 26; Host_Length2: 26
msg_len: 530
Domain: std
User: VBazarov
Host: DIREVIUS-DELL
lm_resp: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
------------------------------------
You need to override Csla.DataPortalClient.WcfProxy to pass client credentials through WCF to the server. The default proxy assumes a pretty simple WCF connection to the data portal endpoint on the server.
This is discussed in some depth in the Using CSLA 4: Data Portal Configuration ebook available from http://store.lhotka.net.
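As an added illustration of that override (not code from the question, the reply, or the CSLA project), the sketch below assumes that CSLA 4's .NET WcfProxy exposes a virtual GetChannelFactory(), that the data portal endpoint's binding asks for Windows transport credentials, and that the proxy type is registered through the CslaDataPortalProxy app setting; the class name, namespace and environment variable names are hypothetical.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.ServiceModel;
using Csla.DataPortalClient;
using Csla.Server.Hosts;

namespace TestClient.DataPortal
{
    // Hypothetical proxy for a .NET test client. Assumed registration in app.config:
    //   <add key="CslaDataPortalProxy"
    //        value="TestClient.DataPortal.WindowsAuthWcfProxy, TestClient" />
    // The endpoint binding must request Windows credentials, e.g. for wsHttpBinding:
    //   <security mode="Transport"><transport clientCredentialType="Windows" /></security>
    public class WindowsAuthWcfProxy : WcfProxy
    {
        // Assumed to be virtual in CSLA 4's .NET WcfProxy; check the version in use.
        protected override ChannelFactory<IWcfPortal> GetChannelFactory()
        {
            var factory = base.GetChannelFactory();
            var windows = factory.Credentials.Windows;

            // Test-only: explicit credentials come from environment variables so that
            // nothing sensitive is hard-coded or committed. When the variables are
            // absent, WCF uses the current process identity (Negotiate/NTLM SSO).
            var user = Environment.GetEnvironmentVariable("UFO_TEST_USER");
            var pass = Environment.GetEnvironmentVariable("UFO_TEST_PASS");
            var domain = Environment.GetEnvironmentVariable("UFO_TEST_DOMAIN");
            if (!string.IsNullOrEmpty(user) && !string.IsNullOrEmpty(pass))
                windows.ClientCredential = new NetworkCredential(user, pass, domain);

            // WCF's default is Identification, which lets the server see who the
            // caller is but not act as them. Impersonation lets the server run the
            // data portal call under the caller's token for this hop only; do not
            // grant Delegation unless the server genuinely needs to forward the
            // caller's identity to another system.
            windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;

            return factory;
        }
    }
}
```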
Copyright (c) Marimer LLC