I am running a web server on a DMZ and an APP server on an AD domain to support an N-Tier architecture using a remote data portal. The DMZ is a stand-alone server without AD or DNS. There is an ISA server between the DMZ and AD domain.
In my web app I have created a custom WcfProxy class as follows:

using System.ServiceModel;

public class WcfProxy : Csla.DataPortalClient.WcfProxy
{
    protected override ChannelFactory<Csla.Server.Hosts.IWcfPortal> GetChannelFactory()
    {
        var channelFactory = base.GetChannelFactory();
        // Supply explicit Windows credentials for the call from the DMZ into the AD domain
        channelFactory.Credentials.Windows.ClientCredential = new System.Net.NetworkCredential("myAccount", "myPassword", "myDomain");
        channelFactory.Credentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;
        return channelFactory;
    }
}

And have referenced it in the web app:
<add key="CslaDataPortalProxy" value="WebApp.WcfProxy, WebApp"/>
<add key="CslaDataPortalUrl" value="http://192.168.1.11/WcfPortal.svc"/>
But when the web server calls the app server my firewall is rejecting the request because it is coming from anonymous.
The app server is set up with wsHttpBinding and when I call it directly from a browser it works fine. So it looks like the credentials are not being passed, but of course it could be something else.
Has anyone else tried this configuration? If so, any suggestions?
I assume that your application has WindowsAuthentication in IIS config?
In that case you cannot use NetworkCredential for Transport Security. You should read carefully Part II in
The application server authentication settings are set to anonymous and basic. The web server is anonymous and forms. The binding on the app server is as follows:
<binding name="wsHttpBinding_IWcfPortal" maxReceivedMessageSize="2147483647">
  <readerQuotas maxBytesPerRead="2147483647" maxArrayLength="2147483647" maxStringContentLength="2147483647" maxDepth="1024" />
</binding>
I've tried using WindowsAuthentication but same result. I looked through the samples but couldn't find an example of how to do this. I've read the wcfsecurityguide but it all seems in order. Of course I'm no expert so it is probably some small setting that I'm overlooking.
To start with, you must specify which type of transport security to use: None, Basic, Ntlm, Windows, Certificate
Then make sure that the IIS is configured accordingly and that the client supplies the proper type of credentials.
Excerpt from WcfSecurityGuide:
"In WCF the authentication options depend upon the transfer security mode being used. So first select the appropriate transfer security mode for your WCF application.
WCF offers two security modes: Transport and Message. If you are using transport security you cannot use Negotiate, Username or Kerberos direct authentication. If you are using message security you cannot use Basic or Digest authentication."
I am using Basic Transport security. My app server is set up with basic. My web server has both basic and forms. And my firewall listener is set for basic. I don't know where else I can set it.
Use WcfConfigEditor. This will help you see the available settings.
Your configuration has TransportCredentialType set to None (the default value). Example for Ntlm is:
<binding name="basic">
  <security mode="Transport">
    <transport clientCredentialType="Ntlm" />
  </security>
</binding>
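The same settings the two replies above describe (pick a transport security mode, set the clientCredentialType to match what IIS expects, then supply the matching kind of credential on the client) as an added C# example; this is not code from the thread or from CSLA. It builds the wsHttpBinding in code rather than in config, checks the binding against the endpoint before a call is made, and attaches the credential that the chosen credential type actually reads. The class name PortalClientConfig, the method names, the https URL and the account values are placeholders; IWcfPortal is the CSLA contract used in the thread.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.ServiceModel;

public static class PortalClientConfig
{
    // Code equivalent of the <binding> fragment above: Transport security
    // with the HTTP credential type IIS is configured for on the app server.
    public static WSHttpBinding BuildBinding(HttpClientCredentialType credentialType)
    {
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = credentialType;
        binding.MaxReceivedMessageSize = int.MaxValue;
        return binding;
    }

    // Returns the first mismatch found, or null when binding and endpoint agree.
    // wsHttpBinding in SecurityMode.Transport requires an https address; Basic
    // only base64-encodes the password, so TLS is what protects it on the wire.
    public static string Validate(WSHttpBinding binding, Uri endpoint)
    {
        if (binding.Security.Mode == SecurityMode.Transport
            && !string.Equals(endpoint.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
            return "Transport security requires an https endpoint; got " + endpoint.Scheme;

        if (binding.Security.Mode == SecurityMode.Transport
            && binding.Security.Transport.ClientCredentialType == HttpClientCredentialType.None)
            return "clientCredentialType is None (the default), so the call arrives as anonymous";

        return null;
    }

    // Attaches the credential that matches the credential type. Basic reads
    // ClientCredentials.UserName; Ntlm and Windows read ClientCredentials.Windows.
    // Setting only the Windows credential while IIS expects Basic leaves the
    // request anonymous, which is the symptom described at the top of the thread.
    public static ChannelFactory<Csla.Server.Hosts.IWcfPortal> CreateFactory(
        WSHttpBinding binding, Uri endpoint, string user, string password, string domain)
    {
        var problem = Validate(binding, endpoint);
        if (problem != null)
            throw new InvalidOperationException(problem);

        var factory = new ChannelFactory<Csla.Server.Hosts.IWcfPortal>(binding, new EndpointAddress(endpoint));

        switch (binding.Security.Transport.ClientCredentialType)
        {
            case HttpClientCredentialType.Basic:
                // IIS Basic authentication accepts the DOMAIN\user form for domain accounts.
                factory.Credentials.UserName.UserName = domain + "\\" + user;
                factory.Credentials.UserName.Password = password;
                break;
            case HttpClientCredentialType.Ntlm:
            case HttpClientCredentialType.Windows:
                factory.Credentials.Windows.ClientCredential = new NetworkCredential(user, password, domain);
                factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
                break;
            default:
                throw new InvalidOperationException(
                    "No client credential configured for " + binding.Security.Transport.ClientCredentialType);
        }
        return factory;
    }

    public static void Main()
    {
        // Placeholder endpoint and account; replace with the real app server values.
        var endpoint = new Uri("https://appserver.example/WcfPortal.svc");
        var binding = BuildBinding(HttpClientCredentialType.Basic);
        Console.WriteLine(Validate(binding, endpoint) ?? "binding and endpoint are consistent");

        var factory = CreateFactory(binding, endpoint, "myAccount", "myPassword", "myDomain");
        Console.WriteLine("Factory created for " + factory.Endpoint.Address.Uri);
    }
}
```

In the custom WcfProxy from the first post, the GetChannelFactory override could return CreateFactory(...) instead of patching the Windows credential onto the base factory. Two things the check makes visible for the setup in this thread: the CslaDataPortalUrl is plain http, which SecurityMode.Transport rejects on wsHttpBinding, and the web server's proxy sets a Windows credential while the app server is configured for Basic, so neither side sees a usable credential and the ISA server only ever sees an anonymous request.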
I tried Basic and Ntlm. Same result. I'm going to have to cut bait on this. I've spent a week at it and am no further than when I started. I really appreciate your efforts. When I get back to this in a few months I will put a split DNS server on the DMZ with AD trusts and use SSL. This was supposed to be a quick hack so we could get a demo up and running. It would be a great sample app as I am sure others are hosting their apps this way. Perhaps when (and if) I get mine working I'll send it to Rocky to include in his collection.