5
votes

We are developing a browser-based intranet application. All users have Active Directory accounts, so the obvious choice would be to use Integrated Windows Authentication. But there will be multiple users accessing the same client machine, so we decided to use forms-based authentication (but authenticated against AD).

In this scenario, what is the best way to authenticate between my ASP.NET application (IIS) and WCF services (another IIS 7 server)? I don't want to use ASP.NET compatibility mode or certificates.

I am thinking of creating another domain account to authenticate ASP.NET to WCF. I am also passing information about the current ASP.NET user to WCF as header info. Is this the right way to do it? The following code will be called from ASP.NET to access each service method.

    // Call the WCF service from the ASP.NET application using a dedicated domain account for each call.
    // The proxy has to exist before its credentials can be set.
    ServiceReference.HelloWorldClient proxy = new ServiceReference.HelloWorldClient();
    proxy.ClientCredentials.Windows.ClientCredential.Domain = "mydomain";
    proxy.ClientCredentials.Windows.ClientCredential.UserName = "new_domain_account";
    proxy.ClientCredentials.Windows.ClientCredential.Password = "password";

Is there any better way to authenticate to WCF from ASP.NET?

Thanks, Ash.


4 Answers

3
votes

There is nothing special about authenticating an ASP.NET app to a WCF service. All the normal auth options are available (username, X.509, Windows).

The interesting part here is that you want to pass the browser-based client's credentials as well. This is a known pattern called a trusted subsystem. And yes, you can pass these in the header as long as the message is protected (encrypted).
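As an added illustration of the trusted subsystem pattern (this is example code, not the question's code or this answer's), both halves are shown in C#: the ASP.NET side authenticates to the service with one service account over WS-HTTP message security, so the custom header is signed and encrypted along with the body, and the WCF side refuses to honour the end-user header unless the authenticated Windows identity is that service account. Without that second check any domain user who can reach the endpoint could forge the header. The generated proxy type `ServiceReference.HelloWorldClient` comes from the question; the operation name `SayHello`, the account `MYDOMAIN\svc_intranet`, the endpoint URL and the header name/namespace are assumptions.

```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Name and namespace of the custom SOAP header carrying the end-user name (assumed values).
public static class EndUserHeader
{
    public const string Name = "EndUser";
    public const string Namespace = "urn:example:intranet:trusted-subsystem";
}

// ---------- ASP.NET side (the trusted subsystem) ----------
public static class HelloWorldCaller
{
    // Assumed service account and endpoint; read these from protected configuration in practice.
    private const string Domain = "MYDOMAIN";
    private const string User = "svc_intranet";
    private const string Endpoint = "http://wcfhost/HelloWorld.svc";

    // endUserName is what forms authentication established, e.g. HttpContext.Current.User.Identity.Name.
    public static string CallAsEndUser(string endUserName, string serviceAccountPassword)
    {
        // Message security: the service account is authenticated with Windows (Kerberos/NTLM),
        // and SOAP headers and body are signed and encrypted, so the end-user header is protected.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        var proxy = new ServiceReference.HelloWorldClient(binding, new EndpointAddress(Endpoint));
        proxy.ClientCredentials.Windows.ClientCredential =
            new NetworkCredential(User, serviceAccountPassword, Domain);

        try
        {
            string result;
            // Scope the outgoing header to this one call.
            using (new OperationContextScope(proxy.InnerChannel))
            {
                OperationContext.Current.OutgoingMessageHeaders.Add(
                    MessageHeader.CreateHeader(EndUserHeader.Name, EndUserHeader.Namespace, endUserName));
                result = proxy.SayHello();
            }
            proxy.Close();
            return result;
        }
        catch
        {
            proxy.Abort();
            throw;
        }
    }
}

// ---------- WCF side ----------
[ServiceContract]
public interface IHelloWorld
{
    [OperationContract]
    string SayHello();
}

public class HelloWorldService : IHelloWorld
{
    // Only this Windows account may assert an end-user identity (assumed name).
    private const string TrustedAccount = @"MYDOMAIN\svc_intranet";

    public string SayHello()
    {
        // 1. Who actually authenticated at the message layer?
        var context = ServiceSecurityContext.Current;
        var caller = context == null ? null : context.WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated ||
            !string.Equals(caller.Name, TrustedAccount, StringComparison.OrdinalIgnoreCase))
        {
            throw new FaultException("Caller is not the trusted subsystem account.");
        }

        // 2. Only now is the asserted end user worth reading.
        MessageHeaders headers = OperationContext.Current.IncomingMessageHeaders;
        int index = headers.FindHeader(EndUserHeader.Name, EndUserHeader.Namespace);
        if (index < 0)
        {
            throw new FaultException("Missing end-user header.");
        }
        string endUser = headers.GetHeader<string>(index);

        // Authorize endUser here (group lookup against AD, etc.) before doing the real work.
        return "Hello, " + endUser;
    }
}
```

The same check applies if you use transport security (HTTPS with Windows client credentials) instead of message security: what protects the pattern is that the service binds the header to an authenticated caller identity it trusts, not the encryption alone. Comparing the caller's SID rather than its display name avoids surprises if the account is renamed.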

1
votes

This sounds like it's not a WCF problem but a problem with the browser transparently authenticating.

Try disabling Windows-integrated authentication in IIS for the ASP.NET app, and switching to either Basic or Digest authentication. Both of these will still authenticate against AD, but the browser will not transparently authenticate the logged-on user.

Then in your ASP.NET app, just have it use impersonation and pass whatever credentials IIS is aware of to the WCF service that you're calling.

1
votes

I don't know ASP.NET at ALL, but I have done some WCF, and I think what you need to do is to get the "form login" to then impersonate the user on the current thread, and then initiate the WCF connection to the other server. Take a look at this article on MSDN for a quick overview of some of this purely within WCF. I don't know how you'll integrate this into the ASP.NET side (like I said, I know zero about that technology), but conceptually I think this is what you'll have to do.
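The approach the previous two answers describe (impersonate the browser user, then call WCF) looks like this in C#; this is an added example, not code from either answer. It assumes the ASP.NET site has been switched to Basic authentication over HTTPS, so that `HttpContext.Current.User.Identity` is a `WindowsIdentity` backed by a token IIS created from the user's password and therefore usable for a second hop; with a forms-authenticated `GenericIdentity` there is no Windows token to impersonate, and with Integrated authentication and no Kerberos delegation the token cannot authenticate to the second server at all. `ServiceReference.HelloWorldClient` comes from the question; `SayHello`, `IHelloWorld` and the endpoint URL are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.Web;

[ServiceContract]
public interface IHelloWorld
{
    [OperationContract]
    string SayHello();
}

// ---------- ASP.NET side ----------
public static class PassThroughCaller
{
    private const string Endpoint = "http://wcfhost/HelloWorld.svc"; // assumed

    public static string CallAsCurrentUser()
    {
        // Basic authentication in IIS yields a WindowsIdentity with a logon token; anything else
        // (forms auth, anonymous) is rejected here rather than silently calling as the app pool.
        var user = HttpContext.Current.User.Identity as WindowsIdentity;
        if (user == null || !user.IsAuthenticated)
        {
            throw new InvalidOperationException("Request is not authenticated with a Windows identity.");
        }

        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        var proxy = new ServiceReference.HelloWorldClient(binding, new EndpointAddress(Endpoint));

        // Allow the service to impersonate us on its own box, but not to delegate further
        // (Delegation would let the service use our identity against yet another server).
        proxy.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;

        // No explicit ClientCredential is set, so WCF authenticates with the thread's current
        // Windows token, which is the browser user's while the impersonation context is open.
        using (WindowsImpersonationContext ctx = user.Impersonate())
        {
            try
            {
                string result = proxy.SayHello();
                proxy.Close();
                return result;
            }
            catch
            {
                proxy.Abort();
                throw;
            }
        }
    }
}

// ---------- WCF side ----------
public class HelloWorldService : IHelloWorld
{
    // Run the operation as the caller, so file shares, SQL Server, etc. see the real user,
    // and fail the call if the caller did not grant an impersonation-level token.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string SayHello()
    {
        // This is the browser user, not the application pool account.
        return "Hello, " + WindowsIdentity.GetCurrent().Name;
    }
}
```

The trade-off compared with a trusted subsystem account: the service gets the real user's identity and can rely on OS and database ACLs, but the web tier must handle every user's password (Basic auth sends it on each request, so TLS on the site is mandatory) and a compromised web server can act as any user who is currently logged in.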

0
votes

Umm... if you have AD and they log in with their credentials, it does not matter what machine they are on; just use AD. So what if they use the same machine?

In any case, Microsoft has a lot of information on this issue here:

http://wcfsecurity.codeplex.com/wikipage?title=Application%20Scenarios&referringTitle=Home

Check it out.