
WCF - Preventing Unauthorized Clients

I have a WCF service that I only want my applications to have access to. My applications consist of a traditional web interface that uses jQuery and a Silverlight interface. Neither of these interfaces requires the user to log in.

Is there a way that I can tell a WCF service to only allow clients that originated from my domain? If so, how?

Thank you!

Answer1:

Yes, of course you can - just require Windows credentials (i.e. an Active Directory account in your domain) from your callers.

Anyone not authenticated against your domain will be rejected.

You can do this by specifying either netTcpBinding with transport security (if everything is behind a corporate firewall), or wsHttpBinding with message security:

    <bindings>
      <netTcpBinding>
        <binding name="DomainUsersOnly">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </netTcpBinding>
      <wsHttpBinding>
        <binding name="HttpDomainUsersOnly">
          <security mode="Message">
            <message clientCredentialType="Windows" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>

Now, all you need to do is reference one of those binding configurations in your endpoints:

    <endpoint name="whatever"
              address="......"
              binding="netTcpBinding"
              bindingConfiguration="DomainUsersOnly"
              contract="IYourservice" />

and you should be good to go.
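The binding configuration above makes WCF reject any caller that cannot present Windows credentials, but it accepts every account in the domain. The following service implementation, added here as an example and not part of the original answer, narrows that to members of one domain group and fails closed if the security context is ever anonymous. The contract name `IYourservice` is taken from the answer; the group name `CONTOSO\WcfAppClients` and the `WhoAmI` operation are assumed for illustration.

```csharp
using System.Security.Permissions;
using System.ServiceModel;

// Contract name as used in the original answer's endpoint configuration.
[ServiceContract]
public interface IYourservice
{
    [OperationContract]
    string WhoAmI();
}

public class YourService : IYourservice
{
    // The binding (clientCredentialType="Windows") only proves the caller is
    // *some* domain principal. This demand restricts the operation to one
    // group (name assumed for the example; substitute your own).
    // principalPermissionMode="UseWindowsGroups" is WCF's default, so no
    // extra <serviceAuthorization> element is needed for the demand to work.
    [PrincipalPermission(SecurityAction.Demand, Role = @"CONTOSO\WcfAppClients")]
    public string WhoAmI()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;

        // Defensive check: with Windows credentials required this is never
        // anonymous, but fail closed if an endpoint is ever misconfigured
        // (e.g. someone adds a second endpoint with security mode="None").
        if (ctx == null || ctx.IsAnonymous || ctx.WindowsIdentity == null)
            throw new FaultException("Caller is not an authenticated domain account.");

        // Returns the authenticated account, e.g. "CONTOSO\alice".
        return ctx.WindowsIdentity.Name;
    }
}
```

A caller outside the group is rejected with a SecurityException (surfaced to the client as an access-denied fault) before the method body runs, so the group check costs nothing per operation beyond the Windows token lookup WCF already performs.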

Answer2:

If all of your legitimate users are supposed to be on your internal corporate LAN (on the same subnet), then you could lock it down by IP address using an approach like this. You could also clamp it down to several specific IP masks that way if you wanted to.

But if you want to allow legitimate users to hit it from anywhere, then this is not a good approach. Authentication would be better in that case.

Answer3:

You could add a security restriction in IIS to only allow calls from the domain to the webservice.

Answer4:

Unless you consider Windows auth (since requests are coming from your domain), the preferred way to do this would be at a different level, via firewalls. At that level, you can restrict incoming traffic to a known set of IP addresses. This will only go so far, since IPs can be spoofed, but this is an open service, so there you go. A better alternative would be both firewalls and Windows auth.

Alternatively, you could check client IP addresses in WCF by querying OperationContext.Current.IncomingMessageProperties.
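The in-service check mentioned above reads the peer address that WCF stores on the incoming message. The following helper is an added example, not code from the original answer: it pulls the address from `OperationContext.Current.IncomingMessageProperties`, matches it against a CIDR allow list, and rejects the call with a fault otherwise. The network ranges `10.20.0.0/16` and `192.168.5.0/24` are assumed values for illustration. Note that the address WCF records is the immediate TCP or HTTP peer, so behind a reverse proxy or load balancer it will be the proxy's address rather than the end client's.

```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;

public static class CallerAddressFilter
{
    // Client networks permitted to call the service. Assumed values for the
    // example; replace with the ranges your web front ends actually use.
    static readonly string[] AllowedCidrs = { "10.20.0.0/16", "192.168.5.0/24" };

    // Peer address WCF recorded for the current call, or null if unavailable.
    // RemoteEndpointMessageProperty exposes Address (string) and Port (int).
    public static IPAddress GetCallerAddress()
    {
        OperationContext ctx = OperationContext.Current;
        if (ctx == null) return null;

        var prop = ctx.IncomingMessageProperties[RemoteEndpointMessageProperty.Name]
                   as RemoteEndpointMessageProperty;
        IPAddress addr;
        if (prop == null || !IPAddress.TryParse(prop.Address, out addr)) return null;

        // On dual-stack hosts an IPv4 client may appear as ::ffff:a.b.c.d;
        // normalise so IPv4 allow-list entries still match (.NET 4.5+ API).
        if (addr.IsIPv4MappedToIPv6) addr = addr.MapToIPv4();
        return addr;
    }

    public static bool IsAllowed(IPAddress addr)
    {
        if (addr == null) return false;          // unknown peer: fail closed
        foreach (string cidr in AllowedCidrs)
            if (InNetwork(addr, cidr)) return true;
        return false;
    }

    // Prefix comparison on raw address bytes; works for IPv4 and IPv6.
    static bool InNetwork(IPAddress addr, string cidr)
    {
        string[] parts = cidr.Split('/');
        IPAddress net = IPAddress.Parse(parts[0]);
        int prefix = int.Parse(parts[1]);
        if (net.AddressFamily != addr.AddressFamily) return false;

        byte[] a = addr.GetAddressBytes();
        byte[] n = net.GetAddressBytes();
        for (int i = 0; i < a.Length; i++)
        {
            int bits = Math.Min(8, prefix - i * 8);   // prefix bits left in this byte
            if (bits <= 0) return true;                // all prefix bytes matched
            int mask = (0xFF << (8 - bits)) & 0xFF;
            if ((a[i] & mask) != (n[i] & mask)) return false;
        }
        return true;
    }

    // Call at the start of each operation; rejects disallowed peers with a
    // SOAP fault instead of silently returning data.
    public static void Demand()
    {
        IPAddress addr = GetCallerAddress();
        if (!IsAllowed(addr))
            throw new FaultException("Caller address " + addr + " is not permitted.");
    }
}

// Usage inside a service operation (service and contract names assumed):
// public string GetData() { CallerAddressFilter.Demand(); return "..."; }
```

Because this runs after the channel is already open, it only prevents the operation body from executing; it does not stop the connection itself the way a firewall or IIS IP restriction does, which is why the answer suggests combining it with those rather than relying on it alone.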
