Recipe4.2.2:(Intranet Security) TransportWithMessageCredential Security with UserName authen.

I: using basicHttpBinding.


About Me
·         TransportWithMessageCredential uses means message protection(Integrity, confidentiality) is provided at Transport level but client authentication is done at Message-level.
·         TransportWithMssageCredential allows Message-level authentication:
a)        UserName authentication with all validators (Windows, Membership and custom).
b)        Windows authentication both NTLM/Kerberos.
c)        Mutual Certificate authentication.
·         This Recipe4.2.1, uses UserName authentication with Windows Validator  and  UseWindowsGroups (or UseAspNetRoles ) Validator for authorization.

Security Criteria
Client 
Authentication
Windows Validator against AD/WG clients.
Service Authentication
By SSL certificate Validating at client-side.
Service Authorization / Impersonation
WindowsGroups Validator / AspNetRoles Validator with respective Ado.net providers
Message Protection
SSL /TLS (Transport Layer Security)
Transport / Binding
HTTP/ basicHttpBinding
Hosting / Interoperability
Self-Hosting  / WCF interoperable.
IIS authentication
None
ASP.NET configuration
None

Step 1: Enable SSL and configure IIS / Virtual directory.
·          SSL requires certificate to be location=localMachine and store=My (i.e, Personal).
·          SSL certificate can be created with(ChainTrust) or without RootCA(PeerTrust). Typically, SSL validated as ChainTrust. Hence, use certificate with RootCA
·         RootCA is nothing but a Certificate Authority that identifies all its issued certificates.

Step1.1: Create & install SSL certificate at respective location.

1: Create self-signed Root CA with private key.
sdkCmd> makecert -n "CN=RootCATest" -r -sv RootCATest.pvk RootCATest.cer

2: Install Root CA in Trusted Root CA folder at both (service/client) machines
OPEN MMC:  StartèRunèEnter MMCèFileèAdd/Remove Snap-in èAddè
                    Add Standalone Snap-inè CertificatesèAdd èComputer Account (available to all users).
IMPORT RootCA:  Right click on Trusted Root CA folderèAll TasksèImportèBrowse (path of .cer file)

3:  Create and install self-signed certificate for SSL as issued certificate.        
sqlCmd> makecert -sk yousufKey -iv RootCATest.pvk -n "CN=homepc-9c7a749d" -ic RootCATest.cer -sr localmachine -ss my -sky exchange -pe
Note: Don’t copy above command instead type with same switch order. Because characters replace “-“ è “–“   & " è
                  Machine name = homepc-9c7a749d (See MyComputerèPropertiesèComputerName tab)
Step1.2: Enable SSL over IIS.
ASSIGN SSL CERTIFICATE TO WEB-SITE(typically default Web-site):
StartèRunèInetMgr.msc; è Right click on default web-siteèProperties èDirectory Services
èSecure Communication è   Server Certificateè Next èAssign Exiting Certificate è www.MyDomain.Com

ENABLE SSL OVER Virtual.
Right click on Login file/site èpropertiesè Directory servicesèSecure Communication
èEdit è Require Secure Channel(SSL)
Step1.3: Enable anonymous Authentication over IIS
Right click on default web-site è properties èDirectory Services èAuthentication & Access Control è
Edit è Check in Enable Anonymous Access.
Step1.4: Reset IIS to update changes; Start èRun èReset iis

Step 2: Create WCF service with IIS hosting (Not in ASP.NET Development Server)
·         Create new Web-site in location=HTTP location with scheme= https;

Step 2.1. Create WCF Service:
VS è File è New Website è WCF Service è Location=HTTP; name= https://localhost/TransporCredentialOnlySecurity/
Step 2.2. Implement your Service:
[ServiceContract]
public interface IService
{
   [OperationContract]  string GetData1(int value);
   [OperationContract]  string GetData2(int value);
}

public class Service : IService
{
    public string GetData1(int value)  { return "GetData1:" + value.ToString(); }
    public string GetData2(int value)  { return "GetData2:" + value.ToString();}
}





Step 3: Configure WCF for SSL (and then Test)




Step4: Work with Validators & Providers for Windows Clients (Authentication/Authorization)
Step4.1: UserNameAuthenticationValidator
·         For username authentication against Windows clients, WCF provides predefined validator called Windows UserNamePasswordValidator.
·         Simply use it by configuring userNamePasswordValidationMode="Windows" (see Step5)

Step4.2: AuthorizationValidator
·         For username authorization use UseWindowsGroups or UseAspNetRoles" validator along with
ADO.NET Role provider either of:
a)       System.Web.Security.WindowsTokenRoleProvider / AuthorizationStoreRoleProvider for WorkGroup / ActiveDirectory Data Source respectively for role management.
        //OR //
b)       System.Web.Security.SqlRoleProvider if you want to work with SQL data source by explicitly assign roles in db.

(a) : Working with WindowsTokenRoleProvider / AuthorizationStoreRoleProvider (for WG/AD)
Enable Role Provider as follows:
<system.web>
<roleManager enabled="true" defaultProvider="MyWindowsTokenRoleProvider">
   <providers>
       <clear />
         <add name="MyWindowsTokenRoleProvider" applicationName="MyAppName"
type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
      </providers>
    </roleManager>
Note: Copy these settings form Machine.config.comments then paste and edit it.
//OR//
  (b): Working with SqlRoleProvider 
  Step-(b1): Create and Assign Roles to Windows Accounts.
//Create Role-provider database(default name=aspnetdb otherwise use –d switch)
     Sdkcmd> aspnet_regsql –S .\SQLExpress –E –A r       // - A r: Add only role-provider features; -E: Integrated Security.
// Open the database in Visual studio THEN
// Add new Role:
     Execute sp aspnet_CreateRole ‘MyApplicationName’, ‘Managers’ // name should be as in Providers.
// Assign user to role:
     Execute sp aspnet-UsersInRoles_AddUsersToRoles ‘MyAppName’, “HOMEPC-9C7A749D\nayeem’



Step5: Configure the Service behavior to use Validators for authentication and authorization.
<behaviors/serviceBehaviors>
        <behavior name="ServiceBehavior">
              <serviceCredentials>
                                                      <userNameAuthentication userNamePasswordValidationMode="Windows"
                                                                       cacheLogonTokens="true"
                                                                       cachedLogonTokenLifetime="00:01:00"
                                                                       maxCachedLogonTokens="10"/>
               </serviceCredentials>
               <serviceAuthorization principalPermissionMode="UseWindowsGroups"
                                                    roleProviderName="MyWindowsTokenRoleProvider" />
            
                       <serviceMetadata httpGetEnabled="false" httpsGetEnabled="True"/>
</behavior>

Step6: Implement the Client Application and Test Service with valid/invalid credentials
·         Solution explorer èRight Click è Add new Website è”WCFTestClient”.
·         Add service reference; https:// homepc-9c7a749d/TransportWithMessageSecurity/; instead localhost use server name.

protected void Page_Load(object sender, EventArgs e)
{
        var proxy = new ServiceReference1.ServiceClient();
        //Provide windows credentials
        proxy.ClientCredentials.UserName.UserName = "nayeem";
        proxy.ClientCredentials.UserName.Password = "pass123";
        Response.Output.Write("{0}",proxy.GetData1(123));
        Response.Output.Write("{0}",proxy.GetData2(123));
        proxy.Close();
}
          Note(1)    While adding service reference; no need to enter client credentials. But while consuming service over proxy
                         credentials needed.
(2)      No need of configuring as it is required only for Message level security not for Transport security.
(3)      No need of certificate validation neither programmatically nor declaratively  e.g., / . or handing System.Net.ServicePointManager.ServerCertificateValidationCallback event

Step7: Grant permissions on service operations with respective privileges to clients/roles.(See Recipe4.2.1)
Use [PrincipalPermission(SecurityAction.Demand, Role="Admin")] over Operation contract interface  //OR //
if(!System.Threading.Thread.currentPrincipal.IsUnerInRole("Admin"))
        throw new SecurityTokenValidationException("not Authorized" );

Rebuild Service and execute host application. Execute client application.


II: using wsHttpBinding.


About Me
·         TransportWithMessageCredential uses  means message protection(Integrity, confidentiality) is provided at Transport level but client authentication is done at Message-level.
·         TransportWithMssageCredential allows Message-level authentication:
Ø       UserName authentication with all validators (Windows, Membership and custom).
Ø       Windows authentication both NTLM/Kerberos.
Ø       Mutual Certificate authentication.
·         This variation Recipe is same as Recipe 4.3.1, but uses wsHttpBinding instead of basicHttpBinding.

·         wsHttpbinding needs some additional requirements when working with TransportWithMessageCredential / Transport security.
1)       You must have to configure http port with ssl certificate.
2)       You must validate the ssl certificate at client by handling
        System.Net.ServicePointManager.ServerCertificateValidationCallback event.
Note: These are 2 additional configurations are not required when binding is either basicHttpBinding / netTcpBinding.

Step 1: Configure http port with ssl certificate.
  • SSL configuration are required for WsHttpBinding + transport security+[Username authentication | certificate authentication]
1.1: Get SSL certificate hash
§         StartèRunèenter MMCèFileèAdd/Remove snap-inèAddèCertificateèComputerAccountèFinish
§         Open Personal certificate folder è Open installed ssl certificate.
§         Copy thumbprint i.e, (certificate Hash) to a Text file è Remove spaces è again copy it.(use it in next step)
1.2:  Configure HTTP for HTTPS
§         Use utility httpcfg.exe (for Win2k3/Xp) / netsh.exe (vista/Win2k8).
§         These utilities are available as ServicePack support tools; and needs to be download explicitly.
For Win 2003 Server / XP
(a)      To bind SSL certificate to a HTTP port number.
httpcfg set ssl -i 0.0.0.0:8005 -h 0000000000003ed9cd0c315bbb6dc1c08da5e6
(b)      To view/determine bind certificate when HTTP port.
httpcfg query ssl  //or//
httpcfg query ssl>myMachinePorts.txt
(c)      To delete SSL certificate form a port number
httpcfg delete ssl -i 0.0.0.0:8005 -h 0000000000003ed9cd0c315bbb6dc1c08da5e6

For Win 2008 Server / Vista
(a)      To bind SSL certificate to a HTTP port number.
netsh http add sslcert ipport=0.0.0.0:8005 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 

appid={00112233-4455-6677-8899-AABBCCDDEEFF} 
Note: To generate appid ( VS èTools ècreate GUID èSelect registry format è Copy èExit.
(b)      To view/determine bind certificate when HTTP port.
netsh http show sslcert
(c)      To delete SSL certificate form a port number
netsh http delete sslcert ipport=0.0.0.0:8005
 

Step 2: Change binding(basicHttpBindingèWsHttpBinding) at and elements.
2.1: <endpoint address="https://localhost:8005/service" binding="wsHttpBinding" contract="IService" bindingConfiguration="wsEndpointBinding">

2.2:   <bindings>/HttpBinding><binding name="basicEndpointBinding">
          <security mode="TransportWithMessageCredential">
                        <transport clientCredentialType="None"/>
                        <message clientCredentialType="UserName"/>
          </security>     
Step 3: Validate the ssl certificate at client side while consuming service:
using System.Security.Cryptography.X509Certificates;  using System.Net;  using System.Net.Security;
public partial class _Default : System.Web.UI.Page
{
        protected void Page_Load(object sender, EventArgs e)
        {
        ServicePointManager.ServerCertificateValidationCallback +=
                                    new System.Net.Security.RemoteCertificateValidationCallback(CertificateNoCheckHandler);
        var proxy = new ServiceReference1.ServiceClient();
        proxy.ClientCredentials.UserName.UserName = "user1";
        proxy.ClientCredentials.UserName.Password = "password#1";
        Response.Output.Write("{0}",proxy.GetData1(123));
        Response.Output.Write("{0}",proxy.GetData2(123));
        proxy.Close();
        }
     public static bool CertificateNoCheckHandler(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {  return true;  }
}

25 comments:


  1. It is very good blog and useful for students and developer ,Thanks for sharing
    .Net Online Training
    Dot Net Online Training Bangalore
    .Net Online Course

    ReplyDelete

  2. It is very good blog and useful for students and developer ,Thanks for sharing
    .Net Online Training
    Dot Net Online Training Bangalore
    .Net Online Course

    ReplyDelete
  3. Really great post, I simply unearthed your site and needed to say that I have truly appreciated perusing your blog entries. I want to say thanks for great sharing.

    Data Science training in Chennai
    Data science training in Bangalore
    Data science training in pune
    Data science online training
    Data Science Interview questions and answers
    Data science training in bangalore

    ReplyDelete
  4. Nice blog,I understood the topic very clearly,And want to study more like this.
    Data Scientist Course

    ReplyDelete
  5. Attend The Data Science Courses Bangalore From ExcelR. Practical Data Science Courses Bangalore Sessions With Assured Placement Support From Experienced Faculty. ExcelR Offers The Data Science Courses Bangalore.
    Data Science Courses Bangalore

    ReplyDelete
  6. Awesome blog. I enjoyed reading your articles. This is truly a great read for me. I have bookmarked it and I am looking forward to reading new articles. Keep up the good work!

    Data Science Training In Chennai

    Data Science Online Training In Chennai

    Data Science Training In Bangalore

    Data Science Training In Hyderabad

    Data Science Training In Coimbatore

    Data Science Training

    Data Science Online Training

    ReplyDelete
  7. Very nice blogs!!! i have to learning for lot of information for this sites…Sharing for wonderful information.Thanks for sharing this valuable information to our vision. You have posted a trust worthy blog keep sharing, data sciecne course in hyderabad

    ReplyDelete
  8. Really nice and interesting post. I was looking for this kind of information and enjoyed reading this one. Keep posting. Thanks for sharing.Best data science courses in hyerabad

    ReplyDelete
  9. Attend The Data Analyst Course From ExcelR. Practical Data Analyst Course Sessions With Assured Placement Support From Experienced Faculty. ExcelR Offers The Data Analyst Course.
    Data Analyst Course

    ReplyDelete
  10. Thanks for posting the best information and the blog is very helpful.Data science course in Faridabad

    ReplyDelete
  11. A good blog always comes-up with new and exciting information and while reading I have feel that this blog is really have all those quality that qualify a blog to be a one.
    digital marketing courses in hyderabad with placement

    ReplyDelete
  12. I am a new user of this site, so here I saw several articles and posts published on this site, I am more interested in some of them, will provide more information on these topics in future articles.
    data science course in london

    ReplyDelete
  13. I can see that you are an expert at your field! I am launching a website soon, and your information will be very useful for me.. Thanks for all your help and wishing you all the success in your business.
    data scientist course in hyderabad

    ReplyDelete
  14. Very awesome post! I like that and very interesting content.
    pega testing online training
    pega testing course

    ReplyDelete
  15. I am truly getting a charge out of perusing your elegantly composed articles. It would seem that you burn through a ton of energy and time on your blog. I have bookmarked it and I am anticipating perusing new articles. Keep doing awesome.machine learning course in gurgaon

    ReplyDelete
  16. Nice blog and absolutely outstanding. You can do something much better but i still say this perfect.Keep trying for the best.
    data science classes in hyderabad

    ReplyDelete
  17. Awesome blog. I enjoyed reading your articles. This is truly a great read for me. I have bookmarked it and I am looking forward to reading new articles. Keep up the good work!data analytics course in bhubaneswar

    ReplyDelete
  18. Your post is very great. I read this post. It’s very helpful. I will definitely go ahead and take advantage of this. You absolutely have wonderful stories. Cheers for sharing with us your blog. For more learning about data science visit at data science course in Bangalore

    ReplyDelete
  19. We are really grateful for your blog post. You will find a lot of approaches after visiting your post. Great work
    full stack web development course in malaysia

    ReplyDelete
  20. Great very helpful blog. Thanks For Sharing Such A Wonderful Blog. I will definitely go ahead and take advantage of this. Your Blog Is Very Informative. Again Thanks For Sharing This Blogs With Us. For more learning go through Skillslash.
    For Data Science Course Data Science Course In Bangalore

    ReplyDelete
  21. I want to leave a little comment to support and wish you the best of luck.we wish you the best of luck in all your blogging enedevors
    data science course in trivandrum

    ReplyDelete
  22. This is a really very nice post you shared, i like the post, thanks for sharing..
    data scientist course

    ReplyDelete
  23. Pretty good post. I just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog posts. Any way I’ll be subscribing to your feed and I hope you post again soon. data science certification course in chennai

    ReplyDelete