Pockect PC WCF implement Windows authentication - wcf-security

I need to implement windows authentication on a windows Pocket PC 5.0 when connecting to the WCF service. Is it possible to let the user enter their credentials which can then be passed to the WCF service for it to authenticate against?
I realize that pocket PC applications do not have an app.config where impersonation details can be put in

Figured this out. Had to change the security type in the WCF to Windows (from NTLM)
In the pocket pc application, I had to specify the service URL and create a network credential passing in the user details.
Works now :)
proxy.Url = "http://sds-ws65/MicrosoftDynamicsAXAif50/table1service.svc";
proxy.Credentials = new System.Net.NetworkCredential("username", "password", "domain");

Related

ASP.NET Windows Authentication using server-local accounts?

I'm trying to set up an ASP.NET application to use Windows Authentication.
But the IIS server is not part of a domain, it is a sole server hosted in our Rackspace account.
I'd like to have the Windows Authentication module validate against the list of local Windows users on the IIS server. Is this possible?
Anonymous Authentication is off
Basic Authentication is off
Windows Authentication is on
But when I enter credentials for a local machine account as
machinename\user
password
it doesn't seem to work. It just prompts me again.
Is possible make a local machine validation, like this:
var bool valid = false;
using (var context = new PrincipalContext(ContextType.Machine))
{
valid = context.ValidateCredentials(username, password);
}
It appears that you can use local accounts, but I'm getting some kind of server error when the account tries to authenticate.
Once I found the error in the event logs, and got the status code, I was able to track it down, and find this answer, which worked exactly!

SignalR - get prompted for username and password on connect

I've got a self-hosted SignalR server which has IntegratedWindowsAuthentication turned on.
During the negotiate phase of the connection (from Chrome) the browser throws up a username/password prompt. If I click Sign In without filling in any details then it connects me to the hub as ANONYMOUS LOGON.
How can I configure things so that my Windows identity is seamlessly passed through so the hub knows who am I and that the browser doesn't prompt me?
This is a non-Core implementation of the SignalR server.
Thanks!
On your Main method try this:
connection.Credentials = CredentialCache.DefaultCredentials;
Read more about this here.

WCF Service User Identification

I am creating a .NET 4.5 WCF web service for deployment on Windows Server 2008 running IIS 7.0. I want my web service to identify the users who access the service by authenticating a Kerberos token string that is passed through the web service. I can't use Integrated Windows Authentication (some of my clients are using Linux machines) so, I must pass the token string. Does anyone know how I can do the following:
Generate a Kerberos token string in C# .NET 4.5 based a users current identity.
Validate a Kerberos token string in C# .NET 4.5 and get the associate username.
Thanks!
You could maybe expose the service with two bindings, one for Windows-users with Windows-authentication and one for others using user name authentication. Is it an intranet or internet scanario? How are the Linux users identified?

SQL Server Integrated Authentication Mode

I was wondering when using Windows Authentication mode in a connection string from a web application. Application itself is using Windows Authentication for authorization. Which account will be used to login to SQL Server.
Is't the web application pool account?
User account who logged in to web application using windows auth?
Any other account?
Application is running under Win Ser 2008 64 bit and IIS 7. Application pool account is Network Service.
It depends on how you configure it. From http://msdn.microsoft.com/en-us/library/ms998292.aspx and http://msdn.microsoft.com/en-us/library/bsz5788z.aspx ...
ASP.NET applications do not impersonate by default. As a result, when they use Windows authentication to connect to SQL Server, they use the Web application's process identity. With this approach, your front-end Web application authenticates and authorizes its users and then uses a trusted identity to access the database. The database trusts the application's identity and trusts the application to properly authenticate and authorize callers. This approach is referred to as the trusted subsystem model.
The alternative model referred to as the impersonation/delegation model uses the original caller's Windows identity to access the database. This approach requires that your ASP.NET application is configured to use impersonation. See the section "Impersonation / Delegation vs. Trusted Subsystem" in this document.
So depending on how you have configured it, it could use either the app pool account (not when not using impersonation) or the account of the logged-in user that is using the web application (when using impersonation).
See http://msdn.microsoft.com/en-us/library/134ec8tc.aspx for impersonation information.
It's the application pool user who connects to the database, if you specified Integrated Security in your connection string.
The problem that i was having was that my application pool account in SQL Server needed to be set to the db_owner role before it worked. I spent a long time trying to figure this out.
I was using Windows Authentication, Windows 7 home premium, and IIS all on the same computer. I'm posting this in case someone else run into a similar problem. The book i used did not say to use db_owner but the reader and writer accounts instead.

End-to-end kerberos delegated authentication in ASP.NET

I'm trying to setup an internal website that will contact another backend service within the network on behalf of the user using a HttpWebRequest.
I have to use Integrated Windows Authentication on the ASP.NET application as the backend system only supports this type of authentication.
I'm able to setup IWA on the ASP.NET application, and it's using kerberos as I expect it to. However when the authentication is delegated to the backend system it doesn't work anymore. This is because the backend system only supports kerberos IWA, but the delegation for some reason - even though the incoming request is kerberos authenticated - converts the authentication to NTLM before forwaring to the backend system.
Does anybody know what I need to do on the ASP.NET application in order to allow it to forward the identity using kerberos?
I've tried the following but it doesn't seem to work
CredentialCache credentialCache = new CredentialCache();
credentialCache.Add(request.RequestUri, "Negotiate", CredentialCache.DefaultCredentials.GetCredential(request.RequestUri, "Kerberos"));
request.Credentials = credentialCache;
I've also tried to set "Kerberos" where it now says "Negotiate", but it doesn't seem to do much.
In your application, you only need to use DefaultCredentials:
request.UseDefaultCredentials = true;
However, there is some work to do on Active Directory:
Set up a SPN on your application pool account for your front end application
Set up a SPN on your application pool account for your back end application
Set up delegation from the first application pool to the second SPN

Resources