Impersonate FormsAuthenticated user in HttpHandler for WCF call - asp.net

I'm using HttpHandlers to generate PDF report files "on-the-fly" using the authenticated user context.
However, to create the report PDF file I need to call a method on a secure WCF service with the context of the caller (the authenticated user).
I saw plenty of answers for the Windows authentication but I'm using plain old Forms authentication so the answers don't apply.
The authentication on the service side is done using ASP.NET membership (same server that hosts the HttpHandler).
There should (I hope) be a way for me to just pass on the caller context to the service.
I'm afraid I didn't make myself clear enough.
What I have is a WCF service and an HttpHandler. The user is authenticated with the WCF service with ASP membership.
What I want to do is, in the HttpHandler, be able to do
SetContextAsCaller();
myWCFService.MyMethodCall();
and have MyMethodCall() called using the HttpCaller's context to pass on its ASP ticket/username etc.

You could - depending on what binding and thus transport protocol you use - use UserName/Passwort authentication, and instruct the WCF server side to use ASP.NET membership provider for authenticating the incoming callers.
Check out the Fundamentals of WCF Security and this blog post series on WCF security scenarios - they contain a lot of very useful information on how to use and set up WCF security.
Does that help, or do you need additional info? If so: what do you need?
Marc
UPDATE:
OK, after you commented, here are a few more articles that deal specifically with a WCF service impersonating the caller - hope these help:
WCF security guidance - How To Impersonate the original caller
Delegation and Impersonation with WCF
Setting up WCF to Impersonate Client credentials
Caller impersonation for WCF services

Related

WCF/ASP.NET Authentication

My scenario is a 3-Tier app where the data tier is a SQL Server database, the middle tier is a WCF application hosted in a Windows Service and finally the presentation is an Asp.Net MVC application.
As usual, the middle tier is the one that performs all of the business logic. Access database, define business rules.. etc.
Okay, so far so good! BUT now here's question: How do you handle security in such a scenario? I mean, the user has to log in on the ASP.NET application, but I want to authenticate it not only in ASP but in the WCF middle tier as well, since a WCF service is supposed to be accessed by more apps.
I want the user to log in on the Asp.Net application and let WCF know the credentials as well. Is there some kind of session in WCF in which to specify a logged in user?
How do pros handle security in this case? I know you can secure the WCF services with message security, but how do Asp.Net and WCF sync on a single logged user? I want to secure WCF operations depending on the user for authorization means.
I would suggest looking into using an approach like HMAC (Hash Message Authentication Code) for your security, or a similar token-based approach. The idea would be to sign your requests to your WCF layer which can be used to authenticate the request and identify the user making the request.
The essential elements would be a token and a shared secret of some sort used for signing each request. The token would allow you to identify the user on the WCF end, and lookup the shared secret to verify the request. You can also added timestamps / nonces to prevent replay attacks and such.
I've used this approach for some REST services built on WCF - with the added benefit that clients do not need to store usernames and passwords, just the security tokens used for communication. In your case you'll need to sort out how to exchange the tokens between the ASP.NET layer and the WCF layer, but it would provide you a unified authentication method for any consumer of your WCF services.
Have look here for UserName Password authentication.
ASP.NET Web Site + Windows Forms App + WCF Service: Client Credentials //for insights

Impersonate user in WCF from multiple callers

I'm using WCF services ensuring that UserName/Password must be provided for each request. I need use same service from many clients, but I need impersonate the call to access the appropriate resources for each client. When I call the service directly from the client there is no problem, because I use for each client a pair UserName/Password defined in theirs web.config. The problem came when I need to call a second Web service from a call to the first-one using the same identity. This second Web service requires UserName/Password, but I only know who is the caller (UserName) but not the password.
How I can impersonate this second call without knowing the password for the corresponding username?
EDIT: The app (Web App and Services) is running in a shared hosting environment where I can't use Windows Authentication to configure Kerberos for Delegation. I have defined a UserNameValidator to process on each call the pair UserName/Password against a custom SQLServer database. Moreover, the intended customers of this app will use it from Internet, without requiring a windows account, that is because I need a more flexible, SQL-based, authentication schema.
You need to look at using Kerberos to handle the passing of authentication onwards to other services from your first WCF service.
Have you taken a look at the declarative security options? The linked article by Juval Lowy includes an internet application scenario as well.

Need recommendations and help with ASP.NET + WCF + Security

i'd like to recieve comments on the way i'm trying to build an asp.net web application which uses a WCF service that is hosted in another asp.net application. Both applications will live on the same machine, but the app with the WCF service will not be accessible from the outside. there will be two web servers sharing the load behind a load balancer.
The app pool of both applications will use the same local user account (web server is not part of a domain) and so i was thinking to use WsHttpBinding with windows security for communication between client and internal wcf service.
The fron-end asp.net app uses forms authentication through a custom membership/role provider to athenticate and authorize users. The user database is in a sql server database.
i need to somehow pass to the wcf service the user details (username + roles) so that in the wcf it will be possible to validate and authorize according to the roles of who is logged in the front-end. I read i need to use "support tokens", but i haven't figured out how to use this.
I read also something about claims and WIF, which seems interesting but have no idea how i could use these in my scenario.
is there anyone who can give me recommendations about the architecture and maybe also show me how to pass the username to the wcf service and also show me if possible to use claims based authorization?
First of all, if both servers are behind the corporate firewall on a corporate LAN, I would strongly suggest using netTcpBinding instead of any http based binding. NetTcpBinding is much faster due to encoding the message in a binary format.
As for username / password: your ASP.NET front-end server could set the client credentials for the user calling for the WCF service - after all, the ASP.NET servers do have access to the ASP.NET membership database, don't they?
Or if you cannot pass on the user's credentials, you could pass on some headers to your WCF service that would describe the user - actually, you probably only ever need the user's unique ID - since the WCF service could fish out the rest of the info from the ASP.NET user database again, if really needed.
As for claims - I don't think they'd be a good idea here - you don't really have to deal with a multitude of different authorization schemes, and you're not using any federation (e.g. allowing users from a different company or domain to use your services) - so those obvious benefits probably won't really be applicable to your case.

Calling a WCF from ASP.NET with same the single-signon user LogonUserIdentity

I have a ASP.NET MVC page, which call WCF logic.
The system is single-signon using NTML.
Both the ASP page and the WCF will use the UserIdentity to get user login information.
Other then NTML, I will also have a Form based authorization (with AD) in same system.
The ASP page, is it simple and I can have it from HttpContext.Current.Request.LogonUserIdentity.
However, it seem it is missing from the WCF which call by the ASP, not from browser.
How to configure to pass the ID pass from the ASP to the WCF?
It sounds to me like you need to perform 'Impersonation' of the original user which will allow you to pass on the original caller's identity to the WCF service.
See this guide: Impersonation and Delegation in WCF
Although you have configured ASP.NET to authenticate your callers via NTLM, the worker process is still running with a machine identity (depending on your configuration in IIS). You would need to explicitly impersonate the caller by having the process adopt the callers identity, perhaps just temporarily.
UPDATE: see also Delegation - WCF Gotcha #2
If you want to avoid impersonation anothe option is to use the IdentityModel and a WindowsClaimSet

WCF Service - ASP.net hosting - single sign on, how to pass credentials

My scenario is this - I have two ASP.net websites. Both sites run on the same machine and I have implemented single sign on relatively simply using the default asp.net membership provider (Forms based authentication).
I have a new WCF service on one site, which will be called from the other site. A user will be logged into the site, but the call to the service will be made from the codebehind following a postback.
Can somebody point me in the right direction so that I can pass through the Forms based credentials of the logged in user to the WCF service on the other site? Presently it's passing the NETWORKSERVICE windows credentials.
Check out the WCF Security Guidance on CodePlex, and most notably:
How To – Use Username Authentication with the SQL Server Membership Provider and Message Security in WCF from Windows Forms
It shows quite nicely, step by step, what config you need on the server to make your WCF service use message security with user authentication against an ASP.NET membership store.
Also check out the article Fundamentals of WCF Security - page 3 shows the options about authentication and authorization - quite informative as well!
Hope this helps!
Sounds like you're after Impersonation, which would allow you to pass on the original caller's identity to the second service call.
See the CodePlex Link - Impersonation in WCF

Resources