I want to enable Windows authentication for my existing WCF web service, as follows:
Pre-Requisite:
The WCF service application is already deployed in IIS.
1. Wcf Service Application
1.1 web.config
The following changes need to be made to enable Windows authentication for the WCF service application:
Configure the basicHttpBinding:
In the web.config file, under the <configuration><system.serviceModel> section, add your basicHttpBinding:
<bindings>
  <basicHttpBinding>
    <binding name="BasicHttpEndpointBinding">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Windows" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
This binding name must be referenced by the service endpoint's bindingConfiguration attribute.
Configure the service endpoint:
In the web.config file, under the <configuration><system.serviceModel><services><service> section, add your endpoint configuration:
<endpoint address="" binding="basicHttpBinding" contract="Service.AppService" bindingNamespace="http://example.edu/Service/" bindingConfiguration="BasicHttpEndpointBinding" />
The bindingConfiguration attribute is the part to change: its value must match the binding name defined above.
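An added check, not part of the original post, that reads web.config and confirms every basicHttpBinding endpoint points at a binding that actually requires Windows credentials (a mismatched name or a missing bindingConfiguration silently falls back to the anonymous default binding). The web.config path is an assumption; pass your own.

```powershell
# Added example (not from the original post). Assumes the web.config path below.
param([string]$WebConfig = 'C:\inetpub\wwwroot\WcfApp\web.config')  # assumed path

[xml]$cfg = Get-Content -Path $WebConfig
$model  = $cfg.configuration.'system.serviceModel'
$errors = @()

foreach ($ep in $model.services.service.endpoint) {
    if ($ep.binding -ne 'basicHttpBinding') { continue }
    $name = $ep.bindingConfiguration
    if (-not $name) {
        # No bindingConfiguration means the default basicHttpBinding: no security, anonymous callers.
        $errors += "endpoint for contract '$($ep.contract)' has no bindingConfiguration"
        continue
    }
    $b = $model.bindings.basicHttpBinding.binding | Where-Object { $_.name -eq $name }
    if (-not $b) { $errors += "endpoint references binding '$name', which is not defined"; continue }
    $mode = $b.security.mode
    $cred = $b.security.transport.clientCredentialType
    if ($mode -notin 'TransportCredentialOnly', 'Transport') {
        $errors += "binding '$name': security mode is '$mode', not a transport mode"
    }
    if ($cred -ne 'Windows') {
        $errors += "binding '$name': clientCredentialType is '$cred', not Windows"
    }
}

if ($errors) { $errors | ForEach-Object { Write-Host "FAIL: $_" }; exit 1 }
Write-Host 'OK: every basicHttpBinding endpoint requires Windows credentials'
```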
2. IIS Configuration
2.1 Application Pool
This configuration is required so that the authenticated Kerberos token can be delegated to the target application:
Open the IIS Manager Console --> Host Name --> Application Pools --> Select the WCF application's pool --> Right Click --> Advanced Settings --> Process Model --> Identity --> Select Custom Account --> Click the Set button.
Enter your service account user name, password, and confirm password.
After configuring the application pool identity, restart the application pool.
2.2 WCF Service Application
This configuration is required to enable Windows authentication for the WCF service application.
Configuring Windows Authentication:
Open the IIS Manager Console --> Host Name --> Web Site --> WCF Service Application --> Click Authentication --> Right Click Windows Authentication --> Select Enable
This enables Windows authentication.
Configure the use of the pool identity:
Open the IIS Manager Console --> Host Name --> Web Site --> WCF Service Application --> Click Configuration Editor --> system.webServer/security/authentication/windowsAuthentication --> change the useAppPoolCredentials value from false to true.
2.3 Configuring the SPN
Open a command prompt as a Windows administrator and register the SPNs for the host name as follows:
setspn -S "HTTP/Hostname" <Application Pool Identity>
setspn -S "HTTP/host fqdn" <Application Pool Identity>
<Application Pool Identity> is the service account configured in step 2.1.
3. Restart IIS
Open the IIS Manager Console --> Host Name --> Right Click --> Stop
This stops the IIS server.
Open the IIS Manager Console --> Host Name --> Right Click --> Start
This starts the IIS server.
4. Active Directory Configuration
This configuration is required to delegate the Kerberos token to the application.
Open Active Directory Users and Computers --> search for the application pool identity (the account configured in step 2.1, or the IIS service account) --> open the Delegation tab --> select "Trust this user for delegation to any service (Kerberos only)".
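An added audit script, not part of the original post, that checks on the IIS host that steps 2.1 through 4 took effect: pool identity, Windows authentication with useAppPoolCredentials, anonymous authentication off, both HTTP SPNs, and the delegation flag on the account. The pool name, application path and service account are assumptions; set them to your own values. It needs the WebAdministration and ActiveDirectory modules and an elevated session.

```powershell
# Added example (not from the original post). Pool, app path and account are assumed.
param(
    [string]$AppPool = 'WcfAppPool',                          # assumed pool name
    [string]$AppPath = 'IIS:\Sites\Default Web Site\WcfApp',  # assumed site/app path
    [string]$Account = 'EXAMPLE\svc-wcf'                      # assumed service account
)
Import-Module WebAdministration
Import-Module ActiveDirectory
$script:failures = 0
function Check([bool]$ok, [string]$what) {
    if ($ok) { Write-Host "PASS: $what" } else { Write-Host "FAIL: $what"; $script:failures++ }
}

# Step 2.1: the pool must run as the custom account; otherwise the SPN and the key
# that decrypts incoming Kerberos tickets belong to different principals.
$pm = Get-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel
Check ($pm.identityType -eq 'SpecificUser' -and $pm.userName -eq $Account) `
      "pool '$AppPool' runs as $Account (found $($pm.identityType) $($pm.userName))"

# Step 2.2: Windows auth on, useAppPoolCredentials on, anonymous off so a caller
# cannot skip the Windows challenge.
$auth = 'system.webServer/security/authentication'
$winEnabled = (Get-WebConfigurationProperty -PSPath $AppPath -Filter "$auth/windowsAuthentication" -Name enabled).Value
$poolCreds  = (Get-WebConfigurationProperty -PSPath $AppPath -Filter "$auth/windowsAuthentication" -Name useAppPoolCredentials).Value
$anonymous  = (Get-WebConfigurationProperty -PSPath $AppPath -Filter "$auth/anonymousAuthentication" -Name enabled).Value
Check $winEnabled 'windowsAuthentication is enabled'
Check $poolCreds  'useAppPoolCredentials is true'
Check (-not $anonymous) 'anonymousAuthentication is disabled'

# Step 2.3: HTTP SPNs for the short host name and the FQDN are registered on the account.
$shortName = $env:COMPUTERNAME
$fqdn = [System.Net.Dns]::GetHostEntry($shortName).HostName
$spns = (setspn -L $Account) | ForEach-Object { $_.Trim() }
Check ($spns -contains "HTTP/$shortName") "SPN HTTP/$shortName registered on $Account"
Check ($spns -contains "HTTP/$fqdn")      "SPN HTTP/$fqdn registered on $Account"

# Step 4: delegation is set on the account. TrustedForDelegation is the
# "any service (Kerberos only)" setting; msDS-AllowedToDelegateTo holds a constrained list.
$sam  = ($Account -split '\\')[-1]
$user = Get-ADUser -Identity $sam -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
Check ($user.TrustedForDelegation -or $user.'msDS-AllowedToDelegateTo') "delegation configured for $sam"

exit $script:failures
```

A non-zero exit code means at least one step did not take effect; the FAIL lines say which one.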
5. Test the application
5.1 Create the krb.conf file
Create the krb.conf file with the following content:
[libdefaults]
    default_realm = EXAMPLE.EDU
[realms]
    EXAMPLE.EDU = {
        kdc = dcs01example.edu
    }
Replace the default_realm and kdc values with your AD domain realm and AD KDC.
5.2 Create the JAAS login.conf file
Create the login.conf file with the following content:
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=false useTicketCache=true;
};
5.3 Execute the Java Code
Execute the following code to test Windows authentication.
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import edu.example.Service;
import edu.example.Service_Service;

public class ClientService {
    // Test credentials only; replace with a domain user that is allowed to call the service.
    private static final String USER_NAME = "<Replace Your User Name>";
    private static final String USER_PWD = "<Replace Your User Password>";

    public static void main(String[] args) throws Exception {
        // Point the JDK Kerberos stack at the krb.conf and login.conf created in 5.1 and 5.2.
        System.setProperty("java.security.krb5.conf", "c:/ClientService/src/krb.conf");
        System.setProperty("java.security.auth.login.config", "C:/ClientService/src/login.conf");
        // Let the HTTP Negotiate (SPNEGO) client obtain credentials itself (ticket cache or
        // the Authenticator below) instead of requiring a pre-populated Subject.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        // Dump SOAP messages and HTTP headers to the console for troubleshooting.
        System.setProperty("com.sun.xml.ws.transport.http.client.HttpTransportPipe.dump", "true");
        System.setProperty("com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.dump", "true");
        System.setProperty("com.sun.xml.ws.transport.http.HttpAdapter.dump", "true");

        // Supplies the user name and password when the Kerberos login asks for them.
        Authenticator myAuth = new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                System.err.println("Feeding username and password for " + getRequestingScheme());
                return new PasswordAuthentication(USER_NAME, USER_PWD.toCharArray());
            }
        };
        Authenticator.setDefault(myAuth);

        // Service_Service and Service are the wsimport-generated proxy classes for the WCF service.
        Service_Service service = new Service_Service();
        Service binding = service.getBasicHttpBindingService();
        String result = binding.verify("");
        System.out.println(result);
    }
}