Pages

Friday, January 29, 2016

Enabling Windows Authentication WCF Web Service in IIS


I want to enable the windows authentication for my existing WCF web service as follows:

Pre-Requisite:

     The WCF Service application already deployed in the IIS.

1. Wcf Service Application

     1.1 web.config 

      The following changes needs to be done to enable the windows authentication for wcf service   application:

      Configure Basic Http Binding: 

     Go to the web.config file under <configuration><system.serviceModel> section add your basic http binding.   

<bindings>
      <basicHttpBinding>
        <binding name="BasicHttpEndpointBinding">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings> 
    This binding name  needs to be included in the Service Endpoint binding configuration. 

    Configure Service Endpoint 

      Go to the web.config file under <configuration><system.serviceModel><service>  section add your endpoint configuration.

    
<endpoint address="" binding="basicHttpBinding" contract="Service.AppService" bindingNamespace="http://example.edu/Service/" bindingConfiguration="BasicHttpEndpointBinding"  >

I have highlighted the font in red color to modify the binding configuration.
      

2.  IIS Configuration

      2.1 Application Pool

        This configuration is required because to delegate the  authenticated kerberos  token to target application:
  
   Open the IIS Manager Console --> Host Name --> Application Pools --> Select WCF Deployed Application Pool -->  Right Click --> Advanced Settings -->  Process Model --> Identity --> Select Custom Account --> Click Set Button.
        Enter Your Service Account User Name, Password, and Confirm Password.

    After Configuring the Application Pool Identity, you should restart the Application Pool 

      2.2 WCF Service Application

           This configuration is required because to enable the windows authentication for wcf service application.

          Configuring the Windows Authentication:


          Open the IIS Manager Console --> Host Name -->  Web Site --> WCF Service Application --> Click Authentication --> Right Click Windows Authentication --> Select Enable

          It will enable the windows authentication.
         
          Configure the Use Pool Identity

Open the IIS Manager Console --> Host Name -->  Web Site --> WCF Service Application --> Click Configuration Editor --> system.webServer/security/authentication/windowsAuthentication > UseAppPoolCredential value false to true.

      2.3 Configuring the SPN

       Open the command prompt as a windows administrator and configure the spn for host name as follows:

setspn -S "HTTP/Hostname"  <Application Pool Identity>
setspn -S "HTTP/host fqdn"  <Application Pool Identity>

The <Application Pool Identity> configured at the step 2.1


3. Restart IIS

     Open the IIS Manager Console --> Host Name --> Right Click --> Stop 
      It will stop the IIS server 
     Open the IIS Manager Console --> Host Name --> Right Click --> Start
     It will start the IIS server

4. Active Directory Configuration

     This configuration is required to delegate the kerberos token to the application.
      Open the Active Directory Users and Computer --> Search the Application Pool Identity (2.1 Configured Application Pool Identity or IIS Service Account) and Click Delegation --> Select "Trust this user for delegation to Any Service Kerberos Only.

5. Test the application


      5.1 Create the krb.conf file

       Create the krb.conf file and add the following content inside the file.

      [libdefaults]
    default_realm = EXAMPLE.EDU
[realms]
    EXAMPLE.EDU = {
        kdc = dcs01example.edu
    }  

      Replace default_realm and kdc values with your ad domain realm and ad kdc.

      5.2 Create the JAAS login.conf file

       Create the login.conf file and add the following content inside the file.

com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
 doNotPrompt=false useTicketCache=true;
};

      5.3 Execute the Java Code


      Execute the following code to test the Windows Authentication.


import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.net.URL;
import edu.example.Service;
import edu.example.Service_Service;


public class ClientService {

    private static String USER_NAME="<Replace Your User Name>";
private static String USER_PWD="<Replace Your User Password>";
public ClientService() throws Exception {
}
public static void main(String args[]) throws Exception
{
System.setProperty("java.security.krb5.conf","c:/ClientService/src/krb.conf");
System.setProperty("java.security.auth.login.config","C:/ClientService/src/login.conf");
System.setProperty("javax.security.auth.useSubjectCredsOnly","false");
System.setProperty("com.sun.xml.ws.transport.http.client.HttpTransportPipe.dump", "true");
System.setProperty("com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.dump", "true");
System.setProperty("com.sun.xml.ws.transport.http.HttpAdapter.dump", "true");
Authenticator myAuth = new Authenticator() 
{
   @Override
   protected PasswordAuthentication getPasswordAuthentication()
   {
    System.err.println("Feeding username and password for "
               + getRequestingScheme());
       return new PasswordAuthentication(USER_NAME, USER_PWD.toCharArray());
   }
};
Authenticator.setDefault(myAuth);
Service_Service service= new Service_Service();
Service binding=service.getBasicHttpBindingService();
String result= binding.verify("");
System.out.println(result);
}

}



2 comments:

  1. This article offers a comprehensive guide on enabling Windows Authentication for WCF web services in IIS, making it easier for developers to secure their applications. For gamers out there, using rocksdb can help you keep your game library organized while you work on your web services!

    ReplyDelete
  2. This comment has been removed by the author.

    ReplyDelete