I am looking to host a WCF service accessible to a limited set of clients over the internet, as described here:
Best way to secure a WCF service on the internet with few clients
I intend to use Username/Password auth (using existing membership infrastructure) at this stage, with transport security (i.e. SSL).
I'm wondering what the recommended approach would be to processing the authentication request, when the membership database is obviously internal to the corporate network.
Options I'm considering are:
- the public firewall would do SSL offload, and then the DMZ server would reverse proxy the request to the internal WCF server - I'm assuming credentials would be retained and passed through with this method, and the internal service could appropriately make use of the Membership provider to authenticate the user.
- Write a dumb WCF service to sit externally which will make use of custom username/password authentication. This will call an Authentication Service internal to the network with access to membership details. Once the credentials are validated the call will then basically be passed through to the internal service that implements the required functionality.
Are both of these options possible? Are there any major pros/cons with either of them? (obviously reverse proxy is a lot less code...)
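The second option (an external WCF service with custom username/password authentication that delegates the credential check to an internal authentication service), sketched as an added C# example that is not part of the question; `IInternalAuthService`, `DelegatingValidator` and `ExternalHostSetup` are assumed names, and the host must be configured before it is opened.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract for the internal authentication service that has
// access to the membership provider; the DMZ host only sees this interface.
[ServiceContract]
public interface IInternalAuthService
{
    [OperationContract]
    bool ValidateUser(string userName, string password);
}

// Validator plugged into the external (DMZ) service: it never touches the
// membership database itself, it forwards the credential check inward.
public class DelegatingValidator : UserNamePasswordValidator
{
    private readonly Func<IInternalAuthService> _authFactory;

    public DelegatingValidator(Func<IInternalAuthService> authFactory)
    {
        _authFactory = authFactory;
    }

    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            throw new SecurityTokenException("Missing credentials.");
        bool ok;
        try { ok = _authFactory().ValidateUser(userName, password); }
        catch (CommunicationException)
        {
            // Fail closed when the internal auth service is unreachable.
            throw new SecurityTokenException("Authentication unavailable.");
        }
        if (!ok) throw new SecurityTokenException("Unknown user or bad password.");
    }
}

public static class ExternalHostSetup
{
    // TLS on the wire (transport security), UserName credential in the message.
    public static void Configure(ServiceHost host, Type contract, Func<IInternalAuthService> authFactory)
    {
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        host.AddServiceEndpoint(contract, binding, string.Empty);
        var auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        auth.CustomUserNamePasswordValidator = new DelegatingValidator(authFactory);
    }
}
```

Because the validator throws `SecurityTokenException`, WCF rejects the call before the operation body runs, and the internal service only ever sees requests that already passed the membership check.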