
I have a web project that used to use Forms Authentication. I have new requirements to support Windows Authentication. This project contains two web services, one for a Silverlight page (MapService) and one for various ajax calls (AsyncService). Everything is now working, but there are 2 things I don't quite understand.

The configuration from Web.Config is as follows:

    <bindings>
      <basicHttpBinding>
        <binding name="WindowsClientOverTcp">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
      <webHttpBinding>
        <binding name="AsyncWindowsOverTcp">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </webHttpBinding>
    </bindings>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
    <services>
      <service name="Project.MapService.MapService">
        <endpoint address="" binding="basicHttpBinding" bindingConfiguration="WindowsClientOverTcp" name="WindowsClientOverTcp" contract="Project.MapService.MapService" />
      </service>
      <service name="Project.AsyncService.AsyncService">
        <endpoint address="" binding="webHttpBinding" bindingConfiguration="AsyncWindowsOverTcp" name="AsyncWindowsOverTcp" behaviorConfiguration="Project.AsyncService.AsyncServiceAspNetAjaxBehavior" contract="Project.AsyncService.AsyncService" />
      </service>
    </services>

  1. With this setup, is it basically required to use SSL? I've read that using Transport Security with Windows ClientCredentialType forces an HTTPS endpoint, which seems to be the case. I just want to know if it is reasonable to state generally to a client or management "If they want Windows authentication, our application must use https"

  2. For the AsyncService, it clearly requires Windows credentials from the client, but I didn't have to change my JS/Ajax code at all and it still works fine. Is there some magic being done by the client browser? Since there's no client configuration, I don't get how the calls are authenticated.

Thanks

Erix

1 Answer

  1. No, you don't need HTTPS in order to use Windows Authentication. You do need to configure IIS to use Integrated Security, and if the caller is from the same Windows domain or a trusted Windows domain, IIS will be able to authenticate the user.

  2. If the browser is running using credentials of your Windows domain, or a trusted domain, and your Web app is configured to use Windows authentication, then the browser includes the credentials it runs under to IIS.

EDIT: Some additional information. If you're using BasicHttpBinding as above and want to secure it, a good option is to use TransportWithMessageCredential as your security mode. This secures the message using the Transport layer (HTTPS) and includes the Windows credentials in the message. See also "Programming WCF Security" at http://msdn.microsoft.com/en-us/library/ms731925.aspx.

Roy Dictus
  • Regarding 1. Is it unsafe to use Windows Authentication without https? – Erix Feb 07 '12 at 14:11
  • No, not really. I would suggest using NTLM Negotiation, then surely no passwords are sent over the wire. See also http://technet.microsoft.com/en-us/library/cc754628(WS.10).aspx. – Roy Dictus Feb 07 '12 at 14:15
  • Ok, now I'm confused. The settings in the OP cause the services to exist only at https://..... Specifically, the Transport security mode will not work with http. – Erix Feb 07 '12 at 14:25
  • This seems to support what I'm saying http://stackoverflow.com/questions/4481131/what-are-the-differences-between-security-mode-transport-and-security-mode-tr – Erix Feb 07 '12 at 14:26
  • Of course, Transport security implies security on the IP layer -- i.e., HTTPS (HTTPS = HTTP + scrambled IP layer). My answer on (1) refutes the statement _"If they want Windows authentication, our application must use https"_ that you mention. – Roy Dictus Feb 07 '12 at 14:28
  • ahh ok. I understand what you're saying. So, which security mode would I choose here? "None" or "TransportCredentialOnly"? – Erix Feb 07 '12 at 14:33
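As an added example (not part of the question, the answer, or the comments), the Web.Config fragment below puts the two transport-level ways of carrying Windows credentials side by side, so the HTTPS requirement the question asks about and the `TransportCredentialOnly` mode the last comment asks about are both visible. The service and contract names are the ones from the question; the binding names, the comments and the `system.web` section are assumptions added here for illustration.

```xml
<!-- Added example, not taken from the original question or answer.
     Binding names and the system.web section are assumed for illustration. -->
<configuration>
  <system.web>
    <!-- ASP.NET side: the application itself authenticates users with
         Windows authentication. IIS must also have Windows Authentication
         enabled for this site; if it does not, WCF refuses to activate the
         service and reports that the security settings require Windows
         authentication but IIS does not have it enabled. -->
    <authentication mode="Windows" />
  </system.web>

  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <!-- Option A (what the question's config does): Transport security.
             The endpoint exists only under https://. TLS protects both the
             Kerberos/NTLM negotiation and the SOAP payload. -->
        <binding name="WindowsOverHttps">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>

        <!-- Option B: TransportCredentialOnly. The endpoint may be plain
             http://. Windows authentication still happens at the HTTP layer
             (Negotiate/NTLM, so the password itself is not sent), but the
             SOAP body is neither encrypted nor integrity-protected in
             transit. Acceptable only on a network you already trust. -->
        <binding name="WindowsOverHttp">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>

      <webHttpBinding>
        <!-- The same two choices exist for the AJAX endpoint. -->
        <binding name="AjaxWindowsOverHttps">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
        <binding name="AjaxWindowsOverHttp">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </webHttpBinding>
    </bindings>

    <serviceHostingEnvironment aspNetCompatibilityEnabled="true"
                               multipleSiteBindingsEnabled="true" />

    <services>
      <!-- Pick exactly one binding configuration per endpoint. Here the map
           service keeps Option A (HTTPS required) and the AJAX service is
           shown on Option B (HTTP allowed) purely to contrast the two. -->
      <service name="Project.MapService.MapService">
        <endpoint address=""
                  binding="basicHttpBinding"
                  bindingConfiguration="WindowsOverHttps"
                  contract="Project.MapService.MapService" />
      </service>
      <service name="Project.AsyncService.AsyncService">
        <endpoint address=""
                  binding="webHttpBinding"
                  bindingConfiguration="AjaxWindowsOverHttp"
                  behaviorConfiguration="Project.AsyncService.AsyncServiceAspNetAjaxBehavior"
                  contract="Project.AsyncService.AsyncService" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
```

Option A is the reason the question's endpoints appear only under https://: `mode="Transport"` on an HTTP binding means TLS, so that mode does not work over plain HTTP. Option B is the mode to reach for when Windows authentication is wanted on an HTTP endpoint: the Negotiate/NTLM exchange still identifies the caller, which is what keeps the browser working without any client-side change, but the request and response bodies travel in the clear, so anything confidential in them would need HTTPS anyway. A `mode="None"` binding carries no Windows credential requirement at all.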