Kirk Evans Blog

.NET From a Markup Perspective

Security Guidance for WCF Available


Just released: patterns & practices Improving Web Services Security: Scenarios and Implementation Guidance for WCF.

Yah, I know that security can be a dry subject, but this book has some really interesting nuggets of information.  For instance, they pose various scenarios and show how to configure everything from end to end. There is quite a bit of discussion on impersonation and delegation in here, with useful tips like:

public string GetData(int value) {
    using (ServiceSecurityContext.Current.WindowsIdentity.Impersonate()) {
        // Execute under security context of the original caller
        return string.Format("You entered: {0}", value);
    }
}

Important: Revert the impersonation when you are done; in the above example, the using statement does this for you.

This guide is particularly interesting to me as I have been fighting a security issue with a WCF bridge service calling another service. I was trying to use NTLM, and discovered that NTLM only allows one-hop impersonation, whereas the scenario I was targeting requires constrained delegation. This guide discusses what’s necessary in situations like this, and has a section at the end, “HowTos”, that shows the necessary steps, complete with sample code. They even show how to use the MMC snap-in for Active Directory to configure the account to be trusted for delegation.
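As an added example (not code from the guide or from this post), here is a hypothetical IDataService service that shows the using form from the tip above next to the declarative ImpersonationOption.Required form, and reports the impersonated token's level, which is what separates the NTLM one-hop case from the delegation case described here:

```csharp
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IDataService          // hypothetical contract, not from the guide
{
    [OperationContract]
    string GetData(int value);

    [OperationContract]
    string GetDataDeclarative(int value);
}

public class DataService : IDataService
{
    // Imperative impersonation. The using block calls Undo() on every exit path,
    // including exceptions, so the thread never keeps the caller's token by accident.
    public string GetData(int value)
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous || ctx.WindowsIdentity == null || ctx.WindowsIdentity.IsAnonymous)
        {
            throw new FaultException("Windows authentication is required for this operation.");
        }
        using (ctx.WindowsIdentity.Impersonate())
        {
            // Runs under the security context of the original caller; reverted when the block exits.
            return Describe(value);
        }
    }

    // Declarative alternative: WCF impersonates the caller before the method runs
    // and reverts afterwards, so there is no Impersonate()/Undo() pair to get wrong.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string GetDataDeclarative(int value)
    {
        return Describe(value);
    }

    private static string Describe(int value)
    {
        WindowsIdentity current = WindowsIdentity.GetCurrent();
        // Impersonation level (what NTLM yields) only covers local resources; calling a
        // second service as the caller needs Delegation (Kerberos with delegation configured).
        bool canDelegate = current.ImpersonationLevel == TokenImpersonationLevel.Delegation;
        return string.Format("value={0} runningAs={1} level={2} canDelegate={3}",
            value, current.Name, current.ImpersonationLevel, canDelegate);
    }
}
```

Logging the level before attempting the downstream hop turns the silent "anonymous on the second hop" failure into an explicit, diagnosable one.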

Before this project’s release, there was another CodePlex project that included video material related to this guidance.  These are incredibly valuable… I’d love to see the video content brought forward to the new project as well:

  • Video: How To – Create and Install Temporary Certificates in WCF for Message Security During Development (Length: 3:40 – Size: 2.3MB)
  • Video: How To – Create and Install Temporary Certificates in WCF for Transport Security During Development (Length: 3:45 – Size: 2.3MB)
  • Video: How To – Host WCF in a Windows Service (Length: 2:45 – Size: 1.2MB)
  • Video: How To – Impersonate the Original Caller in WCF Calling from a Windows Form (Length: 2:15 – Size: 1MB)
  • Video: How To – Use basicHttpBinding with Certificate Authentication from Windows Forms (Length: 2:38 – Size: 1.1MB)
  • Video: How To – Use netTcpBinding with Windows Authentication and Message Security (Length: 1:55 – Size: 1.5 MB)
  • Video: How To – Use SQL Role Provider with Username Authentication in WCF Calling from Windows Forms (Length: 3:28 – Size: 1.8MB)
  • Video: How To – Use WsHttpBinding with Certificate Authentication with Message Security (Length: 1:01 – Size: 757KB)
  • Video: How To – Use WsHttpBinding with Windows Authentication with Transport Security (Length: 2:35 – Size: 1.2MB)
Contents at a Glance

  · Part I – Security Fundamentals for Web Services gives you a quick overview of fundamental security concepts as they relate to services, service-oriented design, and Service-Oriented Architecture (SOA).

  · Part II – WCF Security Fundamentals gives you a firm foundation in key WCF security concepts, with special attention on authentication, authorization, and secure communication, as well as WCF binding configurations.

  · Part III – Intranet Application Scenarios shows you a set of end-to-end Intranet application scenarios that you can use to jumpstart your application architecture designs with a focus on authentication, authorization, and communication from a WCF perspective for your intranet.

  · Part IV – Internet Application Scenarios shows a set of end-to-end Internet application scenarios that you can use to jumpstart your application architecture design for the Internet.

  · Guidelines, Practices, How Tos, Q&A shows self-contained nuggets of information that present both developers and architects with digestible pieces of specific guidance. Often code is included to illustrate important concepts and answer specific questions.

Download it here.