Topics: Usage Scenarios
Nov 7, 2007 at 3:15 PM
Does MSE support wrapping a Web Service that requires authentication by using certificates, transport security or something similar? What if the Web Service requires knowing the identity of the original caller?

Nov 9, 2007 at 3:27 PM
Since the MSE leverages WCF behaviors and bindings, we take advantage of all the security options for authentication and authorization available to us. For one specific implementation we did recently, the customer required us to wrap a secure, NTLM-only service and project it outside the firewall using a basic HTTPS binding. The outside callers could be employees (credentials available in their internal AD forest) or customers and partners (credentials available in a DMZ forest configured with a one-way trust).

At a high level the message processing flow is this: when the Messenger receives the call, it authenticates the credentials passed against AD. Both Messenger and Broker are configured (using a WCF Operation Behavior) to impersonate the original caller, thus flowing the caller's Windows credentials all the way to the NTLM-only service. Furthermore, the Broker uses a custom WCF ServiceAuthorization behavior to check the caller's credentials against Authorization Manager (AzMan). This step ensures that the caller is allowed to invoke the service operation before the Broker hands the request to the channel.

We are planning on making this one of the many capabilities we will make available on CodePlex over time in the form of new behaviors and documentation on how to configure them. We do not have a specific date when these will be available. Of course, our hope is that over time, people knowledgeable of WCF who gain a deep understanding of the MSE can also add this type of behavior on their own.
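The two WCF pieces the answer above relies on, caller impersonation via an operation behavior and an authorization check that runs before the operation is dispatched, look roughly like the following. This is an added illustration, not code from the MSE project or from the poster; the `IOperationAuthorizer` interface and its `RoleListAuthorizer` stand-in are assumptions that take the place of the AzMan store lookup, and the contract and operation names are made up.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical abstraction standing in for the AzMan access check.
// A real implementation would open the Authorization Manager store and
// run an AccessCheck for the caller's token; that call is not shown here.
public interface IOperationAuthorizer
{
    bool IsAllowed(WindowsIdentity caller, string soapAction);
}

// Stand-in authorizer (assumption): maps a SOAP action to the Windows group
// that may invoke it, so the example is self-contained.
public sealed class RoleListAuthorizer : IOperationAuthorizer
{
    private readonly System.Collections.Generic.Dictionary<string, string> _actionToGroup;

    public RoleListAuthorizer(System.Collections.Generic.Dictionary<string, string> actionToGroup)
    {
        _actionToGroup = actionToGroup;
    }

    public bool IsAllowed(WindowsIdentity caller, string soapAction)
    {
        string group;
        if (!_actionToGroup.TryGetValue(soapAction, out group))
            return false;                       // unknown operation: deny by default
        return new WindowsPrincipal(caller).IsInRole(group);
    }
}

// Custom ServiceAuthorizationManager: WCF calls CheckAccessCore for every
// incoming message, before the operation is dispatched. Returning false
// makes WCF reject the call with an access-denied fault.
public sealed class AzManServiceAuthorizationManager : ServiceAuthorizationManager
{
    private readonly IOperationAuthorizer _authorizer;

    public AzManServiceAuthorizationManager(IOperationAuthorizer authorizer)
    {
        _authorizer = authorizer;
    }

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        ServiceSecurityContext ctx = operationContext.ServiceSecurityContext;
        if (ctx == null || ctx.IsAnonymous || ctx.WindowsIdentity == null)
            return false;                       // no authenticated Windows caller

        string action = operationContext.IncomingMessageHeaders.Action;
        bool allowed = _authorizer.IsAllowed(ctx.WindowsIdentity, action);

        // Record the decision; a denied call never reaches the backend channel.
        Console.WriteLine("{0} -> {1}: {2}", ctx.WindowsIdentity.Name, action, allowed ? "allow" : "deny");
        return allowed;
    }
}

[ServiceContract(Namespace = "http://example.invalid/mse-sample")]
public interface IBackendProxy
{
    [OperationContract]
    string GetOrderStatus(int orderId);
}

public sealed class BackendProxy : IBackendProxy
{
    // ImpersonationOption.Required makes WCF execute the operation under the
    // caller's Windows token, so an outbound call made here to the NTLM-only
    // backend authenticates as the original caller rather than as the service account.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string GetOrderStatus(int orderId)
    {
        string effectiveUser = WindowsIdentity.GetCurrent().Name;
        // The call to the downstream service would go here.
        return string.Format("order {0} looked up as {1}", orderId, effectiveUser);
    }
}

public static class HostSetup
{
    public static ServiceHost Build(Uri baseAddress)
    {
        // Basic HTTPS binding with Windows client credentials, as in the scenario above.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

        var host = new ServiceHost(typeof(BackendProxy), baseAddress);
        host.AddServiceEndpoint(typeof(IBackendProxy), binding, "orders");

        var policy = new System.Collections.Generic.Dictionary<string, string>
        {
            { "http://example.invalid/mse-sample/IBackendProxy/GetOrderStatus", @"CORP\OrderReaders" }
        };
        host.Authorization.ServiceAuthorizationManager = new AzManServiceAuthorizationManager(new RoleListAuthorizer(policy));
        return host;
    }
}
```

Two points worth checking in a deployment of this shape: the authorization manager is keyed on the SOAP action, so an operation that is not listed is denied rather than silently allowed; and an impersonation token obtained on one machine can only be presented to a service on another machine if the account is permitted to delegate, which is a Windows and WCF constraint independent of the MSE.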