Updated Security Guide & Sample Walkthrough

Topics: Usage Scenarios
Dec 19, 2008 at 6:15 PM
Thanks to feedback on the discussion groups, we have updated the Security Guide and associated source code with a few corrections. In addition, we have posted a sample walkthrough showing how to apply security behaviors to flow Windows credentials and perform authorization based on the credentials.
Dec 19, 2008 at 8:00 PM
That's good, botto & team... look forward to testing it with TokenSecurity as well.

Jan 9, 2009 at 8:05 PM
The Security Sample Walkthrough document contains good detail on flowing Windows credentials and applying authorization behaviour to an MSE endpoint.

Is there other documentation that discusses in detail, including a walkthrough and testing, the SQL Membership and Role providers scenario (assuming that I have already implemented my Application Services Database for SQL Server and modified the MSE runtime app config file as suggested in the MSE_Security_Guide doc)? The MSE_Security_Guide document does discuss SQL Membership and Role providers to some extent, but it does not have a walkthrough, etc., similar to the Security Sample Walkthrough doc.

Jan 9, 2009 at 9:35 PM
The sample walkthroughs don't cover the Sql Membership & Role providers; however, the security guide should be pretty explicit about how to configure it. The only real steps are to apply an endpoint policy that includes the SqlProviderSecurityElement behavior, which specifies the connectionString that you've put in the MSE runtime server's app.config file for the membership provider and role provider, along with the application name used to contain the users/roles in the database. That will cover authentication at the endpoint and prepare you for using the RoleProviderAuthorizationElement in the same endpoint policy or in a channel policy.

The source code project also includes an example file of what the runtime app.config should look like (see below).  Please post any additional problems or questions you're having.  Thanks!

    <roleManager enabled="true"/>
    <add name="SqlRolesConnection"
         connectionString="Initial Catalog=aspnetdb;data source=.\SQLEXPRESS;Integrated Security=SSPI;"/>
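For readers who want the full runtime app.config that the fragment above is excerpted from, here is an added example of one (editor's example, not the file shipped with the MSE source project). The connection string name SqlRolesConnection and the `<roleManager enabled="true"/>` line come from the post; the provider names MseSqlMembership/MseSqlRoles, the applicationName value "/MseDemo" and the password policy settings are assumptions, and the applicationName must match whatever you put in the SqlProviderSecurityElement of your endpoint policy. The MSE policy XML itself is not shown here because its attribute names are not given in the thread.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: MSE runtime app.config wired to SqlMembershipProvider and
     SqlRoleProvider. Not the project's own file; provider names, applicationName
     and server name are assumptions. -->
<configuration>
  <connectionStrings>
    <!-- Same name as in the post above. Points at the database created by
         aspnet_regsql.exe (default catalog name: aspnetdb). -->
    <add name="SqlRolesConnection"
         connectionString="Initial Catalog=aspnetdb;data source=.\SQLEXPRESS;Integrated Security=SSPI;"/>
  </connectionStrings>

  <!-- Membership/role providers are read from system.web even in a non-web host. -->
  <system.web>
    <!-- applicationName partitions users and roles inside one aspnetdb; the
         MSE endpoint policy must use the same value or lookups find nothing. -->
    <membership defaultProvider="MseSqlMembership">
      <providers>
        <clear/>
        <add name="MseSqlMembership"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="SqlRolesConnection"
             applicationName="/MseDemo"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             requiresQuestionAndAnswer="false"
             minRequiredPasswordLength="8"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"/>
      </providers>
    </membership>

    <roleManager enabled="true" defaultProvider="MseSqlRoles">
      <providers>
        <clear/>
        <add name="MseSqlRoles"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="SqlRolesConnection"
             applicationName="/MseDemo"/>
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

Two things to check before testing: with Integrated Security=SSPI it is the Windows account the MSE runtime service runs under that connects to SQL Server, so that account (not your own) needs a login in aspnetdb; the aspnet_Membership_BasicAccess and aspnet_Roles_BasicAccess database roles that aspnet_regsql creates are enough for validating users and reading role membership, and the FullAccess roles are not needed for a runtime that only authenticates and authorizes. Keep passwordFormat="Hashed" and enablePasswordRetrieval="false"; switching either to allow password retrieval forces reversible storage of every password in the database.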
Jan 12, 2009 at 2:48 PM
Aren't you planning to put up a proper document for the SQL Membership scenario, just like what is available for the Flowing Windows credential scenario?
Jan 14, 2009 at 3:16 PM
We aren't planning on it. Our hope is that the walkthroughs provide examples of how to use some of the behaviors in the security guide. With this knowledge, applying the other behaviors in the security guide shouldn't be too difficult, and any issues encountered can be resolved through the discussion forum.
Jan 14, 2009 at 7:45 PM
Thanks botto and for your responses in my other postings.

I'm having an issue right now testing a web service hosted in MSE, with the following information:

1. The physical web service is hosted in IIS with Basic Authentication. The service requires a credential (user ID/password) as part of its authentication challenge. The credential is actually Windows (AD).
2. I was able to host the above WS in MSE, created an ep, and associated the ep with a runtime server. I've imported the service's operations through the MSE Service Import wizard and passed the required credential without problem.
3. Following the provided Security_Sample_Walkthrough doc (Flowing Windows Credentials through MSE), I've created the binding below:

<bindings xmlns="">
 <basicHttpBinding><binding name="windowsCredentialBinding"><security mode="TransportCredentialOnly"><transport clientCredentialType="Windows"></transport></security></binding></basicHttpBinding>

and associated it with my ep.

4. I created a "Flow Windows Credential" policy:

<PolicyModel xmlns="http://microsoft.com/mse/2007/runtime/policyModel"
             xmlns:mse="clr-namespace:Microsoft.MSE.Runtime.Services.Behaviors;assembly=Microsoft.MSE.Runtime.Services"
             xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
             xmlns:sec="clr-namespace:Microsoft.MSE.Behaviors.Security.Configuration;assembly=Microsoft.MSE.Behaviors.Security">
  <sec:IdentityAwareChannelElement IdentityFlowType="Windows"/>
  <mse:ChannelEndpointBehaviorExtension/>
</PolicyModel>

and associated it with the imported Channel created during the MSE Service Import wizard.

5. I'm using the MSETestTool (from the MSE security walkthrough samples download) to test it. MSETestTool successfully discovered the WSDL. I provided the user credentials from the Action/Credentials/Session tab. I changed the Binding XML as suggested in the Security_Sample_Walkthrough doc to:

<bindings xmlns=""><basicHttpBinding><binding name="windowsCredentialBinding"><security mode="TransportCredentialOnly"><transport clientCredentialType="Windows"></transport></security></binding></basicHttpBinding></bindings>

6. When I test the operation, the Output Message I get is:

<?xml version="1.0" encoding="utf-16"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <s:Fault xmlns:s="http://www.w3.org/2003/05/soap-envelope">
      <s:Code>
        <s:Value>s:Receiver</s:Value>
        <s:Subcode>
          <s:Value xmlns:a="http://services.microsoft.com/MSE">a:MSE Runtime Message Processing Exception</s:Value>
        </s:Subcode>
      </s:Code>
      <s:Reason>
        <s:Text xml:lang="en-US">The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Basic realm=""'.</s:Text>
      </s:Reason>
    </s:Fault>
  </s:Body>
</s:Envelope>

My questions are:

1. Can the MSE test tool be used for this? I know the doc is using it for the provided WCF services.
2. Why is it returning that the HTTP request is unauthorized with client authentication scheme 'Anonymous' when the binding I'm using is basicHttpBinding?
3. How was it that the MSE Service Import Wizard was able to connect to the service and discover it, yet when I'm testing the operation I'm getting the above error in the Output Message?
4. Not sure what I'm missing here.


Jan 14, 2009 at 11:21 PM
I suspect the problem is that your service is configured in IIS with Basic Authentication... this isn't Windows authentication, so the binding you've configured would be incorrect. The binding you configured passes Windows credentials over a secured transport connection. To flow Windows credentials, you'd need to make sure the IIS virtual directory security is compatible with your WCF service settings (assuming your service is WCF). Try setting the IIS security to Windows Authentication.
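To make the scheme mismatch in the reply above concrete, here is an added example (editor's, not from the thread or the MSE samples) showing three basicHttpBinding security stanzas side by side: the Windows one the poster used, the Basic one that matches an IIS "Basic realm" challenge, and the same Basic scheme over HTTPS. It assumes MSE accepts the same WCF binding XML the walkthrough uses; whether the Basic stanza resolves the poster's asmx case through MSE is not established in this thread. The binding names other than windowsCredentialBinding are assumptions.

```xml
<!-- Added example, not from the thread or the MSE samples. Three
     basicHttpBinding security stanzas for the same endpoint; only the
     security element differs. -->
<bindings xmlns="">
  <basicHttpBinding>

    <!-- 1. What the poster configured. The client negotiates
         Kerberos/NTLM; a server that answers with "Basic realm" will
         never accept it, so WCF reports the request as unauthorized. -->
    <binding name="windowsCredentialBinding">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Windows"/>
      </security>
    </binding>

    <!-- 2. Matches an IIS Basic challenge. Over plain HTTP the
         Authorization header carries user name and password merely
         base64-encoded, not encrypted: tolerable only on a trusted
         internal segment, never across a proxy you do not control. -->
    <binding name="basicCredentialBinding">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Basic"/>
      </security>
    </binding>

    <!-- 3. Same scheme, but mode="Transport" requires an https:// address,
         so the credential travels inside TLS. Assumed binding name. -->
    <binding name="basicOverTlsBinding">
      <security mode="Transport">
        <transport clientCredentialType="Basic"/>
      </security>
    </binding>

  </basicHttpBinding>
</bindings>
```

Two practical notes. First, the fault text quotes the server's WWW-Authenticate header ("Basic realm" here), which is the quickest way to tell which stanza a backend actually needs; "Windows" in the binding corresponds to a Negotiate or NTLM challenge, not Basic. Second, with clientCredentialType="Basic" the caller must supply a user name and password (ClientCredentials.UserName in WCF); with "Windows" WCF uses the supplied or process Windows identity and the password itself is never placed on the wire, which is why the Windows stanza is the safer choice wherever the backend can support it.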
Jan 15, 2009 at 5:14 PM
Edited Jan 15, 2009 at 8:22 PM
The service is not WCF but an ASP.NET web service (asmx). Setting IIS Authentication to Windows Authentication is not an option, since most calls to this web service are from ASP.NET web apps through a proxy client added as a web reference, and as we know Windows authentication does not work over HTTP proxy connections. Also, consumers of the web service may not be in the same domain.

One thing that really puzzles me here is how the MSE Service Import Wizard was able to access the web service WSDL and discover the operations in it. On the Select WSDL step of the wizard, you can put in the service's URI, and there is a checkbox to input a credential needed to access the URI. What's happening behind the scenes in this step, where there's no authentication issue, compared with when I try an operation after the service has been hosted in an MSE endpoint, where I now have a problem?

I'm kind of stuck on what to do to make this work, that is, to perform whatever customization is needed on the MSE side without changing the existing environment. If someone has had a similar problem and perhaps has solved it already, I would appreciate tips or working code if it can be shared.