
Configuring AD integrated security

Topics: Technical Questions
Feb 2, 2010 at 12:23 AM

I’m trying to configure MSE to do AD Role Based Authorisation at the operation version level. When I try to test the published operation with MSE Tester, the following reply is received:

<?xml version="1.0" encoding="utf-16"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <s:Fault>
      <faultcode xmlns:a="http://services.microsoft.com/MSE">a:MseRuntimeMessageProcessingException</faultcode>
      <faultstring xml:lang="en-AU">RoleProvider service extension not found.  Unable to perform role authroization checks.</faultstring>
    </s:Fault>
  </s:Body>
</s:Envelope>

The following error was inserted into the Microsoft MSE Runtime Event Log:

Communication Error in InnerProcessMessage: RoleProvider service extension not found.  Unable to perform role authroization checks.stack trace:
Server stack trace:
   at Microsoft.MSE.Behaviors.Security.RoleProviderAuthorizationParameterInspector.BeforeCall(String operationName, Object[] inputs)
   at System.ServiceModel.Dispatcher.ProxyOperationRuntime.BeforeRequest(ProxyRpc& rpc)
   at System.ServiceModel.Channels.ServiceChannel.PrepareCall(ProxyOperationRuntime operation, Boolean oneway, ProxyRpc& rpc)
   at System.ServiceModel.Channels.ServiceChannel.SendAsyncResult.Begin()
   at System.ServiceModel.Channels.ServiceChannel.BeginCall(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, TimeSpan timeout, AsyncCallback callback, Object asyncState)
   at System.ServiceModel.Channels.ServiceChannel.BeginRequest(Message message, TimeSpan timeout, AsyncCallback callback, Object state)
   at System.ServiceModel.Channels.ServiceChannel.BeginRequest(Message message, AsyncCallback callback, Object state)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at System.ServiceModel.Channels.IRequestChannel.BeginRequest(Message message, AsyncCallback callback, Object state)
   at Microsoft.MSE.Runtime.Services.Broker.BrokerServiceInstance.InnerProcessMessage[TChannel](Message message, AsyncCallback cb, Object state)

What I’ve done:

  1. Read through the security guide and the source code examples;
  2. Configured MSE Viewer to use the Security Guide Assertion Types UI;
  3. Imported the RoleProviderAuthorisation assertion type;
  4. Created an assertion;
  5. Created a policy;
  6. Applied the policy to the operation;
  7. Added the following sections to Microsoft.MSE.Runtime.ServiceHost.exe:

<system.web>
  <roleManager enabled="true" defaultProvider="RoleManagerADProvider">
    <providers>
      <add name="RoleManagerADProvider"
           type="System.Web.Security.AuthorizationStoreRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, publicKeyToken=b03f5f7f11d50a3a"
           connectionStringName="RoleManagerADProviderConnectionString"/>
    </providers>
  </roleManager>
</system.web>
<connectionStrings>
  <add name="RoleManagerADProviderConnectionString" connectionString="LDAP://virginmobile.com.au"/>
</connectionStrings>

Can you please help me with the configuration?

Feb 2, 2010 at 12:59 AM
Edited Feb 2, 2010 at 12:59 AM

The dynamic nature of how the MSE enforces policies warrants a more flexible approach that doesn't require updating app.config files and allows different policies to be applied at many layers. Because of this, the standard .NET role management configuration settings aren't used by the sample assertions in the security guide. If you want to use the Role Authorization policy in the security guide as-is, you'll need to take a look at how the SqlProviderSecurity policy is implemented. The key thing about its implementation is the following:

// store as service extension
RoleProviderServiceHostExtension ext = new RoleProviderServiceHostExtension(sqlRoleProvider);
serviceHostBase.Extensions.Add(ext);

Whatever role provider you create or want to use must be wrapped by a RoleProviderServiceHostExtension object and added to the endpoint's service host extensions collection. This extensions collection is what the RoleAuthorization behavior looks for (i.e. it doesn't rely on the static Roles object). If it isn't found, it logs the exception you are seeing.

Note, however, that you could modify the RoleProvider behavior to use the app.config, but you'll have less flexibility. For example, if you were to use the static method Roles.GetAllRoles() in the behavior, all endpoints hosted by the MSE Runtime would be forced to use the same role provider. If this is acceptable for your scenario, it would be an option.
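As an added illustration of the registration the reply describes (this is not code from the thread or from the MSE security guide), the following WCF service behavior builds an AD-backed AuthorizationStoreRoleProvider in code and attaches it to the service host as the extension the RoleAuthorization behavior searches for. The namespace of RoleProviderServiceHostExtension, its constructor taking a RoleProvider, and the AzMan application name are assumptions; the provider and connection string names are the ones from the question.

```csharp
using System.Collections.ObjectModel;
using System.Collections.Specialized;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.Web.Security;
// Assumed: the sample's extension class lives in the same namespace as the
// RoleProviderAuthorizationParameterInspector seen in the stack trace.
using Microsoft.MSE.Behaviors.Security;

// Hypothetical behavior: replaces the <roleManager> app.config approach, which the
// MSE RoleAuthorization behavior never consults, with a per-host provider registration.
public class AdRoleProviderBehavior : IServiceBehavior
{
    private readonly string connectionStringName;
    private readonly string applicationName;

    public AdRoleProviderBehavior(string connectionStringName, string applicationName)
    {
        this.connectionStringName = connectionStringName;
        this.applicationName = applicationName;
    }

    public void ApplyDispatchBehavior(ServiceDescription description, ServiceHostBase host)
    {
        // Initialize the AzMan-over-LDAP provider explicitly; the values mirror the
        // <add> element from the question, now supplied in code instead of app.config.
        var settings = new NameValueCollection
        {
            { "connectionStringName", connectionStringName }, // must exist in <connectionStrings>
            { "applicationName", applicationName }            // assumed AzMan application name
        };
        var adProvider = new AuthorizationStoreRoleProvider();
        adProvider.Initialize("RoleManagerADProvider", settings);

        // Register once per host: this collection is what the RoleAuthorization
        // behavior searches, so a missing entry yields the fault in the question.
        if (host.Extensions.Find<RoleProviderServiceHostExtension>() == null)
        {
            host.Extensions.Add(new RoleProviderServiceHostExtension(adProvider));
        }
    }

    public void AddBindingParameters(ServiceDescription description, ServiceHostBase host,
        Collection<ServiceEndpoint> endpoints, BindingParameterCollection parameters) { }

    public void Validate(ServiceDescription description, ServiceHostBase host) { }
}
```

Because the provider hangs off the service host rather than the static Roles class, endpoints hosted in the same MSE Runtime can still carry different role providers, which is the flexibility the reply refers to.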


Feb 2, 2010 at 4:04 AM

Botto,

Thanks for your reply. I’ve checked out the source for SQLProviderSecurity and AzMan. Is it true that I have to code an AD role provider myself? Do you have pre-written code to connect to AD? I can’t believe I’m the first person who has considered using MSE with AD.


Many thanks

Feb 2, 2010 at 4:55 PM

Hello Botto,


It is true that the examples do not include the most commonly used provider, AD. We are working on a project that would use AD Role Based Authorization; I will try to code this authorization and share it with the community. My scenario is AD authentication with AD authorization. salex11, there are two of us who have considered using MSE with AD.


Feb 24, 2010 at 6:46 AM

Hello Salex,

I posted about an AD role provider, which I called Windows Role Provider.

View the post: http://servicesengine.codeplex.com/Thread/View.aspx?ThreadId=155592