
WCF service without SSL but with Windows Group authentication

We are trying to create a WCF service that is only accessible by specified Windows groups. How can this be configured in the server web.config and the client configuration?

Note: We want to be able to control the Windows groups who are allowed access in the server web.config, not in code. Also, we don't want/need SSL at all.

I've googled around and the best examples I can find are all like this...

WCF Service, Windows Authentication

But that doesn't explain how to limit access only to a specific group or groups.

If this is an intranet application you can use netTcpBinding:

<services>
   <service name="YourService"
      behaviorConfiguration="YourServiceBehavior">
      <endpoint 
         binding="netTcpBinding"
         bindingConfiguration="SecureTransportWindows"
         contract="YourContract" />
   </service>
</services>

<bindings>
   <netTcpBinding>
      <binding name="SecureTransportWindows">
         <security mode="Transport">
            <transport clientCredentialType="Windows" />
         </security>
      </binding>
   </netTcpBinding>
</bindings>

<behaviors>
   <serviceBehaviors>
      <behavior name="YourServiceBehavior">          
          <serviceAuthorization principalPermissionMode="UseWindowsGroups" />
      </behavior>
   </serviceBehaviors>
</behaviors>

And then in service code you can demand a Windows role:

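using System.Security.Permissions;

class YourService : YourContract
{
    // Verbatim string (@) so the backslash in DOMAIN\Group is not treated as an escape.
    [PrincipalPermission(SecurityAction.Demand, Role = @"MYDOMAIN\Administrators")]
    public string SecuredOperation(string name)
    {
       return "secured operation";
    }
}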

If you need to set it in config then you must implement custom authorization:

<behavior name="YourServiceBehavior">          
   <serviceAuthorization principalPermissionMode="Custom">            
      <authorizationPolicies>
         <add policyType="YourCustomAuthorizationPolicy"/>
      </authorizationPolicies>          
   </serviceAuthorization>
</behavior>

And in code implement IAuthorizationPolicy interface:

public class YourCustomAuthorizationPolicy : IAuthorizationPolicy
{
   //you need to check msdn 
}
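
One way to fill in the IAuthorizationPolicy stub above so that the allowed groups live in configuration, as an added example that is not part of the original answer. It assumes a hypothetical appSettings key `AllowedWindowsGroups` and a hypothetical logical role name `ServiceUser` that operations demand; neither name comes from the page.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Linq;
using System.Security.Principal;

// Assumed config entry (hypothetical key, semicolon-separated groups):
//   <add key="AllowedWindowsGroups" value="MYDOMAIN\WCFAuthenticatedUsers" />
public class YourCustomAuthorizationPolicy : IAuthorizationPolicy
{
    public const string LogicalRole = "ServiceUser"; // hypothetical role demanded in code
    private readonly string id = Guid.NewGuid().ToString();
    public string Id { get { return id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        object value;
        // WCF's own policies publish the caller identities; until they have run,
        // return false so this policy is evaluated again.
        if (!evaluationContext.Properties.TryGetValue("Identities", out value)) return false;
        var identities = value as IList<IIdentity>;
        var windowsIdentity = identities == null ? null
            : identities.OfType<WindowsIdentity>().FirstOrDefault();
        if (windowsIdentity == null) return false; // no principal set, demands fail closed

        string setting = ConfigurationManager.AppSettings["AllowedWindowsGroups"] ?? "";
        string[] groups = setting.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries);
        evaluationContext.Properties["Principal"] = new ConfigRolePrincipal(windowsIdentity, groups);
        return true;
    }
}

// Grants LogicalRole only to members of a configured group; an empty list grants nothing.
public class ConfigRolePrincipal : IPrincipal
{
    private readonly WindowsPrincipal inner;
    private readonly string[] allowedGroups;
    public ConfigRolePrincipal(WindowsIdentity identity, string[] allowedGroups)
    {
        inner = new WindowsPrincipal(identity);
        this.allowedGroups = allowedGroups;
    }
    public IIdentity Identity { get { return inner.Identity; } }
    public bool IsInRole(string role)
    {
        if (role != YourCustomAuthorizationPolicy.LogicalRole) return inner.IsInRole(role);
        return allowedGroups.Any(g => inner.IsInRole(g.Trim()));
    }
}
```

An operation marked `[PrincipalPermission(SecurityAction.Demand, Role = "ServiceUser")]` then admits only callers in the configured groups, and changing the groups requires editing configuration only.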

Ok this is the solution we came up with. Although it does involve a code change (adding the AspNetCompatibilityRequirements attribute) we can now achieve configuration of the groups/roles in the web.config file rather than hardcoding.

There are a number of steps to this...

1) Add the aspNetCompatibilityEnabled attribute into the serviceHostingEnvironment element and set to true, eg...

<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />

This tells the WCF service to run in ASP.NET Compatibility Mode and participate fully in the ASP.NET HTTP request lifecycle. See this MSDN article for full details.

2) In the WCF code add AspNetCompatibilityRequirements attribute to the service class as per the link above and as specified in this MSDN article ...

<AspNetCompatibilityRequirements(RequirementsMode:=AspNetCompatibilityRequirementsMode.Allowed)>

3) Now we can add the usual ASP authorization element in to restrict access to the specified groups/users (without the settings (1) and (2) above, this would be ignored by WCF)...

<system.web>
    <authorization>
        <allow roles="MYDOMAIN\WCFAuthenticatedUsers" /> <!-- allows access to users in this group -->
        <deny users="*" /> <!-- denies access to all other users -->
    </authorization>
</system.web>
