Tom Frey

Hi,

I have a server with a NetTcpBinding endpoint and I want to use custom username authentication on a session level. So, credentials are only transmitted once when the session is established and not with every message sent. Can someone help me out here?

Thanks,

Tom


Re: Windows Communication Foundation (Indigo) NetTcpBinding -> UsernameAuthentication

Pedro Felix

Hello:

If you set the (NetTcpBinding) binding's security mode to message, then it will establish a secure session using the WS-SecureConversation spec:
1) A Username token will be used in the establishment of the session to authenticate the client. If you are using a custom validator, the Validate method will be called in this phase. The authenticated claims (the username in this case) will be cached at the service side.

2) After the session is established, each message sent by the client to the service contains a SecurityContextToken reference. The service uses this reference to fetch the cached authenticated claims. These claims will be available in the OperationContext.ServiceSecurityContext.AuthorizationContext.

Concluding:
1) The username and password are only sent once
2) The username and password are only validated once
3) The username will be available in every call (via the operation context)

Hope it helps
Pedro Felix






Re: Windows Communication Foundation (Indigo) NetTcpBinding -> UsernameAuthentication

Tom Frey

Hi Pedro,

Thanks for your reply. Am I understanding this correctly that by using security mode = message, no additional data will be attached to each message, so message sizes remain the same?

Thanks,

Tom




Re: Windows Communication Foundation (Indigo) NetTcpBinding -> UsernameAuthentication

Tom Frey

Btw, how can I set the security mode in code? I know how it works with the config file, but doing it in code doesn't seem to work:

NetTcpBinding binding = new NetTcpBinding();
binding.Security.Mode = SecurityMode.Message;

host.AddServiceEndpoint(typeof(IQuoteServiceContract), binding, "net.tcp://localhost:8000/QuoteService");
host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new CustomUserNameValidator();
host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = System.ServiceModel.Security.UserNamePasswordValidationMode.Custom;




Re: Windows Communication Foundation (Indigo) NetTcpBinding -> UsernameAuthentication

Pedro Felix

Hello:

1) Regarding the first post:
>Am I understanding this correct that by using security mode = message, no additional data will be attached to each message, so message sizes remain the same
No, a security context token will be attached to the message. A digital signature will also be attached to each sent message.

2) Regarding the second post:
You must define the client credential type:
binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

Hope it helps
Pedro Felix
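
The setup discussed in the posts above, assembled into one self-hosted program as an added example that is not part of the original thread. The `QuoteService` class, the `WhoAmI` operation, the `demo` user, the `QUOTE_DEMO_PASSWORD` environment variable and the `localhost` certificate subject are assumptions made for illustration.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IQuoteServiceContract { [OperationContract] string WhoAmI(); } // hypothetical operation

public class QuoteService : IQuoteServiceContract
{
    // Runs on every call; the name comes from the identity cached when the session was established.
    public string WhoAmI() { return ServiceSecurityContext.Current.PrimaryIdentity.Name; }
}

public class CustomUserNameValidator : UserNamePasswordValidator
{
    // Called during session establishment, not per message.
    public override void Validate(string userName, string password)
    {
        // Constructed check (assumption): replace with a lookup against a real credential store.
        string expected = Environment.GetEnvironmentVariable("QUOTE_DEMO_PASSWORD");
        if (userName != "demo" || string.IsNullOrEmpty(expected) || password != expected)
            throw new SecurityTokenValidationException("Unknown user name or bad password.");
    }
}

public static class Program
{
    public static void Main()
    {
        var binding = new NetTcpBinding();
        binding.Security.Mode = SecurityMode.Message;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        var host = new ServiceHost(typeof(QuoteService));
        host.AddServiceEndpoint(typeof(IQuoteServiceContract), binding, "net.tcp://localhost:8000/QuoteService");
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new CustomUserNameValidator();
        // Message security with a UserName credential requires a service certificate to protect
        // the token in transit; the subject name here is an assumption.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "localhost");
        host.Open();
        Console.WriteLine("Listening; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

Without the service certificate, `host.Open()` fails before any client can connect, so the credential type alone is not enough to make this binding work.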




Re: Windows Communication Foundation (Indigo) NetTcpBinding -> UsernameAuthentication

Tom Frey

Well, that's what I don't want. Performance is very critical for this service and therefore message sizes should be kept as small as possible. I don't see why a token attached to each message is necessary for NetTcpBinding.
Is there a way to do username authentication without incurring additional overhead per message?




Re: Windows Communication Foundation (Indigo) NetTcpBinding -> UsernameAuthentication

Pedro Felix

Hello:

Sorry, but my previous statement is not completely correct. The messages only have a security context token (SCT) reference and not the full SCT. However, there will be a new signature for each message since you are using message level security.

You could use SecurityMode.TransportWithMessageCredential and SSL transport security. If this mode also uses WS-SecureConversation (I'm not sure of this), then the messages will only have an SCT reference. All the protection will be done at the transport layer (minimizing the space overhead).

Hope it helps
Pedro Felix