Adding Authentication/Authorization

These directions are based on chsakell's Blog Post

Step 1: Database Setup

• Install Sql Server Express
  • Make sure to use both Windows and SQL authentication
  • Instance = [servername]\SQLEXPRESS).
• Install Sql Server Management Studio (SSMS) on the server
• Start SSMS and connect to [servname]\SQLEXPRESS
  • Right click on the server and select properties
  • Select the connections page
  • Click allow remote connections and select ok.
• Start Sql Server Configuration Manager

  • Set the following elements SqlConfig.png

  • Under "SQL Server Services" Right click on "SQL Server (SQLEXPRESS)" and click restart.
• Add a Windows firewall rule to allow incoming connections to port 1433. (if you are not sure how to do this, ask an IT major or google it)
  • You can now remotely connect to the server using just the IP address. Try it on SSMS
• Create a database
  • In SSMS, right click on the databases folder, select New Database...

  • Give it a name "MovieUsers"

• Run C:\Windows\Microsoft.NET\Framework\v4.0.30319>aspnet_regsql.exe

  • Choose the Configure SQL Server for application services option and select next.
  • Fill in the server name and append "\SQLEXPRESS" e.g. CPTR446\SQLEXPRESS

  • Leave Windows authentication selected and Drop down the database selection. You should see MovieUsers. Select it and click next, next, finish.

That should finish the database setup.

Step 2: Configure your service to use the database for authentication

One of the most important things is that, when working with the latest technology, we use the latest documentation. I didn’t give you links to the latest documentation, I gave you a link to a tutorial that shows the process. Always look at the date for such tutorials, they may (and indeed often do) require you to expand your search to find current, canonical documentation.

1. You have your WCF service App project (hereafter referred to as your “service” project). This is what gets deployed and this is where I’ll be making the majority of edits (almost all in the web.config file).
2. Deploy the service to your remote IIS server.
   1. Test this! If it doesn't work now, it doesn't have a prayer of working later.
3. At this point, I looked at the project called Membership and Role Provider in the link below:

   1. Membership and Role Provider

   2. Although this does show you how to change the web.config file, it does not show you much code. So to save you downloading a massive file and finding the right project in it, I’ve included the folder for this project here.

   3. NOTE: Your Membership and Role Provider is untrusted! That is, even though this is a standard normal forms authentication provider, IIS will complain. So follow the directions here to fix that problem. BUT BE WARNED, DON’T EVER DO THIS ON A PRODUCTION SERVER.

4. The first thing you should look at in code is the web.config file! This and the link above should give you all you need to implement authentication and authorization.
5. There were several caveats that I had to work out.

   1. A certificate is required and you need to create one and put it in LocalHost\Personal Certificate store. I’ll leave you to your own devices on that task. But you can create the certificate in IIS manager and export it, then import it to your Certificate store. This must be done on your server. Since it is self signed, you will also need to include the following code in your client. (Notice my reference to the wcf service is called “proxy”). proxy.ClientCredentials.ServiceCertifcate.Authentication.CertificateValidationMode = X509CertifcateValidationMode.None;

   2. The certificate may not allow access to the private key, which your wcf service needs! This is manifested by an exception stating: “keyset does not exist”. I found this website to be very useful. As part of the process, you will need a compiled program from the examples called FindPrivateKey.exe. For your benefit, I have compiled it and uploaded it here.

   3. If you have other Certificate issues, it is probably because you didn’t put it in the right place.
6. After you have created the configuration and deployed the service then, and only then, can you go and create the .NET Users and .NET roles in IIS. If you have trouble make sure you have enabled forms authentication.

Step 3: Configure your service/client to require/use Authorization

Authorization is one of the easiest parts to this project. If you have the parts in place, you can simply add some attributes to your methods in code to require authorization. Let’s look at the parts.

1. You must have the web.config deployed first to the website first. It has the membership and role configuration, and if that is wrong, you won’t be able to continue.
2. At this point you should now be able to use IIS Management tool to add both users and roles. (In IIS manager, navigate to the service application you created and click on ".NET Users" or ".NET Roles".) Don’t forget to add the users to the appropriate roles.
3. Add the required authorization requirements to the service and you should be ready to test again. I recommend testing from your client (like I did in class) so that you can get good feedback on errors.

   1     [PrincipalPermission(SecurityAction.Demand, Role = "Users")]
   2     [PrincipalPermission(SecurityAction.Demand, Role = "Managers")]
   3     public List<Movie> GetMovies() { …