Understanding WCF Windows Authentication

Question

I have a service with windows authentication. Using the following code, I can get the Windows Identity of the user who (by using the client) consumes the service.

String currentUser = OperationContext.Current.ServiceSecurityContext.WindowsIdentity.Name;

The configuration in the server is:

<binding name="messageSecurity">
<security mode="Message">
<message clientCredentialType="Windows"/>
</security>
</binding>

I also read that in the server, it is using Kerberos for this to work.

Now, I am trying to understand its significance in our corporate network. In the office, users will be logging into their desktops using their active directory credentials. Our service is hosted in a windows server named “SERV1” .

1. Is only users who have access (to login) to “SERV1” can access the service? Or all users who are able to login to the office network (suing active directory credentials) will be able to consume the service?

2. Is there a way to ensure that only CIO approved applications will be accessing the service, keeping the service as windows authenticated?

3. Does this authentication check happen for each service operation call or only for the first call?

4. Is there any way the service will be able to know the windows credentials of the user?

Note: What I understand is WindowsAuthentication can be compared to a Membership provider - providing username and password from a centralized location. It can be compared to ASP.Net Membership Provider or Active Directory Membership Provider.

Further reading:

1. ASP.NET Active Directory Membership Provider and SQL Profile Provider

2. wcf data contracts authorization

3. http://www.theserverside.net/tt/articles/showarticle.tss?id=ClaimsBasedSecurityModel

Answer 1

Can only users who have access (to login) to “SERV1” access the service?

Yes - that's the point of using Windows credentials in a WCF service. Only users which have a domain account in that Active Directory domain (or a separate domain which has a bidirectional full-trust relationship with your domain) will be able to access the service.

Or all users who are able to login to the office network (suing active directory credentials) will be able to consume the service?

The WCF security boundary is the Active Directory Domain - not a particular server.

Is there a way to ensure that only CIO approved applications will be accessing the service, keeping the service as windows authenticated?

How are those "CIO-approved" applications different from others? WCF is accessed by accounts - typically user accounts. You can limit which accounts have access to your service (by e.g. requiring those accounts to be member of a given AD group or something). You cannot really "limit" based on applications (only if those applications use specific application-level accounts to access your WCF service)

Does this authentication check happen for each service operation call or only for the first call?

Depends on your service - if you use a per-call WCF service, then the check happens for each call. If you use a per-session WCF service with "security negotiation" turned on, then the check happens once at the beginning of the session and not anymore until the session ends.

Is there any way the service will be able to know the windows credentials of the user?

Yes - OperationContext.Current.ServiceSecurityContext.WindowsIdentity IS the Windows credentials (the Windows identity) used to call your service. It's a lot more than just the user name.....