I'm learning WCF. I've created a WCF service which uses a local SQL Server database. I've configured the database server to use Windows authentication. When I use the WCF service with a WPF application, everything works.
When I use the WCF service with a WPF browser application, however, I get an error which, I believe, means I don't have security configured properly. The specific error is: "That assembly does not allow partially trusted callers."
I'm trying to figure out how to configure the security properly, starting with the security in SQL Server, but I'm having trouble finding answers. Can anyone help me with these questions?
1) Do I need to reconfigure SQL Server to use SQL Server authentication instead of Windows authentication? If so, are there recommended guidelines for naming the user and configuring the privileges of the account created for the WCF service?
2) The database is on the local machine now only so I can experiment. Down the road, I'm going to move the database to a server. Will the security configuration required by WCF change when I do that?
-TC
do you host your WCF in IIS (which version) or self hosted? If IIS then probably need to run IIS it in Full Trust mode
try not to use SQL Server Authentication if you don't have to.
Related
I am new to SQL Server, I am planning to build a distributed application in Java for SQL Server. I am curious to know that if there is a way to handle the following scenarios:
UserA logs in on MachineA and chooses Windows authentication as credentials in app. My application's 2nd component is on MachineB (components communicate using RESTful web services) and MachineB has SQL Server installed on it. MachineB has the code to connect to SQL Server.
I want to know what are the steps to make this happen, is it possible to use windows authentication here?
UserA logs in on MachineA and uses Windows authentication, code to connect is on MachineB and SQL Server is on MachineC. What are the required steps here to make this happen, connection string and if I need to make any domain etc.
Assuming all machines are on the same DOMAIN, yes it will work. You may need to configure Kerberos (SetSPN) to make sure the service is trusted. You should check Microsoft® Kerberos Configuration Manager for SQL Server® from Microsoft. If Java is used from a Web site, you will also need to configure a SPN for this service as well. When it's all configured, To connect using Java, your ConnectionString should look like this:
jdbc:sqlserver://localhost;databaseName=AdventureWorks;integratedSecurity=true;
Hope it help.
I am trying to find code examples of:
1. Remote MVC App on IIS
2. Data is on the customers SQL Server and on the windows domain they are using their web browser from.
I have a MVC app that works well with IIS and SQL Server being on the same domain.
However, I am trying to figure out how to extend the MVC App to multiple customers by hosting the site on a remote IIS server and having the remote MVC application on IIS query the customers SQL Server database.
I am comfortable with MVC, Entity Framework, & SQL Server but have had a hard time finding examples for this scenario.
You can certainly change the connection string of your application to work with any remote SQL Server instance you please. Obviously being outside the domain poses some additional challenges and security risks that you should consider, however, to get them talking to each other you can simply specify the server address in your connection string like so:
Data Source=192.168.10.1,1433;Network Library=DBMSSOCN;Initial Catalog=myDataBase;User ID=myUsername;Password=myPassword;
The Network Library parameter forces the use of TCP/IP as a network protocol. Note that the customer will have to set up a SQL Server Authentication user on their database to simplify this scenario - using a trusted connection will be impossible unless you integrate your Windows domains, which could be a significant amount of work for little benefit.
I have a situation where clients connecting to my webservice(that exists on another server) must access SQL Server databases and SSAS servers.
It must use the credentials of the client that is calling the service when accessing the SQL Servers and SSAS cubes.
For this to work I do
var winId = HttpContext.Current.User.Identity as WindowsIdentity;
var ctx = winId.Impersonate();
//Access Database/SSAS
ctx.Undo();
in my service which works fine when accessing SQL Server databases.
However when I access the SSAS servers I get
"The connection either timed out or was lost"
There are a number of posts like
http://denglishbi.wordpress.com/2009/03/31/windows-server-2008-kerberos-bug-%E2%80%93-transport-connection-issues-with-ssas-data/
http://sqlblogcasts.com/blogs/drjohn/archive/2009/03/28/kerberos-kills-large-mdx-queries-on-windows-server-2008-ssas.aspx
on this but I am using Windows Server 2008 R2
where my service lives so this should not be a problem as this bug should have been fixed by Microsoft.
Any information as to how to best diagnose this problem would be appreciated.
To clarify the SSAS servers do have SPNs. This was actually working at one point but has now stopped. Appears no sign of duplicate SPNs or anything.
What is interesting is it works intermittently on one SSAS server but seems to work all the time for the other.
They both have named SPNs as mentioned by this document
https://support.pyramidanalytics.com/entries/22056243-Configuring-Kerberos-Delegation-for-Named-Instances-of-SSAS-with-Active-Directory-and-additional-pro
My production environment is a load-balanced (and under heavy load) on a very large corporate Active Directory network. The following took a lot of testing to finally nail down settings that work.
I also run on Windows 2008 Server R2
My web services are in ASP.NET in IIS. For authentication I enabled "Windows Auth" and "ASP.NET Impersonation". Kernel mode is disabled and provider is "Negotiate:Kerboros"
SPNS and Trusted Delegation are setup for an AD account. My AD account looks like sys_myservice (sys_ is just a naming convention at my company)
The Application Pool identity is set to use the sys_myservice
After you make all these changes in your dev env, restart the entire server. For some odd reason this is always necessary when we bring on new servers and configure them.
With this setup my web services access SSAS, SQL Server, and more that use Windows Kerboros auth and all queries are performed correctly under the user's credentials.
The difference in my setup from yours is ASP.NET Impersonation is enabled at the IIS level. I had trouble doing the impersonation in code which is what you are trying to do. If you get code-level impersonation to work with your workflow I would be really interested in seeing you post an update.
Forgot to mention. My services are in a MVC application, I apply a global filter to all Action methods to force the application to authenticate all connections.
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
filters.Add(new HandleErrorAttribute());
filters.Add(new System.Web.Mvc.AuthorizeAttribute());
}
and in my web.config system.web section
<authentication mode="Windows" />
<identity impersonate="true" />
I agree that the intermittently 'successful' SSAS instance is suspicious. I wonder if it's really using Kerberos all the time. Could be using a combination of negotiate/NTLM and Kerberos, with one auth method actually working and the other approaching failing. Might be worth another look at the SPN. This link might help: http://msdn.microsoft.com/en-us/library/dn194200.aspx
Did you try using Wireshark or any other Network Analysis tools to see anything red happening at that point of failure? Probably its better if you provide more troubleshooting observations from your end.
Also, does your web services has a Load balancer?
Regards,
Sasi.
A WCF project consist of all the logic behind a desktop application (WPF) and it works well when I run it on VS 2008 with WCF selfhost. The desktop application consume services expose by the WCF and desktop application users have to login to the app using his username and password. WCF is connect with SQL Server 2008 database through LINQ and user account details also save in that database.
But after I host that WCF in IIS 7, when I login to the desktop application, it says username and password are not match. But It worked perfect in VS 2008 with self host before I host WCF in IIS 7. What is the reason for this behavior?
Please help me to solve this problem
Connection string for SQL Server database:
<add name="iSponsor.Data.Properties.Settings.test_dbConnectionString"
connectionString="Data Source=LMR-HERO\SQLSP1INS;Initial Catalog=test_db;Integrated Security=True"
providerName="System.Data.SqlClient" />
You're using integrated security. That means that the WCF service will attempt to log into the database using the IIS application pool identity.
You will either need to
grant the default app pool users (or more conveniently the local group IIS_IUSRS) permissions to access your database - needs carefully locked-down access, though, but very difficult for an attacker to impersonate this user
run the application pool as a local or domain user who does have access to the database - again need to carefully lock down this user
use SQL server authentication instead (username / password) - simplest to set up but easiest to attack
I've been developing a site using ASP.NET MVC, and have decided to use the new SQL Server 2008 FILESTREAM facility to store files 'within' the database rather than as separate entities. While initially working within VS2008 (using a trusted connection to the database), everything was fine and dandy. Issues arose, however, when I shifted the site to IIS7 and changed over to SQL authentication on the database.
It seems that streaming a FILESTREAM doesn't work with SQL authentication, only with Windows authentication. Given this, what is the best practice to follow?
Is there a way to force this sort of thing to work under SQL authentication?
Should I add NETWORK SERVICE as a database user and then use Trusted authentication?
Should I create another user, and run both the IIS site and the database connection under this?
Any other suggestions?
Take a look at this article. I don't know a whole lot about FileStreaming and security, but there are a couple of interesting options in the FileStreaming setup such as allowing remote connections and allow remote clients to access FileStreaming