Comments on: Web Services Security – HTTP Digest Authentication without Active Directory http://www.rassoc.com/gregr/weblog/2002/07/09/web-services-security-http-digest-authentication-without-active-directory/ Musings on just about everything. Fri, 27 Jan 2012 16:23:04 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Olivier Voutat http://www.rassoc.com/gregr/weblog/2002/07/09/web-services-security-http-digest-authentication-without-active-directory/#comment-132920 Olivier Voutat Thu, 20 Oct 2011 07:49:07 +0000 http://www.gregrphoto.com/rassoc/gregr/weblog/2002/07/09/web-services-security-http-digest-authentication-without-active-directory/#comment-132920 and if you want to use Soap12 instead of Soap11 which is the default for BasicHttpBinding <bindings> <customBinding> <binding name="BindingSoap12"> <textMessageEncoding messageVersion="Soap12" /> <httpTransport /> </binding> </customBinding> </bindings> but you will have to configure the service section too <services> <service name="WcfAdministrationFederale.AssuranceVieillesse"> <endpoint binding="customBinding" bindingConfiguration="BindingSoap12" contract="WcfAdministrationFederale.IAssuranceVieillesse" /> </service> </services> Source http://www.pvle.be/2008/10/soap-12-message-format-with-basichttpbinding/ and if you want to use Soap12 instead of Soap11 which is the default for BasicHttpBinding








but you will have to configure the service section too





Source
http://www.pvle.be/2008/10/soap-12-message-format-with-basichttpbinding/

]]> By: Olivier Voutat http://www.rassoc.com/gregr/weblog/2002/07/09/web-services-security-http-digest-authentication-without-active-directory/#comment-132917 Olivier Voutat Wed, 19 Oct 2011 12:23:16 +0000 http://www.gregrphoto.com/rassoc/gregr/weblog/2002/07/09/web-services-security-http-digest-authentication-without-active-directory/#comment-132917 Magic part <system.serviceModel> <serviceHostingEnvironment aspNetCompatibilityEnabled="true" /> </system.serviceModel> Magic part

<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled=”true” />
</system.serviceModel>

]]> By: Olivier Voutat http://www.rassoc.com/gregr/weblog/2002/07/09/web-services-security-http-digest-authentication-without-active-directory/#comment-132916 Olivier Voutat Wed, 19 Oct 2011 12:21:55 +0000 http://www.gregrphoto.com/rassoc/gregr/weblog/2002/07/09/web-services-security-http-digest-authentication-without-active-directory/#comment-132916 I love your module and have been using for some time now. But unfortunately at my work they want to migrate do WCF. What a shock, the module didn't work...WCF uses security separated from the IIS authentication system. WCF accepts custom security but only if certificates or https is used. Apparently the credentials are sent in clear mode... What a crap... I understand why, but leave the choice to the developers. Only they know their environments. After a complete week of intensive research I found the solution thanks to this project http://custombasicauth.codeplex.com/ I didn't like it very much because it implies that you create a new authentication mode and the program is not the same if it is used for IIS 6 or IIS 7. But it lead me to the necessary changes so I can continue using your incredible module. The magic is: And in your Service class add the following above your class declaration [AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)] public class Service So simple, and yet so hard to find out. I love your module and have been using for some time now. But unfortunately at my work they want to migrate do WCF.

What a shock, the module didn’t work…WCF uses security separated from the IIS authentication system.

WCF accepts custom security but only if certificates or https is used. Apparently the credentials are sent in clear mode…

What a crap… I understand why, but leave the choice to the developers. Only they know their environments.

After a complete week of intensive research I found the solution thanks to this project

http://custombasicauth.codeplex.com/

I didn’t like it very much because it implies that you create a new authentication mode and the program is not the same if it is used for IIS 6 or IIS 7. But it lead me to the necessary changes so I can continue using your incredible module.

The magic is:

And in your Service class add the following above your class declaration

[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class Service

So simple, and yet so hard to find out.

]]> By: Frank http://www.rassoc.com/gregr/weblog/2002/07/09/web-services-security-http-digest-authentication-without-active-directory/#comment-132294 Frank Tue, 05 Oct 2010 11:35:29 +0000 http://www.gregrphoto.com/rassoc/gregr/weblog/2002/07/09/web-services-security-http-digest-authentication-without-active-directory/#comment-132294 Solved. (I did not see the previous answer, Thanks to Greg): Dim req3 As HttpWebRequest req3 = CType(WebRequest.Create(uri), HttpWebRequest) req3.Credentials = New NetworkCredential("myuser", "mypass") Solved.
(I did not see the previous answer, Thanks to Greg):

Dim req3 As HttpWebRequest
req3 = CType(WebRequest.Create(uri), HttpWebRequest)

req3.Credentials = New NetworkCredential(“myuser”, “mypass”)

]]> By: Frank http://www.rassoc.com/gregr/weblog/2002/07/09/web-services-security-http-digest-authentication-without-active-directory/#comment-132293 Frank Tue, 05 Oct 2010 11:19:43 +0000 http://www.gregrphoto.com/rassoc/gregr/weblog/2002/07/09/web-services-security-http-digest-authentication-without-active-directory/#comment-132293 Hi, I need a client making the authentication programmatically (not via browser). So, create the 1st request and I catch the WebException.Response. Now I have access to the nonce and to all parameters. In order to authenticate, I need to send the authenticated request, according to the RFC (I mean I've to create the header using nonce, user, pass, MD5,..). Do you have any working code to create this response ? thanks in advance. Frank Hi,

I need a client making the authentication programmatically (not via browser).

So, create the 1st request and I catch the WebException.Response. Now I have access to the nonce and to all parameters. In order to authenticate, I need to send the authenticated request, according to the RFC (I mean I’ve to create the header using nonce, user, pass, MD5,..). Do you have any working code to create this response ?
thanks in advance.
Frank

]]> By: Olivier Voutat http://www.rassoc.com/gregr/weblog/2002/07/09/web-services-security-http-digest-authentication-without-active-directory/#comment-132291 Olivier Voutat Tue, 05 Oct 2010 07:04:53 +0000 http://www.gregrphoto.com/rassoc/gregr/weblog/2002/07/09/web-services-security-http-digest-authentication-without-active-directory/#comment-132291 Great, thanks to a post in the BasicAuthenticationModule article, I get this to work. First, name it CustomDigestAuthenticationModule in the web.config. Second, to make it works with Integrated pipeline, add this section: <system.webServer> <validation validateIntegratedModeConfiguration="false"/> <modules> <add name="CustomeDigestAuthenticationModule" type="Rassoc.Samples.DigestAuthenticationModule, DigestAuthMod"/> </modules> </system.webServer> This way it will work as well with integrated pipeline as without it. If you only want to make it work in integrated pipeline mode, erase httpmodule section and add only <system.webServer> <modules> <add name="CustomeDigestAuthenticationModule" type="Rassoc.Samples.DigestAuthenticationModule, DigestAuthMod"/> </modules> </system.webServer> The section <validation validateIntegratedModeConfiguration="false"/> is only there to avoid validation by IIS between the configuration and the integrated mode which doesn't accept an httpModule section. ------------------------------------------ # Chinh said: August 24th, 2009 at 2:09 pm For anyone trying to get this to work with IIS7, you need to do this: - In web.config, change the name of the httpModule to “CustomBasicAuthenticationModule”. In IIS7, there’s already a built-in module named “BasicAuthenticationModule”. - Follow the instructions here http://bdotnet.in/blogs/navaneeth/archive/2008/07/06/2056.aspx Chinh Great, thanks to a post in the BasicAuthenticationModule article, I get this to work.

First, name it CustomDigestAuthenticationModule in the web.config.

Second, to make it works with Integrated pipeline, add this section:

<system.webServer>
<validation validateIntegratedModeConfiguration=”false”/>
<modules>
<add name=”CustomeDigestAuthenticationModule” type=”Rassoc.Samples.DigestAuthenticationModule, DigestAuthMod”/>
</modules>
</system.webServer>

This way it will work as well with integrated pipeline as without it. If you only want to make it work in integrated pipeline mode, erase httpmodule section and add only

<system.webServer>
<modules>
<add name=”CustomeDigestAuthenticationModule” type=”Rassoc.Samples.DigestAuthenticationModule, DigestAuthMod”/>
</modules>
</system.webServer>

The section <validation validateIntegratedModeConfiguration=”false”/> is only there to avoid validation by IIS between the configuration and the integrated mode which doesn’t accept an httpModule section.

——————————————
# Chinh said:
August 24th, 2009 at 2:09 pm

For anyone trying to get this to work with IIS7, you need to do this:

- In web.config, change the name of the httpModule to “CustomBasicAuthenticationModule”. In IIS7, there’s already a built-in module named “BasicAuthenticationModule”.
- Follow the instructions here http://bdotnet.in/blogs/navaneeth/archive/2008/07/06/2056.aspx

Chinh

]]> By: Olivier Voutat http://www.rassoc.com/gregr/weblog/2002/07/09/web-services-security-http-digest-authentication-without-active-directory/#comment-132290 Olivier Voutat Tue, 05 Oct 2010 06:40:11 +0000 http://www.gregrphoto.com/rassoc/gregr/weblog/2002/07/09/web-services-security-http-digest-authentication-without-active-directory/#comment-132290 sigh, yeah, I see that DigestAuthenticationModule inherits from IHttpModule. Maybe we should inherit something else instead? sigh, yeah, I see that DigestAuthenticationModule inherits from IHttpModule. Maybe we should inherit something else instead?

]]> By: Olivier Voutat http://www.rassoc.com/gregr/weblog/2002/07/09/web-services-security-http-digest-authentication-without-active-directory/#comment-132289 Olivier Voutat Tue, 05 Oct 2010 06:09:02 +0000 http://www.gregrphoto.com/rassoc/gregr/weblog/2002/07/09/web-services-security-http-digest-authentication-without-active-directory/#comment-132289 <system.webServer> <validation validateIntegratedModeConfiguration="false"/> </system.webServer> <system.webServer>
<validation validateIntegratedModeConfiguration=”false”/>
</system.webServer>

]]> By: Olivier Voutat http://www.rassoc.com/gregr/weblog/2002/07/09/web-services-security-http-digest-authentication-without-active-directory/#comment-132288 Olivier Voutat Tue, 05 Oct 2010 06:02:53 +0000 http://www.gregrphoto.com/rassoc/gregr/weblog/2002/07/09/web-services-security-http-digest-authentication-without-active-directory/#comment-132288 tried To make it accept the module in integrated module. Don't get the 500 error message anymore but it doesn't ask my login and password. Instead it throws a "401 Refused Access" directly. tried

To make it accept the module in integrated module. Don’t get the 500 error message anymore but it doesn’t ask my login and password. Instead it throws a “401 Refused Access” directly.

]]> By: Olivier Voutat http://www.rassoc.com/gregr/weblog/2002/07/09/web-services-security-http-digest-authentication-without-active-directory/#comment-132287 Olivier Voutat Mon, 04 Oct 2010 14:58:22 +0000 http://www.gregrphoto.com/rassoc/gregr/weblog/2002/07/09/web-services-security-http-digest-authentication-without-active-directory/#comment-132287 Another thing that I noticed. If the application pool is pipeline integrated, it doesn't work. What is pipeline integrated useful for? Another thing that I noticed. If the application pool is pipeline integrated, it doesn’t work. What is pipeline integrated useful for?

]]>