WCF Authentication: Custom Username and Password Validator

Techy News Blog » WCF Authentication: Custom Username and Password Validator

Techy News Blog » WCF Authentication: Custom Username and Password Validator — Fri, 05 Oct 2007 19:53:34 GMT

PingBack from http://www.artofbam.com/wordpress/?p=5519

re: WCF Authentication: Custom Username and Password Validator

JanW — Wed, 24 Oct 2007 15:51:20 GMT

Thanks for the guide. However, one of the issues here is that any exceptions thrown in the Validate() method will not be reported back to the client properly. All you will get is a MessageSecurityException. This has been reported several times (e.g. here: http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=575748&SiteID=1) Unfortunatley Microsoft did not come up with an adequate response yet.

re: WCF Authentication: Custom Username and Password Validator

Jon — Wed, 28 Nov 2007 11:31:30 GMT

I created a certificate "CN=SignedByCA" and updated the App.Config files to refer to its thumbprint. Now when I try to start the host, I get the following exception on host.Open():

The certificate 'CN=SignedByCA' must have a private key that is capable of key exchange. The process must have access rights for the private key.

I'm not sure how to give the host access to the private key. I'm starting the host process using VS 2008.

Regards,

Jon

re: WCF Authentication: Custom Username and Password Validator

Diego — Thu, 10 Jan 2008 22:43:27 GMT

I'm having the same issue Jon mentioned. I'm also getting the message:

The certificate 'CN=SignedByCA' must have a private key that is capable of key exchange. The process must have access rights for the private key.

Please.... help :S

re: WCF Authentication: Custom Username and Password Validator

Dimitris-Ilias Gkanatsios — Fri, 01 Feb 2008 05:04:44 GMT

To the two above: Use the FindPrivateKey utility located in the WCF samples to find the location of the private key, and then set the permissions accordingly.

I spent many hours today while having the same problem, and I came up with the following solution

To install a self signed certificate

makecert.exe -sr LocalMachine -ss MY -a sha1 -n CN=%SERVER_NAME% -sky exchange -pe

certmgr.exe -add -r LocalMachine -s My -c -n %SERVER_NAME% -r LocalMachine -s TrustedPeople

To use the FindKeyUtility

FindPrivateKey.exe TrustedPeople LocalMachine Private key directory: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys Private key file name: 756e9ecb7bb8ed83bf80031497479997_8a4ee4f0-1f8d-4d2e-b1bf-fff1d5b15e61

And then, you can go to the specified folder and change the permissions...

Moreover, I needed to set this in the client's config file

</serviceCertificate>

</clientCredentials>

</behavior>

</endpointBehaviors>

</behaviors>

and add this to the endpoint configuration

behaviorConfiguration="ClientCertificateBehavior"

Finally, pay attention to the

</identity>

element, in the client.

The dns value must much the one in the certificate.

Good luck!!

re: WCF Authentication: Custom Username and Password Validator

Thiarley Fontenele — Fri, 01 Feb 2008 17:00:30 GMT

Hi,

If I authenticate the user using peertrust, How can I get his certificate inside the Operation Contract ?

I need the certificate to get others informations.

re: WCF Authentication: Custom Username and Password Validator

Jernej Logar — Tue, 11 Mar 2008 17:19:27 GMT

Hi!

I was also getting the message:

The certificate 'CN=SignedByCA' must have a private key that is capable of key exchange. The process must have access rights for the private key.

I solved that by importing the certificate together with the private key, using a pfx fiel which I generated wtih pvk2pfx.

WCF Security Resources

alik levin's — Sun, 20 Apr 2008 07:28:21 GMT

This is a digest of WCF Security resources I was collecting for some time. Drop me a comment in case

re: WCF Authentication: Custom Username and Password Validator

Fernando Alves — Sun, 11 May 2008 18:25:47 GMT

In some of my implemented OperationContract methods i need to log with others method informations, and console output the validated credentials (username/password), how can i get the respective instanciated credential values?

re: WCF Authentication: Custom Username and Password Validator

Fernando Alves — Sun, 11 May 2008 19:18:30 GMT

Nevermind, ServiceSecurityContext.Current.PrimaryIdentity.Name

WCF Security Resources(转)

江南白衣 — Sun, 11 May 2008 19:22:14 GMT

This is a digest of WCF Security resources I was collecting for some time. Drop me a comment in case it is useful.

re: WCF Authentication: Custom Username and Password Validator

Arjan Hordijk — Thu, 17 Jul 2008 12:08:25 GMT

I had the same problem.

These were the steps I took to solve the problem:

I removed the generated personal key from the store and issued the following request: makecert -sk SignedByCA -iv TempCA.pvk -n "CN=localhost" -ic TempCA.cer SignedByCA.cer -sr LocalMachine -ss My -sky exchange -pe

The created certificate was added to the personal certifcate store of the local computer.

After placing this certificate in the personal certificate store of the current user (drag and drop) the error was gone.

Hope this will help.....

We are not the only ones (Also see this post: http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1180892&SiteID=1)

re: WCF Authentication: Custom Username and Password Validator

Mathew Upchurch — Wed, 23 Jul 2008 23:39:41 GMT

Great article but my problem is I'm authenticated on my web site already (setting the generic principal)... not I need to call my services layer... but I no longer have password available... any best practices for how to deal with this?

re: WCF Authentication: Custom Username and Password Validator

VG — Thu, 24 Jul 2008 20:55:55 GMT

My Service is hosted under IIS with SSL enabled.

This works without SSL enabled, but doesn't work with SSL on.

Any tips?

re: WCF Authentication: Custom Username and Password Validator

John Doe — Thu, 14 Aug 2008 11:40:21 GMT

Good post.

Complemented with http://www.digwin.com/view/howto-use-makecert-for-trusted-root-certification-authority-and-ssl-certificate-issuance , it made for an easy implementation of UserName validation. : )

re: WCF Authentication: Custom Username and Password Validator

angeltq — Tue, 23 Sep 2008 11:22:06 GMT

Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'CurrentUser', FindType 'FindByThumbprint', FindValue '8e f9 c6 6f 4e a0 0c 49 4f 84 69 fb de c6 a7 e1 79 01 5b 6e'.

Help me!

re: WCF Authentication: Custom Username and Password Validator

Gr1nch — Tue, 18 Nov 2008 20:27:54 GMT

Anyone know how to catch any exception we throw in our Validate() function so we might have some means of returning a code for why validation failed? It would seem that regardless of what SecurityTokenException I throw, the only exception actually caught on the client side is the generic one. I can see my exception if I run diagnostics, but I need the client to see it to detect such things as lockout and other failure reasons...

re: WCF Authentication: Custom Username and Password Validator

Mike — Tue, 28 Apr 2009 20:59:42 GMT

2 Gr1nch

1) Throw a FaultException from Validate(...)

2) Catch MessageSecurityException on the client.

3) In the InnerException property you will find the FaultException you threw.

Keep in mind: generic FaultExceptions don't work here as a filter on client side, but you can, for example, use FaultCode during FaultException initialization to be sure that an InnerException the client got from MessageSecurityException is indeed the exception you threw in Validate(...).

#.think.in infoDose #28 (29th Apr - 8th May)

#.think.in — Fri, 15 May 2009 11:32:22 GMT

#.think.in infoDose #28 (29th Apr - 8th May)

#.think.in — Sun, 31 May 2009 01:12:37 GMT

#.think.in infoDose #28 (29th Apr - 8th May)

re: WCF Authentication: Custom Username and Password Validator

Thankful — Wed, 14 Oct 2009 21:28:02 GMT

Exactly what I needed!!!

Thanks a whole lot for the post.

re: WCF Authentication: Custom Username and Password Validator

Karan — Tue, 03 Nov 2009 07:28:33 GMT

Hi, I am getting this exception as described in the test above.

“Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'X' but the remote endpoint provided DNS claim 'Y'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'Y' as the Identity property of EndpointAddress when creating channel proxy.”

I am using an endpoint identity as SPN. Any idea how to get this to work with endpoint Identity set as SPN.

Thanks.