Secure WCF Service When Calling from Azure


A Win for WCF Configuration

I was able to provide a pragmatic solution to an authorisation problem this week and thought it worth documenting.

Scenario

We have an existing on-prem WCF service that was previously called by BizTalk. The service endpoint was http (port only) with no authentication. We wanted to make the service available to an Azure Function app but tighten up on the security.

This has now been enhanced to give a single endpoint that:

  • demands an https connection
  • authenticates to ensure the request is made by a specific Windows service account

To achieve this, changes have been made to the WCF Server.

Changes to WCF Server

The available binding was changed to give a single option that demands Transport security:

<bindings>
	<basicHttpBinding>
		<binding name="secureHttpsBasic" sendTimeout="00:05:00" >
			<security mode="Transport">
				<transport clientCredentialType="Basic" />
			</security>
		</binding>
	</basicHttpBinding>
</bindings>

Authentication and authorization elements were introduced:

<system.web>
	<authentication mode="Windows" />
	<authorization>
		<allow users="domain\service_account_name" />
		<deny users="*" />
	</authorization>
	<compilation debug="true" targetFramework="4.9" />
	<httpRuntime targetFramework="4.9" />
</system.web>

I think the ability to configure authentication and authorisation so simply is quite neat. This is saying, “I’ll let you in only if you provide credentials for the given domain user”.
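The `<allow>`/`<deny>` pair above depends on rule order, because ASP.NET URL authorization stops at the first rule that matches. The following is an added example, not code from the original post: a small Python model of that evaluation (the `users` attribute only; roles and verbs are not modelled) plus a check that every `basicHttpBinding` demands Transport security, run over a constructed copy of the settings. The function names `is_allowed` and `insecure_bindings` are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the server settings shown above (not a full web.config).
CONFIG = r"""
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <allow users="domain\service_account_name" />
      <deny users="*" />
    </authorization>
  </system.web>
  <system.serviceModel>
    <bindings><basicHttpBinding>
      <binding name="secureHttpsBasic">
        <security mode="Transport">
          <transport clientCredentialType="Basic" />
        </security>
      </binding>
    </basicHttpBinding></bindings>
  </system.serviceModel>
</configuration>
"""

def is_allowed(config_xml, user):
    """Model of ASP.NET URL authorization, users attribute only.
    user is None for an anonymous request. Rules are read top to bottom and
    the first matching rule decides; with no match the inherited default
    (allow everyone) applies."""
    root = ET.fromstring(config_xml)
    for rule in root.findall("./system.web/authorization/*"):
        names = [n.strip().lower() for n in rule.get("users", "").split(",")]
        if ("*" in names                                   # everyone
                or (user is None and "?" in names)         # anonymous only
                or (user is not None and user.lower() in names)):
            return rule.tag == "allow"
    return True

def insecure_bindings(config_xml):
    """Names of basicHttpBinding entries that do not demand Transport security."""
    root = ET.fromstring(config_xml)
    path = "./system.serviceModel/bindings/basicHttpBinding/binding"
    return [b.get("name", "") for b in root.findall(path)
            if (b.find("security") is None
                or b.find("security").get("mode") != "Transport")]
```

Dropping the `<deny users="*" />` line from the sample makes `is_allowed` return `True` for every account, because the inherited default rule then applies. Placing it before the `<allow>` line locks out the service account as well.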

Client Configuration

This works with the WCF client proxy that’s generated from Visual Studio or svcutil.

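using System.ServiceModel; // BasicHttpBinding, EndpointAddress

// Match the server binding: HTTPS transport with Basic credentials
var binding = new BasicHttpBinding
{
    Security =
    {
        Mode = BasicHttpSecurityMode.Transport,
        Transport = { ClientCredentialType = HttpClientCredentialType.Basic }
    }
};

// endpoint is the https:// address of the service; options supplies the account's user name and password
var client = new CaseWorkWcfClient(binding, new EndpointAddress(endpoint));
client.ClientCredentials.UserName.UserName = options.Value.WcfUSername;
client.ClientCredentials.UserName.Password = options.Value.WcfPassword;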
