How to use WCF services non-anonymously from within a SharePoint web application and from WPF?

    Question

  • Hello,

    We have a CRM/ERP web application (ASP.Net Forms) running on top of SharePoint (WSS and 201x).
    On the other hand we have add-ins for Office (WPF) closely integrated to the web application via WCF services.

    Both rely heavily on a WCF services project, in three ways:

    1. WCF services called from code behind
    2. AJAX-enabled client web services using webhttpbinding / enablewebscript
    3. WCF services called from the add-ins.

    However, there is a security concern.
    In our current set-up, the WCF services need to be set to Anonymous authentication.
    Otherwise our web application and add-ins won't work using the current configuration.

    Our goal: to disable the anonymous access to the WCF services somehow, without breaking either the web application or add-ins.

    This proved much less straight-forward than expected.

    This is our typical set-up:

    • Extended SharePoint site (WSS / 201x). Alternate Access Mapping configuration:
      - Default: Active Directory, NTLM.
      - Intranet: Membership Provider, Anonymous access.
    • ASP.Net web application runs within the main SharePoint web application (no sub web application in IIS).
    • WCF services project is configured in IIS as a 'sub' web application beneath the SharePoint web application.

    This is what we came up with so far:

    • Added <authorization><deny users="?" /></authorization> in the WCF services web.config
    • Changed Windows Authentication -> Advanced Settings to the following:
      - Extended Protection: Accept
      - [X] Enable Kernel-mode authentication
    • Changed client binding configuration of add-ins and web application to Security Mode TransportCredentialOnly with clientCredentialType Ntlm.

    Above solution works in our SharePoint 2007 test environment in all three aforementioned places.

    However in SharePoint 201x we can't get the WCF calls from within the web application to work.
    At least not using the same client bindings as the add-ins (while the WCF calls from the add-ins also work in SharePoint 2013).

    The error message we’re getting is: No credentials are available in the security package.
    Another one we encountered is: Provider type not defined. (Exception from HRESULT: 0x80090017)

    Question: How can we use WCF services non-anonymously from within a SharePoint web application and from WPF?

    Any ideas on how to configure and call these in this scenario? (one way or another)

    Any thoughts on this are greatly appreciated!

    • Edited by Eddy Z Thursday, July 12, 2018 12:23 PM Unreadable formatting
    Thursday, July 12, 2018 12:20 PM
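The settings listed in the post above, written out as configuration. This is an added example, not part of the original post and not the poster's actual files. Assumptions: `basicHttpBinding` as the binding type, ASP.NET compatibility mode on the service side, and placeholder names for the binding, endpoint address and contract.

```xml
<!-- File 1, service side: web.config of the WCF services sub-application -->
<configuration>
  <system.web>
    <authorization>
      <!-- "?" matches unauthenticated users, so anonymous requests are refused -->
      <deny users="?" />
    </authorization>
  </system.web>
  <system.serviceModel>
    <!-- Assumption: ASP.NET compatibility mode. Without it, WCF requests
         are not subject to the authorization rules above. The service
         classes must allow this mode via AspNetCompatibilityRequirements. -->
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
  </system.serviceModel>
</configuration>

<!-- File 2, client side: app.config of an add-in or web.config of the web application -->
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding> <!-- assumed binding type -->
        <binding name="ntlmOverHttp"> <!-- hypothetical name -->
          <!-- Authenticates the caller at the HTTP layer with NTLM.
               The channel is plain HTTP: messages are neither encrypted nor signed. -->
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Ntlm" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <client>
      <!-- placeholder address and contract -->
      <endpoint name="ExampleService"
                address="http://sharepoint.example/services/Example.svc"
                binding="basicHttpBinding"
                bindingConfiguration="ntlmOverHttp"
                contract="Example.IExampleService" />
    </client>
  </system.serviceModel>
</configuration>
```

The service endpoint has to expose a binding with the same security mode and credential type as the client, otherwise the two sides disagree on the authentication scheme.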

All replies

  • Hi,

    Please check the following blog to create WCF with Authentication Mode in SharePoint 2010/2013:

    WCF Services in SharePoint 2013

    Step by Step – Building and Consuming Custom WCF Services hosted in SharePoint

    And here is a demo to call WCF service from WPF Application:

    Consuming WCF Service in WPF Application

    Thanks

    Best Regards


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Friday, July 13, 2018 9:31 AM
  • Thanks for your response Jerry.

    We ran into problems with our set-up especially with Claims-based Authentication, so the first article explains a thing or two.

    We will review these articles and I'll update this thread afterwards.

    Thanks,

    Eddy

    Monday, July 16, 2018 6:28 AM
  • Hi,

    About Claims-based Authentication, please check the following article:

    Create claims-based web applications in SharePoint Server

    Thanks

    Best Regards



    Monday, July 16, 2018 7:18 AM
  • Thanks for your reply.

    Update:

    The past week we've looked into Step by Step – Building and Consuming Custom WCF Services hosted in SharePoint and (briefly) WCF Services in SharePoint 2013.

    First we tried this with a new SharePoint 2010 Site using Classic Authentication instead of Claims-based.
    We did this because we already got everything working with WSS 2007 (which only supports classic), to assure ourselves that the same configuration works on SP2010 too, and it did.

    Next we switched to a SharePoint 2010 site with Claims-based Authentication, but we haven't managed to get it to work, at least not using the steps of the tutorial.

    We keep getting No credentials are available in the security package as before. At least it's consistent with our experiences when we tried to get it to work by configuring the endpoints manually.

    WCF services via ADFS?
    We've looked into securing WCF services via ADFS, which looked promising at first. But unfortunately, this is not a viable option, because it involves a lot of configuration on the Domain Controller, and that is not something we can do easily in the environments of our customers.

    Our best lead at the moment is an article on WCF services with claims-based authentication and authorization.
    Of course we wouldn't want to use our own custom STS, but use the SecurityTokenService of SharePoint instead.

    But of course many roads lead to Rome... Are there other ways to prevent anonymous access to WCF services that we can consider?
    It seems to me that there should be a rather straight-forward solution for this somehow.
    We're certainly not the first ones to want to secure our custom WCF services in claims-based SharePoint from anonymous access, that's for sure.

    Could we be missing something trivial but crucial?

    Thanks, Eddy
    Thursday, July 19, 2018 9:30 AM