
WCF service without SSL but with Windows Group authentication


We are trying to create a WCF service that is only accessible by specified Windows groups. How can this be configured in the server web.config and the client configuration?

Note: We want to be able to control the Windows groups who are allowed access in the server web.config, not in code. Also, we don't want/need SSL at all.

I've googled around and the best examples I can find are all like this...

WCF Service, Windows Authentication

But that doesn't explain how to limit access only to a specific group or groups.


Solution

  • OK, this is the solution we came up with. Although it does involve a code change (adding the AspNetCompatibilityRequirements attribute), we can now achieve configuration of the groups/roles in the web.config file rather than hardcoding.

    There are a number of steps to this...

    1) Add the aspNetCompatibilityEnabled attribute into the serviceHostingEnvironment element and set to true, e.g....

    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
    

    This tells the WCF service to run in ASP.NET Compatibility Mode and participate fully in the ASP.NET HTTP request lifecycle. See this MSDN article for full details.

    2) In the WCF code add the AspNetCompatibilityRequirements attribute to the service class as per the link above and as specified in this MSDN article...

    <AspNetCompatibilityRequirements(RequirementsMode:=AspNetCompatibilityRequirementsMode.Allowed)>
    

    3) Now we can add the usual ASP authorization element in to restrict access to the specified groups/users (without the settings (1) and (2) above, this would be ignored by WCF)...

    <system.web>
        <authorization>
            <!-- allows access to users in this group -->
            <allow roles="MYDOMAIN\WCFAuthenticatedUsers" />
            <!-- denies access to all other users -->
            <deny users="*" />
        </authorization>
    </system.web>
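
The three steps above combined into one server web.config, as an added example that is not part of the original answer. The service, contract and binding names are hypothetical, and it assumes IIS hosting with Windows Authentication enabled and anonymous access disabled, using basicHttpBinding in TransportCredentialOnly mode to carry Windows credentials over plain HTTP.

```xml
<?xml version="1.0"?>
<!-- Added example: server web.config. MyApp.MyService, MyApp.IMyService and
     WindowsOverHttp are hypothetical names; the group name is the answer's. -->
<configuration>
  <system.web>
    <!-- ASP.NET takes the caller's Windows identity from IIS -->
    <authentication mode="Windows" />
    <authorization>
      <!-- Rules are evaluated in order and the first match wins,
           so the allow must come before the catch-all deny -->
      <allow roles="MYDOMAIN\WCFAuthenticatedUsers" />
      <deny users="*" />
    </authorization>
  </system.web>
  <system.serviceModel>
    <!-- Step 1: without this, WCF ignores the authorization element above -->
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
    <bindings>
      <basicHttpBinding>
        <binding name="WindowsOverHttp">
          <!-- Authenticates the caller over HTTP without SSL;
               message bodies travel unencrypted -->
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <service name="MyApp.MyService">
        <endpoint address=""
                  binding="basicHttpBinding"
                  bindingConfiguration="WindowsOverHttp"
                  contract="MyApp.IMyService" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
```

The client's configuration declares the same basicHttpBinding security settings on its endpoint, so that it sends the caller's Windows credentials.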