9.9 Authentication


Currently, the ServerInfo virtual directory is configured to allow anonymous access and Integrated Windows authentication (IWA). In spite of this configuration, no authentication takes place because the anonymous connection is always attempted first (which explains why things happen relatively quickly).

To authenticate users, leave IIS in its current configuration (with anonymous access and IWA turned on) and use the Web.config file to control who has access to the resource.

To prevent anonymous users from accessing the assembly, use:

    <configuration>
      <system.runtime.remoting>
        <!-- remoting settings are up here -->
      </system.runtime.remoting>
      <system.web>
        <authentication mode="Windows" />
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
    </configuration>

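Specific users can be granted access by specifying who has permission and then denying everyone else. ASP.NET evaluates the rules from top to bottom and applies the first one that matches, so the allow element must come before the deny:

    <authorization>
      <!-- Rules are evaluated in order; the first match wins -->
      <allow users="Administrator, ServerInfoClient" />
      <deny users="*" />
    </authorization>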

Or, permissions can be assigned based on roles (or a permutation of all of the above):

    <authorization>
      <!-- Rules are evaluated in order; the first match wins -->
      <allow users="ServerInfoClient" roles="Administrators, Remote Objects" />
      <deny users="*" />
    </authorization>

To avoid confusion, the ? represents unauthenticated users, while the * refers to all users, whether or not they are authenticated.

Typically, when an application accesses restricted resources, it does so through an account created specifically for that purpose (rather than by creating accounts for every user). Therefore, go ahead and modify Web.config to restrict access to a single user named ServerInfoClient:

    <authorization>
      <!-- Rules are evaluated in order; the first match wins -->
      <allow users="ServerInfoClient" />
      <deny users="*" />
    </authorization>

This account fulfills that purpose for the rest of the chapter. No specific rights need to be assigned; just create the user on the domain (or the local machine, if testing is done there) and assign it a password.
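As an added example (not code from the book), the following Python sketch is a simplified model of how ASP.NET evaluates the authorization rules shown in this section; it shows what ? and * match and why the order of allow and deny matters. The function and constant names are hypothetical and the rule sets are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample rule sets in the Web.config syntax used in this section.
DENY_ANONYMOUS = '<authorization><deny users="?" /></authorization>'
DENY_FIRST = ('<authorization><deny users="*" />'
              '<allow users="ServerInfoClient" /></authorization>')
ALLOW_FIRST = ('<authorization><allow users="ServerInfoClient" />'
               '<deny users="*" /></authorization>')


def _names(value):
    """Split a comma-separated users/roles attribute into lowercase names."""
    return {n.strip().lower() for n in (value or "").split(",") if n.strip()}


def is_authorized(authorization_xml, user=None, roles=()):
    """Return True if the caller passes the rule list.

    Simplified model: rules are read top to bottom and the first rule that
    matches decides. user=None is an anonymous request. Verbs, inherited
    config files and domain-qualified user names are not modeled.
    """
    caller_roles = {r.lower() for r in roles}
    for rule in ET.fromstring(authorization_xml):
        if rule.tag not in ("allow", "deny"):
            continue
        users = _names(rule.get("users"))
        matched = (
            "*" in users                                  # all users
            or (user is None and "?" in users)            # anonymous only
            or (user is not None and user.lower() in users)
            or bool(caller_roles & _names(rule.get("roles")))
        )
        if matched:
            return rule.tag == "allow"
    return True  # no rule matched: the machine-wide default allows everyone


if __name__ == "__main__":
    for label, cfg in [("deny ?", DENY_ANONYMOUS), ("deny * first", DENY_FIRST),
                       ("allow first", ALLOW_FIRST)]:
        for who in (None, "ServerInfoClient", "SomeoneElse"):
            print(f"{label:13} {str(who):17} {is_authorized(cfg, who)}")
```

With the deny rule listed first, even ServerInfoClient is rejected, because the `*` rule matches before the allow rule is reached.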

9.9.1 Credentials

If everything is configured correctly, the client from Example 9-14 will no longer work. Instead of receiving server information, the output looks something like this:

 System.Net.WebException The remote server returned an error: (401) Unauthorized. 

This output occurs because the client must now provide the appropriate credentials to access the remote object. Creating the appropriate credentials is easy with the System.Net.NetworkCredential class; the constructor takes a user name, password, and domain, which is just what is needed. But getting the credential to IIS is the trick.

Calling ChannelServices.GetChannelSinkProperties returns an IDictionary interface that allows various properties associated with the proxy object to be set or retrieved.

The properties are:

username
    Username for basic and digest authentication
password
    Password for basic and digest authentication
domain
    Domain name for basic and digest authentication
preauthenticate
    Indicates whether preauthentication of requests is enabled
credentials
    Security credentials for web service client authentication
clientcertificates
    Collection of client certificates
proxyname
    The name of the proxy server to use for requests
proxyport
    The port number of the proxy server to use for requests
timeout
    The timeout (in milliseconds) for synchronous calls
allowautoredirect
    Indicates whether automatic handling of server redirects is enabled

The property of interest is credentials. The following fragment demonstrates how this property is set using the NetworkCredential class. Notice that the credentials must be set for the factory object as well as the ServerInfo proxy instance:

    ' Requires: Imports System.Collections, System.Net,
    '           System.Runtime.Remoting.Channels

    Dim factory As IServerInfoFactory = _
        Activator.GetObject(GetType(IServerInfoFactory), _
        "http://192.168.1.100:80/ServerInfo/ServerInfoFactoryWeb.rem")

    Dim dictionary As IDictionary = _
        ChannelServices.GetChannelSinkProperties(factory)

    ' Set the credentials for factory object
    Dim nc As NetworkCredential = _
        New NetworkCredential("RemoteUserWithRights", "pass", "MYDOMAIN")
    dictionary("credentials") = nc

    ' Get object from factory
    Dim si As IServerInfo = factory.CreateServerInfo()

    ' Use credentials for ServerInfo, too
    dictionary = ChannelServices.GetChannelSinkProperties(si)
    dictionary("credentials") = nc

    ' Make calls on IServerInfo here


Object-Oriented Programming with Visual Basic .NET
ISBN: 0596001460
EAN: 2147483647
Year: 2001
Pages: 112
Authors: J.P. Hamilton
