Delphi Intraweb ISAPI DLL failed to connect with server using TLS/SSL - ssl

I have a Delphi Intraweb application which is hosted on IIS using an ISAPI DLL. This application internally connects to a Windows service application through IndyClient. The Windows service acts as an application server and is written in Delphi itself.
I want to secure the communication between IndyClient and IndyServer (on the Windows service side) through TLS/SSL. For this I am using TIdSSLIOHandlerSocketOpenSSL on the client side and TIdServerIOHandlerSSLOpenSSL on the service side. The code below has been written on the service side:
IdServerIOHandlerSSLOpenSSL1.SSLOptions.CertFile := Config.ServerCertificate;
IdServerIOHandlerSSLOpenSSL1.SSLOptions.KeyFile := Config.ServerKey;
IdServerIOHandlerSSLOpenSSL1.SSLOptions.Mode := sslmServer;
IdServerIOHandlerSSLOpenSSL1.SSLOptions.VerifyMode := [];
IdServerIOHandlerSSLOpenSSL1.SSLOptions.VerifyDepth := 0;
IdServerIOHandlerSSLOpenSSL1.SSLOptions.SSLVersions := [sslvTLSv1_2];
IndyServer.IOHandler := IdServerIOHandlerSSLOpenSSL1;
IndyServer.OnConnect := ServerConnect;
// Config object gets the correct path for certificate and key file
// Code for ServerConnect event
if (AContext.Connection.IOHandler is TIdSSLIOHandlerSocketBase) then
  TIdSSLIOHandlerSocketBase(AContext.Connection.IOHandler).PassThrough := False;
The code below is written inside the ISAPI DLL to connect to IndyServer:
IdSSLIOHandler.SSLOptions.VerifyMode := [];
IdSSLIOHandler.SSLOptions.VerifyDepth := 0;
IdSSLIOHandler.SSLOptions.SSLVersions := [sslvTLSv1_2];
IdSSLIOHandler.SSLOptions.Mode := sslmClient;
IndyClient.IOHandler := IdSSLIOHandler;
TIdSSLIOHandlerSocketBase(IndyClient.IOHandler).PassThrough := False;
When I host the ISAPI DLL on IIS and try to connect to the Windows service, I get the error message below in the Windows service side code:
EIdOSSLAcceptError with message 'Error accepting connection with SSL.EOF was observed that violates the protocol'
I have one desktop client application which connects with the same Windows service successfully using the same code written at client side.
I am using self-signed certificates and have tried configuring IIS to use HTTPS as well. My Delphi version is Delphi 10.2 Tokyo.
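Both handlers in the question run with VerifyMode := [], so neither side checks the certificate it is shown. The following is an added example, not code from the question, of the client-side handler with peer verification switched on for the self-signed setup described. IdSSLIOHandler and IndyClient are the names from the question; TTlsClient, Config.ServerCertificate (the path of the server's self-signed certificate, used here as the trust anchor) and LogLine are assumed names.

```delphi
uses
  SysUtils, IdSSLOpenSSL, IdX509;

type
  // Assumed wrapper so OnVerifyPeer can be a method (the event is "of object").
  TTlsClient = class
  public
    procedure ConfigureClientTLS;
    function ClientVerifyPeer(Certificate: TIdX509; AOk: Boolean;
      ADepth, AError: Integer): Boolean;
  end;

procedure TTlsClient.ConfigureClientTLS;
begin
  IdSSLIOHandler.SSLOptions.Mode := sslmClient;
  IdSSLIOHandler.SSLOptions.SSLVersions := [sslvTLSv1_2];
  // The self-signed server certificate is loaded as the root, so the
  // handshake only succeeds if the server presents exactly that certificate.
  IdSSLIOHandler.SSLOptions.RootCertFile := Config.ServerCertificate;
  // sslvrfPeer turns verification on; with [] OpenSSL accepts any certificate.
  IdSSLIOHandler.SSLOptions.VerifyMode := [sslvrfPeer];
  // Depth 0 as in the question: a self-signed certificate has no chain above it.
  IdSSLIOHandler.SSLOptions.VerifyDepth := 0;
  IdSSLIOHandler.OnVerifyPeer := ClientVerifyPeer;
  IndyClient.IOHandler := IdSSLIOHandler;
  IdSSLIOHandler.PassThrough := False;
end;

// Called by Indy for every certificate in the chain. Returning False aborts
// the handshake; AError is OpenSSL's verify error code (0 means no error).
function TTlsClient.ClientVerifyPeer(Certificate: TIdX509; AOk: Boolean;
  ADepth, AError: Integer): Boolean;
begin
  if not AOk then
    LogLine(Format('TLS peer rejected: %s (depth %d, OpenSSL error %d)',
      [Certificate.Subject.OneLine, ADepth, AError]));  // LogLine is assumed
  Result := AOk;
end;
```

The same change applies on the service side if client certificates are to be required there (sslvrfPeer plus sslvrfFailIfNoPeerCert in the server's VerifyMode, with the client certificate as RootCertFile).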

Related

How to close an HTTP connection (which uses keep alive) from within a web application or a web service when there is no http request

I am writing a proxy application that runs on IIS 7.5 (could be a WCF web service or an MVC application) which forwards some data to another process on another server which doesn't run on IIS.
This following is the situation, where S1 is the server where the proxy must forward the data to and C1 is the client:
S1 --A-- [proxy] --B-- C1
The need for the proxy application is because we want to secure the connection A with 2-way SSL. And this can easily be configured in IIS.
Because of the 2-way SSL we want to use the keep alive option of HTTP 1.1.
If connection A is closed, the proxy needs to close connection B and vice versa. Connection A can also be closed after some time out after the last response has been sent.
My question is:
How can I close connection B after connection A is closed?
So in other words let the proxy send a TCP FIN to C1.
For the proxy application I can either use an asp.net MVC web site or a WCF web service.
The problem is that the response has already been sent to the client and there is no 'current http request' between C1 and the proxy, when connection A is closed after a timeout. So a call like this: HttpContext.Current.Response.Close() does not close connection B.
Thanks.
When you read EOS from the upstream socket, shutdown the downstream socket for output, and vice versa. When you do this, if you've already shutdown the socket that you read the EOS from, you've had EOS in both directions so you can close both sockets, and exit both threads if you're using threads. Let the actual decision as to when to close connections be taken by the downstream client and the upstream server.

wcf service on windows 2003 server - works as server but not as a consumer/client

It is a very simple wcf service. Since my original wcf service didn't work there I decided to create one test service. Basically I'm using the default method GetData(int).
I hosted this service on windows 2003 server. It works well when I consume it from a different machine. I use a windows forms test application to consume this service. When I run this forms app on the same ws2003 server and attempt to consume the service on the same server it throws the following error:
There was no endpoint listening at http://...
I created another wcf client using asp.net, also silverlight, nothing works.
Basically, it looks like it can't consume any wcf service.
I couldn't figure out what could be the issue.
Basically, the machine had McAfee antivirus installed and was blocking http communication to aspnet_wp.exe.
The full path is c:\windows\microsoft.net\framework\v4.0.30319\aspnet_wp.exe
Everything works fine after unblocking this specific exe.

Can windows managed service be a wcf client?

On the 1st server, there is a WCF service hosted in a Windows managed service. On the 2nd server, there is another WCF service, hosted in its own Windows managed service. I try to connect to the 1st service from inside the 2nd service, but I get an exception "The socket connection was aborted". With the same configuration and the same code I successfully connect from a console application and a WinForms application, but not from this Windows managed service.
Configure your WCF services on both servers to perform diagnostic logging. Follow the instructions in http://msdn.microsoft.com/en-us/library/ms730064.aspx to achieve that.
Make sure the account your service on server 2 is running under is capable of connecting to server 1. This is a typical difference between the client test you did (and worked) and a service running on that system. For a test, make the service on server 2 run under your personal login credentials.

Client unable to authenticate when connecting to WCF service

I have a WCF service hosted in a Windows service. The application is an intranet app, and I have programmatically set the bindings on both the service and the client as:
NetTcpBinding aBinding = new NetTcpBinding(SecurityMode.Transport);
aBinding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
aBinding.Security.Transport.ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign;
Both the service and client have endpoints configured with SPNs:
EndpointAddress = new EndpointAddress(uri, EndpointIdentity.CreateSpnIdentity("Service1"));
As far as I know, I have set up the bindings correctly, and I am usually able to connect to the service just fine. I did however run into a case where on a server running Windows Server 2003 R2, x64, SP2 I get the following exception immediately when the client tries to connect:
INNEREXCEPTION -- Exception Message:
InvalidCredentialException: Either the target name is incorrect or the server has rejected the client credentials.
Stack Trace:
at System.Net.Security.NegoState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.NegotiateStream.AuthenticateAsClient(NetworkCredential credential, String targetName, ProtectionLevel requiredProtectionLevel, TokenImpersonationLevel allowedImpersonationLevel)
at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity)
I get the exception when I try to connect to the service from another machine in the domain, but if I connect to the service on the same machine running the service it works fine.
The hosting service itself is running as a domain user account, but I have tried running the service as Local System and Network Service to no avail. I have checked the Local Security Policies for the server and didn't see anything amiss (i.e. 'Access this computer from the network' includes 'Everyone').
Anyone have an idea of what could resolve this?
I am wondering if I need to do something in Active Directory with respect to the service's SPN? I have read some about using setspn.exe to register or refresh SPNs, but I haven't needed to do this before. Why would this be working with other configurations but not the one above?
Try and run the service as an account that has local administrator access. If you can't run the service with this much permission, then I believe you'll need to use setspn.exe as you have alluded to.

Is it true that WCF are either console apps or run under IIS?

Is it true that a WCF either runs as a console application that you have to manually start OR under a more traditional IIS application (like a website or webservice)
You can start a WCF host process in a:
Windows Forms App
Console App
Windows Service
IIS 6 (Only HTTP hosting)
IIS 7 - WAS (All bindings supported)
Each of them has advantages and disadvantages. This page gives great information about hosting options: http://msdn.microsoft.com/en-us/library/bb332338.aspx.
EDIT: No, that is not quite true.
Those are two hosting options for WCF. There are others.
Original answer:
You can actually execute a WCF service anywhere you can execute managed code.
I've seen WCF services running inside SQL Server, WPF apps, Windows services and even one running on a Linux box on Mono.
There is a class ServiceHost defined in WCF that allows you to host a service in any application like so:
// Opens the host for the service type, waits until it should stop, then closes it.
using (ServiceHost host = new ServiceHost(typeof(MyService)))
{
    host.Open();
    WaitForClose();   // application-specific wait for a shutdown signal
    host.Close();
}
IIS running in Windows XP SP2+, Vista, 2003 or 2008 can host WCF services.
Yes, that's correct... you can also host them as a Windows Service
Part of the objective of WCF is to free you up from limitations on where the service is running. You can also use Windows Activation Service (WAS) for Vista and Windows Server 2008.
I have a WCF service that needs to run as a service in IIS 7.
The problem is that in order for it to start I need to manually invoke it through the browser e.g. http://site/myservice.svc.
Is there a way to have IIS call out and start the service host / wcf service when the application pool is restarted?
My preference would be to avoid a windows service and go with IIS / WAS