I created a self hosted WCF REST server (w/o IIS). When I enable SSL support, I am keep asked for a Client Certification when I test the site in Chrome.
Below is my app.config of which I believe I disabled the client authentication. Is there anything that I am missing here?
photo :
Chrome asking for client certificate
App.config code :
<system.serviceModel>
<services>
<service behaviorConfiguration="ADConnectorLibrary.Service1Behavior" name="ADConnectorLibrary.ADConnectorLibrary">
<endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpTransportSecurity" behaviorConfiguration="web" contract="ADConnectorLibrary.IADConnectorLibrary" >
</endpoint>
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>
<host>
<baseAddresses>
<add baseAddress="https://ADDRESS:8888/ADConnectorLibrary/"/>
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="ADConnectorLibrary.Service1Behavior">
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="False"/>
**<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="None" />
</clientCertificate>
</serviceCredentials>**
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="web">
<webHttp/>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<webHttpBinding>
<binding name="webHttpTransportSecurity">
<security mode="Transport">
**<transport clientCredentialType="None" />**
</security>
</binding>
</webHttpBinding>
</bindings>
The only thing you need to do is disable the SSL setting when hosting the service in IIS.
On my side, I create a console application to host the service and bind the sslcert to the specified port with the following command. when the client calls it via browser, it does not pop up a dialog box and prompted me to select the client certificate.
netsh http add sslcert ipport=0.0.0.0:8000
certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6
appid={00112233-4455-6677-8899-AABBCCDDEEFF}
Maybe we don't need to open the support client certificate,or disable it.
clientcertnegotiation=disable
Here is the official document, wish it is useful to you.
https://learn.microsoft.com/en-us/windows/desktop/http/add-sslcert
https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-configure-a-port-with-an-ssl-certificate
Feel free to let me know if there is anything I can help with.
Since you are using TransportSecurity, I believe you need to assign a certificate to your service otherwise it will not be able to encrypt the message via SSL over HTTPS.
Likewise the client would have to trust that certificate, or will get one of these reponses when the client tries to access the service via HTTPS in a brower, and calls from code will fail.
You probably need to use netsh, since you are not using IIS. You might need to reseach netsh a bit to fit your needs.
Something like this to register the cert to the port and map to the application guid: This is a pure made up example: netsh http add sslcert ipport=127.0.0.1:8000 certhash=c20ed305ea705cc4e36b317af6ce35dc03cfb83d appid={c9670020-5288-47ea-70b3-5a13da258012} clientcertnegotiation=enable
you probably don't need this since you are not apply a certificate:
**<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="None" />
</clientCertificate>
</serviceCredentials>**
Related
I´m trying to test a WCF service with mutual certificates authentication using a client on C# and it works; now I want to test the service using SOAP UI.
This is the service configuration:
<system.serviceModel>
<services>
<service behaviorConfiguration="ServiceBehavior" name="WS_XXXXX.WcfXXXX">
<endpoint address=""
binding="customBinding" bindingConfiguration="XXXSoap" bindingNamespace=""
contract="IXXXSoap" >
</endpoint>
<host>
<baseAddresses>
<add baseAddress="http://localhost:47037/"/>
</baseAddresses>
</host>
</service>
</services>
<bindings>
<customBinding>
<binding name="XXXSoap">
<security authenticationMode="SecureConversation"
requireSignatureConfirmation="false"
canRenewSecurityContextToken="true"
messageProtectionOrder="SignBeforeEncrypt"
messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11"
requireDerivedKeys="false" >
<secureConversationBootstrap
authenticationMode="MutualCertificate"
requireSignatureConfirmation="true"
canRenewSecurityContextToken="true"
messageProtectionOrder="SignBeforeEncrypt"
messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11"
requireDerivedKeys="false">
</secureConversationBootstrap>
</security>
<textMessageEncoding messageVersion ="Soap11WSAddressingAugust2004" >
</textMessageEncoding>
<httpTransport />
</binding>
</customBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior" >
<serviceCredentials>
<serviceCertificate findValue="WCfClient"
storeLocation="CurrentUser"
storeName="My"
x509FindType="FindBySubjectName" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
I read some info on how to test a WCF service with service certificate on SOAPUI; but because of the WCF configuration (mutual certificates), I don´t know how to configure the SOAP UI for test the WCF web service.
Thanks in advance.
When we use mutual certificate mode to authenticate the client and protect the server communication. We need to establish the trust relationship between the client and the server, then we provide the client certificate on the clients-side when calling the service. For some kinds of WCF created with message security, we might need to on the client-side provide the service certificate that the server-side used.
Anyhow, we at least a client certificate on the client-side. In SOAPUI, we are able to configure the client certificate for one request or all request.
Here are steps details.
1. Export your certificate that your client needs to provide by using the export wizard.
2. Please tick “export the private key” option.
3. Input your password.
4. Set up the certificate for all request. the menu locates in the main toolbar File > Preferences.
Result.
For sending https request for one, please refer to the below link. It is similar to these steps.
https://www.soapui.org/docs/functional-testing/sending-https-requests.html
Feel free to let me know if the problem still exists.
I have created a WCF with several calls and I want to protect it with Transport security so it'll go over SSL.
So I configured SSL in webmatrix since I'm using VS2012 + IIS Express like you can see below.
HTTPs configured in Webmatrix on port 44330.
I updated my Web.config to support one endpoint with metadata on HTTPS and transportsecurity.
<system.serviceModel>
<services>
<service name="Counter" behaviorConfiguration="Behavior">
<endpoint address="https://localhost:44330/Counter.svc"
binding="wsHttpBinding"
bindingConfiguration="HTTPsBinding"
contract="ICounter">
</endpoint>
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="HTTPsBinding">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="Behavior">
<serviceMetadata
httpGetEnabled="false"
httpsGetEnabled="true"
httpsGetUrl="" />
</behavior>
</serviceBehaviors>
</behaviors>
Now when I run this in the browser it points me to the metadata at the HTTPS address like you can see below.
HTTP works but HTTPs fails.
And here is the problem, it doesn't use any certificate and I don't see anything.
"This page can't be displayed" without any certificate being used.
How do I fix this or what am I doing wrong?
I found it that my issue wasn't located in my WCF configuration since it worked the day before. After a lot of coffee, surfing and command lining I noticed that the issue was IIS Express and it's SSL bindings with netsh http ssl.
I was using the default IIS Express certificate (CN=localhost) because I didn't include any serviceCertificate like Sam Vanhoutte suggests.
Even when specify a certificate IIS Express only uses CN=localhost that needs to be in LocalMachine > Personal when starting IIS Express.
If that doesn't fix your problem, try to reinstall IIS Express.
(It will reinstall the CN=localhost certificate on the correct place - Don't forget to reenable SSL in Webmatrix)
I believe you need to specify your server certificate in your web.config
<behaviors>
<behavior name="wsHttpCertificateBehavior">
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>
<serviceCredentials>
<clientCertificate>
<authentication
certificateValidationMode="PeerOrChainTrust"
revocationMode="NoCheck"/>
</clientCertificate>
<serverCertificate findValue="CN=SSLCert"/>
</serviceCredentials>
</behavior>
</behaviors>
I am trying to authenticate my user logging from windows phone 7 using
AuthenticationService WCF which is hosted in IIS 7.
I tried it without SSL and is working fine. But I want to convert it to
https.
The error I am getting is when I hit the call to this WCF from my WP7 emulator
is :
"EndpointNotFoundException"
However my web.config has the following details:
<system.serviceModel>
<services>
<service name="System.Web.ApplicationServices.AuthenticationService"
behaviorConfiguration="AuthenticationServiceTypeBehaviors">
<endpoint contract="System.Web.ApplicationServices.AuthenticationService"
binding="basicHttpBinding"
bindingConfiguration="userHttps" address="https://localhost:700/AuthenticationService.svc"
bindingNamespace="http://asp.net/ApplicationServices/v200"/>
<endpoint address="mex"
binding="mexHttpsBinding"
contract="IMetadataExchange" />
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="userHttps">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="AuthenticationServiceTypeBehaviors" >
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment
aspNetCompatibilityEnabled="true"/>
</system.serviceModel>
USING: AspNetSqlMembershipProvider and I am avoiding those details to make the point.
In my IIS 7, I have created an App pool and associated a self signed
certificate to the hosted WCF and in the SSL Settings options to "Require SSL
- selected" and "Ignore client certificates- checked"
I am able to browse to https://localhost:700/AuthenticationService.svc.
I was able to add this as a Service Reference in my phone, but when I call the
login method it is showing the error.
I have specified the end-point address and even then it is showing error.
Can anyone explain me how to debug this to get more details or any pointers to
solve "Using Authentication Service WCF via SSL"
EDIT 1 I tried using IP addresses and the svc URL when I tried accessing
the service through browser
svcutil.exe https://mcname.domain.local:700/AuthenticationService.svc?wsdl
EDIT 2 Tried disabling antivirus and firewalls and still no luck.
As per #Rajesh's comments, I installed the certificate in phone and it started working.
I tried all options of exporting .CER, .PFX and .P7B format and only P7B format worked for me to get it installed in phone.
The part of web.config file for enabling AuthenticationService WCF with SSL is
<services>
<service behaviorConfiguration="AppServiceBehaviors" name="System.Web.ApplicationServices.AuthenticationService">
<endpoint binding="basicHttpBinding" bindingConfiguration="defaultBasicHttpBinding"
bindingNamespace="http://asp.net/ApplicationServices/v200" contract="System.Web.ApplicationServices.AuthenticationService" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="AppServiceBehaviors">
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="">
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true"
multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.web.extensions>
<scripting>
<webServices>
<authenticationService enabled="true" requireSSL="true"/>
Steps followed to make it work: http://blogs.msdn.com/b/davidhardin/archive/2010/12/30/wp7-and-self-signed-ssl-certificates.aspx
The host name must be resolvable by the http agent via DNS, WINS,
hosts file, etc.
The SSL certificate must be known by a name that matches the host
name.
The trusted root certificate must be installed with the http
agent, i.e. on the phone.
Installing the certificate on to the WP7 emulator phone was the trickiest part. As mentioned earlier the P7B file was hosted on the IIS and URL was accessed via emulator browser which helped me to install the certificate on phone (Sorry! I forgot the reference link).
After the installation, the endpoint issue disappeared and it started to work. As this is not a permanent solution (because everytime emulator is closed the CERT needs to be reinstalled), I am working on http://wp7certinstaller.codeplex.com/ code to make it work when it is hosted in IIS for testing purposes.
Thanks #Rajesh for your help.
I have two websites hosted on the same IIS server. SiteA contains WCF services that need to be accessed by SiteB, as well as anything else that is authenticated on the domain.
The service is configured with a wsHttpBinding and thus I believe uses Windows security by default. Right now I can call the services from a console app running on my local machine, as well as from a web application running in the default Visual Studio web server, so I am taking that the authentication is working.
However, when SiteB tries to access the services, it fails with this error:
The caller was not authenticated by the service.
SiteB runs on the same machine than SiteA so I don't understand why it could not be authenticated. SiteB uses Forms Authentication and I mapped Anonymous access to a domain user.
Here are the config bits:
SiteA (service):
<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
<services>
<service behaviorConfiguration="wcfServiceBehaviour" name="MyService">
<endpoint address="" binding="wsHttpBinding" contract="IServiceContract" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="wcfServiceBehaviour">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
SiteB (client):
<system.serviceModel>
<client>
<endpoint address="http://xxxxx/Services/xxService.svc"
binding="wsHttpBinding"
contract="IServiceContract" />
</client>
</system.serviceModel>
You are correct - wsHttpBinding configured in WCF will use Windows Authentication by default.
There is a suggestion here - WCF - changing endpoint address results in securityexception - that the Identity block will not work with Windows Authentication - try removing it.
When SiteB impersonates another user, does your code specify the impersonation level?
My guess is that your are not specifying a high enough level of impersonation. (Delegation is the highest, allowing SiteB to pass the permissions to a different service).
I suspect that fixing up the SiteB impersonation code will be enough to solve the problem.
If not, try passing the allowable impersonation level to the server:
<system.serviceModel>
<client>
<endpoint address="http://xxxxx/Services/xxService.svc"
binding="wsHttpBinding"
contract="IServiceContract"
behaviorConfiguration = "ImpersonationBehavior" />
</client>
<behaviors>
<endpointBehaviors>
<behavior name="ImpersonationBehavior">
<clientCredentials>
<windows allowedImpersonationLevel = "Delegation" /> <!-- The highest level -->
</clientCredentials>
</behavior>
<endpointBehaviors>
</behaviors>
</system.serviceModel>
If you're using a self hosted site like me, the way to avoid this problem (as described above) is to stipulate on both the host and client side that the wsHttpBinding security mode = NONE.
When creating the binding, both on the client and the host, you can use this code:
Dim binding as System.ServiceModel.WSHttpBinding
binding= New System.ServiceModel.WSHttpBinding(System.ServiceModel.SecurityMode.None)
or
System.ServiceModel.WSHttpBinding binding
binding = new System.ServiceModel.WSHttpBinding(System.ServiceModel.SecurityMode.None);
I've got a machine-control application where I have a single client computer and five server boxes communicating on the machine subnet. There is no domain controller. I would like to use netTcpBinding to allow for reliability and transaction support.
Is is possible to use username / password authentication with this binding, when a domain controller is not present? I would prefer not to use a certificate as I don't want to manage certificates across 900 computers (150 machines) that will not be connected to the office LAN.
Yes, of course - but only if you use Message security (rather than transport security). Define your binding configuration like so:
<netTcpBinding>
<binding name="UserNameSecurity">
<security mode="Message">
<message clientCredentialType="UserName"/>
</security>
</binding>
</netTcpBinding>
and then reference that binding configuration in your endpoints (on server and client):
<endpoint address="....."
binding="netTcpBinding"
bindingConfiguration="UserNameSecurity"
contract="IMyService" />
Marc
UPDATE:
Ah, yes, on the server-side, you'll need a certificate to authenicate the service to the client calling it, and it's also used to encrypt+sign the messages. That's on the server only - clients need not install anything.
Configuration:
<behaviors>
<serviceBehavior>
<behavior name="ServerInternet">
<serviceCredentials>
<serviceCertificate
findValue="MyServiceCertificate"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindBySubjectName" />
</serviceCredentials>
</behavior>
</serviceBehavior>
</behaviors>
<services>
<service name="MyServiceInternet"
behaviorConfiguration="ServerInternet">
....
</service>
</services>
Make sure to install your server's certificate into the "Local Machine" folder on your server, under the "subject name" that you specify in your config.
There is something you can try first. Set serviceNegotiationCredentials to true:
<message negotiateServiceCredential="true"/>
This will create a secure conversation between your client and your service without a domain controller.
BUT, if there isn't any domain controller, the client doesn't trust your service, so it will fail.
So you should set the expected identity of the service. You can find that in the WSDL of your service. By default, if you are hosted on IIS, it seems to be:
<client>
<endpoint>
<identity>
<servicePrincipalName value="host/NETWORKSERVICE"></servicePrincipalName>
</identity>
</endpoint>
</client>
I don't think you'll need it, but maybe you'll have to allow anonymous logon on the service side:
<serviceBehaviors>
<behavior>
<serviceCredentials>
<windowsAuthentication allowAnonymousLogons="true"/>
</serviceCredentials>
</behavior>
</serviceBehaviors>