Why is Message Security and Transport Security needed? - wcf

Please see the XML below:
<client>
<endpoint address="https://hq-wk-is.lincspolice.local/WCFSSL/Service1.svc"
binding="basicHttpBinding" bindingConfiguration="BasicHttpsBinding_IService1"
contract="ServiceReferenceInsecure.IService1" name="BasicHttpsBinding_IService1" />
</client>
Here is a basicHttpBinding over HTTP. The channel is encrypted.
What is the point of Message Security and Transport Security, which are apparently not available for basicHTTPBinding? The binding above is encrypted over HTTPS (using SSL). Therefore why is MessageSecurity and TransportSecurity needed?

Related

calling WCF Services hosted on IIS Server with wsHttpBinding having Message security mode from Ios Device

I am calling WCF Service (wsHttpBinding with Message Security mode) from ios device but i am not able to see encrypted request and response .
while i am calling service from TestClient i can see request and response is encrypted.i want my request and response should be secure on network .
my configuration in web.config
<wsHttpBinding>
<binding name="Service.BasicHttp.BindingConfig">
<security mode="Message" />
</binding>
</wsHttpBinding>
--binding applied on endpoint
<endpoint address="" binding="wsHttpBinding" contract="CloudMitoAPI.ICloudMitoService" bindingConfiguration="Service.BasicHttp.BindingConfig"/>
You should add some parameter secure parameter in which add both json object and encrypted secure object in your request and then when you send it to server check the parameter object and encrypted secure object with your secret key is it proper or tampered.

Host WCF service in WAS

I need some help with hosting a WCF service in WAS.
I hosted the service ok in IIS and accessed over basicHttp and wsHttp binding.
But it seems I miss something when trying to host it in WAS and access over tcp/ip.
I need to configure it for access over tcp on port 10000.
I enabled WCF activation for Non-HTTP in Windows Features
The service is published under default web site, application mywcfapp
I created a BAT file to enable net.tcp binding on port 10000 on default web site and mywcfapp as below:
%windir%\system32\inetsrv\appcmd.exe set site "Default Web Site" -+bindings.[protocol='net.tcp',bindingInformation='10000:*']
%windir%\system32\inetsrv\appcmd.exe set app "Default Web Site/mywcfapp" /enabledProtocols:http,net.tcp
The web.config is
<services>
<service name="MyWcfService">
<clear />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"
listenUriMode="Explicit" />
<endpoint address="net.tcp://localhost:10000/mywcfapp/mywcfapp.svc"
binding="netTcpBinding" bindingConfiguration="PortSharingBinding" contract="MyApp.IService" />
<endpoint address="net.tcp://localhost:10000/mywcfapp/mywcfapp.svc"
binding="netTcpBinding" bindingConfiguration="PortSharingBinding" contract="MyApp.IService" />
</service>
</services>
<bindings>
<netTcpBinding>
<binding name="PortSharingBinding" portSharingEnabled="true">
<security mode="None" />
</binding>
</netTcpBinding>
</bindings>
However, it seems I cannot access the service.
When I try to access the service with WcfTestClient with the uri
net.tcp://localhost:10000/mywcfapp/mywcfapp.svc/mex
I get the following error
<Fault xmlns="http://www.w3.org/2003/05/soap-envelope">
<Code>
<Value>Sender</Value>
<Subcode><Value xmlns:a="http://www.w3.org/2005/08/addressing">a:DestinationUnreachable</Value>
</Subcode>
</Code>
<Reason><Text xml:lang="ro-RO">
The message with To 'net.tcp://localhost:10000/mywcfapp/mywcfapp.svc/mex'
cannot be processed at the receiver, due to an AddressFilter mismatch
at the EndpointDispatcher.
Check that the sender and receiver's EndpointAddresses agree.
</Text></Reason>
</Fault>
If I try to connect with url (w/o specifying port)
net.tcp://localhost/OneTest.Service/OneTest.Service.svc/mex
I get the error (kept only significant part)
Could not connect to net.tcp://localhost/mywcfapp/mywcfapp.svc/mex.
The connection attempt lasted for a time span of 00:00:02.0041146.
TCP error code 10061: No connection could be made because the target machine actively refused it 127.0.0.1:808.
No connection could be made because the target machine actively refused it 127.0.0.1:808
This might help:
Go to IIS Manager.
Right click on the app.
Choose Manage Applications -> Advanced settings
Under Behavior, there is a field for Enabled Protocols.
Make sure it has net.tcp
If it just has http, change it to
http,net.tcp

connecting to wcf service hosted on domain from a client that is not on the domain

I would like an example or explanation of how to connect a client to a wcf service when the client is not on the domain.
I imagine there is a way to specify domain credentials with the client and the wcf service could talk to the authority (dc) to see if the client is secure.
I followed the examples on the msdn and can connect to see the metadata (methods available) but when using wshttpbinding I get "An unsecured or incorrectly secured fault was received from the other party".
Thanks in advance!
By default, wsHttpBinding will use Windows credentials - this only works if both your service and your calling client are member of the same domain (or member of domains with a mutual trust relationship).
If you want to authenticate using username/password, there's a number of things you need to do:
the service needs a certificate to authenticate itself to the caller, and to provide an encryption mechanism for the exchange of username/passwords and messages. So you will need to create a security certificate and install it on the server machine, and configure it:
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="Internet">
<serviceCredentials
findValue="MyServiceCertificate"
storeLocation="LocalMachine"
storeName="My"
X509FindType="FindBySubjectName" />
</behavior>
<serviceBehaviors>
<behaviors>
<services>
<service name="MyService" behaviorConfiguration="Internet">
......
</service>
</services>
</system.serviceModel>
the client needs to set up a config that defines wsHttpBinding with message security, and username/password client credentials
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="UserNameWS">
<security mode="Message">
<message clientCredentialType="UserName" />
</security>
</binding>
<wsHttpBinding>
<bindings>
<client>
<endpoint name="Default"
address="........."
binding="wsHttpBinding" bindingConfiguration="UserNameWS"
contract="........." />
</client>
</system.serviceModel>
on the server side, you need to set up a mechanism to authenticate those username/passwords - typically, the easiest way is to use the ASP.NET membership system
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="Internet">
<userNameAuthentication
userNamePasswordValidationMode="MembershipProvider" />
<serviceCredentials
.....
</system.serviceModel>
before each call from the client, you need to set the username/password on your client-side proxy (this is one of the few things you cannot do in config - works only in code).
proxy.ClientCredentials.UserName.UserName = "YourUserName";
proxy.ClientCredentials.UserName.Password = "Top$Secret";
Read all about WCF security at the WCF Security Guidance site on Codeplex.
The error message "An unsecured or incorrectly secured fault was received from the other party" is a rather misleading one. A common cause is a difference in the bindings configuration between the client and the server. Check the system.serviceModel section of the web.config at the service side, and modify your client settings to match.
The reason why you can access metadata and cannot call service is that you are using WsHttpBinding probably with default configuration. It uses message security wich is involved only for service usage - not service metadata. It uses Windows credentials and Windows security to encrypt and sign message. Because of Windows security it works only when both client and server are on the same domain.
Your client is not part of domain - you can send windows credentials either with message security or transport security. In case of message security you will have to use clientCredentialType="UserName", default password validator and you will have to configure X509 certificate in service behavior to support encryption and signing. In case of transport security will either use HTTPS (X509 certificate configured in http.sys/IIS) or TransportCredentialOnly mode which will send windows user name and password as a plain text over HTTP (this is bad solution). In case of transport security set clientCredentialType="Basic".

WCF Security and what to use in this situation

I have a client/server application that has many client machines and one service on a server.....
On the server side I will be using a Windows Service to host my WCF service. The service will be passing data across the internet to the client machines. I figure I will be using wsHttpBinding with message level security, which requires a username or a certificate.
Now here's the problem.....
-We don't want to have the user log in to the system
-there is no Windows Authentication on the client machines
-and I would use certificates but, we have tons of client machines going out everyday, so installing certificates manually on each machine is not gonna be an option (unless it can all be done through code... and I mean creation and installing)
anybody have any ideas on how to secure this kind of service? Thanks in advance
Peace
In your scenario, it seems like you're looking for the "basicHttpBinding" with no security whatsoever.
<bindings>
<basicHttpBinding>
<binding name="NoSecurity">
<security mode="None" />
</binding>
</basicHttpBinding>
</bindings>
and then configure your endpoints to use that binding configuration:
<system.serviceModel>
<services>
<service name="YourNamespace.YourService"
behaviorConfiguration="MyServiceBehavior">
<endpoint address=""
binding="basicHttpBinding"
bindingConfiguration="NoSecurity"
contract="YourNamespace.IMyService">
</endpoint>
<endpoint address="mex"
binding="mexHttpBinding"
contract="IMetadataExchange" />
</service>
</services>
There's also a really good blog post series that talk about the basics of WCF security in terms of five different, typical scenarios - excellent read! Your scenario would be the "No security at all" scenario.
Another good introductory article is Michele Leroux Bustamante's Fundamentals of WCF Security.
A more thorough (but also more complex) set of guidance for WCF can be found at the WCF Security Guidance on Codeplex.
Marc
Since you will be using an app wirtten by yourself. You can use wshttpbinding with username and password authentication (Client credential type basic) where your app reads the username and password from a config file.
http://msdn.microsoft.com/en-us/library/ms731299.aspx
EDIT
The windows service could run under an account that the user does not have the password for. The service is in a directory that is protected with ACLs, such that the user of the machine does not have access to the config file.

How to secure a Silverlight-Enabled WCF Web Service with SSL?

How do you secure a Silverlight-Enabled WCF Web Service with SSL? I have tried setting it up similar to a regular WCF service secured by SSL, but it doesn't seem to work. What do you set in the Web.Config, and what do you set in the Silverlight's ServiceReferences.ClientConfig?
I noticed that in the ServiceReferences.ClientConfig file of the Silverlight client app that the "Binding" tag only allows basicHttpBinding and NOT wsHttpBinding. Does this mean that you can not secure a Silverlight-Enabled WCF Service? If so are there better approaches to securing it?
There are three key places that I configure to use https in my own apps.
Web.config
In the behavior tag include this line:
<serviceMetadata httpsGetEnabled="true"/>
For the MEX endpoint, make sure you use the https protocol:
<endpoint address="mex" binding="mexHttpsBinding"
contract="IMetadataExchange" />
Create a custom binding. The important part is the transport security:
<basicHttpBinding>
<binding name="myServicesBinding">
<security mode="Transport"/>
</binding>
</basicHttpBinding>
You can also include the usual authorization stuff:
<authorization>
<allow users="?"/>
<deny users="*"/>
</authorization>
Silverlight
On the Silverlight end, either point the ServiceReference at the now secure service, or set up the connections manually in code. the ServiceReferences.ClientConfig file should have the security stuff in it:
<security mode="Transport"/>
And the code version looks like this:
BasicHttpBinding b = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
There are probably more complex things that can be done, but this should be good enough for most people.
To create Silverlight-Enabled WCF Web Service using SSL you have to do the following steps:
Create standard Silverlight-Enabled WCF Web Service using Visual Studio 2010
Change 3 places of webconfig.xml:
a. In serviceMetadata change httpGetEnabled to httpsGetEnabled like this:
<behaviors >
<serviceBehaviors >
<behavior name="" >
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
b. In binding change httpTransport to httpsTransport:
<bindings>
<customBinding>
<binding name="Project.Web.YourService.customBinding0">
<binaryMessageEncoding/>
<httpsTransport/>
</binding>
</customBinding>
</bindings>
c. in endpoint change binding="mexHttpBinding" to binding="mexHttpsBinding":
<service name="Project.Web.YourService.YourService">
<endpoint address="" binding="customBinding" bindingConfiguration="Project.Web.YourService.customBinding0"
contract="Project.Web.YourService.YourService" />
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
Don't use ServiceReferences.ClientConfig. Create everything in code behind - it's easy to deploy on server:
CustomBinding binding = new CustomBinding(new BinaryMessageEncodingBindingElement(), new HttpsTransportBindingElement());
YourServiceReference.YourServiceClient service = new YourServiceReference.YourServiceClient (binding, new EndpointAddress(new Uri( "https:yourhostname/YourService.svc").AbsoluteUri));
service.YourMethodCompleted += new EventHandler<YourServiceReference.YourMethodCompleted EventArgs>(service_YourMethodCompleted );
service.YourMethodAsync();
in the ServiceReferences.ClientConfig file of
the Silverlight client app that the "Binding" tag only allows
basicHttpBinding and NOT wsHttpBinding.
Does this mean that you can not secure a Silverlight-Enabled
WCF Service?
No, it doesn't mean that. You can have a basicHttpBinding and still assign transport-level security (HTTPS with SSL) to it. That shouldn't be a problem.
Marc
PS: Many one of those links gives you more insight and the proverbial "AHA!" :-)
http://winterdom.com/2007/11/basichttpbindingwithtransportsecurity
http://silverlight.net/forums/p/13275/44170.aspx
http://kevindockx.blogspot.com/2009/02/username-authentication-with.html
http://www.pixel73.com/blog/Default.aspx?g=posts&t=4173
http://community.irritatedvowel.com/blogs/pete_browns_blog/archive/2008/03/19/WCF-Integration-in-Silverlight-2-Beta-1.aspx
Link
WS* is not supported in Silverlight - basically change the URL in the client config to be an https:// url - that's all you can do