Client Certs for WCF consumer stops working after a while - wcf

I am having really peculiar issue with certs not working after a while for WCF Client App that connect to SOAP 1.1 SAP service. What boggles me is the steps I have to take to make the certs work again. After I installed the certs on couple of load balanced servers, seems like everything works fine. But then after a few days, one of the app/servers throws this error.
The request was aborted: Could not create SSL/TLS secure channel.
When I log on to the server using MMC and open the cert (I do not even have to reinstall it, just open is good enough), the web app works. I am at my wits end as to why this might be happening. Any help will be appreciated.
Below are the architecture/some code samples of how the apps/web services are set up
[MVC WebApp]--[ Load Balancer ]-->(Server 1, Server 2)--> SAP SOAP 1.0 Web Service
Some configuration and code samples..
<system.serviceModel>
<client>
<endpoint address="https://somesapwebservice:8104/XISOAPAdapter/MessageServlet?senderParty=&senderService=BC_PORTAL&receiverParty=&receiverService=&interface=SI_AppFormData_Out_Sync&interfaceNamespace=urn%3Acominc.com%3AOTC%3AI1053%3AppForm" behaviorConfiguration="secureCert" binding="wsHttpBinding" contract="somecontract_Out_Sync" name="HTTPS_Port" />
</client>
<bindings>
<wsHttpBinding>
<binding>
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="secureCert">
<clientCredentials>
<clientCertificate storeName="My" storeLocation="CurrentUser" x509FindType="FindBySubjectDistinguishedName" findValue="CN=CNN, OU=Windows, OU=SAP, OU=Service Accounts, OU=Admin, OU=CORP, DC=myinc, DC=ds" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
..
<appSettings>
<add key="ProtocolExceptionMessage" value="The content type text/xml; charset=utf-8 of the response message does not match the content type of the binding (application/soap+xml; charset=utf-8)" />
C# Code
public ActionResult FormSubmit(SubmitViewModel model)
try
{
this.SubmitToSAPService(model);
return this.RedirectToAction("Index", "Complete");
}
catch (ProtocolException pe)
{
// Current SAP only support SOAP 1.1 and WCF with .NET 4.6 runs on SOAP 1.2 - Catching the known exception
// Creating custom WCF binding to handle this is another possibility but that config could get convoluted
var messageSnippet = ConfigurationManager.AppSettings["ProtocolExceptionMessage"];
if (pe.Message.Contains(messageSnippet))
{
return this.RedirectToAction("Index", "Complete");
}
throw pe;
}
One thing I am doing little off here is that I was told is that SAP is currently running SAOP 1.1 and .NET we are running is SOAP 1.2. So I was always getting Protocol Exception. To get around that I check for the text and if the exception message matches exactly as expected, I bypass it.
public string SubmitToSAPService(SubmitViewModel model)
{
var dtFormDataRecords = new DT_FormData();
dtFormDataRecords.Records = new DT_FormDataRecords();
dtFormDataRecords.Records.Name = model.name
....
var client = new SI_AppFormData_Out_SyncClient();
try
{
client.SI_AppFormData_Out_Sync(dtFormDataRecords);
}
finally
{
client.Close();
}
...

After trying to run intellitrace on the app, that let to clue me in the app-pool settings Load User Profile was set to False. That had cause the issue I was getting. After I set the it to True, my issue was resolved.

Related

Use Both Certificate and User/Pass to Consume Java Web Service From .Net

I have a .Net c# client that needs to consume a Java web service from a third party. They require both a client cert and user name and password. I have the cert set up but constantly get 401 Unauthorized because I don't think the username and password are actually being attached to the request. It seems like WCF expects one or the other but not both cert and username/password. Surely I'm missing something.
<bindings>
<binding name="CC2WebSoap">
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
</bindings>
<client>
<endpoint address="https://url_goes_here.com"
binding="basicHttpBinding"
bindingConfiguration="CC2WebSoap"
contract="acontract"
name="CC2WebSoap"
behaviorConfiguration="SecureClientBehavior"/>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="SecureClientBehavior">
<clientCredentials>
<clientCertificate findValue="mythumbprint" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
try
{
CC2WebSoap client= new CC2WebSoapClient("CC2WebSoap");
client.ClientCredentials.UserName.UserName = "username";
client.ClientCredentials.UserName.Password = "password";
request = BuildRequest();
response = client.DoSomething(request);
}
catch(Exception e){ // Always get 401 exception here. }
This turned out to be reasonably simple by adding a MessageInspector and the related classes to get WCF to attach the username and password to the headers before each request. Specifically, I followed the advice in the blog post below exactly.
Using a MessageInspector To modify HTTP Headers

connect programmatically to a WCF service through HTTPS

I am working on a project that uses WCF service. I have built the service, configured the web.config file, deployed it on a IIS 7 server. The service is accesed through HTTPS (on my dev machine, i have self-created the certificate).
Everything is fine when a create the ServiceReference in Visual Studio 2010, it creates the client and it works fine.
What i need is to create a client programatically (need a little flexibility), so when i try to connect "manually", it gives me a error like this:
The provided URI scheme 'https' is invalid; expected 'http'.
Parameter name: via
The code for web.config is: (i hope there is nothing wrong in it)
<system.serviceModel>
<services>
<service name="WcfService1.Service1" behaviorConfiguration="WcfService1.Service1Behavior">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="TransportSecurity" contract="WcfService1.IService1" />
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="WcfService1.Service1Behavior">
<serviceMetadata httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="True"/>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="TransportSecurity">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
</system.serviceModel>
The procedure i wrote to access the WCF service is:
void proc()
{
string ADRESASSL = "https://localhost/ServiciuSSLwsBind/Service1.svc";
WSHttpBinding bind= new WSHttpBinding();
EndpointAddress ea = new EndpointAddress(ADRESASSL);
var myChannelFactory = new ChannelFactory<IService1>(bind, ea);
IService1 client = null;
try
{
client = myChannelFactory.CreateChannel();
client.RunMethod1();
client.Close();
//((ICommunicationObject)client).Close();
}
catch (Exception exc)
{
MessageBox.Show(exc.Message);
if (client != null)
client.Close();
}
}
The code for IService1
[ServiceContract]
public interface IService1 : IClientChannel
{
[OperationContract]
int RunMethod1();
//....................................
}
It seems i am doing something wrong here, the procedure raises the Exception i mentioned. Something more i must do to work, but i didn't figured it out.
Thanks in advance for any advice you can give me.
I haven't tested this, but I believe you need to set the security mode for the binding before you create the factory. The default mode for security for WSHttpBinding is SecurityMode.Message, and you want SecurityMode.Transport.
You can resolve this one of three ways, as follows.
First, you can use the overloaded version of the WSHttpBinding constructor to specify the security mode, like this:
WSHttpBinding bind= new WSHttpBinding(SecurityMode.Transport);
bind.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
Secondly, you can use the parameterless constructor and specify the security mode (and the client credential type) like this:
WSHttpBinding bind= new WSHttpBinding();
bind.Security.Mode = SecurityMode.Transport;
bind.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
Third, you can place a binding configuration section in the client config and reference that section in the constructor, like this:
WSHttpBinding bind = new WSHttpBinding("TransportSecurity");
The third example assumes a wsHttpBinding section with the name "TransportSecurity" in the client config file.
For more information, check these MSDN articles:
How to: Set the Security Mode
WSHttpBinding Constructor
Well, solved the problem with the self created certificate.
I have changed the endpoint adress for both the programatically connection and the service reference in Viosual Studio 2010.
string ADRESASSL = "https://localhost/ServiciuSSLwsBind/Service1.svc";
now is
string ADRESASSL = "https://eu-pc/ServiciuSSLwsBind/Service1.svc";
I have changed the adress from localhost to the name of pc "eu-pc". It has to do with the domain the certificate was issued.
Using localhost or 127.0.0.1 worked only for one method or the other.
Hope this will help other guys who might run into this.

WCF inter-service messaging

I am building a system with 2 WCF Services. Both are IIS Hosted. At the moment they both reside in a single VS2010 website app, running on my local IIS7 (Windows 7) using the Derfault Website. I have enabled net.tcp on both.
Service1
accepts HTTP posts using webHttpBinding
wraps the data in a serializable composite object
sends the composite object to Service2 (we hope) using netMsmqBinding
Service2
receives said message and does something with it
Service 1 works as expected, however instead of placing the message on the configured Private Queue, our code is creating a new Queue under "Outgoing Queues" with the handle
DIRECT=TCP:127.0.0.1\private$\Service2/Service2.svc
note the forward slash
Of course Service2 never sees the message - this is the first time I have attempted this structure so I am not certain that Service2 misses the message because of its location, but based on what I have read it would seem so - I have not come across anything mentioning this Queue-creation behaviour.
Questions:
Am I doing this correctly (is there something wrong in the structure, web.config or code)?
When done properly in VS Debug, should Service1's
proxy.ProcessForm(formMessage);
hit breakpoints in my Service2 code, or is there another way to hande Service2 debug (ala windows services for example)?
Service1 Web.Config
<system.serviceModel>
<bindings>
<webHttpBinding>
<binding name="webHttpFormBinding" crossDomainScriptAccessEnabled="true"/>
</webHttpBinding>
<netMsmqBinding>
<binding name="MsmqFormMessageBindingClient" exactlyOnce="false" useActiveDirectory="false" >
<security mode="None">
<message clientCredentialType="None"/>
<transport msmqAuthenticationMode="None" msmqProtectionLevel="None" />
</security>
</binding>
</netMsmqBinding>
</bindings>
<client>
<endpoint
name="HttpServiceWebEndpoint"
address=""
binding="webHttpBinding"
bindingConfiguration="webHttpFormBinding"
contract="Service1.HttpService.IHttpServiceWeb" />
<endpoint name="MsmqFormMessageBindingClient"
address="net.msmq://127.0.0.1/private/Service2/Service2.svc"
binding="netMsmqBinding"
contract="MyInfrastructure.IService2" />
</client>
<behaviors>
<serviceBehaviors>
<behavior>
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="true"/>
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="false"/>
<!--
<serviceAuthenticationManager />
-->
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
On Receipt of an HTTP Post Service1 executes the following:
StreamReader sr = new StreamReader(formData);
string str = sr.ReadToEnd();
var t = HttpUtility.ParseQueryString(str);
Hashtable nvc = new Hashtable();
foreach (string n in t)
{
nvc.Add(n, (string)t[n]);
}
WcfFormMessage formMessage = new WcfFormMessage(nvc);
////create the Service binding
NetMsmqBinding msmq = new NetMsmqBinding("MsmqFormMessageBindingClient");
msmq.Security.Mode = (NetMsmqSecurityMode) MsmqAuthenticationMode.None;
EndpointAddress address = new EndpointAddress("net.msmq://127.0.0.1/private/Service2/Service2.svc");
ChannelFactory<IService2> factory = new ChannelFactory<IFormService>(msmq,address);
IService2 proxy = factory.CreateChannel();
using (TransactionScope scope = new TransactionScope(TransactionScopeOption.Required))
{
proxy.ProcessForm(formMessage);
//do any 'sent to queue logging/updates here
}
I am ready to bet that your problem is related to 127.0.0.1 in your config. Type the machine name in there, even if it is local.

WCF - There was no endpoint listening

One of my WCF Services has an operation contract taking a large sized file as a parameter. So, when the client tries to send this over, I got an exception and when I looked at the server trace this is what I saw:
MESSAGE: The maximum message size quota for incoming messages (65536)
has been exceeded. To increase the quota, use the
MaxReceivedMessageSize property on the appropriate binding element.
I was using the default simplified configuration for my WCF services, so added a new service definition as follows:
<system.serviceModel>
<services>
<service name="MyNamespace.MyService">
<endpoint address="MyService.svc"
binding="basicHttpBinding" bindingConfiguration="basicHttp"
contract="MyNamespace.IMyService" />
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="basicHttp" allowCookies="true"
maxReceivedMessageSize="10485760"
maxBufferSize="10485760"
maxBufferPoolSize="10485760">
<readerQuotas maxDepth="32"
maxArrayLength="10485760"
maxStringContentLength="10485760"/>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
...
</behaviors>
<protocolMapping>
...
</protocolMapping>
The way I consume my services is, I have a function returning a channel in my helper class, and I use that channel to call the operations:
public static T CreateChannel<T>() where T : IBaseService
{
System.ServiceModel.BasicHttpBinding binding= new System.ServiceModel.BasicHttpBinding();
binding.TransferMode = TransferMode.Streamed;
binding.Security = new BasicHttpSecurity() { Mode = BasicHttpSecurityMode.None };
binding.MaxReceivedMessageSize = 10485760;
binding.MaxBufferSize = 10485760;
System.ServiceModel.ChannelFactory<T> cf2 = new ChannelFactory<T>(binding,
new System.ServiceModel.EndpointAddress(MyEndpointAddress)); //I checked this part, the address is correct.
T Channel= cf2.CreateChannel();
return Channel;
}
and then,
var businessObject = WcfHelper.CreateChannel<IMyService>();
var operationResult = await businessObject.MyOperationAsync(...);
Even though, my other services are running correctly, the one I defined in the configuration explicitly returns an exception of "There was no endpoint listening..." I am developing on VS2012, using IISExpress. What may be the problem, any suggestions?
I think there is a mismatch for transfert mode. In client-side, you are are using streamed transfert whereas in server-side it is not in the config. In addition, you have specified 10MB, which is not so high.
Please visit this for more info on streaming.
Edit :
If you are hosting under IIS, please also check (default is 4Mb) :
<system.web>
<httpRuntime maxRequestLength="4096 " />
</system.web>

Two WCF services cannot interact when on same server

I have two WCF services hosted with a hosting provider. Both service to work fine. I can access them from my own computer or even from a website hosted with another provider. The weird part (at least, the part I don't understand) is; one cannot call the other.
Both services are located in a subfolder of the web root, at the same hierarchical level. Like wwwroot\serviceone and wwwroot\servicetwo. Both are marked as application folder in IIS en both have an almost similar web.config as shown below, only the names differ:
<configuration>
<system.web>
<compilation targetFramework="4.0" />
</system.web>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="servone">
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
<services>
<service name="MyService.ServiceOne" behaviorConfiguration="servone">
<endpoint address="" binding="basicHttpBinding" contract=" MyService.IServiceOne "/>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
</services>
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>
Browsing to the .svc displays the well-known service page with the example code;
class Test
{
static void Main()
{
ServiceOne client = new ServiceOne ();
// Use the 'client' variable to call operations on the service.
// Always close the client.
client.Close();
}
}
The client has a method named HandleRequest(string str). So in my code (C#) there's a line like;
client.HandleRequest("blah");
The call doesn't raise an exception (I can tell because they are catched, handled and written to a database). It's like the message is sent but never returns.
When I run this service (who calls the other) locally and leave the second on the remote server, all works well.
Obvious it is hard to provide all the details from the hosting party. Unfortunate I don't have access to an IIS installation to simulate the environment either. So, I'm not expecting an in-depth technical solution based on the little information I can provide. But any comment about how this setup differs from all others might be helpful.
I really appreciate any effort, thanks.
Edit:
The call is made like this:
public bool Send(String str)
{
bool result = false;
BasicHttpBinding binding = new BasicHttpBinding();
EndpointAddress ep = new EndpointAddress("http://www.mydomain.com/ServiceTwo.svc");
client = new ServiceTwoClient(b, ep);
//
try
{
result = client.HandleRequest(str);
client.Close();
return result;
}
catch (Exception x)
{
Add2DbLog(x.Message);
return false;
}
}
The domain alias you're using may not work locally on the server. Log in to that server, launch a web browser, and navigate to the service URL used in your code (http://www.mydomain.com/ServiceTwo.svc). Ensure that you don't get any error messages.