I have a WCF service that I want to configure with Transport Security and Client Certificates. I have this working on my local IIS instance, but having troubles configuring it in an Azure Web App.
Here are som snippets from the web.config:
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
<behavior name="ApiBehavior">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
<serviceCredentials>
<clientCertificate>
<certificate
findValue="<Thumbprint>"
storeLocation="CurrentUser"
storeName="My"
x509FindType="FindByThumbprint" />
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
<bindings>
<wsHttpBinding>
<binding name="apiBindingSecure" textEncoding="utf-8">
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="ApiService" behaviorConfiguration="ApiBehavior">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="apiBindingSecure" contract="IApiService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
When I call the service I get the following error:
The SSL settings for the service 'SslRequireCert' does not match those of the IIS 'None'.
I found that in IIS this relates to the SSL Settings -> Client certificates -> Accept setting:IIS SSL seettings
However in Azure this has to be done through a web.config setting:
<location path="BdoApiService.svc" >
<system.webServer>
<security>
<access sslFlags="SslRequireCert,SslNegotiateCert" />
</security>
</system.webServer>
</location>
I tried different combinations of settings: "Ssl"; "Ssl,SslRequireCert,SslNegotiateCert"; "SslNegotiateCert", etc.
But when I set sslFlags, I always get the following error in the browser:
The page cannot be displayed because an internal server error has occurred.
What can I do to get this working?
Related
I have a WCF Service (with authentication and authorization) hosting in IIS 7.5 using SSL certification in Windows Server 2008 R2. I got error while running the WCF application with Visual Studio in this server. WCF Test Client gave me this error: Could not find a base address that matches scheme https for the endpoint with binding WSHttpBinding. But Its working in IIS. And I can deploy my WCF service in my web application with no error. All suggestions were tried and had no solution.
My web.config:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpointBinding">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None"/>
<message clientCredentialType="UserName"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="ServiceBehavior" name="TBBWS.TBBService">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding"
name="wsHttpEndpoint" contract="TBBWS.ITBBService" />
<endpoint address="mex" binding="mexHttpsBinding" bindingConfiguration=""
name="MexHttpsBindingEndpoint" contract="IMetadataExchange"/>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior">
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom"
customUserNamePasswordValidatorType="TBBWS.CustomValidation, App_Code" />
</serviceCredentials>
<serviceAuthorization principalPermissionMode="Custom">
<authorizationPolicies>
<add policyType="TBBWS.CustomAuthorizationPolicy, App_Code" />
</authorizationPolicies>
</serviceAuthorization>
</behavior>
</serviceBehaviors>
</behaviors>
<protocolMapping>
<remove scheme="http" />
<add binding="wsHttpBinding" scheme="https" />
</protocolMapping>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
Any suggestions about it?
Ok, I got it. For those who need help because of the same problem:
1)I added <serviceCertificate storeLocation="LocalMachine" storeName="My" findValue="bla bla bla" x509FindType="FindByThumbprint" /> under serviceCredentials tag.
2)I defined 2 bindings. http and https. I removed http binding.
Thanks anyway...
I have been working on a WCF service which is developed in VS 2008 and hosted in Windows Server 2008, IIS 7.0,
When I host this service in my local environment, its working fine but when i host this service in production site its not working.
In this service i am using WShttpbinding binding, and i am using the Security mode is message and clientcredential type is "Username"
<security mode= "Message">
<message clientCredentialType="UserName" />
</security>
In behaviour configuration i am using the
<behavior name="name">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" httpsGetUrl="https://serviceurl/basic"/>
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<serviceCertificate findValue="CN=WMSvc-AMAZONA-PJ1K606" />
<userNameAuthentication userNamePasswordValidationMode="MembershipProvider" embershipProviderName="WCFSqlProvider" />
</serviceCredentials>
</behavior>
but when i consume the service from my client application it gives me the error
There was no channel actively listening at "//name of the machine where service hosted/servicename/$metadata" This is often caused by an incorrect address URI. Ensure
that the address to which the message is sent matches an address on which a service is listening.
Looks like your problem is with the metadata, according to the error message.
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" httpsGetUrl="//https://serviceurl/basic"/>
Try removing the // in the beginning of httpsGetUrl attribute, they might be causing you trouble.
Here are a few examples of configurations: http://msdn.microsoft.com/en-us/library/ms731317(v=vs.110).aspx
<system.serviceModel>
<bindings>
<webHttpBinding>
<binding name="TransportSecurity">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</webHttpBinding>
</bindings>
<services>
<service name="Service" behaviorConfiguration="ServiceBehaviour">
<endpoint address="" binding="webHttpBinding" behaviorConfiguration="webMyAcc" bindingConfiguration="TransportSecurity" contract="IService"/>
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceBehaviour">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="webMyAcc">
<webHttp />
</behavior>
</endpointBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
<client />
</system.serviceModel>
I have simple WCF Service Service1 with the following config:
<behaviors>
<serviceBehaviors>
<behavior name="SecuredBehavior">
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug httpHelpPageEnabled="true" includeExceptionDetailInFaults="true"/>
<serviceCredentials type="System.ServiceModel.Description.ServiceCredentials">
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="WCFS.Service1,WCFS"/>
<serviceCertificate findValue="BasicWCFCert" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
<windowsAuthentication includeWindowsGroups="false"/>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="SecuredWsHttpBinding">
<security mode="Message">
<message clientCredentialType="UserName"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="WCFS.Service1" behaviorConfiguration="SecuredBehavior">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="SecuredWsHttpBinding"
name="End1" contract="WCFS.IService1" />
</service>
</services>
So on my development machine I'm using this service with certificate "BasicWCFCert" stored in LocalMachine in "My" (Personal) location.
How should I change it before publishing this service in Azure?
How can I tell Service1 to use one of certificates uploaded to Azure?
Have you tried attaching the cert in the role configuration screen as show below?
You can get the thumbprint by running certmgr.msc and going to the relevant certificate.
I'm tackling with an issue but couldn't sort out it.
I have one service which is worked inside asp.net 4.0 app.
The site is available both over http and https.
Issue is that the service with below provided config snipped can work either over http or over https.
What is wrong in my config?
<system.serviceModel>
<bindings>
<webHttpBinding>
<binding name="webHttpsBinding">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</webHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="HMS.DataServices.PaymentsServiceBehavior">
<enableWebScript />
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="HMS.DataServices.PaymentsServiceBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service name="HMS.DataServices.PaymentsService">
<!--HTTP-->
<endpoint address="" binding="webHttpBinding" contract="HMS.DataServices.IPaymentsService"
behaviorConfiguration="HMS.DataServices.PaymentsServiceBehavior" />
<!--HTTPS-->
<endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpsBinding"
contract="HMS.DataServices.IPaymentsService" behaviorConfiguration="HMS.DataServices.PaymentsServiceBehavior" />
</service>
</services>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
this config works over https but not nttp
In the windows log I see next error
The exception message is: Could not find a base address that matches scheme https for the endpoint with binding WebHttpBinding. Registered base address schemes are [http]..
Thanks in advance!
I have created a RESTful Service and implemented the Authentication. It accepts username and password and then grants access to the service requested. It Works fine. Now I want to use SSL on top of my Service. For this I Created Certificate, Then In IIS I gave the required settings. But my service is not working. I am using webHttpBinding.
my Web.Config on service side is :
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
<services>
<service behaviorConfiguration="ServiceBehavior" name="TestAPI">
<host>
<baseAddresses>
<add baseAddress="https://localhost/AuthWithSSLTest/API/TestAPI.svc" />
</baseAddresses>
</host>
<endpoint address="" behaviorConfiguration="RESTFriendly" bindingConfiguration="MywebHttpBinding" binding="webHttpBinding" contract="ITestAPI" >
</endpoint>
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
</services>
<client /><bindings>
<webHttpBinding>
<binding name="MywebHttpBinding">
<security mode="Transport" >
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</webHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="RESTFriendly">
<webHttp />
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior">
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<clientCertificate>
<authentication revocationMode="NoCheck" />
</clientCertificate>
<serviceCertificate findValue="CN=tempCertClient" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
And In my client side app.config I have
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="NewBehavior">
<clientCredentials>
<clientCertificate findValue="CN=tempCertClient" storeLocation="LocalMachine" />
<serviceCertificate>
<authentication certificateValidationMode="PeerTrust" revocationMode="NoCheck" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<customBinding>
<binding name="WebHttpBinding_ITestAPI">
<httpTransport/>
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="https://localhost/AuthWithSSLTest/API/API.svc/TestMethod"
behaviorConfiguration="NewBehavior" binding="customBinding"
bindingConfiguration="WebHttpBinding_ITestAPI"
contract="TestAPI.ITestAPI" name="WebHttpBinding_ITestAPI" />
</client>
</system.serviceModel>
When I try to Run Client, it says Provided URI scheme Https is invalid, http required.
Also when I try to invoke the Web Service from VS2008, it says "Could not find a base address that matches scheme https for the endpoint with binding WebHttpBinding. Registered base address schemes are [http]."
if I try to run the web service from IIS, it says "Could not find a base address that matches scheme http for the endpoint with binding WebHttpBinding. Registered base address schemes are [https]."
I have tried googling and tried all the suggested things, but no awail. Please Help.
Thanks in Advance,
Tara Singh
In your client configuration, try changing:
<httpTransport/>
to:
<httpsTransport/>