I am just getting started with WCF and am having a bit of trouble getting my message encryption to work. I finally got Role based authentication working with Asp.Net Identity 2.0 and am now trying to secure all data exchanged with encryption. I have signed my own x.509 certificate using SelfCert. Now when I try to hit any method on my contract I get a 404. I think the problem might be somewhere in my web.configs. Can anyone point out any obvious noobie mistakes in these web.config files?
Service Config
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="authBehavior">
<serviceCredentials>
<serviceCertificate findValue="onpSquad"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindBySubjectName"/>
<clientCertificate>
<authentication certificateValidationMode="None" />
</clientCertificate>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="WCFServiceWebRole1.Onp.Security.IdentityValidator,WCFServiceWebRole1" />
</serviceCredentials>
<serviceAuthorization principalPermissionMode="Custom" serviceAuthorizationManagerType="WCFServiceWebRole1.Onp.Security.RoleAuthorizationManager,WCFServiceWebRole1">
</serviceAuthorization>
</behavior>
<behavior>
<!-- To avoid disclosing metadata information, set the value below to false before deployment -->
<serviceMetadata httpGetEnabled="true"/>
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="authBehavior" name="WCFServiceWebRole1.SupportTicketSubmission">
<endpoint address="SupportTicketSubmission.svc"
binding="wsHttpBinding"
bindingConfiguration="MessageAndUserName"
name="SecuredByTransportEndpoint"
contract="WCFServiceWebRole1.Onp.IServiceSquadContract" />
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="MessageAndUserName">
<security mode="Message">
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
The client
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_IServiceSupportTicketSubmission" />
<binding name="BasicHttpBinding_IServiceLoggingContract" />
</basicHttpBinding>
<wsHttpBinding>
<binding name="WSHttpBinding_IService1" />
<binding name="WSHttpBinding_IServiceSquadContract">
<security mode="Message">
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost:64054/Service1.svc" binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_IService1" contract="ServiceReference1.IService1"
name="WSHttpBinding_IService1">
<identity>
<userPrincipalName value="MARIASCOMPUTER\chuyita" />
</identity>
</endpoint>
<endpoint address="http://localhost:10234/SupportTicketSubmission.svc"
binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IServiceSupportTicketSubmission"
contract="OnpService.IServiceSupportTicketSubmission" name="BasicHttpBinding_IServiceSupportTicketSubmission" />
<endpoint address="http://localhost:10234/SupportTicketSubmission.svc"
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_IServiceSquadContract"
contract="OnpService.IServiceSquadContract"
name="SecuredByTransportEndpoint">
<identity>
<dns value ="onpSquad" />
</identity>
</endpoint>
</client>
</system.serviceModel>
Old config file
As you can see from below, there were never any explicit endpoints defined. This is the first time I actually have to define them so that I can use ASP.Net's Identity 2.0 for logging in and also setting up encryption.
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior>
<!-- To avoid disclosing metadata information, set the value below to false before deployment -->
<serviceMetadata httpGetEnabled="true"/>
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
Update thus far
I got a WCF book and read the first chapter. I've got my binding working correctly and I am able to access the methods of my ISquadContract but now am having issues with Identity 2.0 not grabbing the provided username from the request. That's a topic for another question. Here is what my new config looks like
<system.serviceModel>
<protocolMapping>
<add scheme="http" binding="wsHttpBinding"/>
</protocolMapping>
<services>
<service name="WCFServiceWebRole1.SupportTicketSubmission"
behaviorConfiguration="authBehavior"
>
<endpoint address="SupportTicketSubmission.svc"
binding="wsHttpBinding"
contract="WCFServiceWebRole1.Onp.IServiceSquadContract"
bindingConfiguration="squadBindingConfiguration">
</endpoint>
<endpoint contract="IMetadataExchange" binding="mexHttpBinding" address="mex"></endpoint>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="authBehavior">
<serviceMetadata httpGetEnabled="true"/>
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="WCFServiceWebRole1.Onp.Security.IdentityValidator,WCFServiceWebRole1" />
</serviceCredentials>
<serviceAuthorization principalPermissionMode="Custom" serviceAuthorizationManagerType="WCFServiceWebRole1.Onp.Security.RoleAuthorizationManager,WCFServiceWebRole1">
</serviceAuthorization>
</behavior>
<behavior>
<!-- To avoid disclosing metadata information, set the value below to false before deployment -->
<serviceMetadata httpGetEnabled="true"/>
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
<bindings>
<wsHttpBinding>
<binding name="squadBindingConfiguration">
<security mode="None">
<message clientCredentialType="UserName"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
Your client configuration file appears to define config to allow it to connect to three distinct service endpoints, one available at the address:
http://localhost:64054/Service1.svc
which is expecting to find there a service which exposes a contract called:
ServiceReference1.IService1
and the other two available at the address:
http://localhost:10234/SupportTicketSubmission.svc
however, one of these is expecting to call the service contract called:
OnpService.IServiceSupportTicketSubmission
and the other one is expecting to call the service contract called:
OnpService.IServiceSquadContract
Your service configuration file, on the other hand, defines a service endpoint available at the base service address of:
SupportTicketSubmission.svc
and exposing the contract:
WCFServiceWebRole1.Onp.IServiceSquadContract
This is about as confused a picture I think I have ever seen in two WCF config files which are supposed to work together. There are multiple problems here. If you want me to help you detangle this, write me a comment below.
Related
I have a WCF service that I want to configure with Transport Security and Client Certificates. I have this working on my local IIS instance, but having troubles configuring it in an Azure Web App.
Here are som snippets from the web.config:
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
<behavior name="ApiBehavior">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
<serviceCredentials>
<clientCertificate>
<certificate
findValue="<Thumbprint>"
storeLocation="CurrentUser"
storeName="My"
x509FindType="FindByThumbprint" />
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
<bindings>
<wsHttpBinding>
<binding name="apiBindingSecure" textEncoding="utf-8">
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="ApiService" behaviorConfiguration="ApiBehavior">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="apiBindingSecure" contract="IApiService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
When I call the service I get the following error:
The SSL settings for the service 'SslRequireCert' does not match those of the IIS 'None'.
I found that in IIS this relates to the SSL Settings -> Client certificates -> Accept setting:IIS SSL seettings
However in Azure this has to be done through a web.config setting:
<location path="BdoApiService.svc" >
<system.webServer>
<security>
<access sslFlags="SslRequireCert,SslNegotiateCert" />
</security>
</system.webServer>
</location>
I tried different combinations of settings: "Ssl"; "Ssl,SslRequireCert,SslNegotiateCert"; "SslNegotiateCert", etc.
But when I set sslFlags, I always get the following error in the browser:
The page cannot be displayed because an internal server error has occurred.
What can I do to get this working?
I have been working on a WCF service which is developed in VS 2008 and hosted in Windows Server 2008, IIS 7.0,
When I host this service in my local environment, its working fine but when i host this service in production site its not working.
In this service i am using WShttpbinding binding, and i am using the Security mode is message and clientcredential type is "Username"
<security mode= "Message">
<message clientCredentialType="UserName" />
</security>
In behaviour configuration i am using the
<behavior name="name">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" httpsGetUrl="https://serviceurl/basic"/>
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<serviceCertificate findValue="CN=WMSvc-AMAZONA-PJ1K606" />
<userNameAuthentication userNamePasswordValidationMode="MembershipProvider" embershipProviderName="WCFSqlProvider" />
</serviceCredentials>
</behavior>
but when i consume the service from my client application it gives me the error
There was no channel actively listening at "//name of the machine where service hosted/servicename/$metadata" This is often caused by an incorrect address URI. Ensure
that the address to which the message is sent matches an address on which a service is listening.
Looks like your problem is with the metadata, according to the error message.
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" httpsGetUrl="//https://serviceurl/basic"/>
Try removing the // in the beginning of httpsGetUrl attribute, they might be causing you trouble.
Here are a few examples of configurations: http://msdn.microsoft.com/en-us/library/ms731317(v=vs.110).aspx
<system.serviceModel>
<bindings>
<webHttpBinding>
<binding name="TransportSecurity">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</webHttpBinding>
</bindings>
<services>
<service name="Service" behaviorConfiguration="ServiceBehaviour">
<endpoint address="" binding="webHttpBinding" behaviorConfiguration="webMyAcc" bindingConfiguration="TransportSecurity" contract="IService"/>
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceBehaviour">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="webMyAcc">
<webHttp />
</behavior>
</endpointBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
<client />
</system.serviceModel>
WP supports only basicHttpBinding. My app sends sensitive data through WCF and store them in DB. Data are sent as plain text and this is inacceptable. I found some solutions but it isn't working. I've set securityMode to Transport but I've got exception. Here is my web.config file:
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="serviceBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug httpHelpPageEnabled="true" includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding name="baseBinding" >
<security mode="Transport" />
</binding>
</basicHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="serviceBehavior" name="TestWCF.WcfNotificationService.WcfNotificationService">
<endpoint address="base" binding="basicHttpBinding" bindingConfiguration="baseBinding"
contract="TestWCF.WcfNotificationService.IWcfNotificationService" />
<host>
<timeouts openTimeout="00:05:00" />
</host>
</service>
</services>
when I update service reference in client I get error:
Could not find a base address that matches scheme https for the endpoint with binding BasicHttpBinding. Registered base address schemes are [http].
Could you help me, what I have to do?
Thanks
I'm tackling with an issue but couldn't sort out it.
I have one service which is worked inside asp.net 4.0 app.
The site is available both over http and https.
Issue is that the service with below provided config snipped can work either over http or over https.
What is wrong in my config?
<system.serviceModel>
<bindings>
<webHttpBinding>
<binding name="webHttpsBinding">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</webHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="HMS.DataServices.PaymentsServiceBehavior">
<enableWebScript />
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="HMS.DataServices.PaymentsServiceBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service name="HMS.DataServices.PaymentsService">
<!--HTTP-->
<endpoint address="" binding="webHttpBinding" contract="HMS.DataServices.IPaymentsService"
behaviorConfiguration="HMS.DataServices.PaymentsServiceBehavior" />
<!--HTTPS-->
<endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpsBinding"
contract="HMS.DataServices.IPaymentsService" behaviorConfiguration="HMS.DataServices.PaymentsServiceBehavior" />
</service>
</services>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
this config works over https but not nttp
In the windows log I see next error
The exception message is: Could not find a base address that matches scheme https for the endpoint with binding WebHttpBinding. Registered base address schemes are [http]..
Thanks in advance!
Please post the steps you have taken to setup SSL to work with WCF on Azure.
I have my valid certificate uploaded successfully (using cspack) and working with the rest of the site, but after adding it, my previously working WCF service stopped working. (All I get is a 404 error back to Silverlight, which is not very helpful. Up votes to whomever comes up with some better logging I could be doing too to help diagnose the problem too!)
I've tried many variations on this configuration:
<system.serviceModel>
<!--start added for SSL-->
<bindings>
<basicHttpBinding>
<binding name="SecureBasicHttpBinding">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<!--end added for SSL-->
<behaviors>
<!--start added for SSL-->
<endpointBehaviors>
<behavior name="DisableServiceCertificateValidation">
<clientCredentials>
<serviceCertificate>
<authentication certificateValidationMode="None"
revocationMode="NoCheck" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
<!--start added for SSL-->
<serviceBehaviors>
<behavior name="Silverheat.Cloud_WebRole.API.DataServiceBehavior">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<!-- certificate checking removed -->
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
<services>
<service behaviorConfiguration="Silverheat.Cloud_WebRole.API.DataServiceBehavior"
name="Silverheat.Cloud_WebRole.API.DataService">
<!--<endpoint address="" binding="basicHttpBinding" contract="Silverheat.Cloud_WebRole.API.DataService" />-->
<endpoint bindingConfiguration="SecureBasicHttpBinding"
behaviorConfiguration="DisableServiceCertificateValidation"
address="" binding="basicHttpBinding"
contract="Silverheat.Cloud_WebRole.API.DataService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
</system.serviceModel>
Unfortunately, debugging this and getting more info is really hard because I cannot step through and debug with any configuration remotely like I'd use on the live server because the bindings tag has problems on debug (but not live).
Thanks for your help and interest!
Wow! Its alive! Its working!!
Still doesn't work in debug (security exception), but I'll live with that until the next release.
Here's the configuration that worked:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="SecureBasicHttpBinding">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="Silverheat.Cloud_WebRole.API.DataServiceBehavior">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
<services>
<service behaviorConfiguration="Silverheat.Cloud_WebRole.API.DataServiceBehavior"
name="Silverheat.Cloud_WebRole.API.DataService">
<endpoint bindingConfiguration="SecureBasicHttpBinding"
address="" binding="basicHttpBinding"
contract="Silverheat.Cloud_WebRole.API.DataService" />
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
</services>
</system.serviceModel>
(I think it was "mexHttpsBinding" that made it finally work, although I don't entirely understand why it needs meta data after its already configured, back to the books I guess)
I'd still like to know how to enable some kind of logging for WCF, but I'll poke around this great site a bit more and I'm sure I'll find an answer.