IIS WCF webservice and mutual authentication - wcf

I have a C# based WCF RESTful webservice in IIS7 running on Windows Server 2008. The webservice accepts XML data via HTTPS POST only. customBinding is being used. I have checked "Require SSL" in the SSL Settings option and also selected the option of "Require" in that same page.
During the SSL handshake, however, I do not see the server sending a CertificateRequest (ssl.handshake.type = 13) request from the Server. I can only see a (ServerHello, Certificate, ServerHelloDone). After the ServerHelloDone message there is a "Bad Certificate" message in the wireshark capture.
Can someone please help ? The relevant part of the binding in Web.Config file contents are as follows :
<bindings>
<customBinding>
...
<binding name="RawReceiveCapableHttps">
<webMessageEncoding webContentTypeMapperType="e000webapp1.RawContentTypeMapper, e000webapp1, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<httpsTransport manualAddressing="true" maxReceivedMessageSize="524288000" transferMode="Streamed" requireClientCertificate="true" />
<!-- security mode="Transport">
<transport clientCredentialType="Certificate" />
</security -->
</binding>
</customBinding>
</bindings>

Related

IIS Anonymous Authentication enabled but credentials required

We have a some web services hosted in IIS8 that were running fine with anonymous authentication set. Then a couple of days ago anonymous authentication was disabled in favour for windows authentication which made it impossible to connect to the web services. Now we have reverted to anonymous authentication but the site still asks for windows credentials:
The HTTP request is unauthorized with client authentication scheme
'Anonymous'. The authentication header received from the server was
'Negotiate,NTLM'.
What we have done is this:
in web.config:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="CustomHttpBinding" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647">
<security mode="None">
<transport clientCredentialType="None" />
</security>
</binding>
</basicHttpBinding>
</bindings>
and in IIS Manager we only have Anonymous Authentication checked:
In the applicationHost.config file everything seems correct:
<location path="Path/WebServices">
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="false" useKernelMode="true">
<providers>
<clear />
<add value="NTLM" />
<add value="Negotiate" />
</providers>
<extendedProtection tokenChecking="None" />
</windowsAuthentication>
<anonymousAuthentication enabled="true" />
<basicAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
App-pools, site, and server have all been restarted/recycled.
Where else should I look? Thanks.
I agree that everything looks correct from what you've shown. I would recommend reviewing all your visible configuration for any anonymous/Windows auth that may apply that you may not be seeing. To do this, in IIS Manager click on the Server on the Left, then select Configuration Editor. On the right, select Search Configuration. The search at the top only accepts "section names" so things like WindowsAuthentication and AnonymousAuthentication are good searches. Review each place in your config that may apply to your site/app.
It turned out that the DNS pointed to a different server than the one I was doing my changes in.

How to create a .NET client for a wso2 Secure Token Service

I need to create a .NET client for a wso2 Secure Token Service.
Normally I would create a simple console or WinForm project adding a Service Reference to it. The exposed WSDL would be turned in a set of classes that I can use to query the service and to properly manage its response.
Unfortunately, the generated request and response classes are empty: just the class declaration without any property or method. This is similar to the behaviour described in this other (unanswered) Stack Overflow question https://stackoverflow.com/q/22049080/2131913
I have found a sample request for the service in this forum post: http://cxf.547215.n5.nabble.com/Sample-STS-Client-tp4643980p4664175.html and I made it to work with SOAP UI.
Is there a proper, and possibly automated, way to recreate the complex data structure needed to query the Secure Token Service?
EDIT
OK, after many tries I have reduced the SOAP request from the above forum post to the minimal structure needed to still get a RequestSecurityTokenResponse from the STS service.
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-6D35592DCDDA26FFF3141578725699577">
<wsse:Username>USERNAME HERE</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PASSWORD HERE</wsse:Password>
</wsse:UsernameToken>
<wsu:Timestamp wsu:Id="TS-6D35592DCDDA26FFF3141578725699576">
<wsu:Created>2014-11-12T10:14:16.995Z</wsu:Created>
<wsu:Expires>2014-11-12T10:16:16.995Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
<wsa:Action soap:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</wsa:Action>
<wsa:MessageID soap:mustUnderstand="1">uuid:6d4eab69-77f9-42b7-8d6b-1f710020fb0b</wsa:MessageID>
<wsa:To soap:mustUnderstand="1">STS ENDPOINT ADDRESS HERE</wsa:To>
</soap:Header>
<soap:Body>
<wst:RequestSecurityToken xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
<wst:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</wst:TokenType>
<wst:Claims>
<wsid:ClaimType Uri="http://wso2.org/claims/userid" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity"/>
</wst:Claims>
</wst:RequestSecurityToken>
</soap:Body>
</soap:Envelope>
I have obtained a partial success defining in the app.config of my project either a single wsHttpBinding like the following:
<wsHttpBinding>
<binding name="SendUsername" messageEncoding="Text">
<security mode ="TransportWithMessageCredential">
<message clientCredentialType ="UserName"/>
<transport clientCredentialType ="Basic" />
</security>
</binding>
</wsHttpBinding>
with or without adding a CustomBinding like the following:
<customBinding>
<binding name="wso2carbon-stsSoap12Binding">
<security defaultAlgorithmSuite="Default" authenticationMode="IssuedToken"
requireDerivedKeys="true" securityHeaderLayout="Lax" includeTimestamp="true">
<localClientSettings detectReplays="false" />
<localServiceSettings detectReplays="false" />
<issuedTokenParameters keyType ="SymmetricKey" tokenType ="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
<issuer address =STS ENDPOINT ADDRESS HERE binding ="wsHttpBinding" bindingConfiguration ="SendUsername"/>
<claimTypeRequirements>
<add claimType ="http://wso2.org/claims/userid"/>
</claimTypeRequirements>
</issuedTokenParameters>
</security>
<textMessageEncoding messageVersion="Soap12" />
<httpsTransport />
</binding>
</customBinding>
In both cases however the request throws a timeout exception, and inspecting with WCF tracing the issued request I can see that it is missing the Claims element. Any hints?
Please refer this article
Security Token Service with WSO2 Identity Server 2.0
For more insight on this please refer:
http://wso2.com/library/3190/
Configuring WSO2 Identity Server Passive STS with an ASP.NET
Client
After many days struggling with WCF configuration option I have obtained a partial success.
The key that allows me to obtain a response from the Security Token Service is that I realized that, in the long term, I will need to operate in a federated security scenario. I don't need the token per se, but I need it to obtain a mean to authenticate to other services.
With this option in mind I started to explore what WCF has to offer for this kind of scenario and I built the following configuration options:
<wsFederationHttpBinding>
<binding name="fs">
<security mode="TransportWithMessageCredential">
<message issuedKeyType="SymmetricKey" issuedTokenType ="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
<issuer address = <!-- STS address here --> binding ="customBinding" bindingConfiguration ="StsBinding"/>
<claimTypeRequirements>
<add claimType="http://wso2.org/claims/userid" />
</claimTypeRequirements>
</message>
</security>
</binding>
</wsFederationHttpBinding>
The above binding is used to contact the service that needs token authentication while the following adds further instructions about how to contact the security token issuer:
<customBinding>
<binding name="StsBinding">
<textMessageEncoding messageVersion="Soap12WSAddressingAugust2004"/>
<useManagedPresentation/>
<security authenticationMode="UserNameOverTransport" includeTimestamp ="true" keyEntropyMode ="ServerEntropy" securityHeaderLayout ="Lax"
messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10" >
</security>
<httpsTransport authenticationScheme ="Basic"/>
</binding>
</customBinding>
With this configuration, and with the help of Fiddler and WCF trace I can see I get a Security Token Response from the STS issuer.
Howevere as I said, in the beginnig, this was only a partial success because WCF infrastructure, when processing the token, says that it has a wrong action... but this can be the subjet of another question ;-)
I hope this can be considered a valid answer although my quest for token authentication is not yet concluded

WCF The HTTP request is unauthorized with client authentication scheme 'Negotiate'

I have a WCF service hosted on IIS with Windows Aut, I am able to connect to the service from my client application (WPF) on my local machine, but when I try to access the service from some other machine I get the following error
The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
I checked the providers in my IIS and there "Negotiate" is the first one and then the "NTLM". I also tried removing "NTLM" but that also did not help.
I have following configuration in my App.config
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding" maxReceivedMessageSize="2147483647"
receiveTimeout="00:30:00" sendTimeout="00:30:00"
openTimeout="00:10:00" closeTimeout="00:10:00">
<readerQuotas maxStringContentLength="2147483647" maxArrayLength="20971520" />
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" />
</security>
</binding>
</basicHttpBinding>
You may need to enable anonymous access in IIS.

protecting and signing messages in WCF

I'm a new member in this fantastic website and this is my first question here ..
I wish I can find the solution..
I'm building a website and I need to secure the communications between clients and the server.
I should Use WCF in the implementation.
My project's requirements :
use WCF
binding: ws2007HttpBinding
security: HTTPS
client: Sign
I should use HTTPS for securing the communications and I should make the client sign the message (it's important).
I install certificates in both server and Client But I don't knoe how to make the clients sign the message.
I can't use message security in the wcf because I need HTTPS. Anyone can help me to know what is the TransportWithMessageCredential do for signing and how to implement such a thing??
Here is part of the app.config of the server:
<bindings>
<ws2007HttpBinding>
<binding name="ServiceWS2007HttpBindingConfg">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" />
<message clientCredentialType="Certificate" negotiateServiceCredential="false" />
</security>
</binding>
</ws2007HttpBinding>
</bindings>
<services>
<service name="Service">
<endpoint address="https://MAHER-PC/EBPP/Service.svc" binding="ws2007HttpBinding"
bindingConfiguration="ServiceWS2007HttpBindingConfg" contract="IService" />
</service>
</services>
thanks....
Depends on what you're planning to sign.
A good place to start would be to have a look at setting the ProtectionLevel for your service in the service contract.
Information:
http://msdn.microsoft.com/en-gb/library/aa347692.aspx
How to:
http://msdn.microsoft.com/en-gb/library/aa347791.aspx

WCF security in an internet scenario

I have a WCF service hosted in a Windows Service. Clients from various platforms will access the service. Now I would like to add a basic security mechanism. Ideally, the clients should use username/password for authentication.
Which binding settings do I have to use in this scenario and how can I authenticate the client? Interoperability is more important than a very secure solutions. If possible the client should not be forced to use a certificate or something the like. Additionally, authentication should not be strongly coupled with a SQL Server database. I would like to manually inspect the client credentials.
Thanks for your help
The best for your case can be BasicHttpBinding with security set to TransportWithMessageCredentials and credential type set to UserName. In this case your service will be secured with HTTPS (requires server certificate for SSL which has to be trusted on clients) and authentication will be provided on message level with UserName Token Profile (SOAP header). You can implement your own password validator.
BasicHttpBinding configuration skeleton:
<bindings>
<basicHttpBinding>
<binding name="Secured">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName" />
</security>
</binding>
</basicHttpBinding>
</bindings>
If you don't want to use HTTPS you can create custom binding with HttpTransport, TextMessageEncoding and with security mode set to UserNameOverTransport. But you have to set allowInsecureTransport to true (be aware that there is some bug with WSDL generation in this setting).
Custom binding configuration skeleton:
<bindings>
<customBinding>
<binding name="Secured">
<security authenticationMode="UserNameOverTransport" allowInsecureTransport="true" />
<textMessageEncoding messageVersion="Soap11" />
<httpTransport />
</binding>
</cutomBinding>
</bindings>
See the Internet section of the Application Scenarios for guides on how to achieve this:CodePlex Application Scenarios