I have the following situation - i call remote service, written on Java from my WCF-client. This service has a certificate-based authentication, using SSL, and giving to all clients certificates in JKS format. I converted this certificate to P12 format and called to service. Сall does not raised an exception, but returned empty result.
Client-proxy i'm generated from service WSDL. Here is my config:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
</startup>
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="ClientEndPointBehavior">
<clientCredentials>
<clientCertificate storeLocation="CurrentUser" storeName="My" x509FindType="FindBySerialNumber" findValue="01234567"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding name="MyBinding" allowCookies="true">
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="https://myservice/services/"
binding="basicHttpBinding" bindingConfiguration="MyBinding"
contract="IContract" name="Contract" behaviorConfiguration="ClientEndPointBehavior"/>
</client>
</system.serviceModel>
</configuration>
What i'm doing wrong?
You would have to use CustomBinding for interoperability with java client or services.You could try any of the below bindings based on your mode of Authentication.
<customBinding>
<binding name="bindingName">
<textMessageEncoding messageVersion="Soap11" />
<httpsTransport authenticationScheme="Anonymous"
requireClientCertificate="true" />
</binding>
Try different authenticationScheme for the above
OR
<customBinding>
<binding name="bindingName">
<textMessageEncoding messageVersion="Soap11" />
<security authenticationMode="CertificateOverTransport" />
<httpsTransport requireClientCertificate="true"/>
</binding>
Please refer link for different options on authenticationMode
Hope this helps
Related
In my project I recently changed my WCF service to use Https. It is configured to be a mutual ssl setup and the client and server certificates are both installed appropriately. Server side looks fine and even started fine in the browser as shown below.
However, when trying to configure the service reference from the WPF client side (service proxy that was previously added and generated). I get a 403 forbidden error code as shown below. Any idea why?
Here are my configurations.
WCF Server Side Config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<appSettings>
<add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
</appSettings>
<system.web>
<compilation debug="true" targetFramework="4.5.2" />
<httpRuntime targetFramework="4.5.2" />
</system.web>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceCredentials>
<serviceCertificate storeLocation="LocalMachine" x509FindType="FindByIssuerName" findValue="QuickFire Root Authority" />
</serviceCredentials>
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service name="PushNotification_SignalR_PoC.WCF.PushNotificationService">
<endpoint binding="wsHttpBinding" bindingConfiguration="MutualSslLargeMessageBinding" contract="PushNotification_SignalR_PoC.WCF.IPushNotificationService" />
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="MutualSslLargeMessageBinding" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647">
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
<security mode="Transport">
<transport clientCredentialType="Certificate"></transport>
</security>
</binding>
</wsHttpBinding>
</bindings>
<protocolMapping>
<add binding="basicHttpsBinding" scheme="https" />
</protocolMapping>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
<directoryBrowse enabled="true" />
</system.webServer>
</configuration>
WPF Client Side Config
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" />
</startup>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WsHttpBinding_IPushNotificationService"
closeTimeout="00:01:00" openTimeout="00:01:00"
receiveTimeout="00:30:00" sendTimeout="00:01:00"
allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647"
messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true">
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647"
maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://localhost:44367/PushNotificationService.svc"
binding="wsHttpBinding" bindingConfiguration="WsHttpBinding_IPushNotificationService"
contract="ServiceProxy.IPushNotificationService" name="WsHttpBinding_IPushNotificationService" />
</client>
<behaviors>
<endpointBehaviors>
<behavior name="MutualSslBehavior">
<clientCredentials>
<clientCertificate storeLocation="CurrentUser" x509FindType="FindBySubjectName" findValue="QuickFire Test Client"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
If we want to call the service by adding service reference, we should add the MEX endpoint in the service endpoints on the server side. It could exchange metadata of the service over all platforms.
Like below,
<services>
<service name="PushNotification_SignalR_PoC.WCF.PushNotificationService">
<endpoint binding="wsHttpBinding" bindingConfiguration="MutualSslLargeMessageBinding" contract="PushNotification_SignalR_PoC.WCF.IPushNotificationService" />
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"></endpoint>
</service>
</services>
For details,
https://learn.microsoft.com/en-us/dotnet/framework/wcf/extending/how-to-configure-a-custom-ws-metadata-exchange-binding
Feel free to let me know if there is anything I can help with.
I’ve searched through several posts (here and here, for example) related to this area, but none seem to address this fairly straight forward scenario question: What Binding configurations should be used to configure an SSL enabled (e.g. https) WCF Web Service on an Azure Web Role: in the Web Role’s ServiceDefinition.csdef, the Web Service’s web.config and the client’s app.config?
I have configured the SSL cert for the service in the Azure Portal and in the Web Role’s ServiceConfiguration.csfg for https:// MyApp.cloudapp.net and this appears to be working fine.
When I browse to the service https:// myapp.cloudapp.net/WCFService.svc?wsdl , the metadata displays correctly. I can add a Service Reference to the service from a client, but when I call it, I get the exception: “There was no endpoint listening at https:// myapp.cloudapp.net/WCFService.svc that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.” Inner Exception: “The remote server returned an error: (404) Not Found”
The respective configuration files look like this:
ServiceDefinition.csdef :
<WebRole name="WCFServiceWebRole" vmsize="Small">
<Sites>
<Site name="Web">
<Bindings>
<Binding name="HttpIn" endpointName="HttpIn" />
<Binding name="HttpsIn" endpointName="HttpsIn" />
</Bindings>
</Site>
</Sites>
<Endpoints>
<InputEndpoint name="HttpIn" protocol="http" port="8080" />
<InputEndpoint name="HttpsIn" protocol="https" port="443" certificate="MySSLCert" />
</Endpoints>
<Certificates>
<Certificate name="MySSLCert" storeLocation="LocalMachine" storeName="My" />
</Certificates>
</WebRole>
Web Service’s web.config :
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding" />
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</basicHttpBinding>
</bindings>
</system.serviceModel>
The Client’s App.Config looks like this:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_IMyWebService" >
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="https://myapp.cloudapp.net/MyWebService.svc"
binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IMyWebService"
contract="MyWebServiceServiceReference.IMyWebService"
name="BasicHttpBinding_IMyWebService" />
</client>
</system.serviceModel>
When I use SvcUtil to generate the binding configuration for the client, it generates:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_IMyWebService" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="None">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="https://myapp.cloudapp.net/MyWebService.svc"
binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IMyWebService"
contract="MyWebServiceServiceReference.IMyWebService" name="BasicHttpBinding_IMyWebService" />
</client>
</system.serviceModel>
Which then gives the exception when I call the web service: "The provided URI scheme 'https' is invalid; expected 'http'." So that doesn't seem to be the correct configuration either.
I’m sure this is just a matter of getting the right configuration in the three files above, but I can’t seem to find the correct combination anywhere, and so I would really appreciate if someone could call out what they should be.
Conor.
An Azure dev helped me figure out the answer to this, the problem was the omission of the Service node from the Web Service's web.config file. Here is the full set of configuration files required for this scenario in case it helps anyone else trying to achieve the same result (An SSL/HTTPS WCF Web Service implemented on an Azure Web Role:
ServiceDefinition.csdef :
<WebRole name="WCFServiceWebRole" vmsize="Small">
<Sites>
<Site name="Web">
<Bindings>
<Binding name="HttpIn" endpointName="HttpIn" />
<Binding name="HttpsIn" endpointName="HttpsIn" />
</Bindings>
</Site>
</Sites>
<Endpoints>
<InputEndpoint name="HttpIn" protocol="http" port="8080" />
<InputEndpoint name="HttpsIn" protocol="https" port="443" certificate="MySSLCert" />
</Endpoints>
<Certificates>
<Certificate name="MySSLCert" storeLocation="LocalMachine" storeName="My" />
</Certificates>
</WebRole>
Web Service’s web.config :
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding" />
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="" name="MyWebServiceNameSpace.MyWebService">
<endpoint bindingConfiguration="BasicHttpBinding" address="" binding="basicHttpBinding"
contract="MyWebServiceNameSpace.IMyWebService" />
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
</services>
</system.serviceModel>
The Client’s App.Config looks like this:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_IMyWebService" >
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="https://myapp.cloudapp.net/MyWebService.svc"
binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IMyWebService"
contract="MyWebServiceServiceReference.IMyWebService"
name="BasicHttpBinding_IMyWebService" />
</client>
</system.serviceModel>
Thanks, works for me too!
I made some changes removing the certificates section in the service definition.
<WebRole name="WCFServiceBizagiCloud" vmsize="Standard_D1_v2">
<Sites>
<Site name="Web">
<Bindings>
<!--<Binding name="Endpoint1" endpointName="Endpoint1" />-->
<Binding name="HttpIn" endpointName="HttpIn" />
<Binding name="HttpsIn" endpointName="HttpsIn" />
</Bindings>
</Site>
</Sites>
<ConfigurationSettings>
<Setting name="Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString" />
</ConfigurationSettings>
<Endpoints>
<!--<InputEndpoint name="Endpoint1" protocol="http" port="80" />-->
<InputEndpoint name="HttpIn" protocol="http" port="8080" />
<InputEndpoint name="HttpsIn" protocol="https" port="443" />
</Endpoints>
<!--<Certificates>
<Certificate name="MySSLCert" storeLocation="LocalMachine" storeName="My" />
</Certificates>-->
</WebRole>
I am trying to create a WCF service that uses certificate authentication over SSL to create a Business to Business gateway. I have created a CA and a client certificate and put them in the Trusted root and personal folders respectively. I have set up the SSL routing but I keep getting the following error ‘The security protocol cannot verify the incoming message.’ And I can’t figure out why.
Below is my service configuration:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.serviceModel>
<services>
<service name="B2BGateway.SSOBackChannel" behaviorConfiguration="B2B">
<endpoint binding="wsHttpBinding"
bindingConfiguration="WSCertificateSecurity"
contract="B2BGateway.Contracts.ISSOBackChannel"
address="https://blah.com/SSOBackChannel.svc"></endpoint>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="B2B">
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<serviceCertificate />
<clientCertificate>
<authentication certificateValidationMode="PeerTrust" />
</clientCertificate>
</serviceCredentials>
<serviceAuthorization principalPermissionMode="None"></serviceAuthorization>
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="B2B">
<clientCredentials>
<clientCertificate findValue="2e2ecba0f33265085cc53cb53c0b00977aaa9e9e" storeName="My" storeLocation="LocalMachine" x509FindType="FindByThumbprint" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="WSCertificateSecurity">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" proxyCredentialType="None" realm="" />
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
</system.serviceModel>
<system.diagnostics>
<sources>
<!-- See here for recommended diagnostics settings: http://msdn.microsoft.com/en-us/library/aa702726.aspx -->
<source name="System.ServiceModel" switchValue="Warning,Information,ActivityTracing,Verbose" propagateActivity="true">
<listeners>
<add name="traceListener" type="System.Diagnostics.XmlWriterTraceListener" initializeData="d:\logs\gah.svclog" />
</listeners>
</source>
</sources>
</system.diagnostics>
<system.webServer>
<directoryBrowse enabled="true" />
</system.webServer>
</configuration>
And the client configuration is just the autogenerated code:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_ISSOBackChannel" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
<message clientCredentialType="Certificate" negotiateServiceCredential="true"
algorithmSuite="Default" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://blah.com/SSOBackChannel.svc"
binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_ISSOBackChannel"
contract="SSOBackChannelService.ISSOBackChannel" name="WSHttpBinding_ISSOBackChannel" />
</client>
</system.serviceModel>
</configuration>
I wrote a unit test to see if the thing works which is where I’m getting the error...
[TestMethod]
public void Should_Call_Service_As_Machine_Does_Have_x509Certificate()
{
SSOBackChannelClient service = new SSOBackChannelClient();;
service.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "2e2ecba0f33265085cc53cb53c0b00977aaa9e9e");
var result = service.CheckBackChannelToken("123456789");
}
Any help would be so greatly appreciated!!
Josh
You are using wsHttpBinding but you havent specified the certificate it needs to use to secure your transport channel. Try to specify a certificate it needs to use. i.e. for SSL
Also try enabling tracing on your service. See here how to enable tracing.
These scenarios work in their pieces. Its when i put it all together that it breaks.
I have a WCF service using netTCP that uses impersonation to get the callers ID (role based security will be used at this level)
on top of this is a WCF service using basicHTTP with TransportCredientialOnly which also uses impersonation
I then have a client front end that connects to the basicHttp.
the aim of the game is to return the clients username from the netTCP service at the bottom - so ultimatley i can use role based security here.
each service is on a different machine - and each service works when you remove any calls they make to other services when you run a client for them both locally and remotley. IE the problem only manifests when you jump accross more than one machine boundary.
IE the setup breaks when i connect each part together - but they work fine on their own.
I also specify
[OperationBehavior(Impersonation = ImpersonationOption.Required)] in the method and
have IIS setup to only allow windows authentication (actually i have ananymous enabled still, but disabling makes no difference)
This impersonation works fine in the scenario where i have a netTCP Service on Machine A with a client with a basicHttp service on machine B with a clinet for the basicHttp service also on machine B ... however if i move that client to any machine C i get the following error:
The exception is 'The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:10:00''
the inner message is 'An existing connection was forcibly closed by the remote host'
Am beginning to think this is more a network issue than config ... but then im grasping at straws ...
the config files are as follows (heading from the client down to the netTCP layer)
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="basicHttpBindingEndpoint" closeTimeout="00:02:00"
openTimeout="00:02:00" receiveTimeout="00:10:00" sendTimeout="00:02:00"
allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" proxyCredentialType="None"
realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="http://panrelease01/WCFTopWindowsTest/Service1.svc"
binding="basicHttpBinding" bindingConfiguration="basicHttpBindingEndpoint"
contract="ServiceReference1.IService1" name="basicHttpBindingEndpoint"
behaviorConfiguration="ImpersonationBehaviour" />
</client>
<behaviors>
<endpointBehaviors>
<behavior name="ImpersonationBehaviour">
<clientCredentials>
<windows allowedImpersonationLevel="Impersonation"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
the service for the client (basicHttp service and the client for the netTCP service)
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.serviceModel>
<bindings>
<netTcpBinding>
<binding name="netTcpBindingEndpoint" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions"
hostNameComparisonMode="StrongWildcard" listenBacklog="10" maxBufferPoolSize="524288"
maxBufferSize="65536" maxConnections="10" maxReceivedMessageSize="65536">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Transport">
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
<message clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
<basicHttpBinding>
<binding name="basicHttpWindows">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows"></transport>
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="net.tcp://5d2x23j.panint.com/netTCPwindows/Service1.svc"
binding="netTcpBinding"
bindingConfiguration="netTcpBindingEndpoint"
contract="ServiceReference1.IService1"
name="netTcpBindingEndpoint"
behaviorConfiguration="ImpersonationBehaviour">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="ImpersonationBehaviour">
<clientCredentials>
<windows allowedImpersonationLevel="Impersonation" allowNtlm="true"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="WCFTopWindowsTest.basicHttpWindowsBehaviour">
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="true" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service name="WCFTopWindowsTest.Service1"
behaviorConfiguration="WCFTopWindowsTest.basicHttpWindowsBehaviour">
<endpoint address=""
binding="basicHttpBinding"
bindingConfiguration="basicHttpWindows"
name ="basicHttpBindingEndpoint"
contract ="WCFTopWindowsTest.IService1">
</endpoint>
</service>
</services>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
<directoryBrowse enabled="true" />
</system.webServer>
</configuration>
then finally the service for the netTCP layer
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authentication mode="Windows"></authentication>
<authorization>
<allow roles="*"/>
</authorization>
<compilation debug="true" targetFramework="4.0" />
<identity impersonate="true" />
</system.web>
<system.serviceModel>
<bindings>
<netTcpBinding>
<binding name="netTCPwindows">
<security mode="Transport">
<transport clientCredentialType="Windows"></transport>
</security>
</binding>
</netTcpBinding>
</bindings>
<services>
<service behaviorConfiguration="netTCPwindows.netTCPwindowsBehaviour" name="netTCPwindows.Service1">
<endpoint address="" bindingConfiguration="netTCPwindows" binding="netTcpBinding" name="netTcpBindingEndpoint" contract="netTCPwindows.IService1">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
<endpoint address="mextcp" binding="mexTcpBinding" contract="IMetadataExchange"/>
<host>
<baseAddresses>
<add baseAddress="net.tcp://localhost:8721/test2" />
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="netTCPwindows.netTCPwindowsBehaviour">
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="false" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
<directoryBrowse enabled="true" />
</system.webServer>
</configuration>
If you need to make a more than one hop, you're going to need to enable delegation for that occur. You can get more information on that here.
That being said, if all you need to do is determine the role of a user that calls the backend service (netTcp), you don't necessarily need impersonation as the TokenImpersonationLevel of the WindowsIdentity should only need to be Information in order to determine role membership. In this case, you would only need to ensure impersonation was taking place in the middle-tier (basicHttp).
I have a WCF service hosted in IIS7 with netTCP enabled.
This is my web.config in %apppath%\ , where the SVC file is.
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<services>
<service name="Search.Querier.WCF.Querier" behaviorConfiguration="SearcherServiceBehavior">
<host>
<baseAddresses>
<add baseAddress="http://localhost:8050/SearcherService"/>
</baseAddresses>
</host>
<endpoint address="net.tcp://localhost:9000/SearcherService"
binding="netTcpBinding"
bindingConfiguration="Binding1"
contract="Search.Querier.WCF.IQuerier" />
</service>
</services>
<bindings>
<netTcpBinding>
<binding name="Binding1"
hostNameComparisonMode="StrongWildcard"
sendTimeout="00:10:00"
maxReceivedMessageSize="65536"
transferMode="Buffered"
portSharingEnabled="false">
<security mode="None">
<transport clientCredentialType="None" />
<message clientCredentialType="None" />
</security>
</binding>
</netTcpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="SearcherServiceBehavior">
<serviceMetadata httpGetEnabled="true" httpGetUrl=""/>
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
<system.web>
<compilation debug="true" />
</system.web>
</configuration>
For some reason, instead of loading on port 8050 as I specified, I see the blue and beige site showing the site at:
http://localhost/SearcherService/searcherservice.svc
and not
http://localhost:8050/SearcherService/searcherservice.svc
Additionally, when I try to run
svcutil.exe http://process.mycomp.com/SearcherService/SearcherService.svc?wsdl
as the page rendered on the URL says, I get an error:
Metadata contains a reference that cannot be resolved: 'http://process.mycomp.com/SearcherService/SearcherService.svc?wsdl'
But I have that specified nowhere else in my web.config
Is there anywhere else it could be?
You are missing a MEX endpoint, have a look at this link:
http://bloggingabout.net/blogs/dennis/archive/2006/11/09/WCF-Part-4-3A00-Make-your-service-visible-through-metadata.aspx