SAML2 using Thinktecture and WCF - wcf

I'm setting up a SAML2 STS using Thinktecture IdentityServer and a WCF Service.
The idea is to have Thinktecture supply the Assertions that are then used in the WCF Service.
Now, I have it running all fine with SAML 1.1 Assertions - urn:oasis:names:tc:SAML:1.0:assertion
The assertions are something like this:
<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_4e06770b-7fa0-425f-a4f3-263710f135d7" Issuer="https://localhost:123" IssueInstant="2014-01-18T16:16:38.099Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2014-01-18T16:16:37.662Z" NotOnOrAfter="2014-01-18T16:26:37.662Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>https://localhost:44300/</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>...
Now, the requirement is to use SAML2, not the previous version. So changing the Token type in Thinktecture is simple and the new Assertion generates fine and gets picked up by the client just fine.
New SAML2 Assertion:
<Assertion ID="_f9c48402-857a-4cc3-8525-1af307ef3a01" IssueInstant="2014-01-18T16:32:18.038Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>https://localhost:123</Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="#_f9c48402-857a-4cc3-8525-1af307ef3a01">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>Nib1Bs9jy13unYShm08EcncqFsOS5IwVuWQ4tGoe4Pg=</DigestValue>
</Reference>
</SignedInfo> ...
But when we then try to consume the WCF by passing the new assertion we get the exception:
XmlException: Cannot read the token from the 'Assertion' element with the 'urn:oasis:names:tc:SAML:2.0:assertion' namespace for BinarySecretSecurityToken, with a '' ValueType. If this element is expected to be valid, ensure that security is configured to consume tokens with the name, namespace and value type specified
Here's an excerpt of WCF web.config:
...
<services>
<service name="testsys.RFD.FormManager.RFDFormManagerService" behaviorConfiguration="testsys.RFD.FormManagerBehavior">
<endpoint address="" binding="ws2007FederationHttpBinding" bindingConfiguration="ws2007FederationHttpBinding" contract="FormManager_PortType" />
</service>
</services>
<protocolMapping>
<!--<add scheme="http" binding="ws2007FederationHttpBinding" />
<add scheme="http" binding="ws2007FederationHttpBinding" />-->
<add binding="ws2007FederationHttpBinding" scheme="https" />
<add binding="wsHttpBinding" scheme="https" />
</protocolMapping>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_ILoggerService" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxBufferSize="65536" maxReceivedMessageSize="65536" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true" messageEncoding="Text">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="None">
<transport clientCredentialType="None" proxyCredentialType="None" realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>
<ws2007FederationHttpBinding>
<binding name="ws2007FederationHttpBinding">
<security mode="TransportWithMessageCredential">
<message establishSecurityContext="false" issuedKeyType="BearerKey">
<!-- issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"-->
<issuerMetadata address="https://localhost:123/adfs/services/trust/mex" />
</message>
</security>
</binding>
<binding name="">
<security mode="TransportWithMessageCredential">
<message>
<issuerMetadata address="https://localhost:123/adfs/services/trust/mex" />
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
<wsHttpBinding>
<binding name="RFD_Binding_HTTP" closeTimeout="00:10:00" openTimeout="00:10:00" receiveTimeout="00:10:00" sendTimeout="00:10:00" bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
<reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
<security mode="None">
<transport clientCredentialType="None" proxyCredentialType="None">
<extendedProtectionPolicy policyEnforcement="Never" />
</transport>
<message negotiateServiceCredential="false" establishSecurityContext="false" />
</security>
</binding>
<binding name="wsHttpBinding_IRFDFormManager" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
<binding name="HttpBinding_IRFDFormManager" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647">
<security mode="None" />
</binding>
<binding name="WSHttpBinding_IRESTFormManager">
<security mode="None" />
</binding>
</wsHttpBinding>
...
<behavior name="testsys.RFD.FormManagerBehavior">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" httpsGetUrl="https://localhost:44300/RFDFormManager.svc" />
<serviceDebug includeExceptionDetailInFaults="true" />
<useRequestHeadersForMetadataAddress />
<serviceCredentials>
<serviceCertificate findValue="65A34BC197C2E1334D971613521D53D3B5B807FF" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
<issuedTokenAuthentication certificateValidationMode="None">
<!-- The X.509 certificate CN=localhost chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider -->
<allowedAudienceUris>
<add allowedAudienceUri="https://localhost:44300/" />
</allowedAudienceUris>
</issuedTokenAuthentication>
<clientCertificate>
<authentication certificateValidationMode="None" />
</clientCertificate>
</serviceCredentials>
<serviceAuthorization principalPermissionMode="Always" />
<serviceSecurityAudit auditLogLocation="Application" suppressAuditFailure="true" serviceAuthorizationAuditLevel="Failure" messageAuthenticationAuditLevel="Failure" />
</behavior>
...
<system.identityModel>
<identityConfiguration saveBootstrapContext="true">
<securityTokenHandlers>
<add type="System.IdentityModel.Tokens.Saml2SecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
</securityTokenHandlers>
<audienceUris>
<!-- <add value="https://localhost:44300/" />-->
<add value="https://localhost:44300/" />
</audienceUris>
<!--Commented by Identity and Access VS Package-->
<!--<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry"><authority name="https://localhost:123"><keys><add thumbprint="7C399B2EA330F507902C81280E77407242FF6916" /></keys><validIssuers><add name="https://localhost:123" /></validIssuers></authority></issuerNameRegistry>-->
<!--certificationValidationMode set to "None" by the the Identity and Access Tool for Visual Studio. For development purposes.-->
<!--<certificateValidation certificateValidationMode="None" />-->
<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<trustedIssuers>
<!--<add thumbprint="7C399B2EA330F507902C81280E77407242FF6916" name="https://localhost:123" />-->
<add thumbprint="65A34BC197C2E1334D971613521D53D3B5B807FF" name="https://localhost:123" />
<add thumbprint="15abb1aef64def860ca543f54fc8dee222d49b86" name="https://localhost:123" />
</trustedIssuers>
</issuerNameRegistry>
<!--certificationValidationMode set to "None" by the the Identity and Access Tool for Visual Studio. For development purposes.-->
<certificateValidation certificateValidationMode="None" revocationMode="NoCheck" />
<!--revocationMode="NoCheck" should not be used to prod.-->
</identityConfiguration>
</system.identityModel>
<system.identityModel.services>
<federationConfiguration>
<cookieHandler requireSsl="true" />
<!--<wsFederation passiveRedirectEnabled="true" issuer="https://localhost:123/issue/wsfed" realm="https://localhost:44300" reply="https://localhost:44300" requireHttps="false" />-->
<wsFederation passiveRedirectEnabled="true" issuer="https://localhost:123/issue/wsfed" realm="https://localhost:44300/" reply="https://localhost:44300/" requireHttps="true" />
</federationConfiguration>
</system.identityModel.services>
...
So what are we doing wrong?

I can't be bothered to go through your WCF configuration - especially since most of it is not related to the question.
You don't need to do anything "special" in WCF to consume SAML2 tokens - follow this simple sample - and then re-integrate into your application:
http://leastprivilege.com/2012/11/16/wcf-and-identity-in-net-4-5-external-authentication-with-ws-trust/

Related

ws2007FederationHttpBinding and WIF delegation

I have a website that logs in using an STS, then gets a delegated token using the bootstrap token. I am then trying to use the delegated token to connect to a WCF service. I believe it's my WCF config that's wrong. I've tried so many different configurations I'm lost.
I've gotten various errors from "Description Failed to lookup a channel to receive an incoming message. Either the endpoint or the SOAP action was not found." to Audience URI missing in the SAML token.
I'm fairly sure it's the federated configurations.
Any ideas would be helpful!!
Or anybody have an example of delegation to a wcf service?
Thanks!
This is the channel factory code.
private static IService1 GetServiceProxy(SecurityToken token)
{
var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
binding.Security.Message.EstablishSecurityContext = false;
var factory = new ChannelFactory<IService1>(
binding,
new EndpointAddress(serviceAddress));
factory.Credentials.SupportInteractive = false;
factory.ConfigureChannelFactory();
var channel = factory.CreateChannelWithIssuedToken(token);
return channel;
}
This is the services config. I've got 3 various sub-bindings that I've tried as well.
<system.serviceModel>
<diagnostics>
<messageLogging logMessagesAtServiceLevel="true"
logMessagesAtTransportLevel="true"
logKnownPii="true"
logEntireMessage="true"
logMalformedMessages="true" />
</diagnostics>
<bindings>
<ws2007FederationHttpBinding>
<binding name="ServiceHost_Service1">
<security mode="TransportWithMessageCredential">
<message establishSecurityContext="false" issuedKeyType="SymmetricKey">
<issuerMetadata address="https://localhost/sts2/issue/wstrust/mex"/>
<issuer address="http://localhost/sts2/issue/wstrust/message/username"
binding="ws2007HttpBinding"
bindingConfiguration="https://localhost/sts2/issue/wstrust/message/username">
<identity>
<certificate encodedValue="certblahblah"/>
</identity>
</issuer>
<tokenRequestParameters></tokenRequestParameters>
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
<ws2007HttpBinding>
<binding name="https://localhost/sts2/issue/wstrust/mixed/username"
closeTimeout="00:01:00"
openTimeout="00:01:00"
receiveTimeout="00:10:00"
sendTimeout="00:01:00"
bypassProxyOnLocal="false"
transactionFlow="false"
hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288"
maxReceivedMessageSize="65536"
messageEncoding="Text"
textEncoding="utf-8"
useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32"
maxStringContentLength="8192"
maxArrayLength="16384"
maxBytesPerRead="4096"
maxNameTableCharCount="16384" />
<reliableSession ordered="true"
inactivityTimeout="00:10:00"
enabled="false" />
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None"
proxyCredentialType="None"
realm="" />
<message clientCredentialType="UserName"
negotiateServiceCredential="true"
algorithmSuite="Default"
establishSecurityContext="false" />
</security>
</binding>
<binding name="https://localhost/sts2/issue/wstrust/mixed/certificate"
closeTimeout="00:01:00"
openTimeout="00:01:00"
receiveTimeout="00:10:00"
sendTimeout="00:01:00"
bypassProxyOnLocal="false"
transactionFlow="false"
hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288"
maxReceivedMessageSize="65536"
messageEncoding="Text"
textEncoding="utf-8"
useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32"
maxStringContentLength="8192"
maxArrayLength="16384"
maxBytesPerRead="4096"
maxNameTableCharCount="16384" />
<reliableSession ordered="true"
inactivityTimeout="00:10:00"
enabled="false" />
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None"
proxyCredentialType="None"
realm="" />
<message clientCredentialType="Certificate"
negotiateServiceCredential="true"
algorithmSuite="Default"
establishSecurityContext="false" />
</security>
</binding>
<binding name="https://localhost/sts2/issue/wstrust/message/username"
closeTimeout="00:01:00"
openTimeout="00:01:00"
receiveTimeout="00:10:00"
sendTimeout="00:01:00"
bypassProxyOnLocal="false"
transactionFlow="false"
hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288"
maxReceivedMessageSize="65536"
messageEncoding="Text"
textEncoding="utf-8"
useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32"
maxStringContentLength="8192"
maxArrayLength="16384"
maxBytesPerRead="4096"
maxNameTableCharCount="16384" />
<reliableSession ordered="true"
inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Message">
<transport clientCredentialType="Windows"
proxyCredentialType="None"
realm="" />
<message clientCredentialType="UserName"
negotiateServiceCredential="false"
algorithmSuite="Default"
establishSecurityContext="false" />
</security>
</binding>
</ws2007HttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior>
<federatedServiceHostConfiguration/>
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="true"/>
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true"/>
<serviceCredentials>
<serviceCertificate findValue="1d076d8f9dff87a44b59d09ec0e1bc60"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindBySerialNumber">
</serviceCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<extensions>
<behaviorExtensions>
<add name="federatedServiceHostConfiguration"
type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
</behaviorExtensions>
</extensions>
<services>
<service name="ServiceHost_Service1">
<endpoint binding="ws2007FederationHttpBinding"
bindingConfiguration="ServiceHost_Service1"
contract="ServiceHost.IService1">
<identity>
<servicePrincipalName value="localhost"/>
<certificate encodedValue="certblahblah"/>
</identity>
</endpoint>
<endpoint address="MEX" binding="mexHttpBinding" bindingConfiguration="" contract="IMetadataExchange"/>
</service>
</services>
<!--<client>
<endpoint binding="customBinding"
bindingConfiguration="ServiceHost_Service1"
contract="ServiceHost.IService1">
<identity>
<userPrincipalName value="localhost"/>
<certificate encodedValue="certblahblahblah"/>
</identity>
</endpoint>
</client>-->
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
This is the identity config
<microsoft.identityModel>
<certificateValidation revocationMode="NoCheck"
certificateValidationMode="None" />
<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<trustedIssuers>
<add thumbprint="c4e675b5add2a7d6d59bbd5e04ca30b440e23eff"
name="Thinktecture.IdentityServer" />
</trustedIssuers>
</issuerNameRegistry>
<federatedAuthentication>
<wsFederation passiveRedirectEnabled="false"
issuer="https://localhost/sts2/issue/wsfed"
realm="https://localhost/ServiceHost/" />
<cookieHandler requireSsl="true" />
</federatedAuthentication>
<serviceCertificate>
<certificateReference findValue="1d076d8f9dff87a44b59d09ec0e1bc60"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindBySerialNumber"/>
</serviceCertificate>
I was trying to figure out the active STS / WCF delegation scenario myself and cobbled together a sample project (note that security checks themselves are turned off, this project was to help me understand the flow and dependencies):
https://github.com/colinbowern/TwoTierSts
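The configurations in the two threads above switch off several checks for development, as their own comments note (certificateValidationMode="None", revocationMode="NoCheck", includeExceptionDetailInFaults="true"). An added example, not from any of the posts: a Python check that lists such settings when they are live in a config file and ignores commented-out copies. The sample config is constructed from attributes that appear on this page, and the function and rule names are this example's own.

```python
import xml.etree.ElementTree as ET

# (element name or None for any element, attribute, risky value, finding)
RULES = [
    (None, "certificateValidationMode", "none", "certificate chain validation is disabled"),
    (None, "revocationMode", "nocheck", "certificate revocation is not checked"),
    ("serviceDebug", "includeExceptionDetailInFaults", "true", "exception details are returned in faults"),
    ("serviceMetadata", "httpGetEnabled", "true", "service metadata is served over plain HTTP"),
    ("messageLogging", "logKnownPii", "true", "message logs may contain credentials and other PII"),
    ("security", "mode", "none", "binding has neither transport nor message security"),
    ("wsFederation", "requireHttps", "false", "federation sign-in is allowed over plain HTTP"),
    ("cookieHandler", "requireSsl", "false", "session cookie may be sent over plain HTTP"),
]


def describe(elem):
    """Element name plus its name attribute, so findings point at one binding or behavior."""
    name = elem.get("name")
    return elem.tag + ('[@name="%s"]' % name if name else "")


def audit_config(xml_text):
    """Return [(path, attribute, value, finding)] for settings that are live in the config.

    ElementTree drops XML comments while parsing, so a commented-out
    <certificateValidation .../> is not reported; only the active one is.
    """
    findings = []

    def walk(elem, path):
        here = path + "/" + describe(elem)
        for tag, attr, risky, finding in RULES:
            if tag is not None and elem.tag != tag:
                continue
            value = elem.get(attr)
            if value is not None and value.strip().lower() == risky:
                findings.append((here, attr, value, finding))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return findings


# Constructed sample: a condensed config using settings that appear on this page.
SAMPLE_CONFIG = """<configuration>
  <system.serviceModel>
    <diagnostics>
      <messageLogging logEntireMessage="true" logKnownPii="true" />
    </diagnostics>
    <bindings>
      <ws2007FederationHttpBinding>
        <binding name="federated">
          <security mode="TransportWithMessageCredential">
            <message establishSecurityContext="false" issuedKeyType="BearerKey" />
          </security>
        </binding>
      </ws2007FederationHttpBinding>
      <wsHttpBinding>
        <binding name="plain">
          <security mode="None" />
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="svc">
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceCredentials>
            <issuedTokenAuthentication certificateValidationMode="None" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
  <system.identityModel>
    <identityConfiguration>
      <!--<certificateValidation certificateValidationMode="None" />-->
      <certificateValidation certificateValidationMode="None" revocationMode="NoCheck" />
    </identityConfiguration>
  </system.identityModel>
  <system.identityModel.services>
    <federationConfiguration>
      <cookieHandler requireSsl="true" />
      <wsFederation passiveRedirectEnabled="true" requireHttps="true" />
    </federationConfiguration>
  </system.identityModel.services>
</configuration>"""

if __name__ == "__main__":
    for path, attr, value, finding in audit_config(SAMPLE_CONFIG):
        print('%s: %s="%s" (%s)' % (path, attr, value, finding))
```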

WCF charset=utf-8 of the response message does not match the content type of the binding (application/soap+xml; charset=utf-8)

I'm hosting a WCF service in IIS 7.5 using .NET 4.0. I also have a WPF application that I am using as my client that was built with Visual Studio 2010 and .NET 4.0. I added my service reference and when I attempt to call a function, I get the following exception
The content type application/xml; charset=utf-8 of the response message does not match the content type of the binding (application/soap+xml; charset=utf-8)
I am able to navigate to the service in a web browser and my bindings appear to be the same between the client and service (WsHttp bindings).
I know there are a lot of Google results about this error but none of them seemed to be relevant/help my specific problem. I tried installing Non-HTTP Activation features as well as a wide variety of other small tricks. Anybody be able to help? Thanks
edit, here are my configs (they are quite lengthy)
Client
<?xml version="1.0"?>
<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="ContentSoap"
closeTimeout="00:01:00" openTimeout="00:01:00"
receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false"
bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferSize="2147483647" maxBufferPoolSize="2147483647"
maxReceivedMessageSize="2147483647"
messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192"
maxArrayLength="2147483647"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="None">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
<binding name="OrderSoap"
closeTimeout="00:01:00" openTimeout="00:01:00"
receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false"
bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferSize="65536" maxBufferPoolSize="524288"
maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192"
maxArrayLength="16384" maxBytesPerRead="4096"
maxNameTableCharCount="16384" />
<security mode="None">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>
<netTcpBinding>
<binding name="NetTcpBindingEndpoint" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
transactionFlow="false" transferMode="Buffered"
transactionProtocol="OleTransactions"
hostNameComparisonMode="StrongWildcard" listenBacklog="10"
maxBufferPoolSize="2147000000" maxBufferSize="65536" maxConnections="10"
maxReceivedMessageSize="2147000000">
<readerQuotas maxDepth="32" maxStringContentLength="8192"
maxArrayLength="2147000000" maxBytesPerRead="4096"
maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:01:00"
enabled="true" />
<security mode="None">
<transport clientCredentialType="Windows"
protectionLevel="EncryptAndSign" />
<message clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
<wsHttpBinding>
<binding name="WSHttpBinding_IInmateCanteenServiceWeb"
closeTimeout="00:01:00" openTimeout="00:01:00"
receiveTimeout="00:10:00" sendTimeout="00:01:00"
bypassProxyOnLocal="false" transactionFlow="false"
hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647"
messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192"
maxArrayLength="16384" maxBytesPerRead="4096"
maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Transport">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint name="ContentSoap"
address="http://media.team.twvending.net/storeservices/content.asmx"
binding="basicHttpBinding" bindingConfiguration="ContentSoap"
contract="MediaPortContent.ContentSoap" />
<endpoint name="OrderSoap"
address="http://media.team.twvending.net/storeservices/order.asmx"
binding="basicHttpBinding" bindingConfiguration="OrderSoap"
contract="MediaPortOrder.OrderSoap" />
<endpoint name="NetTcpBindingEndpoint"
address="..."
binding="netTcpBinding" bindingConfiguration="NetTcpBindingEndpoint"
contract="WebCallBack.ICallbackService" />
<endpoint name="WSHttpBinding_IInmateCanteenServiceWeb"
address="..."
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_IInmateCanteenServiceWeb"
contract="InmateCanteenWeb.IInmateCanteenServiceWeb" />
<endpoint name="WSHttpBinding_ICommAccountingBinding"
address="..."
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_IInmateCanteenServiceWeb"
contract="CommAccountingWeb.ICommAccountingWeb" />
</client>
</system.serviceModel>
and Server
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="httpBehavior">
<!--<webHttp />-->
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior">
<serviceCredentials>
<clientCertificate>
<authentication revocationMode="NoCheck" />
</clientCertificate>
<serviceCertificate findValue="CN=secure.inmatecanteen.com" />
</serviceCredentials>
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="MexBehavior">
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="HttpMexBehavior">
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="BasicHttpMexBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="">
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="false"
multipleSiteBindingsEnabled="true" />
<bindings>
<wsHttpBinding>
<binding name="myWsHttpBinding" maxBufferPoolSize="2147483647"
maxReceivedMessageSize="2147483647" messageEncoding="Text">
<readerQuotas maxDepth="32" maxStringContentLength="2147483647"
maxArrayLength="2147483647" maxBytesPerRead="2147483647"
maxNameTableCharCount="2147483647" />
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</wsHttpBinding>
<webHttpBinding>
<binding name="myWebHttpBinding">
<security mode="Transport">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
</security>
</binding>
</webHttpBinding>
<basicHttpBinding>
<binding name="myBasicHttpBinding" maxBufferPoolSize="2147483647"
maxReceivedMessageSize="2147483647">
<readerQuotas maxDepth="32" maxStringContentLength="2147483647"
maxArrayLength="2147483647" maxBytesPerRead="2147483647"
maxNameTableCharCount="2147483647" />
</binding>
</basicHttpBinding>
</bindings>
<services>
<service name="CommAccountingWeb.CommAccountingWeb"
behaviorConfiguration="HttpMexBehavior">
<endpoint
address=""
behaviorConfiguration="httpBehavior"
binding="webHttpBinding" bindingConfiguration="myWebHttpBinding"
contract="CommAccountingWeb.ICommAccountingWeb" />
<endpoint
address="mex"
binding="mexHttpsBinding"
contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="..."></add>
</baseAddresses>
</host>
</service>
<service name="CommAccountingWeb.CommAccountingBasic"
behaviorConfiguration="BasicHttpMexBehavior">
<endpoint
address=""
binding="basicHttpBinding"
bindingConfiguration="myBasicHttpBinding"
contract="CommAccountingWeb.ICommAccountingBasic" />
<endpoint
address="mex"
binding="mexHttpBinding"
contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="..." />
</baseAddresses>
</host>
</service>
</services>
</system.serviceModel>
As I suspected - your client-side config looks like this:
<endpoint name="WSHttpBinding_ICommAccountingBinding"
address="https://secure.inmatecanteen.com/CommAccountingService/CommAccountingWeb.svc"
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_IInmateCanteenServiceWeb"
contract="CommAccountingWeb.ICommAccountingWeb" />
It expects wsHttpBinding - but the server-side address it's connecting to is:
<service name="CommAccountingWeb.CommAccountingWeb"
behaviorConfiguration="HttpMexBehavior">
<endpoint
address=""
behaviorConfiguration="httpBehavior"
binding="webHttpBinding" bindingConfiguration="myWebHttpBinding"
contract="CommAccountingWeb.ICommAccountingWeb" />
<host>
<baseAddresses>
<add baseAddress="https://secure.inmatecanteen.com/CommAccountingService/CommAccountingWeb.svc"></add>
</baseAddresses>
</host>
</service>
and this server endpoint uses webHttpBinding.
So while the client expects a SOAP XML message (content type: application/soap+xml; charset=utf-8), the server-side endpoint is a REST endpoint which returns plain XML (content type: application/xml; charset=utf-8)
Solution: you need to make sure both the client and the server endpoint used are in sync with regards to bindings and configuration!
As Steven Westbrook says in a comment on this answer:
Add ?wsdl to your client's endpoint address, and you should have more luck with the service. ?wsdl is important - it means the browser is just getting "Web Services Description Language" for the service, and not calling the service.
I had the same issue and adding ?wsdl solved my headache.
I came across a similar error while creating a client service to one of the existing server side WebServices. I could rectify it using SOAP 1.1 transport protocol on the client. Somehow SOAP 1.2 is giving/expecting a different format. This traces back to the difference between BasicHttpBinding vs WebHttpBinding vs WsHttpBinding.
I got this problem after I added a method that returned a collection of instances of a base class that didn't have a [KnownType] attribute that would resolve to a concrete instance.
With the [KnownType] attribute in place the problem disappeared.
[ServiceContract]
public interface IService {
[OperationContract]
IEnumerable<ItemBase> GetItems();
}
[DataContract]
// [KnownType(typeof(RealItemA))] <--- without these attributes you will get a problem
// [KnownType(typeof(RealItemB))]
public class ItemBase {
}
[DataContract]
public class RealItemA : ItemBase {
}
[DataContract]
public class RealItemB : ItemBase {
}
In my case the same error was caused by missing
[DataContract]
[DataMember]
attributes in the returned data type.
Error message was really misleading.
In my case a specific service was using SOAP 1.1 instead of the usual 1.2.
I had to change the binding from this:
<system.serviceModel>
<bindings>
<customBinding>
<binding name="ServiceSoapBinding">
<textMessageEncoding messageVersion="Soap12"/>
</binding>
</customBinding>
</bindings>
</system.serviceModel>
To this:
<system.serviceModel>
<bindings>
<customBinding>
<binding name="ServiceSoapBinding">
<textMessageEncoding messageVersion="Soap11"/>
</binding>
</customBinding>
</bindings>
</system.serviceModel>
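The diagnosis above (client on wsHttpBinding, service on webHttpBinding) and the SOAP 1.1 versus 1.2 answers come down to the same comparison, shown here as an added Python example that is not from any of the posts. The host names and the Legacy service are constructed, and the content-type table assumes the bindings' default text encoding.

```python
import xml.etree.ElementTree as ET

SOAP11 = ("SOAP 1.1", "text/xml")
SOAP12 = ("SOAP 1.2", "application/soap+xml")
POX = ("plain XML (REST)", "application/xml")

# Default wire format of the standard HTTP bindings with text encoding.
WIRE_FORMAT = {
    "basicHttpBinding": SOAP11,
    "wsHttpBinding": SOAP12,
    "ws2007HttpBinding": SOAP12,
    "ws2007FederationHttpBinding": SOAP12,
    "webHttpBinding": POX,
}


def wire_format(root, endpoint):
    """Return (envelope, content type) for an <endpoint>, or None if it cannot be told."""
    binding = endpoint.get("binding")
    if binding != "customBinding":
        return WIRE_FORMAT.get(binding)
    wanted = endpoint.get("bindingConfiguration")
    for custom in root.iter("customBinding"):
        for named in custom.findall("binding"):
            encoding = named.find("textMessageEncoding")
            if named.get("name") == wanted and encoding is not None:
                # WCF's default for textMessageEncoding is Soap12WSAddressing10.
                version = encoding.get("messageVersion", "Soap12WSAddressing10")
                return SOAP11 if version.startswith("Soap11") else SOAP12
    return None


def service_endpoints(root):
    """Map absolute URL -> <endpoint> for every service endpoint in a server config."""
    served = {}
    for service in root.iter("service"):
        bases = [a.get("baseAddress") for a in service.iter("add") if a.get("baseAddress")]
        for endpoint in service.findall("endpoint"):
            relative = endpoint.get("address", "")
            for base in bases:
                url = base.rstrip("/") + ("/" + relative if relative else "")
                served[url.lower()] = endpoint
    return served


def check_bindings(client_xml, server_xml):
    """Return [(client endpoint name, verdict, detail)]; verdict is ok, mismatch or unknown."""
    client_root, server_root = ET.fromstring(client_xml), ET.fromstring(server_xml)
    served = service_endpoints(server_root)
    report = []
    for client in client_root.iter("client"):
        for endpoint in client.findall("endpoint"):
            name = endpoint.get("name", "")
            target = served.get(endpoint.get("address", "").rstrip("/").lower())
            if target is None:
                report.append((name, "unknown", "no service endpoint at this address"))
                continue
            expects = wire_format(client_root, endpoint)
            sends = wire_format(server_root, target)
            if expects is None or sends is None:
                report.append((name, "unknown", "binding not in the table"))
            elif expects == sends:
                report.append((name, "ok", "%s, %s" % expects))
            else:
                report.append((name, "mismatch",
                               "client expects %s (%s) but service answers with %s (%s)"
                               % (expects[1], expects[0], sends[1], sends[0])))
    return report


# Constructed sample configs; svc.example.test and the Legacy service are placeholders.
CLIENT_CONFIG = """<configuration><system.serviceModel>
  <bindings><customBinding>
    <binding name="ServiceSoapBinding">
      <textMessageEncoding messageVersion="Soap12" /><httpsTransport />
    </binding>
  </customBinding></bindings>
  <client>
    <endpoint name="Accounting" address="https://svc.example.test/Accounting.svc"
              binding="wsHttpBinding" contract="CommAccountingWeb.ICommAccountingWeb" />
    <endpoint name="Legacy" address="https://svc.example.test/Legacy.svc"
              binding="customBinding" bindingConfiguration="ServiceSoapBinding"
              contract="Legacy.IService" />
    <endpoint name="Basic" address="https://svc.example.test/Basic.svc"
              binding="basicHttpBinding" contract="CommAccountingWeb.ICommAccountingBasic" />
  </client>
</system.serviceModel></configuration>"""

SERVER_CONFIG = """<configuration><system.serviceModel><services>
  <service name="CommAccountingWeb.CommAccountingWeb">
    <endpoint address="" binding="webHttpBinding" contract="CommAccountingWeb.ICommAccountingWeb" />
    <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
    <host><baseAddresses><add baseAddress="https://svc.example.test/Accounting.svc" /></baseAddresses></host>
  </service>
  <service name="Legacy.Service">
    <endpoint address="" binding="basicHttpBinding" contract="Legacy.IService" />
    <host><baseAddresses><add baseAddress="https://svc.example.test/Legacy.svc" /></baseAddresses></host>
  </service>
  <service name="CommAccountingWeb.CommAccountingBasic">
    <endpoint address="" binding="basicHttpBinding" contract="CommAccountingWeb.ICommAccountingBasic" />
    <host><baseAddresses><add baseAddress="https://svc.example.test/Basic.svc" /></baseAddresses></host>
  </service>
</services></system.serviceModel></configuration>"""

if __name__ == "__main__":
    for name, verdict, detail in check_bindings(CLIENT_CONFIG, SERVER_CONFIG):
        print("%-10s %-8s %s" % (name, verdict, detail))
```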

How can I debug a WCF client using username/password in the header encrypted with SSL

I'm still trying to get WCF to talk to CXF. I used a sample from http://rocksolidknowledge.com/Download.mvc and it looks to me like the code works because when I change the username in the client, I see the new username in the service.
I tried to add logging in the client app.config to save what is being sent to the service.
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_Av1Service" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
<message clientCredentialType="UserName" negotiateServiceCredential="true"
algorithmSuite="Default" establishSecurityContext="true" />
</security>
<!--
<security mode="None">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
<message clientCredentialType="UserName" negotiateServiceCredential="true"
algorithmSuite="Default" establishSecurityContext="true" />
</security>
-->
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="client">
<clientCredentials>
<serviceCertificate>
<authentication certificateValidationMode="None"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<client>
<endpoint address="https://darsdevlaptop:8015/DarsWebServices/services/av1" binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_Av1Service" contract="Av1ServiceReference.Av1Service"
name="WSHttpBinding_Av1Service" />
<!--
<endpoint
address="http://localhost:9015/DarsWebServices/services/av1" binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_Av1Service" contract="Av1ServiceReference.Av1Service"
name="WSHttpBinding_Av1Service" />
-->
</client>
<diagnostics>
<messageLogging logEntireMessage="true"
logMalformedMessages="true"
logMessagesAtServiceLevel="true"
logMessagesAtTransportLevel="true"
maxMessagesToLog="3000"
maxSizeOfMessageToLog="2000"/>
</diagnostics>
</system.serviceModel>
</configuration>
This configuration makes a client_msg.svclog file which I can view with the Microsoft Service Trace Viewer. And inside this file I see
<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
<System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system">
<EventID>0</EventID>
<Type>3</Type>
<SubType Name="Information">0</SubType>
<Level>8</Level>
<TimeCreated SystemTime="2011-12-08T15:27:46.1360000Z" />
<Source Name="System.ServiceModel.MessageLogging" />
<Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" />
<Execution ProcessName="Clieint.vshost" ProcessID="5660" ThreadID="10" />
<Channel />
<Computer>DARSDEVLAPTOP</Computer>
</System>
<ApplicationData>
<TraceData>
<DataItem>
<MessageLogTraceRecord Time="2011-12-08T10:27:46.1320000-05:00" Source="ServiceLevelSendRequest" Type="System.ServiceModel.Channels.BodyWriterMessage" xmlns="http://schemas.microsoft.com/2004/06/ServiceModel/Management/MessageTrace">
<HttpRequest>
<Method>POST</Method>
<QueryString></QueryString>
<WebHeaders>
<VsDebuggerCausalityData>uIDPo7bjbPmwsKdKqJIT7OFhvN8AAAAA+hhv3g5Q+UymaaUAoh1MoXMwGPaCPSlAoTQw7kFj3m8ACQAA</VsDebuggerCausalityData>
</WebHeaders>
</HttpRequest>
<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<a:Action s:mustUnderstand="1">http://tempuri.org/IPing/Ping</a:Action>
<a:MessageID>urn:uuid:85d46f93-9798-41c4-a8fd-e862b3858d46</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
</s:Header>
<s:Body>
<Ping xmlns="http://tempuri.org/"></Ping>
</s:Body>
</s:Envelope>
</MessageLogTraceRecord>
</DataItem>
</TraceData>
</ApplicationData>
And I am dismayed not to find any reference to username or password
<s:Header>
<a:Action s:mustUnderstand="1">http://tempuri.org/IPing/Ping</a:Action>
<a:MessageID>urn:uuid:85d46f93-9798-41c4-a8fd-e862b3858d46</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
</s:Header>
I also tried running fiddler2, but I'm not seeing any username/password there either.
So what is happening? Am I missing how to use the view tools? Is it being passed not in the header? If so, how would I fix that!
Just to explain why I care about this:
I gave code based on the sample to my customer to talk to the CXF
service and the report I'm getting back is that the username/password
is not being passed.
I can't actually debug the communication myself because I can't seem
to get WCF to take the test certificate from CXF.
Everything worked fine WCF to WCF but that isn't what the customer
needs.
I'm feeling very stumped. Thanks for your help.
I don't see the diagnostic source being set, such as this:
<system.diagnostics>
<sources>
<source name="System.ServiceModel.MessageLogging">
<listeners>
<add name="messages"
type="System.Diagnostics.XmlWriterTraceListener"
initializeData="c:\logs\messages.svclog" />
</listeners>
</source>
</sources>
</system.diagnostics>
I hope you have looked at this msdn article.
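An added example, not part of the original posts: the record quoted in the question has Source="ServiceLevelSendRequest", so before concluding that no credential header is sent it helps to list every logged message with its logging point and header elements. The reader below handles the .svclog layout (a run of E2ETraceEvent fragments with no root element); the sample log, including the TransportSend record and its Security header, is constructed for illustration.

```python
import xml.etree.ElementTree as ET

MT = "http://schemas.microsoft.com/2004/06/ServiceModel/Management/MessageTrace"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

# Constructed sample log: two events trimmed to the elements read below.
# The TransportSend record and its Security header are illustrative only.
SAMPLE = """
<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"><ApplicationData><TraceData><DataItem>
<MessageLogTraceRecord Source="ServiceLevelSendRequest" xmlns="http://schemas.microsoft.com/2004/06/ServiceModel/Management/MessageTrace">
<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header><a:Action>http://tempuri.org/IPing/Ping</a:Action><a:MessageID>urn:uuid:constructed-1</a:MessageID></s:Header>
<s:Body/></s:Envelope>
</MessageLogTraceRecord></DataItem></TraceData></ApplicationData></E2ETraceEvent>
<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"><ApplicationData><TraceData><DataItem>
<MessageLogTraceRecord Source="TransportSend" xmlns="http://schemas.microsoft.com/2004/06/ServiceModel/Management/MessageTrace">
<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<s:Header><a:Action>http://tempuri.org/IPing/Ping</a:Action><o:Security><o:UsernameToken/></o:Security></s:Header>
<s:Body/></s:Envelope>
</MessageLogTraceRecord></DataItem></TraceData></ApplicationData></E2ETraceEvent>
"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def summarize(svclog_text):
    """Return one dict per logged message: logging point, header names, WS-Security flag."""
    # A .svclog has no single root element, so wrap the fragments before parsing.
    root = ET.fromstring("<root>" + svclog_text + "</root>")
    rows = []
    for rec in root.iter("{%s}MessageLogTraceRecord" % MT):
        # Match Envelope/Header by local name so SOAP 1.1 and 1.2 both work.
        env = next((c for c in rec if local(c.tag) == "Envelope"), None)
        hdr = None if env is None else next((c for c in env if local(c.tag) == "Header"), None)
        headers = [] if hdr is None else list(hdr)
        rows.append({
            "source": rec.get("Source"),
            "headers": [local(h.tag) for h in headers],
            "ws_security": any(h.tag == "{%s}Security" % WSSE for h in headers),
        })
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```
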

WCF - The security protocol cannot verify the incoming message.

I am trying to create a WCF service that uses certificate authentication over SSL to create a Business to Business gateway. I have created a CA and a client certificate and put them in the Trusted root and personal folders respectively. I have set up the SSL routing but I keep getting the following error ‘The security protocol cannot verify the incoming message.’ And I can’t figure out why.
Below is my service configuration:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.serviceModel>
<services>
<service name="B2BGateway.SSOBackChannel" behaviorConfiguration="B2B">
<endpoint binding="wsHttpBinding"
bindingConfiguration="WSCertificateSecurity"
contract="B2BGateway.Contracts.ISSOBackChannel"
address="https://blah.com/SSOBackChannel.svc"></endpoint>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="B2B">
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<serviceCertificate />
<clientCertificate>
<authentication certificateValidationMode="PeerTrust" />
</clientCertificate>
</serviceCredentials>
<serviceAuthorization principalPermissionMode="None"></serviceAuthorization>
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="B2B">
<clientCredentials>
<clientCertificate findValue="2e2ecba0f33265085cc53cb53c0b00977aaa9e9e" storeName="My" storeLocation="LocalMachine" x509FindType="FindByThumbprint" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="WSCertificateSecurity">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" proxyCredentialType="None" realm="" />
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
</system.serviceModel>
<system.diagnostics>
<sources>
<!-- See here for recommended diagnostics settings: http://msdn.microsoft.com/en-us/library/aa702726.aspx -->
<source name="System.ServiceModel" switchValue="Warning,Information,ActivityTracing,Verbose" propagateActivity="true">
<listeners>
<add name="traceListener" type="System.Diagnostics.XmlWriterTraceListener" initializeData="d:\logs\gah.svclog" />
</listeners>
</source>
</sources>
</system.diagnostics>
<system.webServer>
<directoryBrowse enabled="true" />
</system.webServer>
</configuration>
And the client configuration is just the autogenerated code:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_ISSOBackChannel" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
<message clientCredentialType="Certificate" negotiateServiceCredential="true"
algorithmSuite="Default" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://blah.com/SSOBackChannel.svc"
binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_ISSOBackChannel"
contract="SSOBackChannelService.ISSOBackChannel" name="WSHttpBinding_ISSOBackChannel" />
</client>
</system.serviceModel>
</configuration>
I wrote a unit test to see if the thing works which is where I’m getting the error...
[TestMethod]
public void Should_Call_Service_As_Machine_Does_Have_x509Certificate()
{
SSOBackChannelClient service = new SSOBackChannelClient();
service.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "2e2ecba0f33265085cc53cb53c0b00977aaa9e9e");
var result = service.CheckBackChannelToken("123456789");
}
Any help would be so greatly appreciated!!
Josh
You are using wsHttpBinding but you haven't specified the certificate it needs to use to secure your transport channel. Try to specify a certificate it needs to use, i.e. for SSL.
Also try enabling tracing on your service. See here how to enable tracing.

WCF configuration netTcp, Endpoint is null

I am getting the following error:
"The Address property on ChannelFactory.Endpoint was null. The ChannelFactory's Endpoint must have a valid Address specified."
and I am not sure what I am doing wrong. Does anybody know what the reason for it is? Below are my project's App.config files for the server and client side.
Thank you for your help, regards
<system.serviceModel>
<services>
<service name="Server.DualService" behaviorConfiguration="NetTcpBehavior">
<endpoint address=""
binding="netTcpBinding"
bindingConfiguration="DuplexBinding"
contract="Server.IDualService" />
<endpoint address="mex" binding="mexTcpBinding" contract="Server.IDualService" />
<host>
<baseAddresses>
<add baseAddress="net.tcp://localhost:8731/Service/DualService/" />
</baseAddresses>
</host>
</service>
<service name="Server.PhoneService" behaviorConfiguration="Server.PhoneServiceBehavior">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="" contract="Server.IPhoneService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="http://localhost:4444/Service/PhoneService" />
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="Server.DualServiceBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="Server.PhoneServiceBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="NetTcpBehavior">
<serviceThrottling maxConcurrentSessions="10000" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<netTcpBinding>
<binding name="DuplexBinding" sendTimeout="00:00:11">
<reliableSession enabled="true" />
<security mode="None" />
</binding>
</netTcpBinding>
</bindings>
</system.serviceModel>
CLIENT SIDE
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="DefaultBinding_IPhoneService" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="None">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="">
<extendedProtectionPolicy policyEnforcement="Never" />
</transport>
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
<binding name="DefaultBinding_IDualService" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="None">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="">
<extendedProtectionPolicy policyEnforcement="Never" />
</transport>
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>
<wsHttpBinding>
<binding name="WSHttpBinding_IPhoneService" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Message">
<transport clientCredentialType="Windows" proxyCredentialType="None"
realm="">
<extendedProtectionPolicy policyEnforcement="Never" />
</transport>
<message clientCredentialType="Windows" negotiateServiceCredential="true"
algorithmSuite="Default" establishSecurityContext="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint binding="basicHttpBinding" bindingConfiguration="DefaultBinding_IPhoneService"
contract="IPhoneService" name="DefaultBinding_IPhoneService_IPhoneService" />
<endpoint binding="basicHttpBinding" bindingConfiguration="DefaultBinding_IDualService"
contract="IDualService" name="DefaultBinding_IDualService_IDualService" />
<endpoint address="http://localhost:4444/Service/PhoneService"
binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IPhoneService"
contract="ServiceReference2.IPhoneService" name="WSHttpBinding_IPhoneService">
<identity>
<userPrincipalName value="PANDZIA-PC\PANDZIA" />
</identity>
</endpoint>
</client>
</system.serviceModel>
There is some problem with your configuration. The server specifies DualService over net.tcp but the client uses BasicHttpBinding and does not specify an address. Also, your client has configuration for more endpoints than your service exposes, and the mex endpoint in DualService has an incorrect contract (should be IMetadataExchange).
Only client endpoint for PhoneService looks correct.
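An added example, not part of the original answer: a small consistency check that reproduces the three observations above (client endpoints without an address, a client binding that differs from what the service exposes, and a mex endpoint whose contract is not IMetadataExchange). The two config strings are constructed by trimming the question's configs; matching contracts by their short name (ignoring the namespace) is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed: trimmed copies of the server and client configs from the question.
SERVER = """<system.serviceModel><services>
<service name="Server.DualService">
<endpoint address="" binding="netTcpBinding" contract="Server.IDualService" />
<endpoint address="mex" binding="mexTcpBinding" contract="Server.IDualService" />
</service>
<service name="Server.PhoneService">
<endpoint address="" binding="wsHttpBinding" contract="Server.IPhoneService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services></system.serviceModel>"""
CLIENT = """<system.serviceModel><client>
<endpoint binding="basicHttpBinding" contract="IPhoneService" name="DefaultBinding_IPhoneService_IPhoneService" />
<endpoint binding="basicHttpBinding" contract="IDualService" name="DefaultBinding_IDualService_IDualService" />
<endpoint address="http://localhost:4444/Service/PhoneService" binding="wsHttpBinding"
  contract="ServiceReference2.IPhoneService" name="WSHttpBinding_IPhoneService" />
</client></system.serviceModel>"""

def short(contract):
    """Assumption: compare contracts by type name only, ignoring the namespace."""
    return contract.rsplit(".", 1)[-1]

def check(server_xml, client_xml):
    findings, offered = [], {}
    for svc in ET.fromstring(server_xml).iter("service"):
        for ep in svc.iter("endpoint"):
            binding, contract = ep.get("binding", ""), ep.get("contract", "")
            if binding.startswith("mex"):
                if short(contract) != "IMetadataExchange":
                    findings.append("service %s: mex endpoint uses contract %s, expected IMetadataExchange"
                                    % (svc.get("name"), contract))
            else:
                # Record which bindings the service exposes for each contract.
                offered.setdefault(short(contract), set()).add(binding)
    for ep in ET.fromstring(client_xml).iter("endpoint"):
        name, contract = ep.get("name"), short(ep.get("contract", ""))
        if not ep.get("address"):
            findings.append("client %s: no address" % name)
        if contract not in offered:
            findings.append("client %s: no service endpoint for %s" % (name, contract))
        elif ep.get("binding") not in offered[contract]:
            findings.append("client %s: binding %s but service offers %s"
                            % (name, ep.get("binding"), ", ".join(sorted(offered[contract]))))
    return findings

if __name__ == "__main__":
    print("\n".join(check(SERVER, CLIENT)))
```
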
Everything works, you were right :). Thank you once again. Below I am putting the correct configuration; maybe someday it will help somebody :D:D
On the server side I've corrected IMetadataExchange in the endpoint:
<endpoint address="mex" binding="mexTcpBinding" contract="IMetadataExchange" />
and I changed a little:
<behavior name="NetTcpBehavior">
<serviceMetadata/>
<serviceThrottling maxConcurrentSessions="10000" />
</behavior>
On the client side I deleted most of the generated code relating to DualService and added:
<endpoint name=""
address="net.tcp://localhost:8731/Service/DualService/"
binding="netTcpBinding"
bindingConfiguration="DuplexBinding"
contract="IDualService" />
where the binding looks like:
<netTcpBinding>
<binding name="DuplexBinding" sendTimeout="00:00:05" >
<reliableSession enabled="true" />
<security mode="None" />
</binding>
</netTcpBinding>