I need to use Windows authentication in my application along with claim-based authorization using Windows Identity Foundation. I have used following configuration for my service.
<system.identityModel>
<identityConfiguration>
<claimsAuthorizationManager type="Framework.Authorization.AuthorizationManager, ClaimsAuthorizationService"/>
</identityConfiguration>
</system.identityModel>
<system.serviceModel>
<bindings>
<customBinding>
<binding name="CustomTcpBinding" maxConnections="50" openTimeout="01:20:00" receiveTimeout="20.00:00:00" sendTimeout="00:05:00" closeTimeout="01:20:00">
<security authenticationMode="Kerberos" />
<reliableSession/>
<windowsStreamSecurity protectionLevel="None"/>
<tcpTransport maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647" maxBufferSize="2147483647" />
</binding>
</customBinding>
</bindings>
<services>
<service behaviorConfiguration="Framework.Authorization.DummyRebServiceBehavior" name="Framework.Authorization.DummyRebService">
<endpoint address="IDummyRebService"
binding="customBinding" bindingConfiguration="CustomTcpBinding"
contract="Framework.Authorization.IDummyRebService"
name="IDummyRebService"/>
<endpoint address="mex"
binding="mexTcpBinding"
contract="IMetadataExchange"/>
<host>
<timeouts closeTimeout="00:00:01"/>
<baseAddresses>
<add baseAddress="net.tcp://localhost:8234//DummyRebService"/>
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="Framework.Authorization.DummyRebServiceBehavior">
<serviceCredentials useIdentityConfiguration="true" />
<serviceAuthorization principalPermissionMode="Always" />
<serviceMetadata httpGetEnabled="True"/>
<dataContractSerializer maxItemsInObjectGraph="1000000000"/>
<serviceDebug includeExceptionDetailInFaults="True"/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
I encounter some or other problem as I am working by trial and error but can't find a sure shot solution. Currently the service fails to start because of "Contract required two way, but binding doesn't support..." error. Apart from that previously I was getting userName (authorizationContext.Principal.Identity.Name) as null in the CheckAccess method of AuthorizationManager (derived from ClaimsAuthorizationManager) whenever I try to add the service in WCF Test Client.
Basically I need to configure service such that the WCF service gets Windows Principal when-ever it gets call from client.
Any help would be appreciated. I can provide more details if needed.
After much trial and error, the following configuration has worked for me.
<configuration>
<configSections>
<section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
</configSections>
<system.identityModel>
<identityConfiguration>
<claimsAuthenticationManager type = "Framework.Services.Security.PrincipalTransformer, ClaimsAuthorizationService"/>
<claimsAuthorizationManager type="Framework.Services.Security.AuthorizationManager, ClaimsAuthorizationService"/>
</identityConfiguration>
</system.identityModel>
<system.serviceModel>
<bindings>
<customBinding>
<binding name="CustomTcpBinding" closeTimeout="01:20:00" openTimeout="00:00:30"
receiveTimeout="20.00:00:00" sendTimeout="00:05:00">
<reliableSession />
<windowsStreamSecurity protectionLevel="None" />
<tcpTransport maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647" maxBufferSize="2147483647" />
</binding>
</customBinding>
</bindings>
<services>
<service behaviorConfiguration="Framework.Authorization.DummyRebServiceBehavior" name="Framework.Authorization.DummyRebService">
<endpoint address="IDummyRebService"
binding="customBinding" bindingConfiguration="CustomTcpBinding"
contract="Framework.Authorization.IDummyRebService"
name="IDummyRebService"/>
<endpoint address="mex"
binding="mexTcpBinding"
contract="IMetadataExchange"/>
<host>
<timeouts closeTimeout="00:00:01"/>
<baseAddresses>
<add baseAddress="net.tcp://localhost:8234//DummyRebService"/>
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="Framework.Authorization.DummyRebServiceBehavior">
<serviceSecurityAudit auditLogLocation="Application" messageAuthenticationAuditLevel="SuccessOrFailure" serviceAuthorizationAuditLevel="SuccessOrFailure" suppressAuditFailure="True"/>
<serviceCredentials useIdentityConfiguration="true"/>
<serviceAuthorization principalPermissionMode="Always"/>
<serviceMetadata httpGetEnabled="False"/>
<dataContractSerializer maxItemsInObjectGraph="1000000000"/>
<serviceDebug includeExceptionDetailInFaults="True"/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5"/>
</startup>
</configuration>
Related
I could use some help writing the config file for my WCF. Everything was working till I tried to include the use of throttling and quotas. Not sure if I am using tags correctly or in the correct place. Below is my App.config file:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />
</startup>
<appSettings>
<add key="baseAddress" value="http://localhost:8000" />
</appSettings>
<system.serviceModel>
<services>
<service behaviorConfiguration="mexBehaviour" name="StringManipulationService.StringManipulation">
<endpoint address="StringManipulationService" binding="basicHttpBinding"
contract="StringManipulationService.IStringManipulation" />
<endpoint address="StringManipulationService" binding="netTcpBinding"
contract="StringManipulationService.IStringManipulation" />
<endpoint address="" binding="wsHttpBinding"
contract="StringManipulationService.IStringManipulation" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="http://localhost:8080/" />
<add baseAddress="net.tcp://localhost:8090/" />
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="mexBehaviour">
<serviceMetadata httpGetEnabled="true"/>
</behavior>
<behavior name="Throttled">
<serviceThrottling
maxConcurrentCalls="1"
maxConcurrentSessions="1"
maxConcurrentInstances="1"
/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="basicHttp" allowCookies="true"
maxReceivedMessageSize="20000000"
maxBufferSize="20000000"
maxBufferPoolSize="20000000">
<readerQuotas maxDepth="32"
maxArrayLength="200000000"
maxStringContentLength="200000000"/>
</binding>
</basicHttpBinding>
</bindings>
</configuration>
I am working on a WCF REST-type service that will accept text/xml type documents via a POST over HTTPS (ASP.NET 4.0 on IIS). Can someone help me with the web.config? I'm testing with the sample code for the CustomTextMessageEncoder to parse the document. I'm getting an error:
"Manual addressing is not supported with message level security. Configure the binding ('CustomBinding', 'http://tempuri.org/') to use transport security or to not do manual addressing."
Unfortunately, if I turn off ManualAddressing, I get a different error. I'm not sure how to turn on TransportSecurity since it's a custom binding.
The main portions of the web.config for what I"m doing are:
<system.serviceModel>
<services>
<service name="MyApp.MyApp" behaviorConfiguration="MyAppBehavior" >
<endpoint address="https://myURL/MyApp/" binding="customBinding" bindingConfiguration="newBinding" behaviorConfiguration="webEndpoint" contract="MyApp.IMyApp" />
<host>
<baseAddresses>
<add baseAddress="https://myURL/MyApp/" />
</baseAddresses>
</host>
</service>
</services>
<serviceHostingEnvironment multipleSiteBindingsEnabled="false" aspNetCompatibilityEnabled="true">
<baseAddressPrefixFilters>
<add prefix="https://myURL/MyApp/" />
</baseAddressPrefixFilters>
</serviceHostingEnvironment>
<behaviors>
<serviceBehaviors>
<behavior name="MyAppBehavior" >
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="True" httpsGetUrl="https://myURL/MyApp/MyApp.svc/" />
<serviceDebug includeExceptionDetailInFaults="True" />
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="webEndpoint" >
<webHttp />
</behavior>
</endpointBehaviors>
</behaviors>
<extensions>
<bindingElementExtensions>
<add name="customTextMessageEncoding" type="Microsoft.Samples.CustomTextMessageEncoder.CustomTextMessageEncodingElement, CustomTextMessageEncoder" />
</bindingElementExtensions>
</extensions>
<bindings>
<webHttpBinding>
<binding name="webHttpBinding">
<security mode="Transport" />
</binding>
</webHttpBinding>
<customBinding>
<binding name="newBinding" >
<security authenticationMode="AnonymousForCertificate" />
<customTextMessageEncoding messageVersion="Soap12WSAddressing10">
</customTextMessageEncoding>
<httpsTransport manualAddressing="true" requireClientCertificate="true" />
</binding>
</customBinding>
</bindings>
</system.serviceModel>
I have a nice WCF REST-ful JSON service working well as is. The problem arises when I try to put it to work on HTTPS. The Web.config is as follows:
<system.serviceModel>
<bindings>
<webHttpBinding>
<binding name="StreamedRequestWebBinding" bypassProxyOnLocal="true" useDefaultWebProxy="false" hostNameComparisonMode="WeakWildcard" sendTimeout="10:15:00" openTimeout="10:15:00" receiveTimeout="10:15:00" maxReceivedMessageSize="2147483647" maxBufferSize="2147483647" maxBufferPoolSize="2147483647" transferMode="StreamedRequest">
<security mode="Transport">
<transport clientCredentialType = "None" />
</security>
<readerQuotas maxArrayLength="2147483647" maxStringContentLength="2147483647" />
</binding>
</webHttpBinding>
</bindings>
<services>
<service name="WcfRESTFullJSON.Service1" behaviorConfiguration="ServiceBehaviour">
<endpoint address="" binding="webHttpBinding" bindingConfiguration="StreamedRequestWebBinding" contract="WcfRESTFullJSON.IService1" />
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceBehaviour">
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="web">
<!--Him-->
<webHttp automaticFormatSelectionEnabled="true" />
</behavior>
</endpointBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" aspNetCompatibilityEnabled="true" />
</system.serviceModel>
I configured a home-made certificate on IIS.
On the client I have:
WebClient WC;
...
WC.UploadData(URL, "POST", asciiBytes);
What we get:
The remote server returned an error: (500) Internal Server Error.
What may be the problem?
The issue is resolved. It was a missing reference to a endpoint behavior in the following line
...endpoint behaviorConfiguration="web" address="" binding="webHttpBinding" bindingConfiguration="StreamedRequestWebBinding" contract="WcfRESTFullJSON.IService1"...
in the Web.config below. Thank you for your help friends! The solution was finally found in the article Implementing 5 important principles of REST using WCF Services
<services>
<service name="WcfRESTFullJSON.Service1" behaviorConfiguration="ServiceBehaviour">
<endpoint behaviorConfiguration="web" address="" binding="webHttpBinding" bindingConfiguration="StreamedRequestWebBinding" contract="WcfRESTFullJSON.IService1" />
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceBehaviour">
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="web">
<!--Him-->
<webHttp automaticFormatSelectionEnabled="true" />
</behavior>
</endpointBehaviors>
As SSL is a protocol under HTTP, there is usually nothing extra to configure in web.config (only a new binding). Another thing that changes if you use SSL is the port... you may need to update the firewall or check that your request is sent to the right port.
See Complete config file
<configuration> <system.web>
<compilation debug="true" targetFramework="4.0" />
<webServices>
<protocols>
<add name="HttpsGet"/>
<add name="HttpsPost"/>
</protocols>
</webServices> </system.web> <system.serviceModel>
<services>
<service name="RESTTEST.RestTestService" behaviorConfiguration="ServiceBehavior">
<endpoint address="" binding="webHttpBinding"
contract="RESTTEST.IRestTestService"
bindingConfiguration="sslBinding"
behaviorConfiguration="web"
></endpoint>
<endpoint address="mex"
binding="mexHttpsBinding"
contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior">
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before
deployment -->
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before
deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="web">
<webHttp/>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<webHttpBinding>
<binding name="sslBinding" crossDomainScriptAccessEnabled="true">
<security mode="Transport">
</security>
</binding>
</webHttpBinding>
</bindings>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="false">
</serviceHostingEnvironment>
<standardEndpoints>
<webHttpEndpoint>
<standardEndpoint crossDomainScriptAccessEnabled="true"></standardEndpoint>
</webHttpEndpoint>
<webScriptEndpoint>
<standardEndpoint name="" crossDomainScriptAccessEnabled="true" />
</webScriptEndpoint>
</standardEndpoints> </system.serviceModel> <system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
</customHeaders>
</httpProtocol> </system.webServer> </configuration>
I'm trying to set the maxClockSkew of my WCF Service to something higher than 5 minutes(default)but I'm not succeding. It looks that there's something wrong when I want to set it together with the authenticationMode="UserNameOverTransport". I need this because my server is running under https and I will authenticate the user using a custom authentication Provider. There's no errors on the server initialization, but the value does not change from 5 minutes(00:05:00)... And I always get the annoying message from the client side saying
The security timestamp is invalid because its creation time ('2011-06-24T15:31:22.338Z') is in the future. Current time is '2011-06-24T15:21:30.923Z' and allowed clock skew is '00:05:00'.
Here you can see my whole Service config file:
<?xml version="1.0"?> <configuration>
<system.web>
<compilation debug="true"/>
</system.web>
<system.serviceModel>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true">
</serviceHostingEnvironment>
<services>
<service name="MYSERVICE">
<endpoint address="" binding="customBinding" bindingConfiguration="HTTP" contract="MYCONTRACT">
<identity>
<dns value="https://localhost"/>
</identity>
</endpoint>
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>
<host>
<baseAddresses>
<add baseAddress="https://localhost/service"/>
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="False" httpsGetEnabled="True" />
<serviceDebug includeExceptionDetailInFaults="False"/>
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom"
customUserNamePasswordValidatorType="CUSTOMServiceCredentialsValidator, ASSEMBLY" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<customBinding>
<binding name="HTTP">
<transactionFlow />
<textMessageEncoding>
<readerQuotas maxStringContentLength="2147483647"/>
</textMessageEncoding>
<security authenticationMode="SecureConversation">
<localClientSettings maxClockSkew="00:10:00"/>
<localServiceSettings maxClockSkew="00:10:00"/>
<secureConversationBootstrap authenticationMode="UserNameOverTransport">
<localClientSettings maxClockSkew="00:10:00"/>
<localServiceSettings maxClockSkew="00:10:00"/>
</secureConversationBootstrap>
</security>
<httpsTransport maxReceivedMessageSize="2147483647" maxBufferSize="2147483647"/>
</binding>
</customBinding>
</bindings>
</system.serviceModel>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
</startup>
What Am I missing? Does anyone faced this issue? I did not found many people facing this situation.
Thanks In Advance
Pedro
You need to set up explicitly a new binding:
http://msdn.microsoft.com/en-us/library/aa738468.aspx
HTH
I'm using a duplex ReliableSecureProfile in WCF and the server will stop listening to new requests if an exception occurs on any client.
How can I make the server more resilient to failures that happen to any single client? Everything works again if I restart the server or redeploy
My client code looks like this:
CustomBinding rspBinding = new CustomBinding();
rspBinding.Elements.Add(new ReliableSessionBindingElement());
rspBinding.Elements.Add(new MakeConnectionBindingElement());
rspBinding.Elements.Add(new TextMessageEncodingBindingElement());
rspBinding.Elements.Add(new HttpTransportBindingElement());
DuplexChannelFactory<IProcessDataDuplex> channelFactory =
new DuplexChannelFactory<IProcessDataDuplex>
(new CallbackHandler(), rspBinding, serviceAddress);
//
// The problem always occurs on this line.
//
reusableSW = new LC.Utils.WCF.ServiceWrapper<IProcessDataDuplex>(channelFactory);
My web.config looks like this:
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="rspServiceBehavior">
<serviceMetadata httpGetEnabled="true" policyVersion="Policy15" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<useRequestHeadersForMetadataAddress>
<defaultPorts>
<add scheme="http" port="80" />
<add scheme="https" port="443" />
</defaultPorts>
</useRequestHeadersForMetadataAddress>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<customBinding>
<!-- Reliable Secure Profile -->
<binding name="rspBinding">
<reliableSession />
<MakeConnectionBindingElement/>
<textMessageEncoding />
<httpTransport />
</binding>
</customBinding>
<netTcpBinding>
<binding portSharingEnabled="true" >
<security mode="None" />
</binding>
</netTcpBinding>
</bindings>
<extensions>
<bindingElementExtensions>
<!-- Reliable Secure Profile -->
<add name="MakeConnectionBindingElement" type="Microsoft.Samples.ReliableSecureProfile.MakeConnectionElement, Microsoft.Samples.ReliableSecureProfile.MakeConnectionChannel" />
</bindingElementExtensions>
</extensions>
<services>
<!-- Reliable Secure Profile -->
<service behaviorConfiguration="rspServiceBehavior" name="Microsoft.Samples.ReliableSecureProfile.RSPService">
<endpoint binding="customBinding" bindingConfiguration="rspBinding"
contract="Microsoft.Samples.ReliableSecureProfile.IProcessDataDuplex"
listenUriMode="Explicit">
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" bindingConfiguration=""
contract="IMetadataExchange" />
<host>
</host>
</service>
<!--<service name="WcfTcpTest.Service1" >
<host>
<baseAddresses>
<add baseAddress="net.tcp://localhost:1337/Service1/" />
</baseAddresses>
</host>
<endpoint address="" binding="netTcpBinding" contract="WcfTcpTest.IService1">
<identity>
<dns value="localhost"/>
</identity>
</endpoint>
<endpoint address="mex" binding="mexTcpBinding" contract="IMetadataExchange"/>
</service>-->
</services>
<protocolMapping>
<clear/>
<!-- removes all defaults which you may or may not want. -->
<!-- If not, use <remove scheme="http" /> -->
<add scheme="http" binding="customBinding" bindingConfiguration="rspBinding"/>
</protocolMapping>
<serviceHostingEnvironment
aspNetCompatibilityEnabled="false"
multipleSiteBindingsEnabled="true" />
</system.serviceModel>
I can't reproduce this issue anymore (where the server simply stops responding). I think the issue is related to VS2010's desire to catch handled exceptions and stop all threads as explained here:
Getting an Unhandled Exception in VS2010 debugger even though the exception IS handled