WCF Service configuration HTTPS with CustomBinding - wcf

I needed a custombinding on a WCF Service to allow me to pass raw content to WCFRest service. Works great, but I can't get it to accept transport level security. I want https and basicauthentication as I use elsewhere. Endpoint looks like this:
<endpoint address="" behaviorConfiguration="web" contract="SmsService.ISmsReceive" binding="customBinding" bindingConfiguration="RawReceiveCapable"></endpoint>
customBinding looks like this:
<customBinding>
<binding name="RawReceiveCapable">
<security mode="Transport">
<transport clientCredentialType="Basic"/>
</security>
<webMessageEncoding webContentTypeMapperType="SmsService.RawContentTypeMapper, SmsService, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<httpTransport manualAddressing="true" maxReceivedMessageSize="524288000" transferMode="Streamed" />
</binding>
</customBinding>
but system complains that mode attribute is not allowed in the security node. Without the security node all works great but it's not https.
Thanks
Ray

I think you need to drop the <security> element and then change the httpTransport element to httpsTransport as shown in the following example:
<system.serviceModel>
<bindings>
<customBinding>
<binding name="RawReceiveCapable">
<webMessageEncoding webContentTypeMapperType="SmsService.RawContentTypeMapper, SmsService, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<httpsTransport authenticationScheme="Basic" manualAddressing="true" maxReceivedMessageSize="524288000" transferMode="Streamed" />
</binding>
</customBinding>
</bindings>
The following link might be helpful:
http://msdn.microsoft.com/en-us/library/ms731818.aspx

Related

WCF net.tcp issued token

Does anyone have a current example of using net.tcp with message security mode of issued token. I currently have a security token service that issues tokens but not sure how to configure it with net.tcp. I only see examples of using ws2007FederationHttpBinding
<customBinding>
<binding name="wsFed">
<security authenticationMode="SecureConversation" requireSecurityContextCancellation="true">
<secureConversationBootstrap authenticationMode="IssuedToken">
<issuedTokenParameters tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
<issuer address="http://localhost/STSWebHost/STSService.svc" binding="ws2007HttpBinding" />
</issuedTokenParameters>
</secureConversationBootstrap>
</security>
<tcpTransport />
</binding>
</customBinding>
I keep getting Crypto algorith not supported error? Works fine with ws2007FederationHttpBinding but I am required to use net.tcp. Anyone?
I have a working version by setting allowInsecureTransport=true. I also removed secureconversation since I don't want sessions.
<customBinding>
<binding
name="netTcpFederated">
<security
authenticationMode="IssuedTokenOverTransport"
allowInsecureTransport="true" >
<issuedTokenParameters keyType="BearerKey" />
</security>
<binaryMessageEncoding>
<readerQuotas
maxStringContentLength="1048576"
maxArrayLength="2097152" />
</binaryMessageEncoding>
<tcpTransport
maxReceivedMessageSize="2162688" />
</binding>
</customBinding>`

TCP error code 10013 Cross Domain Policy Error with netTcpBinding Service and Silverlight Client

Was wondeirng if anybody could get me out of my cross domain policy hell.
I have a duplex WCF service which uses netTcpBining, and the client is a Silverlight 4 app. When I self host the service, then it works perfectly and my Silverlight clients can consume the service with no problems. However when I host it in IIS 7, that's when the trouble starts. When I host it in IIS I'm able to see the service at:
http://localhost/Conference/VideoConferenceService.svc
And when I add a reference to the service which is hosted in IIS, and try to call it, I get a:
CommunicationException: Could not connect to
net.tcp://localhost/Conference/VideoConferenceService.svc. The
connection attempt lasted for a time span of 00:00:03.3071892. TCP
error code 10013: An attempt was made to access a socket in a way
forbidden by its access permissions.. This could be due to attempting
to access a service in a cross-domain way while the service is not
configured for cross-domain access. You may need to contact the owner
of the service to expose a sockets cross-domain policy over HTTP and
host the service in the allowed sockets port range 4502-4534.
Or if seeing the actual error helps inspire those who have seen it before, here is what it throws at me in Reference.cs:
I have checked out almost every solution suggested regarding solving the cross-domain policy error, and I've put my clientaccesspolicy.xml in my default website root in IIS, and also in wwwroot. I've also turned off all my firewalls. I'm able to see the policy at http://localhost/clientaccesspolicy.xml
and also at http://127.0.0.1/clientaccesspolicy.xml but I still get this error.
Here is my web.config for the service hosted in IIS 7:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<runtime>
<gcServer enabled="true" />
</runtime>
<system.web>
<compilation debug="false" />
</system.web>
<system.serviceModel>
<services>
<service name="VideoServer.VideoConferenceService">
<endpoint address="" binding="netTcpBinding" bindingConfiguration="NetTcpBinding_IVideoConferenceService" contract="VideoServer.IVideoConferenceService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="net.tcp://localhost:4502/VideoServer/" />
</baseAddresses>
</host>
</service>
</services>
<bindings>
<netTcpBinding>
<binding name="NetTcpBinding_IVideoConferenceService" portSharingEnabled="true" transactionFlow="false" transferMode="Buffered" listenBacklog="2147483647" maxBufferPoolSize="2147483647" maxBufferSize="2147483647" maxConnections="2147483647" maxReceivedMessageSize="2147483647" closeTimeout="24.20:31:23.6470000" openTimeout="24.20:31:23.6470000" receiveTimeout="24.20:31:23.6470000" sendTimeout="24.20:31:23.6470000">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
<reliableSession enabled="false" />
<security mode="None">
<message clientCredentialType="None" />
<transport protectionLevel="None" clientCredentialType="None" />
</security>
</binding>
</netTcpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="False" />
<serviceDebug includeExceptionDetailInFaults="False" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
<system.webServer>
<directoryBrowse enabled="true" />
</system.webServer>
</configuration>
And here is the Silverlight client's ServiceReferences.ClientConfig file:
<configuration>
<system.serviceModel>
<bindings>
<customBinding>
<binding name="NetTcpBinding_IVideoConferenceService">
<binaryMessageEncoding />
<tcpTransport maxReceivedMessageSize="2147483647" maxBufferSize="2147483647" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="net.tcp://localhost/Conference/VideoConferenceService.svc"
binding="customBinding" bindingConfiguration="NetTcpBinding_IVideoConferenceService"
contract="ServiceReference1.IVideoConferenceService" name="NetTcpBinding_IVideoConferenceService" />
</client>
</system.serviceModel>
</configuration>
Has anybody got any suggestions? This annoying error has taken days of my time thus far.
Any help would be greatly appreciated.
EDIT
When I check the files being retrieved in my web sessions using fiddler, it shows that my browser is retrieving the client access policy file, so I think the error lies somewhere else and WCF is just throwing this error at me? I've also set IE9 to clear its cache everytime its close. Take a look below.
Well I just managed to get it working. Couple of points worth mentioning are that:
1. If you look at the erroneous ServiceReferences.ClientConfig that I posted above (generated by visual studio when I gave the service address as: http://localhost/Conference/VideoConferenceService.svc ) you can see that the netTcp port which is 4502, was not generated as part of the endpoint, this is what what causing the TCP error 10016 (EndpointNotFoundException) as well as TCP error 10013. The correct ServiceReferences.ClientConfig is actually:
<configuration>
<system.serviceModel>
<bindings>
<customBinding>
<binding name="NetTcpBinding_IVideoConferenceService">
<binaryMessageEncoding />
<tcpTransport maxReceivedMessageSize="2147483647" maxBufferSize="2147483647" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="net.tcp://localhost:4502/Conference/VideoConferenceService.svc"
binding="customBinding" bindingConfiguration="NetTcpBinding_IVideoConferenceService"
contract="ServiceReference1.IVideoConferenceService" name="NetTcpBinding_IVideoConferenceService" />
</client>
</system.serviceModel>
</configuration>
2. When I was hosting my service in IIS 7, I was giving the port range 808:* as the netTcp ports, whereas I should have given 4502:* as the port range, like below:
Also from what I gathered, the website hosting the service should be on port 80, as Silverlight will look in localhost:80/ClientAccessPolicy.xml for the client access policy file.
And just for the record, for those who stumble across this same problem, this web.config managed to work in IIS:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<compilation debug="false" />
</system.web>
<system.serviceModel>
<services>
<service name="VideoServer.VideoConferenceService">
<endpoint address="" binding="netTcpBinding" bindingConfiguration="NetTcpBinding_IVideoConferenceService" contract="VideoServer.IVideoConferenceService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<bindings>
<netTcpBinding>
<binding name="NetTcpBinding_IVideoConferenceService" portSharingEnabled="false" transactionFlow="false" transferMode="Buffered" listenBacklog="2147483647" maxBufferPoolSize="2147483647" maxBufferSize="2147483647" maxConnections="2147483647" maxReceivedMessageSize="2147483647" closeTimeout="24.20:31:23.6470000" openTimeout="24.20:31:23.6470000" receiveTimeout="24.20:31:23.6470000" sendTimeout="24.20:31:23.6470000">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
<reliableSession enabled="false" />
<security mode="None">
<message clientCredentialType="None" />
<transport protectionLevel="None" clientCredentialType="None" />
</security>
</binding>
</netTcpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="True" />
<serviceDebug includeExceptionDetailInFaults="False" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
<system.webServer>
<directoryBrowse enabled="true" />
</system.webServer>
</configuration>
Also worth noting that you don't need to put any ports or base addresses in the web.config for IIS. It will create the service endpoint using the port 4502, I tried changing it to 4503, 4522 etc. and interestingly it didn't work with those ports, only with 4502.
We had a similar problem as specified in the original post. Just to help anyone who has not been able to resolve the issue with the solutions provided above, we found that the Windows firewall on the machine hosting the service was blocking the port we were trying to connect with net.tcp through. Once we allowed the traffic through the port on that software firewall our service started working as expected.
It may be worth checking any hardware firewall you might have in place as well to allow the ranges 4502-4530 I believe for net.tcp

Configuring SSL (https) for ws2007FederationHttpBinding Endpoint 404 No Endpoint found

Another WIF related problem - can anyone point me in the direction of how to configure https in wcf for a ws2007FederationHttpBinding endpoint. I have the certificates and bindings all set-up in IIS, but whenever I try to connect to the endpoint I get a 404 error. My binding looks like this
<bindings>
<ws2007FederationHttpBinding>
<binding name="BindingConfigName">
<security mode="TransportWithMessageCredential">
<message establishSecurityContext="false">
<issuerMetadata address="https://identity.localhost/issue/wstrust/mex" />
<claimTypeRequirements>
<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="true" />
<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" isOptional="true" />
</claimTypeRequirements>
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
</bindings>
Endpoint Looks Like
<endpoint address="https://services.localhost/MyService.svc" binding="ws2007FederationHttpBinding"
bindingConfiguration="BindingConfigName"
bindingNamespace="MyNamespace"
contract="IServiceContract">
</endpoint>
Really struggling to see what to do.
Matt

Silverlight 3 + WCF and IIS basic authentication

I have the following problem. On my machine I have a SL 3 application, which basically consists of:
* Client app (SL)
* Web app (.Net 3.5)
* Communication with the database handled by WCF
The site is hosted on my IIS, with the following authentication set up:
* Anonymous access: off
* Basic authentication: on
* Integrated Windows authentication: on
My bindings are set up as follows:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_IWcfPortal" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647">
<security mode="TransportCredentialOnly" />
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost/MyApp/WCFPortal.svc" binding="basicHttpBinding"
bindingConfiguration="BasicHttpBinding_IWcfPortal" contract="WcfPortal.IWcfPortal"
name="BasicHttpBinding_IWcfPortal" />
</client>
</system.serviceModel>
</configuration>
Web.config:
<authentication mode="Windows" />
<identity impersonate="true" />
When I navigate to my site, I am prompted for an username and password. When filled in correctly, I can access the site but the db communication does not work. When I go to localhost/MyApp/WcfPortal.svc, I get the following error:
Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.
I tried adding <transport clientCredentialType="Windows" /> to the security in the basicHttpBinding, but VS gives me the warning "The 'clientCredentialType' attribute is not declared.".
If anyone can help me with this, I would be very grateful.
I fixed my issue. Turned out I had to change the basicHttpBinding in two places: ServiceReferences.ClientConfig and Web.Config
ServiceReferences.ClientConfig:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_IWcfPortal" maxBufferSize="2147483647"
maxReceivedMessageSize="2147483647">
<security mode="TransportCredentialOnly" />
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost/MyApp/WCFPortal.svc" binding="basicHttpBinding"
bindingConfiguration="BasicHttpBinding_IWcfPortal" contract="WcfPortal.IWcfPortal"
name="BasicHttpBinding_IWcfPortal" />
</client>
</system.serviceModel>
</configuration>
Web.config:
...
<authentication mode="Windows" />
...
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_IWcfPortal" maxBufferSize="10000000" maxReceivedMessageSize="10000000" receiveTimeout="00:10:00" sendTimeout="00:10:00" openTimeout="00:10:00" closeTimeout="00:10:00">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Ntlm" />
</security>
<readerQuotas maxBytesPerRead="10000000" maxArrayLength="10000000" maxStringContentLength="10000000"/>
</binding>
</basicHttpBinding>
</bindings>
Unfortunately, to host this service under IIS6, you must turn on Anonymous Authentication.

https with WCF error: "Could not find base address that matches scheme https"

I go to https://mywebsite/MyApp/Myservice.svc and get the following error:
(The link works if I use http:// )
"The service '/MyApp/MyService.svc' cannot be activated due to an exception during compilation. The exception message is: Could not find a base address that matches scheme https for the endpoint with binding BasicHttpBinding. Registered base address schemes are [http].."
EDIT: So if I change address="" to address="https:// ..." then I get this error instead:
"Error: The protocol 'https' is not supported..... The ChannelDispatcher at 'https://.../Annotation.svc' with contract(s) '"Annotation"' is unable to open its IChannelListener."
Here's what my Web.Config looks like:
<services>
<service behaviorConfiguration="AnnotationWCF.AnnotationBehavior"
name="AnnotationWCF.Annotation">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_Annotation"
contract="AnnotationWCF.Annotation" />
<endpoint address=""
binding="basicHttpBinding" bindingConfiguration="SecureTransport"
contract="AnnotationWCF.Annotation" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_Annotation" maxBufferSize="2147483647"
maxReceivedMessageSize="2147483647">
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
maxArrayLength="2147483647" maxBytesPerRead="2147483647"
maxNameTableCharCount="2147483647" />
</binding>
<binding name="SecureTransport" maxBufferSize="2147483647"
maxReceivedMessageSize="2147483647">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
maxArrayLength="2147483647" maxBytesPerRead="2147483647"
maxNameTableCharCount="2147483647" />
</binding>
</basicHttpBinding>
I had this exact same problem. Except my solution was to add an "s" to the binding value.
Old:
binding="mexHttpBinding"
New:
binding="mexHttpsBinding"
web.config snippet:
<services>
<service behaviorConfiguration="ServiceBehavior" name="LIMS.UI.Web.WCFServices.Accessioning.QuickDataEntryService">
<endpoint behaviorConfiguration="AspNetAjaxBehavior" binding="webHttpBinding" bindingConfiguration="webBinding"
contract="LIMS.UI.Web.WCFServices.Accessioning.QuickDataEntryService" />
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
It turned out that my problem was that I was using a load balancer to handle the SSL, which then sent it over http to the actual server, which then complained.
Description of a fix is here: http://blog.hackedbrain.com/2006/09/26/how-to-ssl-passthrough-with-wcf-or-transportwithmessagecredential-over-plain-http/
Edit: I fixed my problem, which was slightly different, after talking to microsoft support.
My silverlight app had its endpoint address in code going over https to the load balancer. The load balancer then changed the endpoint address to http and to point to the actual server that it was going to. So on each server's web config I added a listenUri for the endpoint that was http instead of https
<endpoint address="" listenUri="http://[LOAD_BALANCER_ADDRESS]" ... />
Make sure SSL is enabled for your server!
I got this error when trying to use a HTTPS configuration file on my local box which doesn't have that certificate. I was trying to do local testing - by converting some of the bindings from HTTPS to HTTP. I thought it would be easier to do this than try to install a self signed certificate for local testing.
Turned out I was getting this error becasue I didn't have SSL enabled on my local IIS even though I wasn't intending on actually using it.
There was something in the configuration for HTTPS. Creating a self signed cert in IIS7 allowed HTTP to then work :-)
I think you are trying to configure your service in a similar way to the following config. There is more information here: Specify a Service with Two Endpoints Using Different Binding Values. Also, other than for development, it's probably not a good idea to have both HTTP & HTTPS endpoints to the same service. It kinda defeats the purpose of HTTPS. Hope this helps!
<service type="HelloWorld, IndigoConfig, Version=2.0.0.0, Culture=neutral, PublicKeyToken=null">
<endpoint
address="http://computer:8080/Hello"
contract="HelloWorld, IndigoConfig, Version=2.0.0.0, Culture=neutral, PublicKeyToken=null"
binding="basicHttpBinding"
bindingConfiguration="shortTimeout"
</endpoint>
<endpoint
address="http://computer:8080/Hello"
contract="HelloWorld, IndigoConfig, Version=2.0.0.0, Culture=neutral, PublicKeyToken=null"
binding="basicHttpBinding"
bindingConfiguration="Secure"
</endpoint>
</service>
<bindings>
<basicHttpBinding
name="shortTimeout"
timeout="00:00:00:01"
/>
<basicHttpBinding
name="Secure">
<Security mode="Transport" />
</basicHttpBinding>
</bindings>
In my case i am setting security mode to "TransportCredentialOnly" instead of "Transport" in binding. Changing it resolved the issue
<bindings>
<webHttpBinding>
<binding name="webHttpSecure">
<security mode="Transport">
<transport clientCredentialType="Windows" ></transport>
</security>
</binding>
</webHttpBinding>
</bindings>
I was using webHttpBinding and forgot to dicate the security mode of "Transport" on the binding configuration which caused the error:
<webHttpBinding>
<binding name="MyWCFServiceEndpoint">
<security mode="Transport" />
</binding>
</webHttpBinding>
Adding this in configuration fixed the problem.
Look at your base address and your endpoint address (can't see it in your sample code). most likely you missed a column or some other typo e.g. https// instead of https://