I have three different WCF services deployed on server separately in there own application directory under "Default WebSites" in IIS. One of the service is deployed by me and two other services are deployed by some other client. There is a single server certificate deployed in IIS to which i have bind my service.
But when i try to access my service form https I get this error in popup:
"Address Mismatched.
The security certificate presented by this website was issued for a different website's address.
This problem might indicate an attempt to fool you or intercept any data you send to the server."
Thee web.config file of my service is as following
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<identity impersonate="false" />
</system.web>
<system.serviceModel>
<services>
<service name="WcfApp.Service">
<endpoint address="customer"
binding="basicHttpBinding"
bindingConfiguration="secureHttpBinding"
contract="WCFApp.ICustomerService" />
<endpoint address="order"
binding="basicHttpBinding"
bindingConfiguration="secureHttpBinding"
contract="WcfApp.IOrderService" />
<endpoint address="mex"
binding="mexHttpsBinding"
contract="IMetadataExchange" />
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="secureHttpBinding">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior >
<serviceMetadata httpsGetEnabled="True" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceThrottling maxConcurrentCalls="21" maxConcurrentSessions="50" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<directoryBrowse enabled="true" />
<validation validateIntegratedModeConfiguration="false" />
</system.webServer>
</configuration>
Interesting thing is that when I hit the following URL:
https://myserverurl.com/applicationfolder/service.svc?wsdl
to get the wsdl, it runs perfectly and returns me the wsdl description but the original call is not working.
Why am I getting the "Mismatched Address"? Is there need to add host base address? if yes how and where exactly to add it in web.config and is there need to add it in other two wcf services deployed? Is port conflicting with certificate? I am new to wcf please help me resolve this issue?
I am using .net 4.0, IIS 7.0, windows server 2008.
Thanks in advance.
The error message says (basically) that the certificate that you are using for your site doesn't match the DNS name that is being used (from the client's browser) to connect to the site.
My guess is that you are implementing virtual hosting; i.e. multiple services with different DNS names that are being served from one IIS instance. This won't work ... unless you either use a different certificate for each service, or you use a wild-card certificate that matches all of the service DNS names.
Apparently, name-based SSL virtual hosting is not supported by IIS prior to 7.0. This article describes how to configure it for IIS 7.0. But note that the names in the respective certificates must match the corresponding virtual host names ...
Note that the requirement that the hostnames and certificates must match is fundamental to SSL security. It is what allows the browser / user to know that it is talking to the expected server (based on the DNS name) and not some imposter site.
Related
I have been trying to resolve a problem that I am having with a WCF service hosted on our cloud platform. Service is written targeting .NET 4.0. I can access the service using both wsHttpBinding and basicHttpBinding over just plain http. However, when I try and access the service over a https end point it consistently gives me an endpoint not found exception which is odd because on the client I add a service reference pointing at the https end point and this should be sufficient to build a compatible proxy?
The web site has a SSL certificate setup which is valid, and the site hosting the service has a binding in IIS that uses this certificate. I can browse to the https URL from within the IIS snap-in and it finds the service with no problems, and I can use the same url from my desktop and get the normal "you have created a service page". IIS has anonymous authentication enabled only.
Here is where I get a bit hazy on what I have to do in terms of the WCF configuration.
In the server web.config I have security mode of Transport and
client credentials of None (Think I need this because of the
anonymous authentication on the host service)
Also in the server web.config I have set up mex end points for each
of the server's end points that are defined.
Is there anything else I need to do here?
On the client side
I have created a basic console app, and create a service
reference pointing at the https url and this is found
In the code I instantiate the proxy and call a method that invokes
the service.
When I run the code I get the end point not found exception.
I have created a really basic ASP.NET web site on my local IIS that hosts a really simple service. I have added a self-signed certificate and in the mmc snap-in I have imported this as a trusted certificate. I have set up a wsHttp end point for both secure and non-secure and when I create a simple client that references the service I get the same problem when using a https end point.So I can replicate the problem I am seeing in the live environment.
The event viewer doesn't shed any light on anything untoward happening.On my various searches I found references to re-registering asp.net and the WCF runtime components. Tried all this to no avail. Getting really stuck. I've included the config from my local asp.net web site, and the client config so people can scan what I have. Any suggestions on what else I could try would be great. I'm hoping I have overlooked something obvious that another pair of eyes with more experience with WCF can spot.
Thanks in advance.
Server config:
<system.serviceModel>
<diagnostics>
<messageLogging logEntireMessage="true" logMalformedMessages="true" logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true" maxMessagesToLog="500" />
</diagnostics>
<services>
<service name="NorthwindServices.ProductService">
<host>
<baseAddresses>
<add baseAddress="http://localhost:8732/Design_Time_Addresses/NorthwindServices/ProductService/" />
</baseAddresses>
</host>
<endpoint address="" binding="wsHttpBinding" contract="NorthwindServices.IProducts">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
<endpoint address="mex" binding="wsHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="Secure">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Basic">
</transport>
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
</
==================================================================================
Client config:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IProducts">
<security mode="Transport"></security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://localhost/Northwind.svc" binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_IProducts" contract="ProductProxy.IProducts"
name="WSHttpBinding_IProducts">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>
BindingConfiguration is optional since an endpoint is primarily composed of address, binding and contract. If no wsHttpBinding is defined under bindings, the default configuration will be used; if there's one under wsHttpBinding without name or with empty name, the binding configuration will be used if the endpoint does not declare a named one. And you may have multiple named binding configuration under wsHttpBinding, and each endpoint may pick one accordingly. The problems so far according to your config files listed has nothing to do with bindingConfiguration as they all look fine. However, the baseAddress in service side and the client endpoint address do not seem to match, and I presume you are using svc files for service activation. Then you need to make sure the svc files are located in the right place through proper routing. Alternatively you may use config activation without using svc files.
VS 2012/.NET4.5, Windows 8/IIS8 and 64 bit
Using WCF Service application, all the documentation that I've seen so far in naming my MSMQ queue to match the service name assume the fact that I am using an application or a virtual directory underneath the IIS website.
This is quoted from MSDN http://msdn.microsoft.com/en-us/library/ms789042.aspx
The application being activated must match (longest match) the prefix
of the queue name.
For example, a queue name is:
msmqWebHost/orderProcessing/service.svc. If Application 1 has a
virtual directory /msmqWebHost/orderProcessing with a service.svc
under it, and Application 2 has a virtual directory /msmqWebHost with
an orderProcessing.svc under it, Application 1 is activated. If
Application 1 is deleted, Application 2 is activated.
Also, http://blogs.msdn.com/b/tomholl/archive/2008/07/12/msmq-wcf-and-iis-getting-them-to-play-nice-part-1.aspx
However when you are hosting your MSMQ-enabled service in IIS 7 WAS,
the queue name must match the URI of your service's .svc file. In this
example we'll be hosting the service in an application called
MsmqService with an .svc file called MsmqService.svc, so the queue
must be called MsmqService/MsmqService.svc. Queues used for WCF
services should always be private
And, http://msdn.microsoft.com/en-us/magazine/cc163357.aspx
It's important to note that the activation of MSMQ endpoints only
works correctly if the queue has the same name as the .svc file (minus
the machine name). That means that if your service endpoint is
/server/app/service.svc, the queue name must be app/service.svc.
MyService.svc file is directly under the root of my IIS website (which is using a .NET 4 pool in integrated mode), so I did the following:
Creating a private transactional queue called MyService.svc and giving Network Services full control (for testing).
Setting my web.config endpoint: address="net.msmq://localhost/private/MyService.svc"
I was able to push a message to the queue using a client test application using the address in (2).
I added MSMQ protocol support to the website by executing the following:
C:\Windows\System32\inetsrv>appcmd set site "MyWebsite" /+bindings.[protocol='net.msmq',bindingInformation='localhost'] (and checked that it added the support properly)
From my website advanced settings I have http,net.tcp,net.msmq In Enabled Protocols
I double checked that "Net.Msmq Listener Adapter", which is responsible for activating the service when a message arrives, is running and I restarted it.
My web.config:
<configuration>
<appSettings>
<add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
</appSettings>
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
</system.web>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<protocolMapping>
<add binding="basicHttpBinding" scheme="http" />
<add binding="netMsmqBinding" scheme="net.msmq" />
</protocolMapping>
<serviceHostingEnvironment aspNetCompatibilityEnabled="false"
multipleSiteBindingsEnabled="true" />
<bindings>
<netMsmqBinding>
<binding name="MsmqBinding_IMyService" exactlyOnce="true"
receiveErrorHandling="Move">
<security mode="None"/>
</binding>
</netMsmqBinding>
</bindings>
<services>
<service name="CompanyName.Service.MyService">
<endpoint name="MyService"
address="net.msmq://localhost/private/MyService.svc"
bindingConfiguration="MsmqBinding_IMyService"
binding="netMsmqBinding" contract="IMyService" >
</endpoint>
</service>
</services>
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
<directoryBrowse enabled="false" />
</system.webServer>
</configuration>
My service is not getting activated with the arrival of new messages to the queue and the messages stay in the queue. Is that because I am not using an application or a virtual directory or is there something I am missing?
The problem is sorted by creating an application within the default website and modifying the configuration to fit the new path.
I have the simplest WCF service which works when hosted in IIS using basicHttp binding. It has one empty method called DoNothing which takes no parameters and returns a void
void DoNothing()
However I cannot get it to work when trying to host it in IIS using net.tcp.
I am assuming it is the configuration, as the same service code should work regardless of binding used.
I have enabled non-http activation. I am using a different port 12345 to avoid any clashes. The website and service is set up to use net.tcp binding.
The Net.Tcp ListenerAdaptor and Net.Tcp Port Sharing services are running
I can get the metadata to use WcfTestClient to test the service.
The error I get is
The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:00:59.8597984'.
The inner exception is
An existing connection was forcibly closed by the remote host
I thing I have checked everything. I have tried calling it remotely and locally on the virtual machine
I can only think it is a simple config error or a security issue. The virtual machine is not in a domain. I have disabled the firewall completely on the virtual machine.
Has anyone had the same issue, and has a resolution. Or does someone have a very simple (full) example of how to host a net.tcp service in IIS, whih they could post
Here is my web.config
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.serviceModel>
<bindings>
<netTcpBinding>
<binding name="PortSharingBinding" portSharingEnabled="true">
<security mode="None"/>
</binding>
</netTcpBinding>
</bindings>
<services>
<service name="SimpleNetTcpService.Service">
<endpoint address="net.tcp://192.168.0.2:12345/SimpleNetTcpService/Service"
binding="netTcpBinding" bindingConfiguration="PortSharingBinding"
contract="SimpleNetTcpService.IService" />
<endpoint address="mex" binding="mexTcpBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="mexBehaviour">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>
I found the issue. I just removed the address attribute from the service element
was
<service name="SimpleNetTcpService.Service">
<endpoint address="net.tcp://192.168.0.2:12345/SimpleNetTcpService/Service"
binding="netTcpBinding" bindingConfiguration="PortSharingBinding"
contract="SimpleNetTcpService.IService" />
now
<service name="SimpleNetTcpService.Service">
<endpoint
binding="netTcpBinding" bindingConfiguration="PortSharingBinding"
contract="SimpleNetTcpService.IService" />
Works fine now
Help please!!
I had the following set up working perfectly:-
WCF Service Library hosted in web site on local IIS 7
Silverlight Application on a web site on local IIS 7 using above services
The solution I am writing is for intranet and not internet use, however I have been told by my bosses that it needs to be over Https. I am using Windows Authentication.
Below is a chunk of the config file for one of the service endpoints (changed to remove company info etc):-
<services>
<service behaviorConfiguration="stdHttpBehavior" name="WcfServiceLibrary.StaticDataService">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="windowsHttpBinding"
name="StaticDataService" contract="WcfServiceLibrary.ServiceContracts.IStaticDataService" />
<endpoint address="mex" binding="mexHttpBinding" name="" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="http://localhost/WcfServiceLibrary/StaticDataService/" />
</baseAddresses>
</host>
</service>
<behaviors>
<serviceBehaviors>
<behavior name="stdHttpBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<dataContractSerializer maxItemsInObjectGraph="2147483647" />
</behavior>
</serviceBehaviors>
</behaviors>
To experiment with Https I created a 'Self-Signed Certificate'. I then added https to the Default Web Site bindings and changed the two web sites to require SSL and also changed the relvant URIs in the config files. I managed to get this to work but now I want to go back to standard Http and finish the project in that mode as it was easier to work with. I changed all the settings back (and I have checked these extremely carefully).
Now I get this error if I try to downoad the Service definition in the Silverlight project: -
'Could not find a base address that matches scheme https for the endpoint with binding BasicHttpBinding. Registered base address schemes are [http].'
If I put back the certificate and binding in IIS. The Service definition appears to download OK, however it references an https URI and therefore none of the actual service calls work as they are http adresses!
I tried adding a new web site to host the service but got the same errors.
I have been trying to solve this for the last couple of days but cannot find an answer. It seems as though there is a hidden reference somewhere and not in my project as it continued with a new web site added to IIS.
To use SSL over HTTP under Basic HTTP binding, you need to switch your endpoint to use Transport-level security. In your case you will also want to indicate the client credential type:
<bindings>
<basicHttpBinding>
<binding name="windowsHttpBinding">
<security mode="Transport">
<transport clientCredentialType="Windows" />
<message />
</security>
</binding>
</basicHttpBinding>
</bindings>
It may seem obvious, but did you change the security mode on the windowsHttpBinding binding configuration to BasicHttpSecurityMode.None?
<bindings>
<basicHttpBinding>
<binding name="windowsHttpBinding">
<security mode="None" />
</binding>
</basicHttpBinding>
</bindings>
Related resources:
Transport Security Overview
BasicHttpSecurityMode Enumeration
I have a asp.net 2.0 web site with WCF service hosted inside it running on .NET 3.5 framework. The website is setup with Integrated Windows Authentication only. The web server is IIS 6 with load balancing on Windows 2003 Sp2 (2 servers). I am unable to access the WCF service (.svc) using the full url (http://myqa2.abcdefg.com/trxn/WCFTrxnService.svc). Also note that the server is configured with multiple host headers. The website is protected by siteminder. Initially I was getting an error
This collection already contains an address with scheme http. There can be at most one address per scheme in this collection. Parameter name: item
So added the following config entry
<serviceHostingEnvironment>
<baseAddressPrefixFilters>
<clear/>
<add prefix="http://myqa2.abcdefg.com"/>
</baseAddressPrefixFilters>
</serviceHostingEnvironment>
That error went away, but now I am being prompted for login by the browser. For same website, I am able to access .aspx page. The login prompt is appearing only for .svc file.
Here is the binding / endpoint from config file that I am using.
<system.serviceModel>
<serviceHostingEnvironment>
<baseAddressPrefixFilters>
<clear/>
<add prefix="http://myqa2.abcdefg.com"/>
</baseAddressPrefixFilters>
</serviceHostingEnvironment>
<bindings>
<basicHttpBinding>
<binding name="IISIntegratedAuthBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="TestWCFFromSL.Web.WCFTrxnServiceBehavior">
<serviceMetadata httpGetEnabled="true" httpGetUrl="http://myqa2.abcdefg.com/fmc/WCFNotesService.svc"/>
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service name="TestWCFFromSL.Web.WCFTrxnService" behaviorConfiguration="TestWCFFromSL.Web.WCFTrxnServiceBehavior">
<endpoint
address="http://myqa2.abcdefg.com/trxn/WCFTrxnService.svc"
binding="basicHttpBinding"
bindingConfiguration="IISIntegratedAuthBinding"
contract="TestWCFFromSL.Web.IWCFTrxnService" />
</service>
</services>
<!--<serviceHostingEnvironment multipleSiteBindingsEnabled="true"/>-->
if a website is protected by SiteMinder, WCF / SOAP calls don't work. But a different solution to this problem is working.
The URL myqa2.abcdefg.com/trxn/WCFTrxnService.svc is protected by SiteMinder, but
myqa2/trxn/WCFTrxnService.svc is not protected by siteminder, Looks like SiteMinder only protects FQDN (Fully Qualified Domain Names). So I configured the application to call WCF service using short url instead FQDN. I also had to use crossdomainpolicy because the application considers myqa2.abcdefg.com and myqa2 as 2 seperate domains.