I have some WCF services that have been working for a while now on HTTP.
I'm moving them to deployment server now and they need to be HTTPS only.
I got the certificate and when I initially set the up they worked over both HTTP and HTTPS.
...at this point I wanted to drop the non-secure access to the services.
So I'm trying to make amendments to my web.config to make this happen:
Service Behaviours:
<serviceBehaviors>
<behavior name="MetaEnabledBahavior">
<serviceMetadata httpsGetEnabled="true"/>
</behavior>
</serviceBehaviors>
Service Endpoints:
<service name="Services.BookingService" behaviorConfiguration="MetaEnabledBahavior">
<!-- Service Endpoints -->
<clear/>
<endpoint address="https://website.com/services/BookingService.svc" binding="wsHttpBinding"
bindingConfiguration="TransportSecurity" contract="Services.IBookingService"/>
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>
</service>
Bindings:
<bindings>
<wsHttpBinding>
<binding name="TransportSecurity" maxReceivedMessageSize="2000000">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
What I have ended up with at the moment is my HTTP services are still accessible, but the HTTPS access just sends a blank page.
I need HTTP to return an error/page must be viewed by secure channel and HTTPS to be the ones that work only.
How do I fix this?
Smithy try replacing your endpoint with the following:
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="TransportSecurity" contract="Services.IBookingService"></endpoint>
And your binding with a basicHttpBinding
<basicHttpBinding>
<binding name="TransportSecurity" maxReceivedMessageSize="2000000">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</basicHttpBinding>
Hope this helps.
In the <protocolMapping> section of Web.Config, add a <remove scheme="http" /> element.
Related
I've tried a lot of tips on this one but I cannot get it working. On the client I have:
<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="[binding_name]">
<security mode="Transport" />
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="/[service_name].svc"
binding="basicHttpBinding"
bindingConfiguration="[binding_name]"
contract="[contract_name]"
name="[endpoint_name]" />
</client>
</system.serviceModel>
</configuration>
And on the server:
...<service name="[service_name]">
<endpoint address=""
binding="basicHttpBinding"
bindingConfiguration="[binding_name]"
contract="[contract_name]"
name="[endpoint_name]"/>
<endpoint contract="IMetadataExchange"
binding="mexHttpsBinding"
address="mex" />
</service><behaviors>
<serviceBehaviors>
<behavior name="">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors><bindings>
<basicHttpBinding>
<binding name="[binding_name]">
<security mode="Transport">
<transport clientCredentialType ="None"/>
</security>
</binding>
</basicHttpBinding>...
One potential clue is that when I navigate to https://[server_name]/[service_name].svc?wsdl, I see the location is correct on
<wsdl:import namespace="http://[namespace]" location="https://[server_name]/[service_name].svc?wsdl=wsdl0"/>
but incorrect on
<wsdl:port name="[binding_name]" binding="tns:[binding_name]">
<soap:address location="http://[machine_name]/[service_name].svc"/>
</wsdl:port>
Notice location="http://[machine_name]/[service_name].svc" Is that expected? If not, what could be the problem?
I've also made sure that [service_name] in the server configuration is the FQN of the service implementation. Everything worked as expected before I enabled SSL on the server and changed the security mode to transport, etc.
The problem in my case was the fact that though the service_name in <service name="[service_name]"> was the correct FQN of the service implementation, it did not match the Service attribute in the *.svc file. In that case it seems that WCF creates a default name for the endpoint, which is something like BasicHttp_service_name. That worked until SSL was enabled and was looking for the endpoint with a URL starting with https.
As for the machine_name issue, it was because I didn't set the host name for https in the IIS site bindings.
I have added a binding to the config below:
<services>
<service name="MyNamespace.Service.ServiceName.ServiceEndPoint">
<endpoint address="http://localhost:8012/ServiceEndPoint" binding="webHttpBinding" contract="MyNamespace.Service.ServiceName.IServiceEndPoint" behaviorConfiguration="webHttp" name="ServiceName"/>
</service>
</services>
<behaviors>
<endpointBehaviors>
<behavior name="webHttp">
<webHttp/>
</behavior>
</endpointBehaviors>
</behaviors>
So I've added the binding="webHttpBinding" as I'd like to secure the end point. Here's the corresponding config I have:
<bindings>
<wsHttpBinding>
<binding name="ServiceName">
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
</wsHttpBinding>
</bindings>
but this appears to not be securing the end point. I've tried this with Firefox to confirm IE isn't automatically authenticating and checked the headers in firebug.
Can anyone point me in the direction of the right config for doing this?
Thanks,
Matt
you forget to set bindingConfiguration
<endpoint address="http://localhost:8012/ServiceEndPoint" binding="webHttpBinding" contract="MyNamespace.Service.ServiceName.IServiceEndPoint" behaviorConfiguration="webHttp" name="ServiceNameEndpoint" bindingConfiguration="ServiceName"/>
In your binding you have configured a wsHttpBinding and in your service endpoint you have specified a webHttpBinding. I think you want your endpoint binding to be set to wsHttpBinding.
Check this link on WCF Bindings.
I'm trying to secure my WCF service using transport security model. I've successfully deployed my service to AppHarbor. But I'm getting the following exception when I try to access service page:
[InvalidOperationException: Could not find a base address that matches scheme https for the endpoint with binding BasicHttpBinding. Registered base address schemes are [http].] ...
I haven't uploaded any certificates, just using piggyback SSL there. I've downloaded the build and deployed it on my machine. It works fine.
Here is my system.serviceModel section of web.config:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="TransportSecurity">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="AuthService.AuthServiceBehavior" name="AuthService.AuthService">
<host>
<baseAddresses>
<add baseAddress="https://auth.apphb.com/AuthService.svc" />
</baseAddresses>
</host>
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="TransportSecurity" contract="AuthService.IAuthService" />
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="AuthService.AuthServiceBehavior">
<serviceMetadata httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
I've already tried this Hosting a WCF Web API app on AppHarbor?
Can somebody please explain me what I'm doing wrong?
This issue frequently appear when you communicate with the wcf web service thru the LB (AppHarbor one of the example of it).
You should know several things about such kind of communications.
1) Communication between yours client application and LB is secured (https is in use). So you should leverage security binding on the client side.
<basicHttpBinding>
<binding name="BasicHttpBinding_IAuthService">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</basicHttpBinding>
2) Communication between LB and web-front uses http, so server binding should be basicHttpBinding without extra configuration.
<endpoint binding="basicHttpBinding" contract="AuthService.IAuthService" />
Summarizing all that stuff we have
Client
<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_IAuthService">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="https://auth.apphb.com/AuthService.svc"
binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IAuthService"
contract="AuthService.IAuthService" name="BasicHttpBinding_IAuthService" />
</client>
</system.serviceModel>
</configuration>
Server
<system.serviceModel>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
<protocolMapping>
<add scheme="http" binding="basicHttpBinding" />
</protocolMapping>
<bindings>
<basicHttpBinding/>
</bindings>
<services>
<service behaviorConfiguration="AuthService.AuthServiceBehavior" name="AuthService.AuthService">
<endpoint binding="basicHttpBinding" contract="AuthService.IAuthService" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="AuthService.AuthServiceBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
Your approach is not going to work right off the bat. This is because SSL is terminated at the load balancers and the app servers see http traffic. You can read more about AppHarbor load balancers here.
You might be able to fool WCF with this module.
There are also some hints in this discussion: http://support.appharbor.com/discussions/problems/829-transportwithmessagecredential-https-ssl
How do I ensure my WCF service is over HTTPS and all communication is over HTTPS?
Theres nothing in my web.config file of the service that says http://... or https://....
HTTPS is set up in IIS and I can access the web service via http and https.
Or is this not required if it's encrypted anyway with message level security?
<bindings>
<wsHttpBinding>
<binding name="Binding1" maxReceivedMessageSize="20000000">
<security mode="Message">
<message clientCredentialType="UserName"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
HTTPS is HTTP over Transport-Layer Security (TLS). To enable it, you need to configure your binding to use transport security in addition to the existing message-level security:
<bindings>
<wsHttpBinding>
<binding name="Binding1" maxReceivedMessageSize="20000000">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
here is config for https:
<services>
<service name="WcfTransport.Service1" behaviorConfiguration="MyHttpsBehaviour">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="TransportSecurityBinding" contract="WcfTransport.IService1"/>
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors >
<behavior name="MyHttpsBehaviour" >
<serviceMetadata httpsGetEnabled="true" httpGetEnabled="false" />
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="TransportSecurityBinding">
<security mode="Transport">
<transport clientCredentialType="Windows"></transport>
</security>
</binding>
</wsHttpBinding>
</bindings>
note that httpsGetEnabled is set to true and httpGetEnabled is set to false. You can also remove mex endpoint if you don't need metadata exchange.
p.s. Message security is for message encryption, but of course, you can use message security with https.
I have a WCF service with two endpoints defined by the configuration file below:
<system.serviceModel>
<services>
<service name="SyncService" behaviorConfiguration="SyncServiceBehavior">
<endpoint name="Data" address="Data" binding="basicHttpBinding" bindingConfiguration="windowsAuthentication" contract="ISyncService"/>
<endpoint name="File" address="File" binding="basicHttpBinding" bindingConfiguration="httpLargeMessageStream" contract="ISyncService"/>
<endpoint address="mex" binding="webHttpBinding" bindingConfiguration="windowsAuthentication" contract="IMetadataExchange"/>
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="httpLargeMessageStream" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647" transferMode="Streamed" messageEncoding="Mtom" />
<binding name="windowsAuthentication" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" proxyCredentialType="None" realm=""></transport>
<message algorithmSuite="Default" clientCredentialType="UserName"/>
</security>
</binding>
</basicHttpBinding>
<webHttpBinding>
<binding name="windowsAuthentication">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows"></transport>
</security>
</binding>
</webHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="SyncServiceBehavior">
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
<dataContractSerializer maxItemsInObjectGraph="2147483647"/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true"></serviceHostingEnvironment>
</system.serviceModel>
I want to use windows authentication for the Data endpoint, but have recently discovered that you cannot use windows authentication for streaming over HTTP. I removed the security element for the File endpoint, but still get the following error:
HTTP request streaming cannot be used in conjunction with HTTP
authentication. Either disable request streaming or specify anonymous
HTTP authentication. Parameter name: bindingElement
Is it possible to have two endpoints on the same service use different authentication methods like this? Why can't I use windows authentication for streaming?
I have also tried what was suggested in this thread, but to no avail:
Which authentication mode of basichhtpbinding can be used to secure a WCF Service using Streaming?
Unfortunately this is not supported.