I have a WCF service, which is currently hosted on two servers behind an NLB.
The two server addresses are (for example) t001.mydomain.com and t002.mydomain.com and the NLB address is services.mydomain.com. Both t001 and t002 have an SSL certificate for services.mydomain.com
We moved several ASMX services to a new WCF model. When I first put the services on both servers I had a problem consuming the WSDL. One service was working, but the others gave me an error that they could not create a secure connection, since the certificate was invalid.
I put the URLs in to Chrome and I noticed that the service that was working had a WSDL URI like this: http://services.mydomain.com/services/service1.svc and the services that did not work had a URI of http://t001.mydomain.com/services/service2.svc. So I get why the certificate was not valid for these services.
What I did to fix this (after looking at the differences in the config files) is add the following line to the config files of the services that were not working:
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
Now, I kind of understand why this works. I know its a solutions, but I dont know if it is THE solution to my issue.
Is this the way around this issue? Is there a better / more recommended way to get around this? Maybe someone can point me at an authoretive source explaining this, since I couldnt really find one.
This did not work, because cert. Domain part is different. See
A thing about host names - some systems will not work properly unless you use the fully qualified domain name. Others are not so picky. In any case - the certificate's Subject DN should uniquely describe the service, application or server it represents.
From this post Mutual WCF certificate authentication/SSL in cluster environment
More details can be found here: http://technet.microsoft.com/en-us/library/dd439393(v=exchg.80).aspx
Related
I have a WCF service that I want to secure with Client Certificates but I cannot get it to work on Azure.
I removed Azure from the equation by hosting the service on a standard Windows Server on Amazon. I installed both the service and client certificates (none are self-signed) into the Local Machine 'Personal' store on this server including the chained certificates and it all worked as expected, called from my local PC, with the client cert set against the binding/behavior. It did not work without the certificate being specified so it definitely worked correctly this way.
I then deployed the service to Azure. The client and server certificates are uploaded to the portal and set in the config against "Local Machine/My" and the CA and root certificates are uploaded and I tried them in various stores including "My", "Trusted" and "CA". Every variation I try, I continue to get "The HTTP request was forbidden with client authentication scheme 'Anonymous'" called from exactly the same program locally with the only change being the client endpoint address.
As another detail, I can get it to work without certificates so there is no problem with the web service but I am unsure how to work out what is actually happening with the certificate handshake between client and service.
I have finally got it to work, and have written a guide here: Blogspot.co.uk
I'm not sure what I had got wrong before since I have not done anything too weird to make it work. I think perhaps I had a small defect somewhere in configuration that I eventually fixed by starting again. Anyway, it DOES work and provides some useful security on Azure.
See my answer to this SO post - bottom line, cert in LocalMachine/My and run with elevated privileges in csdef file add:
<Runtime executionContext="elevated" />
I would like do use Atomic Transactions between WCF and Weblogic, but I'm facing many problems to configure it.
I've already turned on the Wsat on Windows and associated it a valid certificate. I also enabled the SSL on IIS and configured the https port.
My main doubts are about the right WCF binding configurations and how and where I import the IIS certificate on Weblogic.
I imported my Wsat certificate in Demo.jks file (Weblogic keystore), but it did not work.
Best regards,
ps: Forgive my poor english :)
So, I previously posted about my troubles in moving a working WCF service from my local machine to the development server. The problem was that when moving it over all of the references were by machine name rather than ip. Since i was not accessing it on the domain, I couldn't see the machine name and couldn't access the references. Here was my previous post (.NET WCF service references use server name rather than IP address causing issues when consuming).
I found a solution, but wanted to make sure that this is the proper solution to my issue. And also ask if anyone else had any other input? The solution was to change the IIS site binding. I found the solution at (http://blogs.msdn.com/wenlong/archive/2007/08/02/how-to-change-hostname-in-wsdl-of-an-iis-hosted-service.aspx). The only thing is that I may have to do this for every site as the application that i work with is not hosted and is a web-based solution installed at each site. So i'm possibly going to have to include a script in the build for each site.
I would think that I would be able to make this change in the .config file?
The right way to handle this is to set and explicit host-header in IIS for the Web Site instance. Now, assuming you've only got one host-header applied to the Web Site instance that should be all that you need. However, if you have multiple host-headers configured you will also need to explicitly tell WCF which host to expose itself via. This is done with the configuration element under the element to bind the service to that specific domain.
This is probably a basic networking issue, but I am new to this stuff and just do not know the answer.
I have written a wcf service and client. I can use one of the http bindings and get the service to work correctly when I put my machine's network IP address as the endpoint address and run the client and server from the same machine. Now, I want to be able to connect to this service from a different machine over the internet. Clearly it does not work when I use my network IP address in this scenario, but simply putting in my router's broadband IP address does not seem to be doing the trick, either. Am I just missing a firewall port that I need to open up, or am I trying to do something that should not be possible?
If you want users from the internet to be able to connect to your service, you'll have to consider a few points:
binding: the lowest common denominator is the basicHttpBinding which is SOAP 1.1 with basically no additional features available - just like ASMX webservices. Just about anyone can connect to that. For more advanced clients, you might also want to expose a wsHttpBinding endpoint on your service
security: how (if at all) do you want to secure access to your web service? Do you have username/password credentials that callers must supply? Check out the WCF Security Guidance for a whole slew of information bits on the various security scenarios
authenticating your service: typically, you should strive to make your service authenticate itself to the rest of the world - this requires a server certificate and enables secured communication (messages signed + encrypted) on the wire
make sure your service endpoint(s) is reachable from the internet, through all firewalls and proxies and everything :-)
Hope that helps a bit!
You need to set up port forwarding on your router. Perhaps someone on ServerFault or SuperUser would be able to help you. Or even a google search now that you know what it's called. The instructions will be different depending on the router. The port you need to forward will be the port you've picked in the WCF config file.
I host WCF services through IIS, but it took me ages to work out how. At the moment I put the files on the webserver and enable websharing on the root folder. Then you can assign them to an appropriate Application Pool in IIS, and add a service reference to any client projects using the URL of the wsdl.
I'm not sure if this is the best way to do it but its the only way I've worked out so far.
Here's the simple solution.
I am assuming that you have made a working WCF application and hosted over the IIS.
The next thing to do is to browse the application from the IIS. It will give you url in the address bar something like:
http://localhost/myservice/service.svc
Next go to www.whatismyip.com. this will give you your system's WAN IP (say, 45.34.56.200).
Replace the URL you got in step 2 with: http://45.34.56.200/myservice/service.svc
Now you can use this URL any where in this world to consume your service.
I found a good Article and it is working fine for me, on the following the Main steps:
1-First you should create WCF Service.
2-add application on IIS and give alias for your virtual directory and set path from your local drive.
3-Make sure your default app pool set to .NET CLR V4.0.
4-test your WCF service is running successfully on localhost.
5-To access the same via LAN (Local Area Network) you must disable Firewall for you Private network.
6- try to use ngrok.com, you will get Temp URL to use via internet to access your LocalHost anywhere.
Then Everything will be fine.
For More Information Check the following Link:
https://www.codeproject.com/Tips/813650/Host-WCF-on-LocalHost-and-access-via-Internet
We use BigIP to load balance between our two IIS servers. We recently deployed a WCF service hosted on by IIS 6 onto these two Windows Server 2003R2 servers.
Each server is configured with two host headers: one for the load balancer address, and then a second host header that points only to that server. That way we can reference a specific server in the load balanced group for debugging.
So when we run We immediately got the error:
This collection already contains an address with scheme http. There can be at most one address per scheme in this collection.
Parameter name: item
I did some research and we can implement a filter to tell it to ignore the one of the hosts, but then we cannot access the server from that address.
<serviceHostingEnvironment>
<baseAddressPrefixFilters>
<add prefix="http://domain.com:80"/>
</baseAddressPrefixFilters>
</serviceHostingEnvironment>
What is the best solution in this scenario which would allow us to hit a WCF service via http://domain.com/service.svc and http://server1.domain.com/service.svc?
If we should create our own ServiceFactory as some sites suggest, does anyone have any sample code on this?
Any help is much appreciated.
EDIT: We will need to be able to access the WCF service from either of the two addresses, if at all possible.
Thank you.
On your bigIP Create 2 new virtual servers
http://server1.domain.com/
http://server2.domain.com/
create a pool for each VS with only the specific server in it - so there will be no actual load balancing and access it that way. If you are short on external IP'S you can still use the same IP as your production domain name and just use an irule to direct traffic to the appropriate pool
Hope this helps
The URL it uses is based on the bindings in IIS. Does the website have more than one binding? If it does, or is the WCF service used by multiple sites? If it is, then you are SOL AFAIK. We ran into this issue. Basically, there can be only one IIS binding for HTTP, otherwise it bombs.
Also, here's info on implementing a ServiceHostFactory. That WILL work if it's possible that your WCF service only be accessible through 1 address (unfortunately for us, this was not possible).
When you need to test a specific machine, you could "bypass" the load balancing and ensure the correct host-header is sent to keeep WCF happy by editing the "hosts" file on the machine you're testing from so, for example:
10.0.0.11 through 10.0.0.16 are the six hosts that are in the cluster "cluster.mycompany.local", with a load balanced IP address of 10.0.0.10. When testing you could add a line to the machines hosts file that says "10.0.0.13 cluster.mycompany.local" to be able to hit the third machine in the cluster directly.