I have a WPF application, and I'm using WCF to consume a php webservice over Https, I've created a self-singed certificate on the server to test it and configured the client to use this certificate, but an exception appeared and tell me that I need to pass the client certificate also.
Actually I just want to secure the transmitted message, I don't need to authenticate the client, so how could I disable the client authentication.
I'm using security model "Transport" with clientCredentialType "Certificate" and .Net 3.5.
thanks in advance for opinions..
UPDATE
As I've mentioned, I don't need the service to verify the identity of the client so I have used Transport Security with an Anonymous Client instead of Transport Security With Certificate Authentication, the following is the client configurations:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="bindingName" closeTimeout="00:0:04"
openTimeout="00:00:04" receiveTimeout="00:00:04" sendTimeout="00:00:04"
allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
messageEncoding="Text" textEncoding="utf-8"
useDefaultWebProxy="true">
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647">
<security mode="Transport">
<transport clientCredentialType="None" proxyCredentialType="None" realm="" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://myServer/myApp/myWebService"
binding="wsHttpBinding" bindingConfiguration="bindingName"
contract="xx.yy" name="zz">
</endpoint>
</client>
Now the issue is: when I called the service a timeout error appears "The HTTP request to {My Service URL} has exceeded the allotted timeout".
Additional Info: The service worked fine over HTTP, the issues appear only when I moved to the HTTPS, and I can see the service WSDL if I open it through the internet browser, but the browse told me that there are insecure resources and I should enforce it to show me all resources in order to see the WSDL.
Probably your issue is:
// Create the endpoint address. Note that the machine name //
must match the subject or DNS field of the X.509 certificate //
used to authenticate the service.
So review your client config, and check certificate section findValue attribute to match you certificate's one.
Like
<clientCertificate findValue="contoso.com"
storeLocation="CurrentUser"
storeName="My"
x509FindType="FindBySubjectName" />
See more about Transport Security with Certificate Authentication.
Related
I am trying to send SOAP message to endpoint starting with HTTPS. This is one way SSL, so I should not need certificate to send request.
While using the config from below I get following exception:
Could not establish secure channel for SSL/TLS with authority 'some.domain.com/endpoint'.
I tried many different transport settings, sometimes it asks for username or certification in ClientCredentials, but hey - I should not need them! I could visit the requested endpoint via browser window without any authentication.
Am I missing something in configuration? I feel a little confused right now.
<bindings>
<basicHttpBinding>
<binding name="PublisherBinding">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="https://some.domain.com/endpoint"
binding="basicHttpBinding" bindingConfiguration="PublisherBinding"
contract="PublisherContract" name="NotificationsEndpoint"/>
</client>
unfortunately wcf test client does not support invalid certificates. you can make it work like this Is it possible to force the WCF test client to accept a self-signed certificate? or you can use wcfstorm. second solution is better.
I have a WCF service hosted on IIS with Windows Aut, I am able to connect to the service from my client application (WPF) on my local machine, but when I try to access the service from some other machine I get the following error
The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
I checked the providers in my IIS and there "Negotiate" is the first one and then the "NTLM". I also tried removing "NTLM" but that also did not help.
I have following configuration in my App.config
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding" maxReceivedMessageSize="2147483647"
receiveTimeout="00:30:00" sendTimeout="00:30:00"
openTimeout="00:10:00" closeTimeout="00:10:00">
<readerQuotas maxStringContentLength="2147483647" maxArrayLength="20971520" />
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" />
</security>
</binding>
</basicHttpBinding>
You may need to enable anonymous access in IIS.
I'm a new member in this fantastic website and this is my first question here ..
I wish I can find the solution..
I'm building a website and I need to secure the communications between clients and the server.
I should Use WCF in the implementation.
My project's requirements :
use WCF
binding: ws2007HttpBinding
security: HTTPS
client: Sign
I should use HTTPS for securing the communications and I should make the client sign the message (it's important).
I install certificates in both server and Client But I don't knoe how to make the clients sign the message.
I can't use message security in the wcf because I need HTTPS. Anyone can help me to know what is the TransportWithMessageCredential do for signing and how to implement such a thing??
Here is part of the app.config of the server:
<bindings>
<ws2007HttpBinding>
<binding name="ServiceWS2007HttpBindingConfg">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" />
<message clientCredentialType="Certificate" negotiateServiceCredential="false" />
</security>
</binding>
</ws2007HttpBinding>
</bindings>
<services>
<service name="Service">
<endpoint address="https://MAHER-PC/EBPP/Service.svc" binding="ws2007HttpBinding"
bindingConfiguration="ServiceWS2007HttpBindingConfg" contract="IService" />
</service>
</services>
thanks....
Depends on what you're planning to sign.
A good place to start would be to have a look at setting the ProtectionLevel for your service in the service contract.
Information:
http://msdn.microsoft.com/en-gb/library/aa347692.aspx
How to:
http://msdn.microsoft.com/en-gb/library/aa347791.aspx
Is it possible to create a WebService using JAX-WS, that whould then be consumed by a WCF client using such a binding?
<bindings>
<basicHttpBinding>
<binding name="CaseObjectServicePortBinding" >
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Certificate"/>
<message clientCredentialType="Certificate" />
</security>
</binding>
</basicHttpBinding>
</bindings>
I created such a service without WSIT for now, just a plain service and wanted to just ignore the "Security" header in incoming SOAP message. But it fails with:
"Could not establish secure channel for SSL/TLS with authority 'xxxxxxxxxx'."
If I change:
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Certificate"/>
<message clientCredentialType="Certificate" />
</security>
to:
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
<message clientCredentialType="Certificate" />
</security>
everything works flawlessly. Any ideas what am I doing wrong?
The answer is yes. You can use BasicHttpBinding or WsHttpBinding
The error was occurred because when you use TransportWithMessageCredential, the WCF client will impose additional security to your message sent through the wire, which is interoperable only to WCF service.
Once you changed it to Transport, only transport security( SSL using certificate) is applied , so that why both client and service can understand how to communicate with each other.
Cheers.
When defining security as TransportWithMessageCredential you say: I want a service which will communicate over secured transport channel (HTTPS) and I want to pass client credentials in SOAP header.
If you define Certificate credential type in message element you say: The SOAP header will transport client credentials as x.509 Certificate token profile. It is interoperable format which requires WS-Security on the service.
If you define Certifiate credential type in transport element you say: I want mutual SSL authentication. I'm actually not sure if this is used if you define TransportWithMessageCredential
This happened on the step of initiating the request; the TLS exception pops out to you because the certificate set on the client is not trusted. Use a certificate with the common destination name, if you are using the service on public use the domain name else use the destination IP address as a common name and it will work just fine .
PS: Use the 'basichttps' binding in case you want to proceed with the https content type 'text/xml' soap 11 the the default from jaxws
I have a WCF service hosted in a Windows Service. Clients from various platforms will access the service. Now I would like to add a basic security mechanism. Ideally, the clients should use username/password for authentication.
Which binding settings do I have to use in this scenario and how can I authenticate the client? Interoperability is more important than a very secure solutions. If possible the client should not be forced to use a certificate or something the like. Additionally, authentication should not be strongly coupled with a SQL Server database. I would like to manually inspect the client credentials.
Thanks for your help
The best for your case can be BasicHttpBinding with security set to TransportWithMessageCredentials and credential type set to UserName. In this case your service will be secured with HTTPS (requires server certificate for SSL which has to be trusted on clients) and authentication will be provided on message level with UserName Token Profile (SOAP header). You can implement your own password validator.
BasicHttpBinding configuration skeleton:
<bindings>
<basicHttpBinding>
<binding name="Secured">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName" />
</security>
</binding>
</basicHttpBinding>
</bindings>
If you don't want to use HTTPS you can create custom binding with HttpTransport, TextMessageEncoding and with security mode set to UserNameOverTransport. But you have to set allowInsecureTransport to true (be aware that there is some bug with WSDL generation in this setting).
Custom binding configuration skeleton:
<bindings>
<customBinding>
<binding name="Secured">
<security authenticationMode="UserNameOverTransport" allowInsecureTransport="true" />
<textMessageEncoding messageVersion="Soap11" />
<httpTransport />
</binding>
</cutomBinding>
</bindings>
See the Internet section of the Application Scenarios for guides on how to achieve this:CodePlex Application Scenarios