is it possible to have BasicHttpBinding with an Custom UserNamePasswordValidator and have transport security?
I have tried with wsHttpBinding but when I cant make an php soap client explained in this link.
Using SOAP wsHttpBinding from PHP
and in this guide they talk as if custom UserNamePasswordValidator wont get called in basicHttpBinding.
http://www.codeproject.com/Articles/36396/Difference-between-BasicHttpBinding-and-WsHttpBind
I just get InvalidSecurity from php soap and if I trace the error Security processor was unable to find a security header in the message. This might be because the message is an unsecured fault or because there is a binding mismatch between the communicating parties. This can occur if the service is configured for security and the client is not using security.
currently im using basicHttpBinding with TransportWithMessageCredential with clientCredentialType="UserName" />
i'll include the config if its necessary but I just need to know if it can be done or else I guess I have to call the validate method inside every [OperationContract]? havent tested this yet but seen others talk about it.
ok I dont know how it works but apperently I did right all along. what made it to work was that in my php code when i specify username and password that the parameters was named.
$soapClient = new SoapClient("https://wsdl"), array('login' => "user123",
'password' => "pass123"));
and the same in my custom username password validator. i had userName and Password before on both places and that didnt work. So i dont know the difference but it works now... maybe someone else can answer why it works this way.
Related
I know there are lots of Q&As here for the error "could not establish secure channel for SSL/TLS with authority" topic but i am not able to find an answer or convincing reason for my problem.
Below is my problem:
I have a vendor service (soap service), which is protected with Username/Pwd authentication (Basic auth i assume). When i try to test this service using SOAP UI tool with supplying the username/password - it works just fine with no issues.
But when i use the same in my c# code (console app), its throwing the above error
could not establish secure channel for SSL/TLS with authority '....'
After researching this error, i also set the logic as below:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
I tried attempting the above with all the options like SSL3, TLS, TLS1, TLS2 and all sorts of combinations but for any such, i dont get the error but again, it doesnt take any effect. no error, no response.
what could be the possible cause to handle in code while it works fine in SOAP UI?
After few more research, i also noticed that the Fiddler DO_NOT_TRUST related cert and removed them from my machine. And to add, i am using this console app from my Win 10 machine, on VS 2017 under development. After removing that and when i attempted again, i get the below error now:
System.ArgumentException HResult=0x80070057 Message=The provided URI
scheme 'https' is invalid; expected 'http'. Parameter name: via
Source=System.ServiceModel
Update-2:
I did installed the CERT to my local machine Trusted root and having the below lines to use the cert exactly but still no luck
client.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.Root, X509FindType.FindBySerialNumber, findValue: "<serial-number>");
Any help?
Huh.. finally i figured the solution myself.
below are the ones helped me really.
Looked up in the developer tools of this asmx in Chrome/IE. It did show the below
Security tab in Chrome for the service
That tells me that its on TLS1.2, was not able to figure out how the SOAP UI was able to manage this without having the CERT in the machine store.
Along with the clientCredentials passed, i also added
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
Config for binding:
<binding name="mysoapCredBinding">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName" />
</security>
</binding>
Still - i had the certificate installed in the store but i dont think its needed at all with the above. It made me tricky when i started researching with teh above error and most of them directed me to the CERTs issue and thats the confusion. We also dont need to pass these creds in HEADERS explicitly but with the above config, should do good.
-- for folks having the similar issue like mine, please note - CERTIFICATE setup is not the first and only solution. This one may also be a solution if any of your problem is very similar to mine (with credentials to invoke service).
After a lot of googling, i ask for your help for a problem who seems to be easy but... really not.
How can i use custom login/password like in this tutorial with basichttpbinding instead of WSHttpBinding ?
http://codebetter.com/petervanooijen/2010/03/22/a-simple-wcf-service-with-username-password-authentication-the-things-they-don-t-tell-you/
I need this because clients for my webservice could be in PHP and i found that WSHttpBinding don't works with PHP Soap implementation.
Thank's by advance !
Although the actual code in this MSDN example uses wsHttpBinding, the custom user/password validator code is also applicable for basicHttpBinding use. Look at the code in this blog post to see the basicHttpBinding specific configuration for using a custom validator. Just remember that WCF, by default, will only support secure communication between the client and service. This means the basicHttpBinding configuration shown in the blog post must be over HTTPS.
Ok so finally i'm done without HTTPS but it works !
I used the following links to generate a clean webservice :
http://channel9.msdn.com/Shows/Endpoint/Endpoint-Screencasts-Creating-Your-First-WCF-Service
http://laedit.developpez.com/PHP/CSharp/Interoperabilite/#LIV (in french, show the wcf par)
And then, i finally make a app.config file who works : http://pastebin.com/cVGC88Gj .This is a modified version of the example made in the second link.
And this is the custom authentification code : http://pastebin.com/QucGKqZt
Remember that this code NEVER HAD TO BE IN PRODUCTION. PASSWORDS ARE SENT IN CLEAR IN HEADERS. But for developing it's clean and simple ;-)
My first question is, is it even possible to use a custom UserNamePasswordValidor with basicHttpBinding?
I have a asp.net web site using Forms authentication and a custom membership provider. I realise that I could use the built in System.Web.ApplicationServices.AuthenticationService to authenticate my client (a WPF app) but I don't want two service calls (one for auth service, one for logic).
So it seems that a custom UserNamePasswordValidator would be perfect for the job. In my client I can then have:
var service = new MyServiceClient();
service.ClientCredentials.UserName.UserName = "username";
service.ClientCredentials.UserName.Password = "password";
MessageBox.Show(service.SayHello());
I've seen this working with wsHttpBinding but ideally would like to test without an SSL certificate.
Alternatively, is it possible to make use of the AuthenticationService from within another WCF service?
To clarify what I mean above regarding authentication service, I don't want to have 2 service calls i.e:
if (authService.Login("username", "password"))
// then call my service
I know this a minor thing but the external developer of the client app is expecting just one service that takes the credentials and returns the required data.
Thanks,
Ben
check ClearUserName binding: http://webservices20.blogspot.com/2008/11/introducing-wcf-clearusernamebinding.html It should solve your problem.
I use UserNamePasswordValidator over basicHttpBinding on a couple of my current projects. It works great; however, like Brett Robi mentioned in the comments, you need to have your Security mode set to Message or TransportWithMessageCredentials in order for the validator to be called. These security modes require SSL through.
So in short - Yes you can over basicHttpBinding; however, only with SSL. Removing the security mode and SSL removes the credential validations from being called.
I have a situation where by I have un ticked the anonymous authentication in IIS, so the designers and clients are able to see the work but no one else. I need to get the WCF Service to work under these conditions but I am not sure how.
Does anyone have any idea what I would need to do?
You can attach the credential to the URL as querystring. your WCF services( in message inspector ) can check it for authentication purposes. You might also want to enable https.
I have a WCF service up and running and am able to communicate between the service and a .Net 2.0 Client using basicHttpBinding.
I now need to lock down the WCF service so that it can only be called by authenticated clients.
I have control over the clients that will be calling my service. The clients are part of a product that will be installed in the wild and "phoning home" to push and pull data. The client app is written for .Net 2.0 framework and cannot be upgraded to 3.0 or 3.5 at this time. I cannot add windows user accounts to the client machines.
What are my options for securing the WCF Service and being able to authenticate from my .Net 2.0 clients? Also, data needs to be passed over https.
I've been searching the web, and feel like I'm on a wild goose chase.
You can configure a WCF endpoint to use 2-way SSL authentication. That means that you can require clients to present an X.509 certificate that confirms their identity whenever they make a request to the service.
On the server side of things, you can use one of the built-in validation schemes in WCF or provide your own validation logic to check the X.509 certificate.
If you were hosting your service in IIS, it would be trivial to configure SSL to require client certificates at the transport-level. However, you can find a good guide on how to implement this behaviour in a self-hosted WCF service here:
http://leastprivilege.com/2007/08/25/certificate-based-authentication-and-wcf-message-security/
I haven't tried this myself but, since this creates a security requirement at the message-level, I think you will have to use wsHttpBinding to enforce it in your WSDL contract, since imposing security requirements to access a web service is part of the WS-* standards.
If you have to use basicHttpBinding, you can try this solution instead that moves things up at the transport-level:
http://leastprivilege.com/2007/08/26/certificate-based-authentication-and-wcf-mode-independent/
Hope this helps
OK so, with SSL you have transport level security; which is fine, that protects the message from sniffing and changing.
So now you have options; do you need the validation to be silent, or can you prompt the user for a username/password when your program starts? If it must be silent then you can go the client side certificate as mentioned (although that is painful, you will need to generate the certificates yourself and validate them, so you need to look at running your own certificate authority). Or you can embed a custom header in the message which contains a client ID and do it the kludgey way.
If however you can prompt for a username and password then you authenticate that way and plug it into a database lookup quite easily using a custom authenticator, or even using the ASP.NET membership database.
Here is what I ended up doing which seemed to be the simplest solution in our situation, which is pretty small scale with only a handful of web services exposed:
Secured the transport with SSL
Clients first login to the web service by calling a Login method on the web service. If the login succeeds, it returns an encrypted FormsAuthenticationTicket to the client.
Clients must then supply the forms authentication ticket with each web service call. Each method checks if the ticket is valid and if so it does its work. If the ticket has expired or is invalid, clients must re-authenticate.
Hope that helps someone...
You security will be covered by the ssl.
For authentication you have two options - basic (username and password) or certificate.
Here is a video that demonstrates configuring certificate authentication.
In that you are configuring the security elements of the basicHttpBinding shown below:
<basicHttpBinding>
<binding name="basicHttp">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="Certificate"/>
</security>
</binding>
</basicHttpBinding>
There is also a good page on this here. Google on clientCredentialType and you should find yourself on the right track soon enough.
For setting up the client certificates you are after the wse* policy file.
You will need to work out how you will provide the client certificate to the various sites.- that depends on security concerns of the project. There are various ways (none of which I can remember sorry, I last did this for wse* to wse* about two years ago so the details are forgotten, but it is certainly possible, took a few days solid research to find a good method).
Using SSL certificate is the only option for .NET 2.0 client accessing WCF service as basicHttpBinding provides no security. By using SSL, you are securing the whole transport channel.
Check the link http://www.codeplex.com/WCFSecurityGuide/Release/ProjectReleases.aspx?ReleaseId=15892 . It covers WCF Security covering all scenarios.
To get free SSL certificate please visit http://www.comodo.com/ or http://www.instantssl.com/ and try out in your application.