I'm trying to secure my WCF service using transport security model. I've successfully deployed my service to AppHarbor. But I'm getting the following exception when I try to access service page:
[InvalidOperationException: Could not find a base address that matches scheme https for the endpoint with binding BasicHttpBinding. Registered base address schemes are [http].] ...
I haven't uploaded any certificates, just using piggyback SSL there. I've downloaded the build and deployed it on my machine. It works fine.
Here is my system.serviceModel section of web.config:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="TransportSecurity">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="AuthService.AuthServiceBehavior" name="AuthService.AuthService">
<host>
<baseAddresses>
<add baseAddress="https://auth.apphb.com/AuthService.svc" />
</baseAddresses>
</host>
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="TransportSecurity" contract="AuthService.IAuthService" />
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="AuthService.AuthServiceBehavior">
<serviceMetadata httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
I've already tried this Hosting a WCF Web API app on AppHarbor?
Can somebody please explain me what I'm doing wrong?
This issue frequently appear when you communicate with the wcf web service thru the LB (AppHarbor one of the example of it).
You should know several things about such kind of communications.
1) Communication between yours client application and LB is secured (https is in use). So you should leverage security binding on the client side.
<basicHttpBinding>
<binding name="BasicHttpBinding_IAuthService">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</basicHttpBinding>
2) Communication between LB and web-front uses http, so server binding should be basicHttpBinding without extra configuration.
<endpoint binding="basicHttpBinding" contract="AuthService.IAuthService" />
Summarizing all that stuff we have
Client
<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_IAuthService">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="https://auth.apphb.com/AuthService.svc"
binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IAuthService"
contract="AuthService.IAuthService" name="BasicHttpBinding_IAuthService" />
</client>
</system.serviceModel>
</configuration>
Server
<system.serviceModel>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
<protocolMapping>
<add scheme="http" binding="basicHttpBinding" />
</protocolMapping>
<bindings>
<basicHttpBinding/>
</bindings>
<services>
<service behaviorConfiguration="AuthService.AuthServiceBehavior" name="AuthService.AuthService">
<endpoint binding="basicHttpBinding" contract="AuthService.IAuthService" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="AuthService.AuthServiceBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
Your approach is not going to work right off the bat. This is because SSL is terminated at the load balancers and the app servers see http traffic. You can read more about AppHarbor load balancers here.
You might be able to fool WCF with this module.
There are also some hints in this discussion: http://support.appharbor.com/discussions/problems/829-transportwithmessagecredential-https-ssl
Related
I am unable to connect to a WCF service hosted on our dev server but I am able to browse to it.
I am just trying to add a service reference via Visual Studio and when I click on Go, it gives me the following error.
An error occurred while receiving the HTTP response to http://...Service.svc. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details.
My other colleagues are able to add the service reference and connect to this service with no issues, which makes it harder for me to understand the cause of this issue.
Web.config - system.serviceModel:
<serviceHostingEnvironment multipleSiteBindingsEnabled="true"/>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding" maxReceivedMessageSize="2147483646">
<readerQuotas maxStringContentLength="2147483646" />
<security mode="None">
<!-- **WARNING** Changes to the security binding must also be made in client binding code -->
<transport clientCredentialType="None" proxyCredentialType="None" />
<message clientCredentialType="None" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="X.X.X.RepositoryService" behaviorConfiguration="repositoryServiceBehavior">
<endpoint address=""
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding"
contract="X.X.X.ICatalogServiceContract" />
<!-- ** NOTE Metadata not supported SSL at this time **-->
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="repositoryServiceBehavior">
<serviceDebug httpHelpPageEnabled="true" includeExceptionDetailInFaults="true" />
<serviceMetadata httpGetEnabled="true" httpGetUrl=""/>
<dataContractSerializer maxItemsInObjectGraph="2147483646"/>
</behavior>
</serviceBehaviors>
</behaviors>
Currenlty there is a Wcf service hosted as windows service in one of our client side machine, actually currently this is working with normal http call. As we need to use https instead of http, for that we modified app.config but after starting the service the https url not working.Then we tried URL reservation by using netsh http add urlacl url=https://+:18732/Peripheral/ user=Everyone.Then we restared the service again it's not able to access the https url.
we are getting the error in the URl browser •Make sure that TLS and SSL protocols are enabled.
Is this related to any certificate issue? if so how we can able to solve this issue?
The web.config is provied below:-
<system.serviceModel>
<standardEndpoints />
<serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
<bindings>
<basicHttpBinding>
<binding name ="soapBinding">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</basicHttpBinding>
<webHttpBinding>
<binding name="Bind1" crossDomainScriptAccessEnabled="true">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</webHttpBinding>
</bindings>
<services>
<service name="Peripheral.Server.Impl.PeripheralServiceImpl" behaviorConfiguration="SvcBhvr">
<host>
<baseAddresses>
<add baseAddress="https://localhost:18732/Peripheral/" />
</baseAddresses>
</host>
<endpoint address="https://localhost:18732/Peripheral/" binding="webHttpBinding" behaviorConfiguration="EndPBhvr" bindingConfiguration="Bind1"
contract="Peripheral.Server.Contract.IPeripheralService">
<!--<identity>
<dns value="localhost" />
</identity>-->
</endpoint>
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<endpointBehaviors>
<behavior name="EndPBhvr">
<webHttp />
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="SvcBhvr">
<serviceMetadata httpsGetEnabled="true" httpGetEnabled="false" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
Anyone knows how to fix this and what we needed to do so that we could able to access the url as https from windows services?
You may need also to bind ssl certificate to the specific port number using netsh or HttpConfig tool depending from OS version. Detailed instructions can be found here
In your case it could be:
netsh http add sslcert ipport=0.0.0.0:18732 certhash=<certhash> appid={<guid>} clientcertnegotiation=enable
where
certhash = your certificate Thumbprint(X509Certificate2.Thumbprint)
appid = could be just Guid.NewId()
I've tried a lot of tips on this one but I cannot get it working. On the client I have:
<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="[binding_name]">
<security mode="Transport" />
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="/[service_name].svc"
binding="basicHttpBinding"
bindingConfiguration="[binding_name]"
contract="[contract_name]"
name="[endpoint_name]" />
</client>
</system.serviceModel>
</configuration>
And on the server:
...<service name="[service_name]">
<endpoint address=""
binding="basicHttpBinding"
bindingConfiguration="[binding_name]"
contract="[contract_name]"
name="[endpoint_name]"/>
<endpoint contract="IMetadataExchange"
binding="mexHttpsBinding"
address="mex" />
</service><behaviors>
<serviceBehaviors>
<behavior name="">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors><bindings>
<basicHttpBinding>
<binding name="[binding_name]">
<security mode="Transport">
<transport clientCredentialType ="None"/>
</security>
</binding>
</basicHttpBinding>...
One potential clue is that when I navigate to https://[server_name]/[service_name].svc?wsdl, I see the location is correct on
<wsdl:import namespace="http://[namespace]" location="https://[server_name]/[service_name].svc?wsdl=wsdl0"/>
but incorrect on
<wsdl:port name="[binding_name]" binding="tns:[binding_name]">
<soap:address location="http://[machine_name]/[service_name].svc"/>
</wsdl:port>
Notice location="http://[machine_name]/[service_name].svc" Is that expected? If not, what could be the problem?
I've also made sure that [service_name] in the server configuration is the FQN of the service implementation. Everything worked as expected before I enabled SSL on the server and changed the security mode to transport, etc.
The problem in my case was the fact that though the service_name in <service name="[service_name]"> was the correct FQN of the service implementation, it did not match the Service attribute in the *.svc file. In that case it seems that WCF creates a default name for the endpoint, which is something like BasicHttp_service_name. That worked until SSL was enabled and was looking for the endpoint with a URL starting with https.
As for the machine_name issue, it was because I didn't set the host name for https in the IIS site bindings.
I have a WCF app hosted in IIS6 (and 7 in dev environment) with one wsHttp (SOAP) and two webHttp (REST) bindings.
I want to secure the services when publishing to production site and disable metadata and webHttp help page and ENABLE SSL for the bindings. At the same time i would like to have HTTP disabled. I'm aware of the option in IIS to "Require Secure Channel" but I was wondering if the same can be achieved in web.config?
I was under the impression that
<security mode="Transport">
would "disable" http access (ie. https required) but in my case it didn't.
Her is the ServiceModel part of web.config:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="SoapTransportSecurityBinding">
<security mode="Transport">
<transport clientCredentialType="None"/>
<message establishSecurityContext="false"/>
</security>
</binding>
</wsHttpBinding>
<webHttpBinding>
<binding name="RestTransportSecurityBinding">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</webHttpBinding>
</bindings>
<services>
<service name="CustomerWcfService" behaviorConfiguration="Web.ServiceBehavior">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="SoapTransportSecurityBinding" contract="ICustomerWcfService">
<identity>
<dns value="ws.somecompany.com"/>
</identity>
</endpoint>
</service>
<service name="SentShipmentsWcfRestService" behaviorConfiguration="webHttpServiceBehavior">
<endpoint address="" binding="webHttpBinding" bindingConfiguration="RestTransportSecurityBinding" contract="ISentShipmentsWcfRestService"
behaviorConfiguration="RestEndpointBehavior"/>
</service>
<service name="InsuranceInfoWcfRestService" behaviorConfiguration="webHttpServiceBehavior">
<endpoint address="" binding="webHttpBinding" bindingConfiguration="RestTransportSecurityBinding" contract="IInsuranceInfoWcfRestService"
behaviorConfiguration="RestEndpointBehavior"/>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="Web.ServiceBehavior">
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
<behavior name="webHttpServiceBehavior">
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="RestEndpointBehavior">
<webHttp helpEnabled="false"/>
</behavior>
</endpointBehaviors>
</behaviors>
It looks it couldn't be achieved in web.config. But in the binding settings you can set
<security mode="Transport">
In this case endpoints will not be valid if there is no SSL required.
I tried to setup a service for testing using a net.tcp binding. I also set a http endpoint. The configuration is as follows:
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="Inbound_REST">
<webHttp />
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="InboundHttpConfiguration">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="InboundTcpConfiguration">
<serviceMetadata httpGetEnabled="false" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="InboundTcpConfiguration" name="Inbound">
<endpoint address="" binding="netTcpBinding" contract="IContract">
<identity>
<dns value="localhost"/>
</identity>
</endpoint>
<host>
<baseAddresses>
<add baseAddress="net.tcp://localhost:6969/Inbound" />
</baseAddresses>
</host>
</service>
</services>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
<client>
<endpoint name="httpEndPoint" address="http://localhost:1568/Inbound.svc" binding="basicHttpBinding" contract="IContract" />
<endpoint name="tcpEndPoint" address="net.tcp://localhost:6969/Inbound" binding="netTcpBinding" contract="IContract" />
</client>
<bindings>
<basicHttpBinding>
<binding name="httpbind">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</basicHttpBinding>
<netTcpBinding>
<binding name="tcpbind">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</netTcpBinding>
</bindings>
</system.serviceModel>
When I attempt to consume the service using the net.tcp binding, it always return me the error:
Could not connect to net.tcp://localhost:6969/Inbound. The connection attempt lasted for a time span of 00:00:00.9531494. TCP error code 10061: No connection could be made because the target machine actively refused it 127.0.0.1:6969.
By the way, the http binding works fine. I think it could be some machine configuration, but wasn't able to find what's the root cause.
If you are trying to run your WCF service through visual studio netTcpBinding is not supported. Sorry!
Check out this post for a more detailed explanation.
Why did you leave out the ".svc" for the net.tcp address for the client? Maybe it should be "net.tcp://localhost:6969/Inbound.svc"
What hosting you are using..IIS7 or console or others?
1)Check all tcp services are running in services.msc
2)Turn off your fire wall or add firewall exception to your tcp port
if you are hosting in iis7 check this link
IIS7 support for non http protocols