I'm trying to host my SSL WCF service locally on my PC (IIS 7) and for some reason I can't connect to it. What I need is to use SSL and send in credentials to authenticate the user before calling some function.
When I connect to it, I get: There was no endpoint listening at https://[computer name]/YYY.svc that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.
The inner message is: The remote server returned an error: (404) Not Found.
What I have noticed is that when I access the WSDL (hosted over https) the endpoint address is not http*S* and I think that is why my service is probably failing.
Here is part of my WSDL:
<wsdl:service name="WSNAME">
<wsdl:port name="WSHttpBinding_INams" binding="tns:WSHttpBinding_INams">
<soap12:address location="http://[computer name]/YYY.svc" />
<wsa10:EndpointReference>
<wsa10:Address>http://[computer name]/YYY.svc</wsa10:Address>
<Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
<Spn>host/[computername]</Spn>
</Identity>
</wsa10:EndpointReference>
This is my service config file
<service behaviorConfiguration="test" name="NewServiceType">
<endpoint address="https://[computer name]/YYY.svc" binding="wsHttpBinding"
bindingConfiguration="WsBinding" name="WS" contract="Authentication2.INams" />
<endpoint address="mex" binding="mexHttpBinding" name="MX" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="https://[computer name]/XXX.svc" />
</baseAddresses>
</host>
Can anyone point out what I am doing wrong?
My web.config:
<system.serviceModel>
<protocolMapping>
<remove scheme="http" />
<add scheme="http" binding="wsHttpBinding" />
</protocolMapping>
<bindings>
<wsHttpBinding>
<binding name="wsbinding">
<security mode="TransportWithMessageCredential">
<transport proxyCredentialType="Basic" />
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="NewServiceType">
<endpoint address="/WS" binding="wsHttpBinding"
bindingConfiguration="wsbinding" name="WS" contract="Authentication3.IService1" />
<endpoint address="mex" binding="mexHttpBinding" bindingConfiguration=""
name="MX" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"
httpsGetUrl="https://[computerName]/Service1.svc" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="false" />
FOUND IT !!
WCF service returns 404 over https but not http
The problem is that my service element name was what the editor adds by default, "MyNewService" or whatever the default name is. You HAVE to use the fully qualified name.
<services>
<service name="[Namespace].[service class name]">
This cost me over 2 long days of constant work and research. If this works for you, please vote that guy's answer up - NO ONE has ever mentioned this point. I couldn't because I'm still new.
Your endpoint has a bindingConfiguration attribute defined of WsBinding. There should be a section of the web.config that defines this configuration, including the security mode to be used (presumably transport or transportWithMessageCredential if you want to use SSL).
For example:
<bindings>
<wsHttpBinding>
<binding name="WsBinding">
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
</wsHttpBinding>
</bindings>
Additionally you'll need to configure IIS with a binding listening on 443, referencing an appropriately named SSL certificate.
For a credential type of windows:
This corresponds to integrated Windows authentication in IIS. When set
to this value, the server is also expected to exist on a Windows
domain that uses the Kerberos protocol as its domain controller.
More details on this on the MSDN WCF transport security page
Alternatively you can use TransportWithMessageCredential. This uses SSL to encrypt the connection, and the credentials are passed in the message itself (effectively username and password in the SOAP header). In that case your binding configuration looks more like:
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" />
<message clientCredentialType="UserName" />
</security>
You then need to define a password validator behavior on the service to check the user and password. Here's some more info on that: http://msdn.microsoft.com/en-us/library/aa354508.aspx
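The checks raised in this thread (a namespace-qualified service name, a bindingConfiguration that resolves to a defined binding, a TLS security mode) plus the mexHttpsBinding and httpsGetEnabled settings used in the working configs further down the page can be run over a config file before deploying. This is an added example, not code from any of the posters; the function name, the finding codes and the embedded sample are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the question's config (not a real deployment).
SAMPLE = """<configuration><system.serviceModel>
  <bindings><wsHttpBinding>
    <binding name="wsbinding">
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </wsHttpBinding></bindings>
  <services>
    <service name="NewServiceType">
      <endpoint address="" binding="wsHttpBinding"
                bindingConfiguration="WsBinding" contract="Authentication2.INams" />
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <behaviors><serviceBehaviors><behavior name="">
    <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
  </behavior></serviceBehaviors></behaviors>
</system.serviceModel></configuration>"""

TLS_MODES = {"Transport", "TransportWithMessageCredential"}


def lint_service_model(config_xml):
    """Return (code, message) findings for a service meant to be HTTPS-only."""
    root = ET.fromstring(config_xml)
    sm = root if root.tag == "system.serviceModel" else root.find(".//system.serviceModel")
    if sm is None:
        return [("NO_SERVICEMODEL", "no <system.serviceModel> section")]
    # Index every binding as {(binding type, name): security mode or None}.
    defined = {}
    for btype in sm.findall("bindings/*"):
        for b in btype.findall("binding"):
            sec = b.find("security")
            defined[(btype.tag, b.get("name", ""))] = sec.get("mode") if sec is not None else None
    findings = []
    for svc in sm.findall("services/service"):
        name = svc.get("name", "")
        if "." not in name:  # heuristic for "[Namespace].[service class name]"
            findings.append(("SERVICE_NAME", f"service '{name}' is not namespace-qualified"))
        for ep in svc.findall("endpoint"):
            key = (ep.get("binding", ""), ep.get("bindingConfiguration", ""))
            if ep.get("contract") == "IMetadataExchange":
                if key[0] == "mexHttpBinding":
                    findings.append(("MEX_HTTP", f"'{name}': mex endpoint uses mexHttpBinding"))
            elif key[1] and key not in defined:
                # Assumption: names are compared exactly, so WsBinding != wsbinding.
                findings.append(("BINDING_MISSING", f"'{name}': no {key[0]} binding named '{key[1]}'"))
            elif defined.get(key) not in TLS_MODES:
                findings.append(("NO_TLS_MODE", f"'{name}': security mode is {defined.get(key)!r}"))
    for meta in sm.findall("behaviors/serviceBehaviors/behavior/serviceMetadata"):
        if meta.get("httpGetEnabled", "false").lower() == "true":
            findings.append(("META_HTTP", "serviceMetadata still has httpGetEnabled=\"true\""))
    return findings


if __name__ == "__main__":
    for code, message in lint_service_model(SAMPLE):
        print(f"{code}: {message}")
```
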
We use IIS 7.5 to host our intranet applications, which are configured to use Windows Authentication.
Within one of the applications, I have a WCF service I'm trying to host/call into. This must have Anonymous authentication, so I can host it with the following setting:
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="myServiceBehaviour">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding name="basicHttpBindingOverSslAnonymous">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
<services>
<service behaviorConfiguration="myServiceBehaviour"
name="xxx.yyy.Web.Mvc.Client.Services.MyService">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="basicHttpBindingOverSslAnonymous" name="BasicHttpEndpoint" contract="xxx.yyy.Wcf.IMyService">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
</system.serviceModel>
But, despite the server being configured to allow Anonymous authentication and disable Windows authentication, all I get is the following exception message:
The HTTP request is unauthorized with client authentication scheme
'Anonymous'. The authentication header received from the server was ''
Note the empty authentication header. Googling for this was futile, as all responses had something in the quotes (despite using the phrasal search operator).
This is based on my client which has the following configuration:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpEndpoint">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="https://xxx.local/xxx.yyy.Web.Mvc.Client/services/MyService.svc"
binding="basicHttpBinding" bindingConfiguration="BasicHttpEndpoint"
contract="MyService.IMyService" name="BasicHttpEndpoint" />
</client>
</system.serviceModel>
Turning on Windows authentication works fine from a browser, but I don't want to have to send credentials.
It's as if WCF is ignoring my IIS configuration:
Anonymous authentication
Impersonation
Basic authentication
Forms authentication
Windows authentication
Why could this be?
Interestingly, dropping a test.txt file in the same folder works fine with anonymous setting. It's as if this only affects WCF.
The issue was that configuring Anonymous authentication within IIS is not the only step.
The following removes the intranet-style denial rule from the /Services folder that contained my services.
<location path="Services">
<system.web>
<authorization>
<allow users="*" />
</authorization>
<identity impersonate="false" />
</system.web>
</location>
The net effect of this is that .NET assets within the /Services folder are permitted for Anonymous authentication.
Currently there is a WCF service hosted as a Windows service on one of our client-side machines; at the moment this is working with normal http calls. As we need to use https instead of http, we modified app.config, but after starting the service the https URL is not working. Then we tried URL reservation by using netsh http add urlacl url=https://+:18732/Peripheral/ user=Everyone. Then we restarted the service; again it's not able to access the https URL.
We are getting this error in the browser: "Make sure that TLS and SSL protocols are enabled."
Is this related to any certificate issue? If so, how can we solve this issue?
The web.config is provided below:
<system.serviceModel>
<standardEndpoints />
<serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
<bindings>
<basicHttpBinding>
<binding name ="soapBinding">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</basicHttpBinding>
<webHttpBinding>
<binding name="Bind1" crossDomainScriptAccessEnabled="true">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</webHttpBinding>
</bindings>
<services>
<service name="Peripheral.Server.Impl.PeripheralServiceImpl" behaviorConfiguration="SvcBhvr">
<host>
<baseAddresses>
<add baseAddress="https://localhost:18732/Peripheral/" />
</baseAddresses>
</host>
<endpoint address="https://localhost:18732/Peripheral/" binding="webHttpBinding" behaviorConfiguration="EndPBhvr" bindingConfiguration="Bind1"
contract="Peripheral.Server.Contract.IPeripheralService">
<!--<identity>
<dns value="localhost" />
</identity>-->
</endpoint>
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<endpointBehaviors>
<behavior name="EndPBhvr">
<webHttp />
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="SvcBhvr">
<serviceMetadata httpsGetEnabled="true" httpGetEnabled="false" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
Does anyone know how to fix this, and what we need to do so that we can access the URL as https from Windows services?
You may also need to bind the SSL certificate to the specific port number using netsh or the HttpConfig tool, depending on the OS version. Detailed instructions can be found here
In your case it could be:
netsh http add sslcert ipport=0.0.0.0:18732 certhash=<certhash> appid={<guid>} clientcertnegotiation=enable
where
certhash = your certificate Thumbprint (X509Certificate2.Thumbprint)
appid = could be just Guid.NewGuid()
I've tried a lot of tips on this one but I cannot get it working. On the client I have:
<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="[binding_name]">
<security mode="Transport" />
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="/[service_name].svc"
binding="basicHttpBinding"
bindingConfiguration="[binding_name]"
contract="[contract_name]"
name="[endpoint_name]" />
</client>
</system.serviceModel>
</configuration>
And on the server:
...<service name="[service_name]">
<endpoint address=""
binding="basicHttpBinding"
bindingConfiguration="[binding_name]"
contract="[contract_name]"
name="[endpoint_name]"/>
<endpoint contract="IMetadataExchange"
binding="mexHttpsBinding"
address="mex" />
</service>
<behaviors>
<serviceBehaviors>
<behavior name="">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding name="[binding_name]">
<security mode="Transport">
<transport clientCredentialType ="None"/>
</security>
</binding>
</basicHttpBinding>...
One potential clue is that when I navigate to https://[server_name]/[service_name].svc?wsdl, I see the location is correct on
<wsdl:import namespace="http://[namespace]" location="https://[server_name]/[service_name].svc?wsdl=wsdl0"/>
but incorrect on
<wsdl:port name="[binding_name]" binding="tns:[binding_name]">
<soap:address location="http://[machine_name]/[service_name].svc"/>
</wsdl:port>
Notice location="http://[machine_name]/[service_name].svc". Is that expected? If not, what could be the problem?
I've also made sure that [service_name] in the server configuration is the FQN of the service implementation. Everything worked as expected before I enabled SSL on the server and changed the security mode to transport, etc.
The problem in my case was the fact that though the service_name in <service name="[service_name]"> was the correct FQN of the service implementation, it did not match the Service attribute in the *.svc file. In that case it seems that WCF creates a default name for the endpoint, which is something like BasicHttp_service_name. That worked until SSL was enabled and was looking for the endpoint with a URL starting with https.
As for the machine_name issue, it was because I didn't set the host name for https in the IIS site bindings.
I have some WCF services that have been working for a while now on HTTP.
I'm moving them to deployment server now and they need to be HTTPS only.
I got the certificate and when I initially set them up they worked over both HTTP and HTTPS.
...at this point I wanted to drop the non-secure access to the services.
So I'm trying to make amendments to my web.config to make this happen:
Service Behaviours:
<serviceBehaviors>
<behavior name="MetaEnabledBahavior">
<serviceMetadata httpsGetEnabled="true"/>
</behavior>
</serviceBehaviors>
Service Endpoints:
<service name="Services.BookingService" behaviorConfiguration="MetaEnabledBahavior">
<!-- Service Endpoints -->
<clear/>
<endpoint address="https://website.com/services/BookingService.svc" binding="wsHttpBinding"
bindingConfiguration="TransportSecurity" contract="Services.IBookingService"/>
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>
</service>
Bindings:
<bindings>
<wsHttpBinding>
<binding name="TransportSecurity" maxReceivedMessageSize="2000000">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
What I have ended up with at the moment is my HTTP services are still accessible, but the HTTPS access just sends a blank page.
I need HTTP to return an error/page must be viewed by secure channel and HTTPS to be the ones that work only.
How do I fix this?
Smithy, try replacing your endpoint with the following:
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="TransportSecurity" contract="Services.IBookingService"></endpoint>
And your binding with a basicHttpBinding
<basicHttpBinding>
<binding name="TransportSecurity" maxReceivedMessageSize="2000000">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</basicHttpBinding>
Hope this helps.
In the <protocolMapping> section of Web.Config, add a <remove scheme="http" /> element.
I understand that there are many posts about this, and I've been through all of them that came up on my search and implemented everything that was mentioned. I have a WCF web service that works on my local system on HTTP, and it worked on the server on HTTP. But the client requires that this works through HTTPS. The myriad of posts on this and other sites shows me that this is not as straightforward as it should be, since before this, the ASMX web service "just worked" and didn't need complicated configuration.
I'm getting the following error with my current configuration:
Could not find a base address that matches scheme https for the
endpoint with binding WSHttpBinding. Registered base address schemes
are [http].
Here is my code as of this moment, after trying for days to configure this to work to no avail:
<system.serviceModel>
<!-- -->
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" >
<baseAddressPrefixFilters>
<add prefix="https://mysite.com"/>
<add prefix="http://mysite.com"/>
</baseAddressPrefixFilters>
</serviceHostingEnvironment>
<!-- Set up Custom Behaviors -->
<behaviors>
<endpointBehaviors>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="WebPostService.WebPostServiceBehavior">
<serviceMetadata httpsGetEnabled="true" httpsGetUrl="WebPostServices.svc/mex" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<!-- Set up the binding configuration -->
<bindings>
<wsHttpBinding>
<binding name="SOAPBinding"
>
<security mode="Transport">
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service
behaviorConfiguration="WebPostService.WebPostServiceBehavior"
name="WebPostService.WebPostService"
>
<host>
<baseAddresses>
<add baseAddress="https://mysite.com/Services/WebPostService.svc"/>
</baseAddresses>
</host>
<endpoint address=""
binding="wsHttpBinding"
bindingConfiguration="SOAPBinding"
contract="WebPostService.IWebPostService"
>
<identity>
<dns value="mysite.com" />
</identity>
</endpoint>
<endpoint
address="mex"
binding="mexHttpsBinding"
contract="IMetadataExchange"
>
</endpoint>
</service>
</services>
</system.serviceModel>
What am I doing wrong and how can I get this to work over HTTPS? I'm frustrated that this is not as simple as it should be. I have been buried in WCF documentation at MSDN for the months working on this project, and have a good grasp of services, end-points and bindings --- enough to frustrate me even more than if I had no knowledge at all.
UPDATE: Still working on this, I had an odd error when trying to put the full URL for the mex address. I changed to this:
address="https://prcwebs.com/Services/WebPostService.svc/mex"
and got the error:
Security settings for this service require Windows Authentication but
it is not enabled for the IIS application that hosts this service.
I'm not trying to use Windows Authentication, the security setting wasn't changed and is still set to
<security mode="Transport" />
Could not find a base address that matches scheme https for the endpoint with binding WebHttpBinding. Registered base address schemes are [http]
- was not helpful, nothing mentioned that would help
Could not find a base address that matches scheme http for the endpoint with binding WSHttpBinding
- I'm using transport security, this does not apply. tried changing to different security modes, still could not get site to work.
Add multipleSiteBindingsEnabled="true" to the serviceHostingEnvironment and update the security to disable client credentials:
<security mode="Transport">
<transport clientCredentialType="None"></transport>
</security>
EDIT
My final working version under windows 2003 was with the following config.
<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="false" />
<!-- Set up Custom Behaviors -->
<behaviors>
<endpointBehaviors>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="WebPostService.WebPostServiceBehavior">
<serviceMetadata httpsGetEnabled="true" httpsGetUrl="WebPostServices.svc/mex" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<!-- Set up the binding configuration -->
<bindings>
<wsHttpBinding>
<binding name="SOAPBinding">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="WebPostService.WebPostServiceBehavior"
name="WcfService2.Service1">
<host>
<baseAddresses>
<add baseAddress="https://localhost/Service/Service1.svc"/>
</baseAddresses>
</host>
<endpoint address=""
binding="wsHttpBinding"
bindingConfiguration="SOAPBinding"
contract="WcfService2.IService1">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
<endpoint address="mex"
binding="mexHttpsBinding"
contract="IMetadataExchange">
</endpoint>
</service>
</services>
</system.serviceModel>
You can access the website with https so I guess the certificate part of the installation is correct. If you have anything you want to compare with my setup, let me know.
You are using the wrong bindings for HTTPS.
There are two separate binding classes, wsHttpBinding and wsHttpsBinding; notice the s.
You need to add a wsHttpsBinding for HTTPS under bindings and you need a new endpoint for that binding.
Also, the particular error you are seeing is one I typically see if IIS hasn't been set up for https from that location.
Open IIS Manager
Open Sites
Right click on Default Web Site.
Edit Bindings
Ensure that there is an entry for https as well as http.
Open IIS Manager
Find your application (I think it's going to be Default Web Site).
Right click
Manage Website/Application
Advanced Settings
Enabled Protocols
http,https
I used this and it worked for me, maybe it can help you
To enable the Https on WCF WsHttp bindings, there are some simple steps that should be changed in the web.config file.
Those steps are:
Enable transport level security in the web.config file of the service:
In this step you need to change the security mode from none to Transport. The code below shows how you can do it:
<bindings>
<wsHttpBinding>
<binding name="TransportSecurity">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
Tie up the binding and specify the HTTPS configuration
You now need to associate the bindings from the previous step with the endpoints. Use the bindingConfiguration tag to specify the binding name. You also need to specify the address where the service is hosted. The code below shows how you can do it:
<service name="WCFWSHttps.Service1" behaviorConfiguration="WCFWSHttps.Service1Behavior">
<!-- Service Endpoints -->
<endpoint address="https://localhost/WCFWSHttps/Service1.svc" binding="wsHttpBinding" bindingConfiguration="TransportSecurity" contract="WCFWSHttps.IService1"/>
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>
</service>
You also need to change httpGetEnabled to httpsGetEnabled in the serviceMetaData. The code below shows how you can do it:
<serviceMetadata httpsGetEnabled="true"/>
Hope it helped
I've used your exact configuration in a 3.5 setting and it works with Transport mode using clientCredentialType="None" as mentioned below in Luuk's answer. But just to be sure, I went ahead and created a sample project to simulate as much of your environment as I could gather from the information here.
To simulate your environment I set my IIS (7.5) to use standard Asp.Net 2.0 Integrated app pool. I added 3 http bindings and 3 https bindings in order to simulate your "can have only one address per scheme issue" and baseAddressPrefixFilters works with that.
I only did a search and replace on mysite.com to localhost. Below is the copy paste of exact configuration that I used to produce the screenshot:
web.config
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" />
<authentication mode="None"/>
<customErrors mode="Off"/>
</system.web>
<system.serviceModel>
<!-- -->
<serviceHostingEnvironment aspNetCompatibilityEnabled="true">
<baseAddressPrefixFilters>
<add prefix="https://localhost"/>
<add prefix="http://localhost"/>
</baseAddressPrefixFilters>
</serviceHostingEnvironment>
<!-- Set up Custom Behaviors -->
<behaviors>
<endpointBehaviors/>
<serviceBehaviors>
<behavior name="WebPostService.WebPostServiceBehavior">
<serviceMetadata httpsGetEnabled="true" httpsGetUrl="WebPostServices.svc/mex"/>
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
<!-- Set up the binding configuration -->
<bindings>
<wsHttpBinding>
<binding name="SOAPBinding">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="WebPostService.WebPostServiceBehavior" name="WebPostService.WebPostService">
<host>
<baseAddresses>
<add baseAddress="https://localhost/Services/WebPostService.svc"/>
</baseAddresses>
</host>
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="SOAPBinding" contract="WebPostService.IWebPostService">
<identity>
<dns value="localhost"/>
</identity>
</endpoint>
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>
</service>
</services>
</system.serviceModel>
</configuration>
Here's the result:
You'll notice that WebPostService.svc appears twice in mex full url. You need to drop httpsGetUrl to be only mex instead of WebPostService.svc/mex (or drop it out altogether, and it still works fine on my side)
If you'd like to discuss this or what could be different between our environments besides IIS version, I'm in WPF chat room almost all day (another 5-6 hours).