UsernameToken and SSL in WCF 4 web service - but with basicHttpBinding - wcf

A few months ago I asked about UsernameToken and SSL in WCF 4 web service and received a good answer using wsHttpBinding.
However now we have had to revert to using basicHttpBinding due to incompatibilities with a Java client. I've tried switching the configuration as follows....
<bindings>
<basicHttpBinding>
<binding name="secureBinding">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None"/>
<message clientCredentialType="UserName"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
And then using this config in the service...
<service name="ServiceName">
<endpoint binding="basicHttpBinding" bindingConfiguration="secureBinding" contract="ContractType" />
</service>
However when I try to make a call to this service I am getting back an error...
The provided URI scheme 'https' is invalid; expected 'http'.
Parameter name: via
Is there something else I need to configure to make this work with basicHttpBinding?
(Please note: My original requirements are still the same - SSL, usernametoken)

As per my comments (below the original question) this was actually a problem when using WCFStorm as the client.
The solution to this was found as one of the answers on this question The provided URI scheme 'https' is invalid; expected 'http'. Parameter name: via
This was to click on the "Config" settings option (NOT THE "Client Config") in WCFStorm. After clicking on that, click on the "Security" tab on the dialog that pops up. Make sure "Authentication Type" is set to "None" (The default is "Windows Authentication").

Related

WCF client https request

I am trying to send SOAP message to endpoint starting with HTTPS. This is one way SSL, so I should not need certificate to send request.
While using the config from below I get following exception:
Could not establish secure channel for SSL/TLS with authority 'some.domain.com/endpoint'.
I tried many different transport settings, sometimes it asks for username or certification in ClientCredentials, but hey - I should not need them! I could visit the requested endpoint via browser window without any authentication.
Am I missing something in configuration? I feel a little confused right now.
<bindings>
<basicHttpBinding>
<binding name="PublisherBinding">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="https://some.domain.com/endpoint"
binding="basicHttpBinding" bindingConfiguration="PublisherBinding"
contract="PublisherContract" name="NotificationsEndpoint"/>
</client>
unfortunately wcf test client does not support invalid certificates. you can make it work like this Is it possible to force the WCF test client to accept a self-signed certificate? or you can use wcfstorm. second solution is better.

Authentication on WCF Service using BasicHttpBinding and Authorization header

I'm having some issue with authentication on a third party's WCF service. I don't know how it's configured, it's like a black box for me. The only thing that I know, that those webservice should use Basic authentication, but may not.
I've added fiddler, and even wireshark to analyze what's happening inside of those requests, and found out that requests with authorization header do get authenticated. So basically, using a SoapUI I was able to authenticate on those WCF service.
I've generated a test client using svcutil and specified config file like this:
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_1" useDefaultWebProxy="false" >
<security mode="Message" >
<message clientCredentialType="UserName" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="http://theurl.svc"
binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_1"
contract="CA_TestMediaSaturn.IDCIntegration" name="BasicHttpBinding_2" />
</client>
Also I've added authorization information to client in code file:
client.ClientCredentials.UserName.UserName = "one";
client.ClientCredentials.UserName.Password = "two";
But I wasn't able to get those Authorization header encoded in base64.
I wonder how can I configure my client to obtain those header in order to get authorized on webservice side. I did found an article describing how to make it on your own. But maybe there is a way to make it a lot easier?
UPDATE 1:
I've just receiver service configuration settings from 3rd party vendor. Mb it can somehow help in finding out the reason of error.
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_1" >
<security mode="TransportCredentialOnly">
<message clientCredentialType="UserName"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
you should set mode="Transport" instead of "Message". This will generate Authorization header. current setting is message security so authentication is inside SOAP.
EDIT: seems like you need pre-authenitcate.
in general wcf will first not send authorization header, and if the service returns a challenge to do it then it will send the message again with the header. some servers do not support this challenge mechanism and will require to send authorization header already at first shot. this is called pre authentication in .net 2. unfortunetely wcf does not support it. but you could do it yourself: first set security mode to None so WCF will not send security at all. then see example here how to add this header yourself to the wcf call.

UsernameToken and SSL in WCF 4 web service

I am creating a web service that will be consumed by a single client in another part of the world. I don't have any knowledge or control over the technology they are using but have been asked to
"use SSL to encrypt the message during transport and use UsernameToken
for client authentication"
I'm planning to use WCF4 to create the service and know generally how to set this all up. However I'm struggling to find the correct configuration for bindings etc. Google gives me lots of results around WSE 3.0 but I'm pretty sure (please correct me if I'm wrong) that I shouldn't be using WSE for a WCF service.
This article initially seems to suggest I should be using a custom binding but then also says I should "consider using the WCF system-defined bindings with appropriate security settings instead of creating a custom binding". However I can't see any examples of what this should be.
I would be grateful if anyone can point me in the right direction.
tl;dr: What are the WCF4 config settings to support SSL and UsernameToken?
Take a look at the WsHttpBinding. You can use a security mode of TransportWithMessageCredential to use SSL and a message credential of UserName. If you are hosting in IIS set up SSL there.
You can set up the binding in config as follows.
<bindings>
<wsHttpBinding>
<binding name="secureBinding">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" proxyCredentialType="None" realm="" />
<message clientCredentialType="UserName" negotiateServiceCredential="false" establishSecurityContext="false" />
</security>
</binding>
</wsHttpBinding>
</bindings>
You can then use this binding config as follows
<services>
<service name="ServiceName">
<endpoint address="" binding="wsHttpBinding" contract="ContractType" bindingConfiguration="secureBinding" />
</service>
</services>
Both these elements are children of the system.serviceModel element in config.

Why doesn't WSDL from WCF service include the custom binding for the STS?

I'm writing a C# WCF service that publishes an endpoint using a WSHttpFederationBinding. We have our own security token server providing tokens, for which callers need to use a custom binding.
This is all working fine for a C# client I've written: this has a custom binding in its app.config like so:
<bindings>
<customBinding>
<binding name="CustBind">
<security authenticationMode="UserNameForCertificate" requireDerivedKeys="true"
messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
requireSecurityContextCancellation="false"
requireSignatureConfirmation="false">
<secureConversationBootstrap/>
</security>
<httpTransport/>
</binding>
</customBinding>
<wsFederationHttpBinding>
<binding name="FedBind">
<security>
<message issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
negotiateServiceCredential="false">
<issuer address="http://STSHost/MySTS" binding="customBinding"
bindingConfiguration="CustBind">
<identity>
<certificateReference x509FindType="FindBySubjectName" findValue="localhost"/>
</identity>
</issuer>
</message>
</security>
</binding>
</wsFederationHttpBinding>
</bindings>
However, what I want is for users to be able to generate their own clients in whatever language they want, just given the WSDL that the WCF service publishes. The problem with this is that when I try such a thing with Developer Studio's "Add Service Reference" functionality, the resulting client doesn't work.
The reason it doesn't work is because the generated client's app.config is clearly wrong: while the STS is there in the "issuer" element, there's no sign of the custom binding. Looking at the WSDL this isn't too surprising, as there's no mention of anything there other than the issuer address.
Is there any way to get WCF to add something to the WSDL to describe this situation? My server's app.config bindings look okay to me: the "issuer" element is exactly the same as for the working client, including the address and details of the custom binding. Does anyone know why WCF seems to be ignoring this when generating the WSDL?

WCF Authentication With SSL

I am very new to WCF and I have created a service to be consumed via a windows mobile app using the basicHttpBinding. I am now looking at how to implement encrpytion and authenticaion and I am not getting very far.
I have added the following to my server side service configuration (which I believe is correct):
<basicHttpBinding>
<binding name="SecurityByTransport">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName" />
<transport clientCredentialType="Certificate" />
</security>
</binding>
</basicHttpBinding>
Now after installing a temporary certificate on my IIS instance I can navigate to my service via https.
At this point I used visual studios built in tool for running svcutil.exe and generated my proxy, which connects just fine.
The issue I have is in the client config, in that the endpoint reference is using http and not https. If I change this I get the following error:
The provided URI scheme 'https' is invalid; expected 'http'.
Which obviously I do not want.
Also in my client config the security specified seems to be "None", is this right?