I have a WCF app hosted in IIS6 (and 7 in dev environment) with one wsHttp (SOAP) and two webHttp (REST) bindings.
I want to secure the services when publishing to production site and disable metadata and webHttp help page and ENABLE SSL for the bindings. At the same time i would like to have HTTP disabled. I'm aware of the option in IIS to "Require Secure Channel" but I was wondering if the same can be achieved in web.config?
I was under the impression that
<security mode="Transport">
would "disable" http access (ie. https required) but in my case it didn't.
Her is the ServiceModel part of web.config:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="SoapTransportSecurityBinding">
<security mode="Transport">
<transport clientCredentialType="None"/>
<message establishSecurityContext="false"/>
</security>
</binding>
</wsHttpBinding>
<webHttpBinding>
<binding name="RestTransportSecurityBinding">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</webHttpBinding>
</bindings>
<services>
<service name="CustomerWcfService" behaviorConfiguration="Web.ServiceBehavior">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="SoapTransportSecurityBinding" contract="ICustomerWcfService">
<identity>
<dns value="ws.somecompany.com"/>
</identity>
</endpoint>
</service>
<service name="SentShipmentsWcfRestService" behaviorConfiguration="webHttpServiceBehavior">
<endpoint address="" binding="webHttpBinding" bindingConfiguration="RestTransportSecurityBinding" contract="ISentShipmentsWcfRestService"
behaviorConfiguration="RestEndpointBehavior"/>
</service>
<service name="InsuranceInfoWcfRestService" behaviorConfiguration="webHttpServiceBehavior">
<endpoint address="" binding="webHttpBinding" bindingConfiguration="RestTransportSecurityBinding" contract="IInsuranceInfoWcfRestService"
behaviorConfiguration="RestEndpointBehavior"/>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="Web.ServiceBehavior">
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
<behavior name="webHttpServiceBehavior">
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="RestEndpointBehavior">
<webHttp helpEnabled="false"/>
</behavior>
</endpointBehaviors>
</behaviors>
It looks it couldn't be achieved in web.config. But in the binding settings you can set
<security mode="Transport">
In this case endpoints will not be valid if there is no SSL required.
Related
I'm having a really hard time finding how to host a WCF service in an IIS site that works on both HTTP and HTTPS. I've done about 10 hours of research including just about every link on StackOverflow that relates to this issue and tried many different combinations and have not yet been able to get both working at the same time. Right now only HTTPS works with the below configuration:
<system.serviceModel>
<bindings>
<webHttpBinding>
<binding name="http">
<security mode="None">
<transport clientCredentialType="None" proxyCredentialType="None" />
</security>
</binding>
<binding name="https">
<security mode="Transport">
<transport clientCredentialType="None" proxyCredentialType="None" />
</security>
</binding>
</webHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="MyWcfServiceAspNetAjaxBehavior">
<enableWebScript />
</behavior>
</endpointBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true">
</serviceHostingEnvironment>
<services>
<service name="MyWcfService">
<endpoint address="" behaviorConfiguration="MyWcfServiceAspNetAjaxBehavior" binding="webHttpBinding" bindingConfiguration="http" contract="IMyWcfService" />
<endpoint address="" behaviorConfiguration="MyWcfServiceAspNetAjaxBehavior" binding="webHttpBinding" bindingConfiguration="https" contract="IMyWcfService" />
</service>
</services>
</system.serviceModel>
I think you need to specify different endpoint "address" values in your service configuration.
For example:
<services>
<service name="MyWcfService">
<endpoint address="" behaviorConfiguration="MyWcfServiceAspNetAjaxBehavior" binding="webHttpBinding" bindingConfiguration="http" contract="IMyWcfService" />
<endpoint address="secure" behaviorConfiguration="MyWcfServiceAspNetAjaxBehavior" binding="webHttpBinding" bindingConfiguration="https" contract="IMyWcfService" />
</service>
</services>
I want to enable SSL/HTTPS in my WCF Service.
So I have found a site of Microsoft: http://msdn.microsoft.com/en-us/library/hh556232.aspx
But it doesn't function.
Is there something missing?
This is what I have:
<system.serviceModel>
<services>
<service name="Service.Service">
<endpoint address="" binding="webHttpBinding" contract="Service.IService" bindingConfiguration="webHttpsBinding" behaviorConfiguration="restBehavior"></endpoint>
</service>
</services>
<behaviors>
<endpointBehaviors>
<behavior name="restBehavior">
<webHttp />
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<webHttpBinding>
<binding name="webHttpsBinding" closeTimeout="00:00:20">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</webHttpBinding>
</bindings>
</system.serviceModel>
I want to call the service from jquery. Use ajax and getjson.
I'm trying to secure my WCF service using transport security model. I've successfully deployed my service to AppHarbor. But I'm getting the following exception when I try to access service page:
[InvalidOperationException: Could not find a base address that matches scheme https for the endpoint with binding BasicHttpBinding. Registered base address schemes are [http].] ...
I haven't uploaded any certificates, just using piggyback SSL there. I've downloaded the build and deployed it on my machine. It works fine.
Here is my system.serviceModel section of web.config:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="TransportSecurity">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="AuthService.AuthServiceBehavior" name="AuthService.AuthService">
<host>
<baseAddresses>
<add baseAddress="https://auth.apphb.com/AuthService.svc" />
</baseAddresses>
</host>
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="TransportSecurity" contract="AuthService.IAuthService" />
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="AuthService.AuthServiceBehavior">
<serviceMetadata httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
I've already tried this Hosting a WCF Web API app on AppHarbor?
Can somebody please explain me what I'm doing wrong?
This issue frequently appear when you communicate with the wcf web service thru the LB (AppHarbor one of the example of it).
You should know several things about such kind of communications.
1) Communication between yours client application and LB is secured (https is in use). So you should leverage security binding on the client side.
<basicHttpBinding>
<binding name="BasicHttpBinding_IAuthService">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</basicHttpBinding>
2) Communication between LB and web-front uses http, so server binding should be basicHttpBinding without extra configuration.
<endpoint binding="basicHttpBinding" contract="AuthService.IAuthService" />
Summarizing all that stuff we have
Client
<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_IAuthService">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="https://auth.apphb.com/AuthService.svc"
binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IAuthService"
contract="AuthService.IAuthService" name="BasicHttpBinding_IAuthService" />
</client>
</system.serviceModel>
</configuration>
Server
<system.serviceModel>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
<protocolMapping>
<add scheme="http" binding="basicHttpBinding" />
</protocolMapping>
<bindings>
<basicHttpBinding/>
</bindings>
<services>
<service behaviorConfiguration="AuthService.AuthServiceBehavior" name="AuthService.AuthService">
<endpoint binding="basicHttpBinding" contract="AuthService.IAuthService" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="AuthService.AuthServiceBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
Your approach is not going to work right off the bat. This is because SSL is terminated at the load balancers and the app servers see http traffic. You can read more about AppHarbor load balancers here.
You might be able to fool WCF with this module.
There are also some hints in this discussion: http://support.appharbor.com/discussions/problems/829-transportwithmessagecredential-https-ssl
I tried to setup a service for testing using a net.tcp binding. I also set a http endpoint. The configuration is as follows:
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="Inbound_REST">
<webHttp />
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="InboundHttpConfiguration">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="InboundTcpConfiguration">
<serviceMetadata httpGetEnabled="false" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="InboundTcpConfiguration" name="Inbound">
<endpoint address="" binding="netTcpBinding" contract="IContract">
<identity>
<dns value="localhost"/>
</identity>
</endpoint>
<host>
<baseAddresses>
<add baseAddress="net.tcp://localhost:6969/Inbound" />
</baseAddresses>
</host>
</service>
</services>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
<client>
<endpoint name="httpEndPoint" address="http://localhost:1568/Inbound.svc" binding="basicHttpBinding" contract="IContract" />
<endpoint name="tcpEndPoint" address="net.tcp://localhost:6969/Inbound" binding="netTcpBinding" contract="IContract" />
</client>
<bindings>
<basicHttpBinding>
<binding name="httpbind">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</basicHttpBinding>
<netTcpBinding>
<binding name="tcpbind">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</netTcpBinding>
</bindings>
</system.serviceModel>
When I attempt to consume the service using the net.tcp binding, it always return me the error:
Could not connect to net.tcp://localhost:6969/Inbound. The connection attempt lasted for a time span of 00:00:00.9531494. TCP error code 10061: No connection could be made because the target machine actively refused it 127.0.0.1:6969.
By the way, the http binding works fine. I think it could be some machine configuration, but wasn't able to find what's the root cause.
If you are trying to run your WCF service through visual studio netTcpBinding is not supported. Sorry!
Check out this post for a more detailed explanation.
Why did you leave out the ".svc" for the net.tcp address for the client? Maybe it should be "net.tcp://localhost:6969/Inbound.svc"
What hosting you are using..IIS7 or console or others?
1)Check all tcp services are running in services.msc
2)Turn off your fire wall or add firewall exception to your tcp port
if you are hosting in iis7 check this link
IIS7 support for non http protocols
Even though anonymous access is enabled on the Virtual Directory of the WCF service and Integrated Authentication is disabled, I still get the error:
The HTTP request is unauthorized with client authentication scheme
'Anonymous'. The authentication header received from the server was
'Negotiate,NTLM'.
This is what the security definition on client binding configuration looks like:
<security mode="Transport">
<transport clientCredentialType="None" proxyCredentialType="None" realm="" />
<message clientCredentialType="None" negotiateServiceCredential="false" />
</security>
And the endpoint definition:
<endpoint address="https://url.com/Service.svc"
binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IService"
contract="IService" name="WSHttpBinding_IService">
<identity>
<servicePrincipalName value="spn" />
</identity>
</endpoint>
I've already tried adding:
client.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;
But it doesn't seem to have any effect.
Is there something on IIS that I need to change?
[EDIT]
Service configuration:
<behaviors>
<endpointBehaviors>
<behavior name="defaultBehavior"/>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="metadataSupport">
<serviceMetadata httpsGetEnabled="true" httpsGetUrl=""/>
<useRequestHeadersForMetadataAddress>
<defaultPorts>
<add scheme="https" port="443" />
</defaultPorts>
</useRequestHeadersForMetadataAddress>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service name="ServiceLibrary.Service"
behaviorConfiguration="metadataSupport">
<endpoint address=""
binding="wsHttpBinding"
bindingConfiguration="wsSecureBinding"
contract="ServiceLibrary.IService"/>
<endpoint address="mex"
binding="wsHttpBinding"
bindingConfiguration="wsSecureBinding"
name="mexHttps"
contract="IMetadataExchange" />
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="wsSecureBinding">
<security mode="Transport"/>
</binding>
</wsHttpBinding>
</bindings>
Modify your binding configuration in service to:
<bindings>
<wsHttpBinding>
<binding name="wsSecureBinding">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</wsHttpBinding>
</bindings>
It expects Windows credentials by default.