I'm confused about what the identity element on a client endpoint really does. I've understood that a identity dns value like is supposed to tell WCF to assert that the service's certificate is issued to myserver.local. And that this should allow me to point the endpoint address to https://localhost/MyService.svc instead of https://myserver.local/MyService.svc.
But this fails I don't understand why. I have myserver.local pointing to 127.0.0.1 in my host file and I have self-created certificate issued to myserver.local. It works fine with myserver.local but when I change the endpoint address to localhost it stops working because it "can't establish a SSL/TLS trust".
Can anyone explain why?
Thanks
If you want to know what the WCF Identity DNS value is for, and what to put in it, see this question:
WCF client endpoint identity - configuration question
It helped me to understand what it's for.
Related
Let's assume that the client wants to authenticate himself to a HTTP proxy. The proxy is configured with kerberos, and has clearly the service name HTTP/proxy.foo.bar set in it's configs. How does the client know which service name to request the ticket to ? Does it request the ticket to the domain name he's making request to (in this case it is proxy.foo.bar indeed), or does it receive the name in the authentication sequence, in a 407 reply in this case (which doest contain the negotiate challenge, but I just don't know if there's a way to look into it) ?
I'm trying to debug the kerberos errors on a proxy which suddenly stopped authenticating some clients. The thing is, that looking in the Wireshark, I see that the client is requesting a ticket not for a service name configured on a proxy (same name he's instructed to use), HTTP/proxy.foo.bar, but for a name that the proxy IP resolves to, HTTP/host.foo.bar (well, at least it's the name that the proxy resolves to, may be though the client gets it some other way), and TGS just cannot find one, thus an error happens.
So you’ve got two questions in here (you didn't ask how to actually solve the problem, to do that more details would be needed - see comments).
You asked "The proxy is configured with kerberos, and has clearly the service name HTTP/proxy.foo.bar set in it's configs. How does the client know which service name to request the ticket to?"
A. It works pretty much like this. The client types in a URL in the web browser or clicks on a hyperlink. It looks up the IP host in DNS domain which matches the host name in the URL. Then it goes to that IP host, looking for the service defined in the URL, in this case it is the HTTP service. If it receives an HTTP 401 Negotiate challenge (it's 401, not 407) from the web server, due to it being Kerberos-protected, it goes to its KDC and requests a Kerberos service ticket for HTTP/proxy.foo.bar, zips back to proxy.foo.bar and presents the ticket to that host for the HTTP service running on it. The host validates this ticket and if all is well and the client web browser renders the HTML. You've seen the Kerberos ticket ticket when you ran klist on the client. I don't have any web references for you, this is all off the top of my head.
You also asked “Does it request the ticket to the domain name he's making request to (in this case it is proxy.foo.bar indeed), or does it receive the name in the authentication sequence, in a 407 reply in this case (which doest contain the negotiate challenge, but I just don't know if there's a way to look into it) ?”
A. Your question was a bit hard to follow but if I am understanding you correctly, the answer is the web client requests a ticket as a result of the HTTP 401 Negotiate authentication challenge from the web server (see above).
There’s many diagrams sequencing this process on the web, including here: http://www.zeroshell.org/kerberos/Kerberos-operation/
I have a server with SSL certificate and would like to implement a WCF service with username authentication. Can anyone point me to a simple current example?
I find lots that use the 509 certificate and I don't understand why that additional piece would be needed. I don't think I want to give the certificate I have for the SSL to the client either.
I think to use SSL is just setting up the web.config appropriately with wshttpbinding and using https: in the uri that calls the service.
In this case I will have only one or two users (applications at the client actually) that need to use the service so I don't see the overhead for building a database for the store for lots of login credentials or anything like that. I've read you can pass the credentials in the request header. I hope I can just have the service itself check them without tons of overhead.
I'm really struggling to get how a simple authenticate can work for a service but I know I need something in addition to the service being SSL encrypted.
Edit: Hummm having read more I get the impression that using https binding for the message circumvents any notion of username credentials without something mysterious with certificates going on. I hope I haven't wasted money on the ssl certificate for the server at this point.
Can the IP of the requestor be used to allow the service for a known client only?
If you only need a couple of users, then use the inbuilt Windows authentication - create Windows user accounts, put the right security option in your binding config and you're done. If you're using SOAP from a non-windows client you'll have to perform some tricks to make it communicate properly (typically we found using NTLM authentication from PHP client required the use of curl rather than the PHP SOAP client library, but I understand that if you use AD accounts this becomes much easier).
WCF docs have a full description of auth options for you.
The error I am getting is:
Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'MYSERVER' but the remote endpoint provided DNS claim 'myserver.mycompany.com'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'myserver.mycompany.com' as the Identity property of EndpointAddress when creating channel proxy.
I have googled and found lots of problem getting this but none of the solutions have worked for me.
My questions 1) where exactly does the 'expected DNS identity' come from and 2) where is the DNS claim coming from?
From what I can tell the answer to question #2 is the with the element.
One thing that is different from the other posts I have seen is that this only broken on one of our servers so I am thinking this might be a DNS issue with this particular server.
We're trying to connect to external HTTPS service in Tibco?
However upon clicking SSL url, it asked for certificate PEM file. May I know what's the reason?
The issue is external HTTPS service that I am trying to connect is authenticated by user name & password, and not via certificate.
Any information or reference is appreciated.
Thanks!
He is asking actually about the public certificate of the server you want to connect to. That the way to check that the server is really who it says it is, and therefore you ensure that the connection is trusted, and you are connecting where really you want.
What is the significance of this tag in the WCF client config? What does it actually mean. I have seen people put the name of their certificates in this tag like
<dns value="CertificateName">
Can any WCF experts out there give me a detailed explanation...
I am assuming that the dns tag is the client -> endpoint -> indentity -> dns tag.
In that case the value is the name of the server that the client expects to be talking to.
http://msdn.microsoft.com/en-us/library/ms733130.aspx
If you want to use a certificate to identify the service you would use the certificate tag or the rsa tag.
The service is identifying itself by means of a certificate installed on the machine where your service is running.
The <dns> tag defines what the "subject name" (or identity) of that service certificate is going to be, so that the client can check to see whether the certificate presented by the service to "prove" its identity is really what it expected it to be.
There's a really good set of blog post here that talk about WCF security scenarios - one of them (part 4) is Internet scenario which mentions the service authenticating itself by means of a certificate as well.
Hope this helps a bit
Marc