Silverlight WCF + SSL security error - crossdomain.xml never requested - wcf

(I see several questions related to my problem but none of the solutions work for me as I am encountering this problem in production, not during local development, and I've already tried all of the proposed fixes.)
I have a Silverlight 4 application that uses WCF services hosted by IIS. In production these services are accessed over HTTPS. Despite having a valid crossdomain.xml file I still get the famous "Security error" when accessing the service:
An error occurred while trying to make a request to URI
'https://MYDOMAIN/MYSERVICE.svc'. This could be due to attempting to
access a service in a cross-domain way without a proper cross-domain
policy in place, or a policy that is unsuitable for SOAP services. You
may need to contact the owner of the service to publish a cross-domain
policy file and to ensure it allows SOAP-related HTTP headers to be
sent. This error may also be caused by using internal types in the web
service proxy without using the InternalsVisibleToAttribute attribute.
Please see the inner exception for more details. --->
System.Security.SecurityException --->
System.Security.SecurityException: Security error...
Using Fiddler I can see that no request is made to crossdomain.xml or clientaccesspolicy.xml. There is a CONNECT request to the server but that is all.
I've read that this error, though it indicates a problem with crossdomain.xml/clientaccesspolicy.xml, can also be raised when the server issues an invalid certificate. This does not seem to be the case in my scenario.
I am certain the following is set up correctly:
1. crossdomain.xml is valid and hosted in the root of the site
2. The services do work (We have other clients in various technologies that use them, including Adobe Flex which relies on crossdomain.xml.)
3. The Silverlight app does work (It works just fine with local services and services on a shared development server***)
4. The Silverlight app does not even try to request crossdomain.xml or clientaccesspolicy.xml (as confirmed by Fiddler)
5. The Silverlight app uses the proper config for accessing WCF over https. Below is the configuration:
<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_IMyServices" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647">
<security mode="Transport" />
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="https://MYDOMAIN/MYSERVICE.svc" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IMyServices" contract="Services.IMyServices" name="BasicHttpBinding_IMyServices" />
</client>
</system.serviceModel>
</configuration>
What else can cause this kind of problem? Could it be because the web servers are load balanced? Or is there a problem with the certificate that I haven't noticed? If you can at least point me in the right direction that would be much appreciated.
(***Something worth pointing out: I came upon a similar problem in our development environment. The Silverlight app was unable to access WCF services on a shared development server, despite having a proper crossdomain.xml and not using HTTPS. I worked around it by adding the development server as a trusted site in IE. However this same workaround does not work for production, and even then it wouldn't be an acceptable workaround. But the fact that I had to do this in the development environment makes me worried that I've missed something along the way...)

The problem was that I was missing clientaccesspolicy.xml. Having crossdomain.xml was not sufficient in this case. I think this is because the WCF invocation was not just cross-browser but also cross-protocol (the Silverlight app was served via http but the services were served via https).
In addition, my clientaccesspolicy.xml had to explicitly allow access for http as follows:
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="SOAPAction">
<!-- IMPORTANT! Include these lines -->
<domain uri="http://*"/>
<domain uri="https://*"/>
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true"/>
</grant-to>
</policy>
</cross-domain-access>
</access-policy>
It now works like a charm.
A couple of things that tripped me up along the way:
My browser was caching clientaccesspolicy.xml and crossdomain.xml. I would have to clear my cache every time I changed one of those files or it wouldn't recognize the newer version, despite the fact that IIS is configured to prevent client caching of this file.
The requests to clientaccesspolicy.xml and crossdomain.xml were not always showing up in Fiddler. I would often see CONNECT requests instead. I don't understand the reason for this but I've learned not to rely on Fiddler to confirm these requests are being made. Perhaps I have some rogue setting somewhere (it's not the "Decrypt HTTPS traffic" setting because I already disabled it).

I have the same error, when I try to make a call to my site over http and my service was over https it failed. This error occured because my ISS had no certificate, so, when the app tried to download the clientaccesspolicy, it failed.
Take a look in any debug tool on your browser and look for clientacccesspolicy file, then check that if it is being downloaded.

Related

Configuring WIF/WCF using Identity and Access Tool to a Thinktecture.IdentityServer

note: A github repo has been constructed to demonstrate the issue causing these questions.
In creating a WIF secured WCF service, the MSDN documentation recommends using the Identity and Access Tool for visual studio. Upon running the tool on the service project, the following node is added to the web.config [commit 0472287]:
<ws2007FederationHttpBinding>
<binding name="">
<security mode="Message">
<message>
<issuerMetadata address="https://localhost/adfs/services/trust/mex" />
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
The identity tool adds an incorrect issuerMetadata address and does not include the issure node at all. All of the nodes which reference certificate thumbprints are, thankfully, created correctly. Adding a service reference to a client project for this service results in an invalid configuration on the client. Upon changing the content of the message node as follows, creating a service reference to the service leaves a nearly usable client (see second question) [commit 758052d].
<message>
<issuer address="https://localhost:44300/issue/wstrust/mixed/username" binding="ws2007HttpBinding" bindingConfiguration="" />
<issuerMetadata address="https://localhost:44300/issue/wstrust/mex" />
</message>
First Question Is there something I am doing wrong in setting up the identity tool that is causing the binding to not be configured properly? The address that is generated does not exist in the STS FederationMetadata.xml file so I am not sure where it is coming from.
After properly configuring the service, the service reference for the client is nearly plug and play. For some reason, it doesn't specify a binding configuration for the issuer in the WS2007FederationHttpBinding. Adding a binding and creating a binding configuration for the WIF client to get a token from will cause the client to be in a working state [commit 39a4cbc].
Second Question Updating the service web.config allowed the rest of the client configuration to be generated automatically. Am I missing something for the client to also get the binding auto configured?
All of these missing elements are able to be looked up in the FederationMetadata.xml file the identity tool requires as well as on the FederationMetadata service which both projects become aware of. It seems that there should be something to cause these to be configured correctly without need of manual intervention.
note: A github repo has been constructed to demonstrate the issue causing these questions.

WCF service is not communicating with silverlight4 application on Windows 8. IE 10. IIS 8.0

There are two modules one is silverlight application(like a client) and another one is wcf service which is self hosted service . Here both the application works like client and server communication. Those two applications are communicating properly in windows 7 and previous versions but not in win 8.
There is an error like "
An error occurred while trying to make a request to URI "localhost:8283/MyTestService". This could be due to attempting to access a service in a cross-domain way without a proper cross-domain policy in place, or a policy that is unsuitable for SOAP services. You may need to contact the owner of the service to publish a cross-domain policy file and to ensure it allows SOAP-related HTTP headers to be sent. This error may also be caused by using internal types in the web service proxy without using the InternalsVisibleToAttribute attribute. Please see the inner exception for more details."
I tried a many ways which i referred from internet but not able to create connection between them in windows 8.
I tried these ways :
1).added two files clientaccesspolicy.xml and crossdomain.xml to the IIS8(wwwroot) folder as referred by MSN..
2).Giver all permissions to respective folders.
what may be the possible solutions for this ?
1). any security issues might be there
2). windows 8 is enterprise edition
If any more details required let me know in comments.
I am looking forward for your respond..
After so much of R&D , i got the solution to work silverlight and WCF service in windows 8 environment. I am answering to my question if it may helpful to anybody caught in this type of error ..
Actual Cause :
No communication is creating in between CVT Service(WCF service) and CVT pages(silver light application) as client side. Whenever it compiled in windows 8 environment . Then the error caught was “ An error occurred while trying to make a request to URI ‘http://localhost:8283. This could be due to attempting to access a service in a cross-domain way without a proper cross-domain policy in place, or a policy that is unsuitable for SOAP services. You may need to contact the owner of the service to publish a cross-domain policy file and to ensure it allows SOAP-related HTTP headers to be sent. Please see the inner exception for more details. “.
Resolution :
The actual problem is present in WCF service . Below steps to be followed to run the WCF service successfully and make it communicate properly with silver light application in windows 8 environment. In windows 7 and previous versions the settings related to WCF service work will be enabled by default but in win 8 few features might not be enabled in that case you can follow these below steps.
step 1 :
create and add two XML files to wwwroot folder. This folder is located in this path “C:\inetpub\wwwroot”.
a). clientaccesspolicy.xml :
<xml version="1.0" encoding="utf-8">
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="*"/>
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true"/>
</grant-to>
</policy>
</cross-domain-access>
</access-policy>
</xml>
b). crossdomain.xml :
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain- policy.dtd">
<cross-domain-policy>
<allow-http-request-headers-from domain="*" headers="SOAPAction,Content-Type"/>
</cross-domain-policy>
Step 2 : If this feature is not activated , enable this feature by following the below steps.
Hit Windows+x.
Select Programs and Features(first item on list).
Select Turn Windows Features on or off on the left.
Expand .Net Framework 4.5 Advanced Services.
Expand WCF services.
Enable HTTP Activation.
Step 3 : Adding MIME Type and new managed handler
WCF services don’t run on IIS 8 with the default configuration, because the web server doesn’t know, how to handle incoming requests targeting .svc files. You can teach it in two steps:
Refer below link :
https://gyorgybalassy.wordpress.com/2012/09/24/
Step 4 : Application should be compiled in windows 8 environment .
We need to follow these steps to run this application in windows 8 environment.

WCF no endpoint listening for larger files

I have a WCF 4.0 service deployed on a 2K8R2 dev server and hosted under IIS 7.5. I'm calling it locally from a test app (WPF). I'm running into a problem sending largish files (via a byte array) where I get the following error when attempting to send a 23MB (or larger) file.
There was no endpoint listening at
http:///FileStorageClone/FileStorage.svc that
could accept the message. This is often caused by an incorrect address
or SOAP action. See InnerException, if present, for more details.
Up to a 19MB works fine. I've upped the timeout settings and set max buffer, received message and array sizes all at 2GB in the web.config file. The exception is thrown almost immediately (not long enough to have timed out).
It's running using basicHttpBinding, though as that's solidified next steps will be other binding types.
I first worked out the connections with small files, then moved to larger. At 64KB I ran into max buffer and received message sizes. At 4MB I learned I needed to bump up the httpRuntime under system.Web from the default 4GB value.
It feels like an IIS or site-level issue to me. Any idea where I may be missing?
It looks like this is a setting more at the IIS level. Setting requestFiltering in the web.config or via appcmd.exe are two viable options. In the web.config, the following example sets the limit to 2.2 billion bytes:
<system.webServer>
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="2200000000" />
</requestFiltering>
</security>
</system.webServer>
Thanks to: http://www.dantor.com/support/misc/web-config-requestFiltering-user-agent.aspx
Also, via appcmd.exe, see: http://forums.iis.net/t/1066272.aspx

WCF Service behind ISA

I have created a wcf service, successfully deployed to a development server(not behind an ISA Server) and was able to add a service reference to to the service in a test web app. My network administrators deployed the same service to our staging box which is behind an ISA server, when I try to add a service reference through vs2008 or use the svcutil utility I get the following:
Metadata contains a reference that cannot be resolved:
'http://tstsrvr.Testdmz.staging:5910/myService/TestService.svc?wsdl'.
There was an error downloading 'http://tstsrvr.Testdmz.staging:5910/myService/TestService.svc?wsdl'.
The remote name could not be resolved: 'tstsrvr.Testdmz.staging'
Metadata contains a reference that cannot be resolved:
'https://stg-ww2.Test.com/myservice/Testservice.svc'.
Metadata contains a reference that cannot be resolved:
'https://stg-ww2.Test.com/myservice/Testservice.svc'.
If the service is defined in the current solution, try building the solution and
adding the service reference again.
I am able to hit the .svc link through a web browser and then able to click the link
svcutil.exe https://stg-ww2.myserver.com/TestService/TestService.svc?wsdl
which seems to work fine, I am pretty new to wcf so any help is appreciated.
Thanks
Mark
svcutil.exe uses IE's proxy settings.
Uncheck "use a proxy server" from IE > Tools > Internet Options > Connections > LAN Settings and see if that solves your problem.
If you still have a problem, consider adding the system.net section in your configuration file.
<system.net>
<defaultProxy >
<proxy autoDetect ="True" />
</defaultProxy>
</system.net>
and set
<transport proxyCredentialType="Windows"/>

Disable proxy for entire application?

Ever since upgrading to Visual Studio 2010, I'm running into an issue where the first web request of any type (WebRequest, WebClient, etc.) hangs for about 20 seconds before completing. Subsequent calls work quickly. I've narrowed down the problem to a proxy issue.
If I manually disable proxy settings, I don't experience this delay:
Dim wrq As WebRequest = WebRequest.Create(Url)
wrq.Proxy = Nothing
What's strange is that there are no proxy settings enabled on this machine in Internet Options. What I'm wondering is if there is a way to disable proxy settings for my entire project in one shot without explicitly disabling as above for every web object.
The main reason I want to be able to do this is that I'm trying to use an API (http://code.google.com/p/google-api-for-dotnet/) which uses web requests, but does not provide any way to manually disable proxy settings.
I have found some information suggesting that I need to add some proxy information to the app.config file, but I get errors building my program if I make an edits to that file.
Can anyone point me in the right direction?
Brent - that's the correct solution : adding a defaultProxy element to your application's configuration file.
So for a website, it's the web.config. For an .exe application, it's .config.
And those settings are also correct :-
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.net>
<defaultProxy enabled="false" useDefaultCredentials="false">
<proxy/>
<bypasslist/>
<module/>
</defaultProxy>
</system.net>
</configuration>
Instead of turning off the proxy setting altogether you can try using the bypasslist to turn it off for the servers that you're having problems with.
See http://msdn.microsoft.com/en-us/library/kd3cf2ex.aspx for details and a sample.
If you're having problems changing the app.config I suggest posting the errors and possibly the app.config as well.