When does WCF NetTcpBinding need full trust on the client? - wcf

I'm using WCF to communicate to several servers.
For my local server netTcpBinding works like expected, no problems.
But when I try to connect to my remote server (Azure) using the following netTcpBinding in app.config, this will crash the application on initialization since the netTcpBinding can't be created without full trust.
This binding in the app.config file,
<bindings>
<netTcpBinding>
<binding name="NetTcpBinding_IService" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions"
hostNameComparisonMode="StrongWildcard" listenBacklog="10" maxBufferPoolSize="524288"
maxBufferSize="65536" maxConnections="10" maxReceivedMessageSize="65536">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Transport">
<transport clientCredentialType="None" protectionLevel="EncryptAndSign" />
<message clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
</bindings>
It will result in this error:
An error occurred creating the configuration section handler for "system.serviceModel/bindings": That assembly does not allow partially trusted callers. (K:\Somepath\Testing.exe.Config line 6)
The strange thing: In the app.config file I got client endpoints connecting to other netTcpBindings (without declaring them explizitely in the binding section).
Why do these generic netTcpBindings work in partial trust, but the one I showed above does not?
Or am I just confused by this error message and the problem is not about full trust?
Update: If I remove the <binding> section the stuff will run without problems. So I'm allowed to use netTcpBinding in partial trust, but I'm not allowed to modify the parameters? This is a pity since I'd like to have some form of encryption on my communication.

NetTcpBinding in general is not supported in partial trust environments.
While the basic communication works fine (as you've seen in other environments), features like TransportSecurity and ReliableMessaging (which you have on your sample configuration) are explicitly not supported on partial trust (it sucks, big time).

Related

Web Service - The Remote name could not be resolved

We have an existing web service that is running fine - recently added another and everything seemed to be OK until the connection was no longer from our own LAN, otherwise it throws..
There was no endpoint listening at http://hasoftware002/HOA3_Service/Service2.svc that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.
System.Net.WebException: The remote name could not be resolved: 'hasoftware002'
It's picking up the server name not the domain name. I've tried to compare everything with the service that works to this but can't find where it's messing up. Any pointers would be appreciated.
Did check that it was not a configuration problem with the client but can't spot anything there either and it's certainly pointing to a domain name not a server name....
Thanks
===================
UPDATE
Some of the references in the client config documents are referencing the server name, not the domain name - can edit them and it runs, but updating the service reference just overwrites them again. Head, wall, thud............
Turns out that the answer was to add this under binding
<security mode="Transport">
Now it picks up the domain name and runs as it should. I spent hours, and hours trying so many things, hope this will help someone else.
Edit - added more context re question
<binding name="BasicHttpBinding_IService1" closeTimeout="00:10:00" openTimeout="00:10:00" receiveTimeout="00:10:00" sendTimeout="00:10:00"
allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="524288000" maxBufferPoolSize="524288000" maxReceivedMessageSize="524288000"
messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true">
<readerQuotas maxDepth="32000" maxStringContentLength="8192" maxArrayLength="524288000" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="Transport"> '<--------- Add this
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>

Can you test a certificate-secured WCF service with SoapUI?

I have a WCF service that is:
Using the BasicHttpBinding (if you can answer for WsHttpBinding even better!)
Using TransportWithMessageCredential Security
Using X.509 Certificates for Transport and Message security
I would like to be able to test this service with SoapUI.
However, when I attempt to do so it appears that SoapUI signs more of the message than WCF expects, leading to this error (detected in the Application log after enabling ServiceModel auditing):
CryptographicException: Unable to resolve the '#id-100' URI in the signature to compute the digest.
Alternatively, when I use a WsHttpBinding I get the exception:
MessageSecurityException: The message received over Transport security has unsigned 'To' header.
Similar issues have been raised before:
WCF rejects messages with additional signed elements
http://connect.microsoft.com/VisualStudio/feedback/details/481030/wcf-signed-parts
Getting WCF to accept unsigned 'To' Header
This does not strike me as a "Java talking to MS WCF" issue - I have a Java test client working without issue. Likewise, I can use WCFStorm to test the service. However, SoapUI has become a bit of a de facto test standard, particularly for non-Windows consumers.
So, has anyone managed to overcome these issues and test a certificate-secured WCF service using SoapUI?
Thanks
I believe this issue is irresolvable, based on my own testing and a 250 bounty not yielding an answer.
The "web.config" is generated dynamically, but it's effectively matching either of the following bindings:
<wsHttpBinding>
<binding name="WSHttpBinding_ITwoWayAsync" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:10:00"
bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="250000" maxReceivedMessageSize="250000"
messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Certificate" proxyCredentialType="None" realm="" />
<message clientCredentialType="Certificate" negotiateServiceCredential="false"
establishSecurityContext="false"
algorithmSuite="Default" />
</security>
</binding>
</wsHttpBinding>
<basicHttpBinding>
<binding name="BasicHttpBinding_ITwoWayAsync" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:10:00"
bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="250000" maxReceivedMessageSize="250000"
messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Certificate" proxyCredentialType="None" realm="" />
<message clientCredentialType="Certificate" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>
This was impossible with SoapUI and I had to use another tool called WCFStorm.
I had exactly the same issue. I haven't it working with BasicHttpBinding but do have it working with WsHttpBinding. I had the error The message received over Transport security has unsigned 'To' header as well. I created a blogpost for solving this issue. Se the blogpost Connect SoapUI to WCF service certificate authentication for more information.
You have to set the parts in the signature. By default SoapUI signs the whole request but that isn’t the default by WCF so we have to set the parts that we want to sign. So add as Name “To”, Namespace “http://www.w3.org/2005/08/addressing” (this is my namespace but check yours) and set Encode to “Element”. Also check the WS-A panel in your request. Check addressing and set the default "To" checkbox.
I have been able to do this with a custom binding in WCF and a PFX certificate file. I had to use a custom binding because I needed to restrict access to one certificate - which is outside the scope of this question. My certificate pfx file had both the public key and the private key. The private key was password protected. I could not get to this work with any other certificate format.
In SoapUI, I go to File -> Preferences -> SSL Settings:
-->Keystore Name: path_to_PFX_file
-->KeyStore password: your_private_key_password
Here are my web.config settings which are pretty much the same as a basicHttpBinding:
<customBinding>
<binding name="MyServiceBindingConfiguration">
<security authenticationMode="UserNameOverTransport" includeTimestamp="false" requireDerivedKeys="false" securityHeaderLayout="Lax" messageProtectionOrder="SignBeforeEncrypt" messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
<localClientSettings maxClockSkew="00:30:00" />
<localServiceSettings maxClockSkew="00:30:00" />
<secureConversationBootstrap />
</security>
<textMessageEncoding messageVersion="Soap11">
<readerQuotas maxDepth="32" maxStringContentLength="524288" maxArrayLength="524288" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
</textMessageEncoding>
<httpsTransport requireClientCertificate="true" />
</binding>
</customBinding>
Hope this helps.

how do I use my web reference in MVC?

greeting folks, I need to reference an external service in my MVC app.
I'm using this service to validate an authentication token that one of our clients has requested we use.
I'm porting an older project to MVC.
I added a web reference.
The config was generated like so:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="ExternalServicesSoap" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="None">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="http://myapps.test.com/ExternalServices/ExternalServices.asmx"
binding="basicHttpBinding" bindingConfiguration="ExternalServicesSoap"
contract="AssertionService.ExternalServicesSoap" name="ExternalServicesSoap" />
</client>
In the older ASP.NET world, I could do the following on the specific service I am referencing, using the Assertion object defined in the external service reference.
var service = new ExternalServices();
Assertion assertion = service.Validate(Id);
if(assertion.Valid){}
This doesn't seem to be the exact case in the MVC project.
I seem to be working with WCF.
I'm not sure if I'm approaching this properly in the MVC world.
All I have to work with is an ExternalServiesSoap interface or an ExternalServicesSoapChannel interface.
None of which return an Assertion object like in the ASP.Net world.
They both have the Validate method but return a ValidateAssertionResponse.
The response object doesn't have any useful properties; just a response body.
The Assertion class is still accessible but it doesn't seem to be returned by any of the interface methods.
Can anyone help me with how to properly use one of these interfaces?
thanks
Rather than adding a Service Reference, add a Web Reference. Right click on your project, select "Add Service Reference...". In the Add Service Reference dialog, click "Advanced", then click "Add Web Reference". This will generate a proxy that is appropriate for use with ASMX based services.

Calling SOAP UI mock service with WCF: "The provided URI scheme 'https' is invalid; expected 'http'."

A colleague of mine gave me a copy of a mock service project for SOAP UI. I can open and run this mock service fine on my machine.
It is running at address: http://localhost:8088/mockShipmentInformationService
The WSDL is provided on address: http://localhost:8088/mockShipmentInformationService_SOAPBinding?WSDL
Using the WSDL provided, I added a Service Reference to the application project. In order to test the methods calling the service, I also added the service reference to the Unit testing project.
For both projects, the following is added to the app.config:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="ShipmentInformationService_SOAPBinding" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="None">
<transport clientCredentialType="None" proxyCredentialType="None" realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost:8088/mockShipmentInformationService_SOAPBinding"
binding="basicHttpBinding" bindingConfiguration="ShipmentInformationService_SOAPBinding"
contract="ShipmentInformationService.ShipmentInformationService"
name="ShipmentInformationServicePort" />
</client>
</system.serviceModel>
As you can see, the URL is using the normal http protocol, not https. Also, my security mode is set to "none". Yet, I keep on getting the following error message, when attempting to call the service method:
The provided URI scheme 'https' is invalid; expected 'http'.
Parameter name: via
What gives? Might there be some URLs defined somewhere that are wreaking havoc? Where should I look?
I just discovered that it was all in the app.config files. The application project had a wrong URL in the applicationSettings section and the URL wasn't present there for the unit testing project. I can now at least call the service, although I am having some other issues now.

WCF Client consuming multiple services

I'm trying to figure out how to set up my web.config (the client) to consume two different WCF web services one using the other using
I have the two endpoint, I guess I need two different Binding configurations. This is my current binding node:
<basicHttpBinding>
<binding name="WebServiceProxyServiceSoapBinding" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:01:00" sendTimeout="00:01:00"
allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferSize="2147483647" maxBufferPoolSize="524288" maxReceivedMessageSize="2147483647"
messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="Transport">
<transport clientCredentialType="None" proxyCredentialType="None" realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>
I can't add another basicHttpBinding node. The thing is if ALL I changed was the mode parameter in <security mode="Transport"> then the binding will work great for one or the other endpoint.
This seems like a common issue, but have not found an answer. Overall I'm not very experiences with WCF (if that is not obvious) outside the simple consume and call. Any help would be GREAT!
This article was close but not quite the same issue as they did not need a different security mode.:
How to consume multiple WCF services from one client
Thanks in advance.
You just need to add another <binding> node, with a different name and whatever different options you like, under the <basicHttpBinding> node.
Then, obviously, just make sure each client is configured to use the binding that's specific to them by setting the appropriate name in the bindingConfiguration attribute for each <endpoint> node.
I have the two endpoint, I guess I
need two different Binding
configurations. This is my current
binding node:
Not necessarily - if these two services use the same settings and same protocols, one binding configuration will do.
What you need to add two of is a client element:
<system.serviceModel>
<bindings>
..... (as you already have it) ....
</bindings>
<client>
<endpoint name="Service1Endpoint"
address="http://yourserver/service1.svc"
binding="basicHttpBinding"
bindingConfiguration="WebServiceProxyServiceSoapBinding"
contract="IWCFService1" />
<endpoint name="Service2Endpoint"
address="http://yourserver/service2.svc"
binding="basicHttpBinding"
bindingConfiguration="WebServiceProxyServiceSoapBinding"
contract="IWCFService2" />
</client>
</system.serviceModel>
That should do.
Of course, if your second service uses another binding, or needs different security settings, then yes, you'd need to add a second <binding name="something else" .....> under your <basicHttpBinding> node and reference that second binding configuration from one of your two client endpoints here.