Configuring WCF Security (wsHttpBinding) - wcf

I have two websites hosted on the same IIS server. SiteA contains WCF services that need to be accessed by SiteB, as well as anything else that is authenticated on the domain.
The service is configured with a wsHttpBinding and thus I believe uses Windows security by default. Right now I can call the services from a console app running on my local machine, as well as from a web application running in the default Visual Studio web server, so I am taking that the authentication is working.
However, when SiteB tries to access the services, it fails with this error:
The caller was not authenticated by the service.
SiteB runs on the same machine than SiteA so I don't understand why it could not be authenticated. SiteB uses Forms Authentication and I mapped Anonymous access to a domain user.
Here are the config bits:
SiteA (service):
<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
<services>
<service behaviorConfiguration="wcfServiceBehaviour" name="MyService">
<endpoint address="" binding="wsHttpBinding" contract="IServiceContract" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="wcfServiceBehaviour">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
SiteB (client):
<system.serviceModel>
<client>
<endpoint address="http://xxxxx/Services/xxService.svc"
binding="wsHttpBinding"
contract="IServiceContract" />
</client>
</system.serviceModel>

You are correct - wsHttpBinding configured in WCF will use Windows Authentication by default.
There is a suggestion here - WCF - changing endpoint address results in securityexception - that the Identity block will not work with Windows Authentication - try removing it.

When SiteB impersonates another user, does your code specify the impersonation level?
My guess is that your are not specifying a high enough level of impersonation. (Delegation is the highest, allowing SiteB to pass the permissions to a different service).
I suspect that fixing up the SiteB impersonation code will be enough to solve the problem.
If not, try passing the allowable impersonation level to the server:
<system.serviceModel>
<client>
<endpoint address="http://xxxxx/Services/xxService.svc"
binding="wsHttpBinding"
contract="IServiceContract"
behaviorConfiguration = "ImpersonationBehavior" />
</client>
<behaviors>
<endpointBehaviors>
<behavior name="ImpersonationBehavior">
<clientCredentials>
<windows allowedImpersonationLevel = "Delegation" /> <!-- The highest level -->
</clientCredentials>
</behavior>
<endpointBehaviors>
</behaviors>
</system.serviceModel>

If you're using a self hosted site like me, the way to avoid this problem (as described above) is to stipulate on both the host and client side that the wsHttpBinding security mode = NONE.
When creating the binding, both on the client and the host, you can use this code:
Dim binding as System.ServiceModel.WSHttpBinding
binding= New System.ServiceModel.WSHttpBinding(System.ServiceModel.SecurityMode.None)
or
System.ServiceModel.WSHttpBinding binding
binding = new System.ServiceModel.WSHttpBinding(System.ServiceModel.SecurityMode.None);

Related

WCF Self hosted REST server (https) keeps asking for client authentication

I created a self hosted WCF REST server (w/o IIS). When I enable SSL support, I am keep asked for a Client Certification when I test the site in Chrome.
Below is my app.config of which I believe I disabled the client authentication. Is there anything that I am missing here?
photo :
Chrome asking for client certificate
App.config code :
<system.serviceModel>
<services>
<service behaviorConfiguration="ADConnectorLibrary.Service1Behavior" name="ADConnectorLibrary.ADConnectorLibrary">
<endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpTransportSecurity" behaviorConfiguration="web" contract="ADConnectorLibrary.IADConnectorLibrary" >
</endpoint>
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>
<host>
<baseAddresses>
<add baseAddress="https://ADDRESS:8888/ADConnectorLibrary/"/>
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="ADConnectorLibrary.Service1Behavior">
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="False"/>
**<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="None" />
</clientCertificate>
</serviceCredentials>**
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="web">
<webHttp/>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<webHttpBinding>
<binding name="webHttpTransportSecurity">
<security mode="Transport">
**<transport clientCredentialType="None" />**
</security>
</binding>
</webHttpBinding>
</bindings>
The only thing you need to do is disable the SSL setting when hosting the service in IIS.
On my side, I create a console application to host the service and bind the sslcert to the specified port with the following command. when the client calls it via browser, it does not pop up a dialog box and prompted me to select the client certificate.
netsh http add sslcert ipport=0.0.0.0:8000
certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6
appid={00112233-4455-6677-8899-AABBCCDDEEFF}
Maybe we don't need to open the support client certificate,or disable it.
clientcertnegotiation=disable
Here is the official document, wish it is useful to you.
https://learn.microsoft.com/en-us/windows/desktop/http/add-sslcert
https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-configure-a-port-with-an-ssl-certificate
Feel free to let me know if there is anything I can help with.
Since you are using TransportSecurity, I believe you need to assign a certificate to your service otherwise it will not be able to encrypt the message via SSL over HTTPS.
Likewise the client would have to trust that certificate, or will get one of these reponses when the client tries to access the service via HTTPS in a brower, and calls from code will fail.
You probably need to use netsh, since you are not using IIS. You might need to reseach netsh a bit to fit your needs.
Something like this to register the cert to the port and map to the application guid: This is a pure made up example: netsh http add sslcert ipport=127.0.0.1:8000 certhash=c20ed305ea705cc4e36b317af6ce35dc03cfb83d appid={c9670020-5288-47ea-70b3-5a13da258012} clientcertnegotiation=enable
you probably don't need this since you are not apply a certificate:
**<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="None" />
</clientCertificate>
</serviceCredentials>**

WCF Service Hosted on IIS10. Can browse the .svc file but the wsdl does not show up

I have a test WCF service that I hosted on IIS. I added a new application to the default website and used default app pool to host my test service. I am able to browse the .svc file from the content view in IIS and the success page along with a link to wsdl opens up on Windows IE. However, on clicking the wsdl link, a HTTP 404(Not found) error is thrown.(everything is on my localhost being accessed internally)
I have added the metadata endpoint and this is the relevant portion of my web.config file.
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="mexBehaviour">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="mexBehaviour" name="ClassLibrary1.HelloWorldService">
<endpoint address="HelloService" binding="basicHttpBinding" bindingConfiguration=""
contract="ClassLibrary1.IHelloWorldService" />
<endpoint address="mex"
binding="mexHttpBinding"
contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="http://localhost:17000"/>
</baseAddresses>
</host>
</service>
</services>
</system.serviceModel>
Can someone please guide me about what I can be missing? Could it be a permissions issue or anything else?
Thanks.
There is no need to add the base address to service contract which will be provided by the IIS web server.
The default wcf application configuration enable the service metadata and we are able to access the metadata by the svc page or we directly use the following url.
http://localhost:90/Service1.svc?wsdl
Feel free to contract me If the problem still exists.

WCF unable to find netTcpBinding

I am trying to create a WCF service that is accessible through both webHttpBinding and netTcpBinding. I have been successful in getting the webHttpBinding to be accessible through a Java client and now I'm working on trying to get the netTcpBinding working.
I have set up the configuration like this;
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="httpBehavior">
<webHttp/>
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
<services>
<service name="MR_Jukebox_Service.JukeboxService">
<host>
<baseAddresses>
<add baseAddress="http://localhost:8732/Design_Time_Addresses/MR_Jukebox_Service/"/>
<add baseAddress="net.tcp://localhost:8523/Design_Time_Addresses/MR_Jukebox_Service/net/"/>
</baseAddresses>
</host>
<endpoint address=""
behaviorConfiguration="httpBehavior"
binding="webHttpBinding"
contract="MR_Jukebox_Service.IJukeboxService" />
<endpoint address="mex"
binding="mexHttpBinding"
contract="MR_Jukebox_Service.IJukeboxService" />
<endpoint address="net.tcp://localhost:8523/Design_Time_Addresses/MR_Jukebox_Service/net"
binding="netTcpBinding"
bindingConfiguration=""
contract="MR_Jukebox_Service.IJukeboxService" />
</service>
</services>
</system.serviceModel>
In the same solution, I have a test application that I wish to connect to the netTcpBinding, I've right clicked on "Service References" and chosen "Add Service Reference...".
When I click on "Discover" it finds the service although says;
There was an error downloading 'http://localhost:8732/Design_Time_Addresses/MR_Jukebox_Service'.
The request failed with HTTP status 404: Not Found.
Metadata contains a reference that cannot be resolved: 'http://localhost:8732/Design_Time_Addresses/MR_Jukebox_Service'.
There was no endpoint listening at http://localhost:8732/Design_Time_Addresses/MR_Jukebox_Service that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.
The remote server returned an error: (404) Not Found.
If the service is defined in the current solution, try building the solution and adding the service reference again.
But I am also unable to see the netTcpBinding in order for me to create a service reference to it.
I was wondering whether anyone can see what I am doing wrong as its probably something rather simple, but due to my lack of experience with WCF haven't noticed.
Thanks for any help in advance.
Try changing your mex endpoint to this:
<endpoint address="mex"
binding="mexHttpBinding"
contract="IMetadataExchange" />
You were using your service's contract for the mex endpoint, which I don't believe will work.
You can set up a similar one for the NetTcpBinding:
<endpoint address="net.tcp://localhost:8523/Design_Time_Addresses/MR_Jukebox_Service/net/mex"
binding="mexTcpBinding"
contract="IMetadataExchange" />
I have been successful in getting the webHttpBinding to be accessible through a Java client and now I'm working on trying to get the netTcpBinding working.
Are you trying to get the netTcpBinding to work with a java client ? Because, netTcpBinding only works with a .net client.
NetTcpBinding is not designed for interop, it's designed for performance when both the server and client are .net

Exposing WCF Services Via HTTP when not hosted in IIS

Like the title says, we need to set up WCF services between a .NET app, and a Adobe AIR app. We don't want to run IIS on the machine, and would much prefer to install and run the WCF services hosted within a windows service.
However, I am uncertain of doing that will let us use HTTP as the transport, of does that only work within IIS? I was able to set things up to use the TCP transport, but that doesn't interop with AIR nearly as nice as using HTTP.
EDIT: Some test code I've been using to see if this works:
Regular console app:
static void Main()
{
using (ServiceHost host = new ServiceHost(typeof(TestService)))
{
host.Open();
}
Console.WriteLine("Waiting...");
Console.ReadLine();
}
TestService is a simple HelloWorld type service.
In the App.Config:
<configuration>
<system.serviceModel>
<services>
<service name="WCFExample2.TestService" behaviorConfiguration="WCFExample2.TestServiceBehavior">
<host>
<baseAddresses>
<add baseAddress = "http://localhost:8731/Design_Time_Addresses/WCFExample2/Service1/" />
</baseAddresses>
</host>
<!-- Service Endpoints -->
<!-- Unless fully qualified, address is relative to base address supplied above -->
<endpoint address ="" binding="wsHttpBinding" contract="WCFExample2.ITestService">
<!--
Upon deployment, the following identity element should be removed or replaced to reflect the
identity under which the deployed service runs. If removed, WCF will infer an appropriate identity
automatically.
-->
<identity>
<dns value="localhost"/>
</identity>
</endpoint>
<!-- Metadata Endpoints -->
<!-- The Metadata Exchange endpoint is used by the service to describe itself to clients. -->
<!-- This endpoint does not use a secure binding and should be secured or removed before deployment -->
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="WCFExample2.TestServiceBehavior">
<!-- To avoid disclosing metadata information,
set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="True"/>
<!-- To receive exception details in faults for debugging purposes,
set the value below to true. Set to false before deployment
to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="False" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
You should have no trouble setting up a Windows NT Service which hosts your WCF service and exposes HTTP endpoints - no need for IIS (but the WCF runtime will use the http.sys kernel mode driver).
Have you tried and failed? If so - can you show us what you had, and how and where it failed?
As a bare minimum, you'd probably want to have something like this config on your service side:
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="Default">
<serviceMetadata httpGetEnabled="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding name="Default"
sendTimeout="00:05:00"
maxBufferSize="500000"
maxReceivedMessageSize="500000" >
<security mode="Message">
<message clientCredentialType="UserName" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service name="Namespace.MyWCFService"
behaviorConfiguration="Default">
<host>
<baseAddresses>
<add baseAddress="http://MyServer:8282/MyWCFService/"/>
</baseAddresses>
</host>
<endpoint
address="basic"
binding="basicHttpBinding" bindingConfiguration="Default"
contract="Namespace.IMyWCFService" />
</service>
</services>
</system.serviceModel>
Of course, you might need to tweak things like the timeout settings, buffer size settings etc. on your binding, the security mode, and quite possibly other settings as you need them to be.
Marc
You could skip all the config and use the WebServiceHost class (which will do it all for you in a fairly standard way). Get that working then look into tailoring the config manually to meet any extra requirements you may have.
All the info you need is here WebServiceHost on MSDN it's a very straightforward way to get started on a custom (i.e. non IIS) hosted http service.
Mike
Apart from the config file settings one more thing to consider.
If you selfhost in a windows service, a http endpoint then
Make the service login account a local admin on the machine
or
You have to register the service account for the http namespace with http.sys.
This step has to be done by a local admin but only once in each machine. You can use the HttpSysCfg tool to do this in XP/win 2003. For vista/win 2008 use netsh.

IIS hosted WCF-service + Windows auth in IIS + TransportCredentialOnly/Windows auth in basicHttpBinding

I want to create a WCF-service hosted in IIS6 and disable anonymous authentication in IIS. And don't use SSL.
So only way I have is to use basicHttpBinging with TransportCredentialOnly, itsn't it?
I create a virtual directory, set Windows Integrated Auth and uncheck "Enable Anonymous Access".
Here's my web.config:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="MyBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service name="Samples.ServiceFacadeService" behaviorConfiguration="ServiceFacadeServiceBehavior">
<endpoint address="" binding="basicHttpBinding" bindingName="MyBinding"
contract="Samples.IServiceFacadeService">
</endpoint>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceFacadeServiceBehavior">
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
You can see that I even haven't included MEX-enpoint for metadata exchange. Just one endpoint and one binding for it with TransportCredentialOnly security.
But when I tries to start service (invoking a method throught client proxy) I got such exception in the EventLog:
Exception:
System.ServiceModel.ServiceActivationException:
The service
'/wcftest/ServiceFacadeService.svc'
cannot be activated due to an
exception during compilation. The
exception message is: Security
settings for this service require
'Anonymous' Authentication but it is
not enabled for the IIS application
that hosts this service.. --->
System.NotSupportedException: Security
settings for this service require
'Anonymous' Authentication but it is
not enabled for the IIS application
that hosts this service.
I have no idea why my service require Anonymous auth? Why?
The answer found jezell. Thanks.
I mixed up bindingName and bindingConfiguration :
<endpoint address="" binding="basicHttpBinding" bindingName="MyBinding"
contract="Samples.IServiceFacadeService">
</endpoint>
That's right:
<endpoint address="" binding="basicHttpBinding" **bindingConfiguration**="MyBinding"
contract="Samples.IServiceFacadeService">
</endpoint>
The MEX endpoint may still be the problem (see this post). Try disabling MEX like this:
<services>
<!-- Note: the service name must match the configuration name for the service implementation. -->
<service name="MyNamespace.MyServiceType" behaviorConfiguration="MyServiceTypeBehaviors" >
<!-- Add the following endpoint. -->
<!-- Note: your service must have an http base address to add this endpoint. -->
<endpoint contract="IMetadataExchange" binding="mexHttpBinding" address="mex" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="MyServiceTypeBehaviors" >
<!-- This disables it. -->
<serviceMetadata httpGetEnabled="false" />
</behavior>
</serviceBehaviors>
</behaviors>
Here is a good post on securing MEX.
Use basicHttpBinding for your mex endpoint and apply the same bindingConfiguration:
To get VS wcf service project (new sample project) to work with authentication under IIS, you have to:
1) Allow Anonymous access in IIS
2) Prefix your public methods with a attribute like this:
[PrincipalPermission(SecurityAction.Demand, Role = "MyADGroup")]
public string SendMyMessage(string Message)
{...}