I have a asp.net 2.0 web site with WCF service hosted inside it running on .NET 3.5 framework. The website is setup with Integrated Windows Authentication only. The web server is IIS 6 with load balancing on Windows 2003 Sp2 (2 servers). I am unable to access the WCF service (.svc) using the full url (http://myqa2.abcdefg.com/trxn/WCFTrxnService.svc). Also note that the server is configured with multiple host headers. The website is protected by siteminder. Initially I was getting an error
This collection already contains an address with scheme http. There can be at most one address per scheme in this collection. Parameter name: item
So added the following config entry
<serviceHostingEnvironment>
<baseAddressPrefixFilters>
<clear/>
<add prefix="http://myqa2.abcdefg.com"/>
</baseAddressPrefixFilters>
</serviceHostingEnvironment>
That error went away, but now I am being prompted for login by the browser. For same website, I am able to access .aspx page. The login prompt is appearing only for .svc file.
Here is the binding / endpoint from config file that I am using.
<system.serviceModel>
<serviceHostingEnvironment>
<baseAddressPrefixFilters>
<clear/>
<add prefix="http://myqa2.abcdefg.com"/>
</baseAddressPrefixFilters>
</serviceHostingEnvironment>
<bindings>
<basicHttpBinding>
<binding name="IISIntegratedAuthBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="TestWCFFromSL.Web.WCFTrxnServiceBehavior">
<serviceMetadata httpGetEnabled="true" httpGetUrl="http://myqa2.abcdefg.com/fmc/WCFNotesService.svc"/>
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service name="TestWCFFromSL.Web.WCFTrxnService" behaviorConfiguration="TestWCFFromSL.Web.WCFTrxnServiceBehavior">
<endpoint
address="http://myqa2.abcdefg.com/trxn/WCFTrxnService.svc"
binding="basicHttpBinding"
bindingConfiguration="IISIntegratedAuthBinding"
contract="TestWCFFromSL.Web.IWCFTrxnService" />
</service>
</services>
<!--<serviceHostingEnvironment multipleSiteBindingsEnabled="true"/>-->
if a website is protected by SiteMinder, WCF / SOAP calls don't work. But a different solution to this problem is working.
The URL myqa2.abcdefg.com/trxn/WCFTrxnService.svc is protected by SiteMinder, but
myqa2/trxn/WCFTrxnService.svc is not protected by siteminder, Looks like SiteMinder only protects FQDN (Fully Qualified Domain Names). So I configured the application to call WCF service using short url instead FQDN. I also had to use crossdomainpolicy because the application considers myqa2.abcdefg.com and myqa2 as 2 seperate domains.
Related
I have three different WCF services deployed on server separately in there own application directory under "Default WebSites" in IIS. One of the service is deployed by me and two other services are deployed by some other client. There is a single server certificate deployed in IIS to which i have bind my service.
But when i try to access my service form https I get this error in popup:
"Address Mismatched.
The security certificate presented by this website was issued for a different website's address.
This problem might indicate an attempt to fool you or intercept any data you send to the server."
Thee web.config file of my service is as following
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<identity impersonate="false" />
</system.web>
<system.serviceModel>
<services>
<service name="WcfApp.Service">
<endpoint address="customer"
binding="basicHttpBinding"
bindingConfiguration="secureHttpBinding"
contract="WCFApp.ICustomerService" />
<endpoint address="order"
binding="basicHttpBinding"
bindingConfiguration="secureHttpBinding"
contract="WcfApp.IOrderService" />
<endpoint address="mex"
binding="mexHttpsBinding"
contract="IMetadataExchange" />
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="secureHttpBinding">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior >
<serviceMetadata httpsGetEnabled="True" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceThrottling maxConcurrentCalls="21" maxConcurrentSessions="50" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<directoryBrowse enabled="true" />
<validation validateIntegratedModeConfiguration="false" />
</system.webServer>
</configuration>
Interesting thing is that when I hit the following URL:
https://myserverurl.com/applicationfolder/service.svc?wsdl
to get the wsdl, it runs perfectly and returns me the wsdl description but the original call is not working.
Why am I getting the "Mismatched Address"? Is there need to add host base address? if yes how and where exactly to add it in web.config and is there need to add it in other two wcf services deployed? Is port conflicting with certificate? I am new to wcf please help me resolve this issue?
I am using .net 4.0, IIS 7.0, windows server 2008.
Thanks in advance.
The error message says (basically) that the certificate that you are using for your site doesn't match the DNS name that is being used (from the client's browser) to connect to the site.
My guess is that you are implementing virtual hosting; i.e. multiple services with different DNS names that are being served from one IIS instance. This won't work ... unless you either use a different certificate for each service, or you use a wild-card certificate that matches all of the service DNS names.
Apparently, name-based SSL virtual hosting is not supported by IIS prior to 7.0. This article describes how to configure it for IIS 7.0. But note that the names in the respective certificates must match the corresponding virtual host names ...
Note that the requirement that the hostnames and certificates must match is fundamental to SSL security. It is what allows the browser / user to know that it is talking to the expected server (based on the DNS name) and not some imposter site.
I am trying to configure a basic IIS 7 hosted WCF service that uses Windows Authentication to authorize users. I have seen many examples that demonstrate how to flow credentials using basicHttpBinding with <security mode="TransportCredentialOnly"> and SSL. When I configure my service to use TransportCredentialOnly, I get the following error if I try to view the svc file in IE:
Could not find a base address that matches scheme http for the
endpoint with binding BasicHttpBinding. Registered base address
schemes are [https].
I am hosting in IIS 7. SSL is configured with a valid certificate. Windows Authentication is on. Anonymous authentication is off. Application pool is ASP.Net v4.0 running under the ApplicationPoolIdentity
Here is the config file for my service:
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode="Windows" />
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
</roleManager>
</system.web>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="svcTest" >
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" httpsHelpPageEnabled="true" httpHelpPageEnabled="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpEndpointBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service name="WCF_Test.Service1" behaviorConfiguration="svcTest">
<endpoint name ="Service1Endpoint"
address="EndpointTest"
binding="basicHttpBinding"
bindingConfiguration="BasicHttpEndpointBinding"
contract="WCF_Test.IService1">
</endpoint>
</service>
</services>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>
If I change the binding to use Transport instead of TransportCredentialOnly then I am able to view my service file in IE. I can then create a proxy to my web client and call a method on the service from my client and attempt to authorize the user from the service method using this code:
if(System.Web.Security.Roles.IsUserInRole(#"Admins"))
This code does not work because it uses the identity of the account running IIS on the server (IIS APPPOOL\ASP.NET v4.0) and not that of the user calling the web service from a web page.
How do I configure IIS 7 with a valid SSL certificate to use basicHttpBinding with security mode="TransportCredentialOnly"?
How do I flow my users Windows credentials client to the web service so I can authorize users on the web service using this code?
[PrincipalPermission(SecurityAction.Demand, Role = "Admins")]
or this code
if(System.Web.Security.Roles.IsUserInRole(#"Admins"))
Any help would be greatly appreciated.
Thank You
Probably the problem is in the configuration of IIS, before it gets to your code or your web.config.
If IIS has anonymous authentication turned on, the request coming into ASP.net will look like it came from the user identity of IIS.
In the IIS config you must turn off anonymous authentication and turn on windows authentication.
My guess is you need to use the basicHttp s Binding instead.
This is driving me nuts. I have a .net 4, wcf service that is outputting jsonp. It works using the built in web server with vs.net however if i try to host in iis7 on windows 7 64bit i don't get any response.
If I try to navigate to svc file while hosted in iis7 I get
"Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service."
If trying to access via client jquery jsonp request i don't get any response from the service being hosted in iis7
So, the configuration of the service (web.config) is fine when hosted within vs.net web server (just doesn't work with iis)
Here is the config
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="webHttpBehavior">
<webHttp />
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<webHttpBinding>
<binding name="webHttpBindingWithJsonP" crossDomainScriptAccessEnabled="true" />
</webHttpBinding>
</bindings>
<services>
<service name="ServiceSite.CustomersService">
<endpoint address="" binding="webHttpBinding"
bindingConfiguration="webHttpBindingWithJsonP" contract="ServiceSite.CustomersService"
behaviorConfiguration="webHttpBehavior"/>
</service>
</services>
</system.serviceModel>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
The site must be ntlm/windows secured.
I added the following to the web.config bindings section
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Ntlm"/>
</security>
When browsing the svc file I now get Cross domain javascript callback is not supported in authenticated services
Really? Is this true jsonp is not supported?
This is probably symptomatic of misconfiguration of the web site. Go to Authntication feature of the website on the IIS Manager and make sure it is setup.
I'm pretty sure because of how JSONP cross domain works with today's shortcomings that you always have to implement your own custom security system.
I use SSL and HMAC security for JSONP cross domain authentication. I do the authentication myself on the service.
When doing JSONP you cannot set headers, or anything, on the request because it's done through adding tags, not an actual XMLHTTP request object.
I have seen loads of questions about this, I've spent over a day researching and trying to fix it but I've drawn a blank.
I want to deploy a WCF service onto a server connecting with HTTPS and using basic authentication. Here is my service web.config
I am using an extremely simple Calculator as a test which has a single method which adds together two numbers.
<configuration>
<system.web>
<compilation debug="false" targetFramework="4.0" />
<customErrors mode="Off" />
</system.web>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="UsernameWithTransport">
<security mode="Transport">
<transport clientCredentialType="Basic" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="Service">
<endpoint address="https://myserver.mydomain.co.uk/CalculatorService"
binding="wsHttpBinding"
bindingConfiguration="UsernameWithTransport"
name="BasicEndpoint"
contract="TestCalculator" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="">
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
In IIS 6.0 I have enabled basic authentication and required HTTPS.
I can browse to the .svc file and it asks for my credentials. I provide them and it displays the default page. However it says:
You have created a service.
To test this service, you will need to create a client and use it to
call the service. You can do this using the svcutil.exe tool from the
command line with the following syntax:
svcutil.exe
http://myserver.mydomain.co.uk/CalculatorService/Service.svc?wsdl
This will generate a configuration file and a code file that contains
the client class. Add the two files to your client application and use
the generated client class to call the Service. For example: ......
Basically, the issue seems to be that the path to the .wsdl is a http:// not an https:// and I don't think I understand why.
I am now trying to create a C# console application to test consuming the service. I cannot add the reference to the .svc path directly because it just goes around and around in a loop asking me for my username and password. If I add the reference to the .svc?wsdl then that did work but then invoking the service gives a "Method not allowed" because it is trying to use HTTP not HTTPS.
Hope I have expained this well enough. Thanks for any help.
You requires HTTPS but in the same time you allow WSDL only over HTTP. Change this:
<serviceMetadata httpGetEnabled="true"/>
To this:
<serviceMetadata httpsGetEnabled="true"/>
Now you will be able to access WSDL over https://..../....svc?wsdl but you will still have to authenticate because authentication is global for your deployed site.
Help please!!
I had the following set up working perfectly:-
WCF Service Library hosted in web site on local IIS 7
Silverlight Application on a web site on local IIS 7 using above services
The solution I am writing is for intranet and not internet use, however I have been told by my bosses that it needs to be over Https. I am using Windows Authentication.
Below is a chunk of the config file for one of the service endpoints (changed to remove company info etc):-
<services>
<service behaviorConfiguration="stdHttpBehavior" name="WcfServiceLibrary.StaticDataService">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="windowsHttpBinding"
name="StaticDataService" contract="WcfServiceLibrary.ServiceContracts.IStaticDataService" />
<endpoint address="mex" binding="mexHttpBinding" name="" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="http://localhost/WcfServiceLibrary/StaticDataService/" />
</baseAddresses>
</host>
</service>
<behaviors>
<serviceBehaviors>
<behavior name="stdHttpBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<dataContractSerializer maxItemsInObjectGraph="2147483647" />
</behavior>
</serviceBehaviors>
</behaviors>
To experiment with Https I created a 'Self-Signed Certificate'. I then added https to the Default Web Site bindings and changed the two web sites to require SSL and also changed the relvant URIs in the config files. I managed to get this to work but now I want to go back to standard Http and finish the project in that mode as it was easier to work with. I changed all the settings back (and I have checked these extremely carefully).
Now I get this error if I try to downoad the Service definition in the Silverlight project: -
'Could not find a base address that matches scheme https for the endpoint with binding BasicHttpBinding. Registered base address schemes are [http].'
If I put back the certificate and binding in IIS. The Service definition appears to download OK, however it references an https URI and therefore none of the actual service calls work as they are http adresses!
I tried adding a new web site to host the service but got the same errors.
I have been trying to solve this for the last couple of days but cannot find an answer. It seems as though there is a hidden reference somewhere and not in my project as it continued with a new web site added to IIS.
To use SSL over HTTP under Basic HTTP binding, you need to switch your endpoint to use Transport-level security. In your case you will also want to indicate the client credential type:
<bindings>
<basicHttpBinding>
<binding name="windowsHttpBinding">
<security mode="Transport">
<transport clientCredentialType="Windows" />
<message />
</security>
</binding>
</basicHttpBinding>
</bindings>
It may seem obvious, but did you change the security mode on the windowsHttpBinding binding configuration to BasicHttpSecurityMode.None?
<bindings>
<basicHttpBinding>
<binding name="windowsHttpBinding">
<security mode="None" />
</binding>
</basicHttpBinding>
</bindings>
Related resources:
Transport Security Overview
BasicHttpSecurityMode Enumeration