Why doesn't my WCF endpoint throw a Max Clock Skew exception? - wcf

With almost all of the (secure) WCF service endpoints in my application, if the client's system clock is set too far in the future or past, I get an exception from WCFs Clock Skew mechanism (described here: http://www.danrigsby.com/blog/index.php/2008/08/26/changing-the-default-clock-skew-in-wcf/).
However the one endpoint where my Login() method is implemented never throws this exception even though it has transport security enabled (naturally no credentials are required for it).
Why isn't the "Clock Skew mechanism" working for this endpoint? Maybe it's because clientCredentialType is set to "None"?
As an example, here's a simplified version of my configuration:
<services>
<service name="Foo">
<endpoint address=""
binding="wsHttpBinding"
bindingConfiguration="binding1"
contract="IFoo" />
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="binding1" maxReceivedMessageSize="100000000">
<readerQuotas maxDepth="1000000000" maxArrayLength="1000000000" maxStringContentLength="1000000000" />
<security mode="Transport">
<transport clientCredentialType ="None"/>
</security>
<reliableSession enabled="false" />
</binding>
</wsHttpBinding>
</bindings>

The security mode - security mode="Transport" - does not include time stamp in the message which cause the MaxClockSkew validation to ignore the message and not throws a security exception.
Change the security mode to security mode="TransportWithMessageCredential" which include time stamps and allow the MaxClockSkew validation to test the message for time delta.

Other people have a similar problem:
Triggering MaxClockSkew when accessing WCF service
So I do not think that it is a problem with your configuration.
It appears to be, that if it does not use machine time, it does not check if there is a difference in time between the machines.
You could program your way around it, send the client machine time as a parameter in your login method, if it is different, throw an exception.

Related

Page crahses if repsonse time is more

Im using Silverlight with wcf for my application. When the page requests it goes to the service for the output. But if the response(database operation) takes a bit of time to provide the output then my silverlight page is getting crashed. Can any help me what is the problem.
Sounds like you need to set the timeout settings for the WCF service to be higher to cater for the potential delays. The timeout settings are usually set in the bindings defined in the
<system.serviceModel>
<bindings>
section of the config file.
You will need to make sure that the 'receiveTimeout' in the client config, and the 'sendTimeout' in the service config are set to appropriate values that are high enough to cater for your particular service's timings.
An example 'basicHttpBinding' for the client-side, with a 'receiveTimeout' of 1 minute, 30 seconds could look like this (the important item to note being the 'receiveTimeout'):
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBindingConfig" receiveTimeout="00:1:30">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" />
</security>
</binding>
</basicHttpBinding>
</bindings>

MSMQ + WCF, IIS7 - Messages are being journaled, but never hitting the service

Standard set up I think. I've followed: http://blogs.msdn.com/b/tomholl/archive/2008/07/12/msmq-wcf-and-iis-getting-them-to-play-nice-part-1.aspx mainly, but used other sources as needed.
So far here is what happens:
Client sends a message
I see the message in the Journal Messages for the appropriate queue
Service never seems to be called. I have a ton of logging that would output logs on service called and / or errors in the service method.
I have shut down the service and the message still ends up in the Journal Messages - not sure why that is.
Queue: bretrace/bretraceservice.svc (anonymous access, with full permissions granted)
Client Web.config
<netMsmqBinding>
<binding name="MsmqBreTrace" receiveErrorHandling="Move">
<security mode="None" />
</binding>
</netMsmqBinding>
<endpoint address="net.msmq://wcfserver/private/bretrace/bretraceservice.svc" binding="netMsmqBinding"
bindingConfiguration="MsmqBreTrace" name="MsmqBreTraceService"
contract="C.BusinessRuleController.Services.BoschProxy.Trace.IQueuingTraceContract"/>
Service Web.config
<bindings>
<netMsmqBinding>
<binding name="MsmqBreTraceReader" receiveErrorHandling="Move">
<security mode="None" />
</binding>
</netMsmqBinding>
</bindings>
<services>
<service name="C.BusinessRuleController.Services.QR.BreTraceService">
<endpoint address=""
binding="netMsmqBinding" bindingConfiguration="MsmqBreTraceReader"
contract="C.BusinessRuleController.Services.BoschProxy.Trace.IQueuingTraceContract" />
</service>
</services>
I have also activated system.diagnostics, and it seems to be calling the service, under activity I see:
"Process Action: 'http://tempuri.org/IQueuingTraceContract/LogTrace'." I'm not sure if the tempuri.org is a problem or not?
"Execute C.BusinessRuleController..." as another activity.
Couple of things solved this problem for me:
First, I had to set security mode='transactional' in the bindings
<netMsmqBinding>
<binding name="MsmqBreTrace" receiveErrorHandling="Move">
<security mode="Transactional" />
</binding>
</netMsmqBinding>
Second, I had to installed MSMQ Active Directory Integration - I didn't have to actually enable it, but it had to be installed even when it wasn't used. This was what threw me the most, I didn't want AD Integration, so I figured I didn't need it. Turns out I was wrong.

protecting and signing messages in WCF

I'm a new member in this fantastic website and this is my first question here ..
I wish I can find the solution..
I'm building a website and I need to secure the communications between clients and the server.
I should Use WCF in the implementation.
My project's requirements :
use WCF
binding: ws2007HttpBinding
security: HTTPS
client: Sign
I should use HTTPS for securing the communications and I should make the client sign the message (it's important).
I install certificates in both server and Client But I don't knoe how to make the clients sign the message.
I can't use message security in the wcf because I need HTTPS. Anyone can help me to know what is the TransportWithMessageCredential do for signing and how to implement such a thing??
Here is part of the app.config of the server:
<bindings>
<ws2007HttpBinding>
<binding name="ServiceWS2007HttpBindingConfg">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" />
<message clientCredentialType="Certificate" negotiateServiceCredential="false" />
</security>
</binding>
</ws2007HttpBinding>
</bindings>
<services>
<service name="Service">
<endpoint address="https://MAHER-PC/EBPP/Service.svc" binding="ws2007HttpBinding"
bindingConfiguration="ServiceWS2007HttpBindingConfg" contract="IService" />
</service>
</services>
thanks....
Depends on what you're planning to sign.
A good place to start would be to have a look at setting the ProtectionLevel for your service in the service contract.
Information:
http://msdn.microsoft.com/en-gb/library/aa347692.aspx
How to:
http://msdn.microsoft.com/en-gb/library/aa347791.aspx

UsernameToken and SSL in WCF 4 web service

I am creating a web service that will be consumed by a single client in another part of the world. I don't have any knowledge or control over the technology they are using but have been asked to
"use SSL to encrypt the message during transport and use UsernameToken
for client authentication"
I'm planning to use WCF4 to create the service and know generally how to set this all up. However I'm struggling to find the correct configuration for bindings etc. Google gives me lots of results around WSE 3.0 but I'm pretty sure (please correct me if I'm wrong) that I shouldn't be using WSE for a WCF service.
This article initially seems to suggest I should be using a custom binding but then also says I should "consider using the WCF system-defined bindings with appropriate security settings instead of creating a custom binding". However I can't see any examples of what this should be.
I would be grateful if anyone can point me in the right direction.
tl;dr: What are the WCF4 config settings to support SSL and UsernameToken?
Take a look at the WsHttpBinding. You can use a security mode of TransportWithMessageCredential to use SSL and a message credential of UserName. If you are hosting in IIS set up SSL there.
You can set up the binding in config as follows.
<bindings>
<wsHttpBinding>
<binding name="secureBinding">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" proxyCredentialType="None" realm="" />
<message clientCredentialType="UserName" negotiateServiceCredential="false" establishSecurityContext="false" />
</security>
</binding>
</wsHttpBinding>
</bindings>
You can then use this binding config as follows
<services>
<service name="ServiceName">
<endpoint address="" binding="wsHttpBinding" contract="ContractType" bindingConfiguration="secureBinding" />
</service>
</services>
Both these elements are children of the system.serviceModel element in config.

WCF Error: Stream Security is required at http://www.w3.org/2005/08/addressing/anonymous, but no security context was negotiated

We have a windows service that we are trying to use as WCF host for a WPF application. It works fine in development but when we have tried to move to our production environment we have had nothing but problems. From reading posts from others, we figured out how to turn on WCF logging and this was a big help. It turned out that our security bindings on the service and the client did not match. We set them both to use windows security but still no luck now we are trying to set the security mode to 'None' but it still is not working. Here is the bindings section of our service config file:
<system.serviceModel>
<bindings>
<netTcpBinding>
<binding name="netTcp">
<security mode='None'>
</security>
</binding>
</netTcpBinding >
</bindings>
<services>
<service name="CompanyService">
<endpoint
address= "our.url.com/CompanyService"
binding="netTcpBinding"
contract="CompanyServices.ICompanyService" />
</service>
</services>
</system.serviceModel>
Here is the serviceModel section of our client app config:
<system.serviceModel>
<bindings>
<netTcpBinding>
<binding name="NetTcpBinding_Config" >
<security mode="None">
</security>
</binding>
</netTcpBinding>
</bindings>
<client>
<endpoint address="our.url.com/CompanyService" binding="netTcpBinding" bindingConfiguration="NetTcpBinding_Config" contract="CompanyServiceProxy.ICompanyService" name="NetTcpBinding_ICompanyService" />
</client>
</system.serviceModel>
If I need to supply additional infor please tell me what I need to supply.
Thanks
Standard net.tcp binding uses Windows credentials by default, and those really require client and service to be in the same Windows domain. Is this the case here??
OK, sorry, you mentioned security=None (your listings weren't properly formatted so I only saw a fraction of the actual config).
I guess your problem really lies in the addresses used:
address= "our.url.com/CompanyService"
When using net.tcp binding, you have to specify that before the address, so change this on both the client and the server to:
address= "net.tcp://our.url.com/CompanyService"
Also, what I don't quite understand is your title: it mentions "streaming" - have you specified streaming mode anywhere? In your config or your service contracts?
Marc