I'm trying to get WCF to use SSL with ANYTHING for FIVE DAYS now. I've gone through countless walkthroughs, generated more certificates than a mail order diploma company, even tried hot fixes. After working with MS dev tools since VB1, I am now considering flipping burgers as a career option. WCF, as far as I can see, is a complete lemon.
Anyway, to get to my actual question: If I run through this walkthrough:
http://msdn.microsoft.com/en-us/library/ff648840.aspx
I get to step 11 (adding the service reference) and get "There was an error downloading metadata from the address. Please verify that you have entered a valid address".
Details of the error gives: There was an error downloading 'https://localhost/SSL6/Service.svc'.
Unable to connect to the remote server
No connection could be made because the target machine actively refused it 127.0.0.1:443
I'm using VS2008 on Windows 7 with IIS7. I followed the walkthrough exactly (apart from step 5 which was different on IIS7- I went into "SSL Settings" for the VD), so it shows my config (yes I've used httpsGetEnabled and mexHttpsBinding).
Anyone care to save my sanity and job?
EDIT: If I go into IIS, select the VD in content view, right-click on the svc file and browse, I get "Internet Explorer cannot display the webpage". Chrome gives "Google Chrome could not connect to localhost".
IE troubleshooting gives "the remote device or resource won't accept the connection".
If I browse using the IP address rather than using localhost via http, it says that it's secured with https ok. If I browse using the IP and https, I get HTTP error 503. The service is unavailable.
So it looks to me like a DNS issue combined with... something.
When I try to just run the service site project, I get "Unable to start debugging on the web server. Unable to connect to the web server. Verify that the web server is running and that incoming HTTP requests are not blocked by a firewall". I've checked the firewall and it's ok.
Finally cracked it. There were at least three issues at play.
1) A DNS issue of some kind with localhost. It's still unresolved on my machine, but I can work around it by using the IP addy.
2) Another issue may have been that apparently, WCF doesn't work with IIS 7 OOTB. So you need to run command prompt as administrator, and run the following command -
"%windir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe" -r -y
3) After I got through the certificate stuff I was still getting HTTP error 503, "Service unavailable". That ended up being leftovers from my previous attempts, still listening to ports:
http://blogs.msdn.com/webtopics/archive/2010/02/17/a-not-so-common-root-cause-for-503-service-unavailable.aspx
So to get a hello world level service happening with WCF and SSL took me a whole week, and in my travels I discovered many pilgrims who had taken about the same amount of time. Microsoft: You have failed.
Are you using IIS or self hosting? If you're using IIS, it sounds like it's incorrectly configured, because it seems it's not accepting connections on port 443; I guess you're probably missing a protocol binding (https to port 443). There's a detailed discussion of setting up SSL on IIS7 here that might be useful.
Of course, you could easily verify this using the browser, you should be able to connect to the site using SSL from it.
When I have had this error occur, I have found it very useful to run the service from Visual Studio to get additional information. Right-click on the service, and then select Debug -> Start New Instance from the pop-up menu. VS will launch the service using the WcfTestClient.exe.
WcfTestClient will display all the services and endpoints in your service project. A healthy launch will list your services in the a panel on the left, and provide a Start Page tab in a panel on the right. What will happen in your case, however, is that you'll get a list of services in a panel on the top and an "Additional Information" box along the bottom. Your problem service(s) will have a Status of Error.
Click on a problem service in the upper panel, and the Additional Information box will fill with an error message and stack trace. The message will tell you exactly what that problem mex (metadata exchange) address is. That may be enough of a hint for you to solve the problem. If not, post the Additional Information here and I'll be happy to take a look at it.
Related
First of all let me describe my system.
I have a virtual server (Windows Server 2012 R2 with IIS 8.5) with two running systems.
One is for receiving Informations from Devices and the other one is for presenting and combining the users information with the device information.
The two systems are combined by a reference (via VS2012).
Problem:
If I have a look on my website for the system which gives me the user and device information in get an error, so I try to debug it on my own pc.
While debugging I want to access the service to display me all devices and it gives me:
System.ServiceModel.Security.MessageSecurityException
The HTTP request was forbidden with client authentication scheme 'Anonymous'.
I also have a WCF-Tracelog which shows me:
WCF-Tracelog
I'm now facing that problem for days and I was browsing stackoverflow a lot. I guess that it should be a problem with my certificates. At the moment I got a SSL-certificate (received from my university). I also "registered" it to a specified port and added the right bindings in my IIS (IIS 8.5). I am very new to WCF,IIS,SOAP and certificates but I guess my problem is the understanding of the certificates.
Question:
Which certificates do I have to create for my "Server-Website/Client"-System and which do I have to create for my own "Client" and where do I have to copy them (at the moment I'm familiar with the MMC => Snap-In)? And where do I need to keep my SSL-certificate located?
I hope someone faced the same Problem and can help me to fix this soon. Sorry for my bad english and if you need more information let me know!
EDIT:
I fixed my certificate-problem but now i receive 403.4 (SSL is required)
my problem solved, i have enabled "IP Address and Domain Restriction" and i added an "allow" option to this section, thus another ip got that error
I am trying to monitor https traffic with Fiddler, using current newest version:2.4.4.5
I've successfully set up https, certificates and I can see the full https encrypted traffic for example browsing my bank's web site.
...however...
When I trying to monitor an other server I got this error message in the response window:
"Failed to secure existing connection for 77.87.178.160. A call to SSPI failed, see inner exception. InnerException: System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm"
For full Fiddler window see:
The client is not a in this case browser, but a custom client program, which communicates with its own server.
My question: Is this exception misleading and in reality some other error prevents the secure channel to set up?
...or...
We have still chance to monitor this https communication?
Thx in advance
What is the client program?
This error typically indicates that that client application is only offering certain HTTPS ciphers, and those ciphers are not supported by Fiddler.
However, in this case, the specific problem here is almost certainly this: http://blogs.msdn.com/b/ieinternals/archive/2009/12/08/aes-is-not-a-valid-cipher-for-sslv3.aspx
The client is trying to use AES with SSLv3, but that isn't one of the valid ciphers for SSL3. As a consequence, the connection fails.
You might be able to workaround this by clicking Rules > Customize Rules. Scroll down to the Main() function and add the following line within the function:
CONFIG.oAcceptedServerHTTPSProtocols =
System.Security.Authentication.SslProtocols.Ssl3;
Please let me know if this works.
NOTE Current versions of Fiddler offer a UI link for this: Look at the lis of enabled protocols on the HTTPS tab.
Unbelievably this issue is still present some 6 years later.
Just installed the latest version of Fiddle (v5.0.20194.41348), and sure enough on Win7 using Chrome or IE it keeps failing with the dreaded error:
"fiddler.network.https> HTTPS handshake to google.com (for #1) failed. System.ComponentModel.Win32Exception The client and server cannot communicate, because they do not possess a common algorithm"
After some hours of testing, I found a middle ground solution which seems to work with virtually all websites. The aim was to get the highest possible security with no errors in the log. Without needing to add any code, simply changing this line under Tools > Options > HTTPS > Protocols is what worked for me (just copy and paste it):
<client>;ssl3;tls1.1;tls1.2
Basically removed the ssl2 and tls1.0 protocols which leaves us with some pretty decent security and no errors so far. Having spent hours of frustration with this error, hope someone out there might find this useful, and a big thanks to EricLaw who discovered the root of the problem.
Yes I too have seen this error when working outside of fiddler and it was connected with AuthenticateAsServer but only went wrong when using IE10 and not Chrome as the browser.
Odd thing is that it did not break all the time for IE10 using SslProtocols.Tls for the protocol so I will add a bit of code to switch the protocol if one fails
The protocol that can be used also seems to change on if you are using a proxy server like Fiddler or using an invisible server by hijacking the DNS via the hosts file to divert traffic to the server
I'm about a month away developing my silverlight application (this is my first). Everything went rather smoothly until today, when out of the blue I started getting this message:
An error occurred while trying to make a request to URI 'http://localhost:2682/Services/Authentication/LoginService.svc'. This could be due to attempting to access a service in a cross-domain way without a proper cross-domain policy in place, or a policy that is unsuitable for SOAP services. You may need to contact the owner of the service to publish a cross-domain policy file and to ensure it allows SOAP-related HTTP headers to be sent. This error may also be caused by using internal types in the web service proxy without using the InternalsVisibleToAttribute attribute. Please see the inner exception for more details.
I'm using WCF Services and this issue never appeared until now.
I've added a clientdomain.xml and clientaccesspolicy.xml file to my [projectname].web folder, and re-wrote them about a 1000 different ways.
I've also used Fiddler and it shows me that the error is on both those files, the error is
[Fiddler] The socket connection to localhost failed. ErrorCode: 10061. No connection could be made because the target machine actively refused it 127.0.0.1:2682
I've searched the error "10061" and it has to do with socket definition. But I couldn't find any solution to that.
Don't know if it has anything to do with it, but my "ASP.net Development Server" port is 6939.
Keep in mind that the app has NOT been deployed, so this is only happening locally. I'm using MS VS 2010 and MS SQL Server 2008.
Am I doing anything wrong or is this a silverlight issue??
On a last note, I haven't changed anything on Port, socket or service configuration. Last thing I was doing was editing a XAML file on client side and and the app started throwing me this error.
Need help, can't do anything until this is solved!!!!
Thanks.
i think you are using you app on localhost and a dynamic port is getting assigned and this port is not fixed and every run and that causes the refuse problem. if you want to fix this, create a solid url for example,
http://localhost/apps/Services/Authentication/LoginService.svc
Well, last night, just before I went to bed, I noticed something odd. In my "ServiceReferences.ClientConfig" file, the endpoint ports for each one of my services where diferent from the ones the silverlight machine used, so going on a hunch (and because I was reaching my sanity breakpoint) I decided to eliminate all my Service References and re-add them again.
I worked... go figure. Still don't know why this happened and if anyone could shed some light on the subject, I would appreciate it. It's kinda of annoying having to re-add all my services references. Right now I have only 6 of them, but in the near future they may go over 20, and if this happens again... well, it's going to be a real pain...
Thanks
to make long story as short as possible, I made a duplex WCF service, using wsdualhttpbinding, tested it on my local machine using Visual Stuido and using IIS7, thigs are working fine (i had to use windows authentication on IIS7 to make it work thu). Any way, I published the duplex service on my company network (LAN network, windows domain, IIS 6) which i used to for many WCF services (basic and ws http bindings and worked fine) and the problem is I can not get the service to work, I tried all possible configurations to the app.config and to the web.config files, still i can not make it work.. The problem is when the client start calling the duplex service It hangs and no error message or whatsoever, and after few minutes it gives me a timeout error.. there is no error at server side ( i have checked the even viewer). There is not error about port 80 or access privileges. Is there anything i am missing? anything i should take care of and i forgot? i have been awake for 20 hours trying to find a solution because i have a time line to follow or my boss will Dispose() Me..
i have tried the following:
1- I set the IsOneWay = true..
2- I run the program as admin.
3- I i set the base address to another port.. same result..
4- I used windows auth, none... same result..
5- i have tried another machine to test the client.. same result.. it hangs with no reponse.
6- I also tried running the client on windows vista, 7 and xp... same result..
7- I have played with all kind of configurations in config files and i made sure its the same on both files (app.config and web.config)..
8- I have added a static constructor in the service side to see if the service was ever reached by the client, i added few lines to add a value in the db.. and nothing was written to db.. so it was never reached..
9- Yes, when i access the service SVC page i see the page and it worked fine.. I could access the metadata as well..
10- restarting the server, restarting IIS server, Recycling AppPool...etc..
I tried all of that and many other solutions and tricks.. same result when the app is on IIS.. the strange thing is, there is no error at server side.. and i only get TimeOut error (if i get it).. While If i tried the service on the IIS installed locally it works fine.. change the config file to point to the company IIS server,,, no luck!
Is there anything i am missing??? could be something simple but i just missed it..
I have a website running 2 WCF services. Working awesome until I needed to move them from the "Default Web Site" in IIS7 to a dedicated website with a new IP address. Now I get the error message:
"...could not be loaded because more than one endpoint configuration for that contract was found. Please indicate the preferred endpoint configuration section by name"
ALL I did was change:
net.tcp://localhost/...
TO:
net.tcp://10.1.2.204/...
I have changed every spot in my configs which once used localhost to specified IP address. The new website is setup exactly the same with the proper net.tcp bindings and it is bound to the single IP address of 10.1.2.204.
I cannot seem to figure out what is going on. I am looking at the svc trace logs and all I get is a bunch of the same.
My new website is called "core" whereas previously I was hosting on "Default Web Site". I added a new FQDN/public IP to route to this new site (backwards to the mentioned private IP address). Now my services are busted.
I know baseAddress is ignored when using IIS/WAS hosting, so I am not sure what else to check. I changed absolutely nothing else in the configs.
What else can I provide to help troubleshoot this?
--
I am also seeing this in the service trace viewer:
Activity Name Receive bytes on connection 'Listen at 'net.tcp://hole.myserver.com/...'.'.
...but the WCF services are actually hosted on that new "core" website which translates to my new private IP address. I have change FQDN names for the example. To make it clear:
I used to have 1 FQDN on this server using Default Web Site.
I now added a 2nd FQDN to this server, new website, second IP. It seems to me that the listening should be directed towards: net.tcp://core.myserver.com instead of net.tcp://hole.myserver.com. Let's pretend the server name is hole.myserver.com and my new website is core.myserver.com on the same server.
Hopefully this is not confusing and you can make sense of it.
I'm using the default net.tcp port of 808 and binding of 808:*
--
This is the first exception thrown that I can tell:
The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:00:10'.
--
None of these combos will activate the service and all produce the same exception:
net.tcp://localhost
net.tcp://localhost:808
net.tcp://10.1.2.204
net.tcp://10.1.2.204:808
even using a different port which I have done before without issue:
net.tcp://localhost:75
net.tcp://10.1.2.204:75
none of these work. :(
Thanks so much!
Its rights issue. Right click on your new website --> then Edit Permissions. On properties window click security tab and Edit button. Then Add IIS_IUSRS and give Read & Execute, List folder contents, Read permissions. Now iisreset and start to host and connect net tcp on new website.