We are wanting to implement Two-Way SSL security from WCF to OSB Services. We have successfully deployed the certificates so that when you browse to the service with IE you get the appropriate prompt for certificate and then it takes you immediately to the WSDL.
But, when you attempt to generate a proxy using svcutil as defined in steps 8 and 9 in this MSDN article.
http://msdn.microsoft.com/en-us/library/cc949005.aspx
I get the error:
A reply message was received for
operation 'Get' with action
'http://schemas.xmlsoap.org/ws/2004/09/transfer/Get'.
However, your client code requires
action
'http://schemas.xmlsoap.org/ws/2004/09/transfer/GetResponse'.
The OSB services are set to use Soap 1.2 and the svcutil.exe.config we use is identicle to the article except for the findValue and x509FindType. Instead we used the FindByThumbprint pointing to the "My" store name and "CurrentUser" store location. The cert is there and is the same cert we select from the IE prompt.
You can save WSDL from IE on your computer and generate proxies from wsdl
Related
How does WCF client generates target Service's SPN dynamically to get the kerberos ticket in Spnego Use case?
For example, if the target service is running under domain machine account, SPN associated with the Service would be in the form 'host/machinename'.
If we try to call the service using wcf client, wcf client is able to get the ticket for host/machinename. I initially thought that wcf client might be using hardcoded string host/+domainname by default.
But If I change the target service to run under domain user and associate SPN named "http/machinename" with the domain user, wcf client is still able to generate the ticket for this service successfully.
How does WCF client decides whether to use prefix 'host/' or 'http/' in these scenarios.
I know that there is a way to add custom spn on the client side under endpoint element but I'm interested to know how it works by default.
The default is host/myhostname for Windows credential type. This is also the expected SPN while running the WCF service with a machine account.
Note that the WSDL will include the Identity (e.g. SPN), so the WCF client can use that information while connecting. Check the WCF Test Client Config file to see what is actually generated.
What I would like to do is have a wcf service be anonymous accessible using a https url.
I have created a WCF in a .net 4.0. Deployed the wcf on a server that is set up to use HTTPS. The server's IIS is set to allow anonymous calls. I can access the WCF's Service.svc's website url and the Service.svc page comes up with no issues. When I click on the wsdl url link on the Service.svc, I get back either a HTTP 404 error or HTTP 401 error. The wcf's wsdl virtual directory, (I am guessing), won't allow me to get to the wsdl file.
I have set the serviceMetadata's property httpsGetEnabled to true.
wsHttpBinding's security to transport and the clientCredentialType is set to none.
basicHttpBinding's security to transport and the clientCredentialType is set to none.
Is it absolutely certain, I need to create a certificate? Because when I use VS2010 in another project and add the WCF as a Service Reference, a pop-up certificate dialog box appears and I click okay and it continues onward. But it stops when the project can't grab the wsdl flie.
How can I get to the service.svc's wsdl?
Thanks.
If you browse to the deployed service endpoint, you'll see a screen that has a link to generating the WSDL. You do need a certificate for SSL -- just create a self-signed one (it's pretty easy). Don't forget to set up your https bindings too for your site in IIS.
i have a wcf rest service hosted on iis which is ssl enabled. i have both a console application and a browser as client. Is it possible to implement ssl on the console app? is possible, any idea or links to related resources will be greatly helpful.
If you want to use mutual SSL with a REST service from your console application, you can use the WebChannelFactory class.
http://msdn.microsoft.com/en-us/library/bb908674.aspx
The client certificate is set using the WebChannelFactory.Credentials property. The advantage of this approach is that you can set the certificate in connnnfiguration so you can change it later without recompiling.
Alternatively, you can use the HttpWebRequest class and its ClientCertificates property.
I have a Self-Hosted (Console App) WCF REST service with the following binding:
WebMessageEncodingBindingElement
HttpsTransportBindingElement (ManualAddressing=true, KeepAliveEnabled=true, AllowCookies=false, HostNameComparisonMode=Exact)
This is exposed over an HTTPS URL ("https://mylaptop/myendpoint")
I have a self-signed certificate issued to "mylaptop" that I assign using myServiceHost.Credentials.ServiceCertificate.SetCertificate. The certificate is added successfully, and the ServiceHost opens successfully (no exceptions). If I type "netsh http show servicestate", I can see that there's a successful registration at https://mylaptop/myendpoint with HTTP.SYS
However, when I issue a GET to the endpoint, it doesn't work. It seems like the socket is dropped even before a valid HTTP response is obtained. (FireFox says "connection to the server was reset", IE says "cannot display the webpage", and if I do the request through Fiddler it says "connection was forcibly closed by the remote host").
Everything works fine when I use HTTP instead of HTTPS.
Any idea what could be going wrong in the HTTPS case?
You probably need to use httpcfg.exe to reserve your endpoint with HTTP.SYS correctly with a configured X.509 certificate for SSL. The steps to get it done are documented here.
Or use HttpCfgGui- a much friendlier interface to setting up the server certs w/ HTTP.SYS. This is a must-install on all my servers that do HTTP w/ WCF.
Caution, WCF noobie alert
I need to create a WCF client to query a non-WCF web service.
The web service is not a WCF service. Additionally, the web service requires a client authentication certificate. Now, I have the certificate, and can create a non-WCF client that works perfectly; I was able to 'Add Web Reference' and a certificate dialog box opened up to allow me to select the appropriate certificate, then went on to create the web reference. Trying to create a WCF client via 'Add Service Reference' is another story, it just fails with a 403 Access Denied error.
I have the WSDL for the service, and have run svcutil.exe on it, but am not sure how to proceed from there.
Thanks for any help!
I'm assuming that the service you are using is performing client SSL authentication.
Since add service reference is failing, you can use svcutil to generate the client from the WSDL file that you have. I think the syntax would be something like:
svcutil *.wsdl /l:C# /out:Reference.cs /config /s /ct:System.Collections.Generic.List`1 /ser:Auto /tcv:Version35 /n:*,<NameOfYourNamespaceHere> /edb
This will generate a file, Reference.cs, that contains the proxy classes to the service (you can give this file whatever name you want). Add this file to your project. A config file, output.config, will also be generated. You can add this configuration to your application configuration instead of typing it all in by hand.
Now you can follow this MSDN article on using Transport Security with Certificate Authentication. You can skip down to the client section where it shows how to attach the certificate to the request in code as well as in configuration.
I know this is the old question and it has been already solved but I would like to mention that Add service reference also works for WSDL files stored on disk. Marc has also mentioned it. Add service reference dialog accepts:
URL to WSDL
URL to Metadata exchange endpoint
Service URL where /mex is added internally
Any file path to WSDL file
So if you have WSDL and all need XSD files you can use Add service reference as well. The only tricky part is that Add service reference dialog doesn't have Browse button and that is the reason why this functionality is not well known.
Stupid question (maybe): could you connect to the service endpoint, present it with your credentials stored in the certificate, and then download the WSDL (and possibly XSD) from there? Or could it be the entity offering this service would be able to actually send you these files (or make them available for download)?
Once you have the WSDL (and XSD) file on disk, it should be easy enough to create WCF client for that (using either svcutil.exe or Add Service Reference) based on those files, and then configure the appropriate security for it.
Just a thought.... (worth $0.02?)
Marc
OK, bit of a work-around here (and I've no idea what is going on technically): I noticed that when you add a Web Reference, the certificate you have chosen is cached and automatically used the next time you add the Web Reference (I noticed because I'd chosen the wrong certificate). This caching seems to work across Web Reference and Service Reference so:
Add a Web Reference to the endpoint, choosing the certificate you wish to use
Remove this Web Reference
Add a Service Reference to the same endpoint and Visual Studio will use the same certificate you chose for the Web Reference
Worked on Visual Studio Community 2019, v16.7.7