WCF and Kerberos Authentication - wcf

I have followed numerous msdn articles and the codeplex guidance but cannot get WCF to work with Kerberos authentication and delegation and would appreciate a little help.
Setup
I have the WCF service in an IIS website on a remote machine
IIS 6.0 on Windows 2003 R2 - SP 2
The SPN for the machine has been added (http/myserver && http/myserver:8080)
An AD account has been created for the IIS app pool
The AD account has the setting, allow delegation (for Kerberos), set to true
I am using Brian Booth's debug site on 8080 and the site passes all requirements for Kerberos delegation. The debug IIS site has anonymous authentication off, and Integrated Windows authentication on.
I have mirrored these settings to the site hosting the WCF service.
Web Service - Web Config (Original)
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="WsHttpBindingConfig">
        <security>
          <message negotiateServiceCredential="true" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <service behaviorConfiguration="ServiceBehavior" name="Service">
      <endpoint address=""
                binding="wsHttpBinding"
                bindingConfiguration="WsHttpBindingConfig"
                contract="IService">
        <identity>
          <servicePrincipalName value="http/myserver" />
          <dns value="" />
        </identity>
      </endpoint>
      <endpoint address="mex"
                binding="mexHttpBinding"
                contract="IMetadataExchange" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="ServiceBehavior">
        <serviceMetadata httpGetEnabled="true"/>
        <serviceDebug includeExceptionDetailInFaults="true"/>
        <serviceAuthorization
            impersonateCallerForAllOperations="true" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
Web Service - Web Method
[OperationBehavior(Impersonation = ImpersonationOption.Required)]
public string GetCurrentUserName()
{
    string name = WindowsIdentity.GetCurrent().Name;
    return name;
}
Client App - App Config
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="WSHttpBinding_IService"
               ... />
        ...
        <security mode="Message">
          <transport clientCredentialType="Windows"
                     proxyCredentialType="None"
                     realm="" />
          <message clientCredentialType="Windows"
                   negotiateServiceCredential="true"
                   algorithmSuite="Default"
                   establishSecurityContext="true" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <endpoint address="http://myserver/Service.svc"
              binding="wsHttpBinding"
              bindingConfiguration="WSHttpBinding_IService"
              contract="KerberosService.IService"
              name="WSHttpBinding_IService">
      <identity>
        <servicePrincipalName value="http/myserver" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
Application Error
The following error occurs when my test application, a WinForms app, tries to call the web method:
"The HTTP request is unauthorized with
client authentication scheme
'Anonymous'. The authentication header
received from the server was
'Negotiate,NTLM'."
Event Log
The following error is in the event log:
Exception:
System.ServiceModel.ServiceActivationException:
The service '/Service.svc' cannot be
activated due to an exception during
compilation. The exception message
is: Security settings for this service
require 'Anonymous' Authentication but
it is not enabled for the IIS
application that hosts this service.
Which I don't understand. The whole point of this service is to not allow anonymous authentication, every user/request must be authenticated using Kerberos tickets, then passing them through to other machines.
How should I configure this WCF service for Kerberos authentication and delegation?
Revision 1
After reading this SO question I removed the metadata endpoint. This has not resolved the issue.
Revision 2
After more researching I found a few posts suggesting to change wsHttpBinding to basicHttpBinding. The modification to that portion of the web.config has been included below, and the service endpoint has been updated to refer to that binding.
Web Service - Web Config (Revised)
<basicHttpBinding>
  <binding name="basicBindingConfig">
    <security mode="TransportCredentialOnly">
      <transport clientCredentialType="Windows"
                 proxyCredentialType="Windows"
                 realm="" />
    </security>
  </binding>
</basicHttpBinding>
Client App - App Config (Revised)
<!-- ... -->
<security mode="TransportCredentialOnly">
  <transport clientCredentialType="Windows"
             proxyCredentialType="Windows"
             realm="" />
  <message clientCredentialType="UserName"
           algorithmSuite="Default" />
</security>
<!-- ... -->
Error (Revised)
The current error looks like it contains a Kerberos authentication header.
The HTTP request is unauthorized with
client authentication scheme
'Negotiate'. The authentication header
received from the server was
'Negotiate SOMEHUGESCARYKEYHERE

For me the current setup does work:
On the Server:
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="wsHttpBindingConf" useDefaultWebProxy="true"/>
    </wsHttpBinding>
  </bindings>
  <services>
    <service behaviorConfiguration="returnFaults" name="Epze.BusinessLayer.ZeitManager">
      <endpoint binding="wsHttpBinding" bindingConfiguration="wsHttpBindingConf" contract="Epze.Contract.IZeitManager"/>
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="returnFaults">
        <serviceMetadata httpGetEnabled="true"/>
        <serviceDebug includeExceptionDetailInFaults="true"/>
        <serviceAuthorization impersonateCallerForAllOperations="true"/>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
Set the following attribute on all methods for the WCF:
[OperationBehavior(Impersonation = ImpersonationOption.Required)]
On the Client:
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="WSHttpBinding_IZeitManager" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384"/>
        <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false"/>
        <security mode="Message">
          <transport clientCredentialType="Windows" proxyCredentialType="None" realm=""/>
          <message clientCredentialType="Windows" negotiateServiceCredential="true" algorithmSuite="Default" establishSecurityContext="true"/>
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <endpointBehaviors>
      <behavior name="Delegation">
        <clientCredentials>
          <windows allowedImpersonationLevel="Delegation" />
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <client>
    <endpoint address="http://server.mydomain.net/ePZEsvc/ZeitManager.svc" binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IZeitManager"
              contract="External.Epze.IZeitManager" name="WSHttpBinding_IZeitManager" behaviorConfiguration="Delegation">
      <identity>
        <servicePrincipalName value="HOST/localhost"/>
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
HTH, Sven

Something that I notice: the client and server config don't seem to agree on security mode.
In the original section, you have <security>..... in the web.config (omitted the mode="message"), and <security mode="Message"> on the client side.
After your edit, it seems that the client side is unchanged, but the server (web.config) now contains <security mode="TransportCredentialOnly">.
The question really is: can you guarantee that there's only ever going to be one network leg between the client and the server being called? I.e. is this behind a corporate firewall? In that case, I would recommend netTcp binding with <security mode="Transport"> on both ends.
If that's not the case, then you're ok with either wsHttpBinding (which supports more security and reliability features, but is slower and "heavier") or basicHttpBinding. In that case, you would have to use <security mode="Message"> on both ends, and authenticate the service with a certificate (so that the service and client have a common "secret" which to use for encryption).
I would try to leave the impersonation parts out at the beginning and just get the basic communication and mutual authentication between service and client up and running first - once that's in place, you can start adding the impersonation bits to it, and you can always fall back on a known configuration which works.
David Sackstein has a great series of blog posts explaining the five security scenarios that industry guru Juval Lowy has identified (in his Programming WCF book - the WCF Bible) as the most common and most useful - in order to limit the number of possible combinations of parameters you might want to tweak. One of them is an "Internet" scenario which would probably apply here, if your service is outward facing.
Marc

You need to specify a behaviorConfiguration in your client config. SVCUtil does not auto generate. This resolved my issue and I am now successfully using Kerberos. It was a mission though!
<client>
  <endpoint address="..."
            binding="customBinding" bindingConfiguration="..."
            contract="..." name="..." behaviorConfiguration="ImpersonationBehavior" />
</client>
<behaviors>
  <endpointBehaviors>
    <behavior name="ImpersonationBehavior">
      <clientCredentials>
        <windows allowedImpersonationLevel="Impersonation"/>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>

You should try your initial configuration and make sure to set IIS to allow anonymous and Windows authentication at the same time. The reason is that when you are using wsHttpBinding, the default security is message security and there is no transport security defined unless you want to do HTTPS. So the CLR states that it needs anonymous authentication turned on in IIS.
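The two points raised in the answers above (client and server must agree on the binding's security mode, and the mode decides which IIS authentication scheme the service demands) can be checked mechanically. The following is an added example, not code from the original posts: the function names are hypothetical, the sample configs are constructed from the question's snippets, and only wsHttpBinding and basicHttpBinding are modelled.

```python
import xml.etree.ElementTree as ET

# WCF defaults that apply when <security> or its attributes are omitted.
DEFAULT_MODE = {"wsHttpBinding": "Message", "basicHttpBinding": "None"}
DEFAULT_TRANSPORT_CRED = {"wsHttpBinding": "Windows", "basicHttpBinding": "None"}
TRANSPORT_MODES = ("Transport", "TransportCredentialOnly")

def app_endpoint(config_xml, section):
    """Resolve the first non-mex endpoint under <services> or <client>."""
    root = ET.fromstring(config_xml)
    for ep in root.find(".//" + section).iter("endpoint"):
        if ep.get("contract") == "IMetadataExchange":
            continue
        btype, bname = ep.get("binding"), ep.get("bindingConfiguration")
        mode, cred = DEFAULT_MODE[btype], DEFAULT_TRANSPORT_CRED[btype]
        for group in root.iter(btype):
            for b in group.findall("binding"):
                sec = b.find("security")
                if b.get("name") == bname and sec is not None:
                    mode = sec.get("mode", mode)
                    transport = sec.find("transport")
                    if transport is not None:
                        cred = transport.get("clientCredentialType", cred)
        # Only transport-level modes authenticate at the HTTP layer; in
        # Message mode the credential travels inside the SOAP message, so
        # the HTTP host has to admit the request anonymously.
        http_auth = cred if mode in TRANSPORT_MODES and cred != "None" else "Anonymous"
        return {"binding": btype, "mode": mode, "http_auth": http_auth}
    raise ValueError("no application endpoint in <%s>" % section)

def compare(server_xml, client_xml):
    """Return (mismatches, HTTP auth scheme the server binding requires)."""
    s = app_endpoint(server_xml, "services")
    c = app_endpoint(client_xml, "client")
    problems = ["%s: server=%s client=%s" % (k, s[k], c[k])
                for k in ("binding", "mode", "http_auth") if s[k] != c[k]]
    return problems, s["http_auth"]

# Constructed samples, reduced from the configs in the question.
SERVER_ORIGINAL = """<system.serviceModel>
  <bindings><wsHttpBinding><binding name="WsHttpBindingConfig">
    <security><message negotiateServiceCredential="true" /></security>
  </binding></wsHttpBinding></bindings>
  <services><service name="Service">
    <endpoint address="" binding="wsHttpBinding"
              bindingConfiguration="WsHttpBindingConfig" contract="IService" />
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
  </service></services>
</system.serviceModel>"""

SERVER_REVISED = """<system.serviceModel>
  <bindings><basicHttpBinding><binding name="basicBindingConfig">
    <security mode="TransportCredentialOnly">
      <transport clientCredentialType="Windows" proxyCredentialType="Windows" realm="" />
    </security>
  </binding></basicHttpBinding></bindings>
  <services><service name="Service">
    <endpoint address="" binding="basicHttpBinding"
              bindingConfiguration="basicBindingConfig" contract="IService" />
  </service></services>
</system.serviceModel>"""

CLIENT_ORIGINAL = """<system.serviceModel>
  <bindings><wsHttpBinding><binding name="WSHttpBinding_IService">
    <security mode="Message">
      <transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
      <message clientCredentialType="Windows" negotiateServiceCredential="true" />
    </security>
  </binding></wsHttpBinding></bindings>
  <client>
    <endpoint address="http://myserver/Service.svc" binding="wsHttpBinding"
              bindingConfiguration="WSHttpBinding_IService"
              contract="KerberosService.IService" />
  </client>
</system.serviceModel>"""

if __name__ == "__main__":
    for label, server in (("original", SERVER_ORIGINAL), ("revised", SERVER_REVISED)):
        print(label, compare(server, CLIENT_ORIGINAL))
```

The original server config resolves to Message mode and therefore to "Anonymous" at the HTTP layer, which is the requirement named in the event-log error when IIS has anonymous access switched off.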

Related

Configure a WCF service with 2 endpoints with different binding configurations

I created a WCF service with WsHttpBinding, with 2 binding configurations (this is the requirement for 2 different client). One client wanted the service to have Message security mode with clientCredential as "Windows" and the other client wanted the service to have Transport security mode with ClientCredentialType as "Certificate". I am able to browse my Client2 service but unable to browse my client1.
Here is my web.config with 2 bindings:
<system.serviceModel>
<services>
<service name="TestService.TestService" behaviorConfiguration="mexBehavior">
<endpoint address="Client1" binding="wsHttpBinding" contract="TestService.ITestService" bindingConfiguration="TestService_Client1_ITestService" >
<identity>
<dns value="" />
</identity>
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
<endpoint address="Client2" binding="wsHttpBinding" contract="TestService.ITestService" bindingConfiguration="TestService_Client2_ITestService" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="mexBehavior">
<useRequestHeadersForMetadataAddress />
<serviceMetadata httpsGetEnabled="true" httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="TestService_Client1_ITestService">
<security mode="Message">
<transport clientCredentialType="Windows" proxyCredentialType="None"
realm="" />
<message clientCredentialType="Windows" negotiateServiceCredential="true"
algorithmSuite="Default" />
</security>
</binding>
<binding name="TestService_Client2_ITestService">
<security mode="Transport">
<!--<transport clientCredentialType="None" />-->
<transport clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
Below are the settings I did in IIS:
1) Created a new website "TestService"
2) In Bindings:
a) added https with port: 444 and selected the appropriate certificate
b) added http with port: 90
3) In IIS TestService Feature View-->SSL Settings-->Require SSL (enabled), Accept and apply
4) Authentications-->Forms Authentication, Windows, Anonymous Enabled
Please suggest what changes I should make to the config or IIS so that I have both the end points working...
Also, I named my endpoints as Client1 and Client2 assuming I should be able to browse them as
a) http://localhost:90/TestService.svc/Client1
b) https://localhost:444/TestService.svc/Client2
Currently, I am able to browse my service (client2) with
https://localhost:444/TestService.svc/
If I add Client2 at the end, it is not working. I am not sure if my endpoint address names are even working or not.
Thanks
After doing some research, I got both the end points to work.. In the IIS steps,
3) In IIS TestService Feature View-->SSL Settings-->Uncheck Require SSL (UnCheck this), but check (Accept) and Select Apply
This did the trick for me and I was able to get it work for both the end points.
Also, in my question I had a misunderstanding of being able to browse both the endpoints:
a) http://localhost:90/TestService.svc/Client1
b) https://localhost:444/TestService.svc/Client2
In reality, we will not be able to browse them; this notation is useful while creating the client, which can be instantiated either with the Endpoint Name or based on Endpoint configuration

SSL, WCF service hosted on internal domain, consuming app resides in DMZ

Background info:
I have some WCF services that are hosted on an internal server on a specific port. A hole was "punched" in the firewall to make the services on this port accessible from the DMZ. The consuming web app is hosted in the DMZ.
The internal server DOES NOT have an SSL cert.
The DMZ server DOES have an SSL cert.
The problem:
From all that I have read about WCF, my understanding is that I need an SSL cert on the server that hosts the WCF services. Is this correct?
At this time I have been told that we don't know when the internal server will have an SSL cert installed and that I need to come up with a Plan B.
I started looking into going back to ASMX/WSE and it looks like that is going to be a problem since WSE is no longer supported, it does not integrate with VS2008 and it is not compatible with x64 machines.
[rock]Me[hardplace]
The data will contain PII, so I'm quite concerned about security...even if others are less concerned.
Are there any options I've overlooked? Have I misunderstood WCF security?
Advice?
This post seems somewhat similar.
UPDATE
Thanks to mikey's answer and comments I made some changes to my configuration. It took some trial and error and additional Googling...but it seems to be working now (I haven't performed any extensive testing yet). However, I don't know if this is sufficiently secure...
Adding my solution to the original post so I can mark mikey's answer as the answer.
My changes
Services:
<behaviors>
<serviceBehaviors>
<behavior name="serviceBehavior">
<dataContractSerializer maxItemsInObjectGraph="6553600" />
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpsGetEnabled="false" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="customBinding">
<reliableSession enabled="true" />
<security mode="None" />
</binding>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="serviceBehavior" name="MyApp.WcfServices.MyService">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="customBinding" contract="MyApp.WcfServices.IMyService">
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
Web App:
<bindings>
<wsHttpBinding>
<binding name="customBinding" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="1048576" maxReceivedMessageSize="1048576"
messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="true" />
<security mode="None">
<transport clientCredentialType="None" />
<message clientCredentialType="None" negotiateServiceCredential="false" establishSecurityContext="false" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://[Ip Address]:8943/MyAppWcfServices/Hosts/MyService.svc"
binding="wsHttpBinding" bindingConfiguration="customBinding"
contract="MyService.IMyService" name="customBinding" behaviorConfiguration="clientBehavior">
</endpoint>
</client>
Here are some options:
You don't need SSL for WCF. You can set security to "None" http://msdn.microsoft.com/en-us/library/ms731172.aspx or http://social.msdn.microsoft.com/forums/en-US/wcf/thread/271b1816-173c-4c76-a4c4-fd9fda4b5e91/ -- then you won't need an SSL cert. Since the traffic is only going between your web server and your app/wcf server the only folks who will be able to sniff it should be internal folks... At some point you have to trust your network is working as intended. I often use only HTTP (not SSL) for web services between app and web servers on the same network especially when speed is an issue.
Use a self-signed certificate on the app server. Ensure that the web server in the DMZ is configured to trust the certificate (and/or its CA) and you should be good to go.
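The service config in this thread carries comments about metadata and exception-detail disclosure and runs its endpoint with security mode "None"; those settings can be listed automatically before deployment. This is an added example, not code from the original posts: the function name and finding labels are hypothetical, and the sample config is constructed from the "Services" snippet above.

```python
import xml.etree.ElementTree as ET

def audit_service_config(config_xml):
    """List endpoints and behaviors that send data or details unprotected."""
    root = ET.fromstring(config_xml)
    findings = []

    # Named binding configurations whose effective security mode is "None".
    unsecured = set()
    for group in root.findall(".//bindings/*"):
        for b in group.findall("binding"):
            sec = b.find("security")
            mode = sec.get("mode") if sec is not None else None
            if mode is None and group.tag == "basicHttpBinding":
                mode = "None"  # basicHttpBinding defaults to no security
            if mode == "None":
                unsecured.add((group.tag, b.get("name")))

    for svc in root.iter("service"):
        for ep in svc.findall("endpoint"):
            key = (ep.get("binding"), ep.get("bindingConfiguration"))
            if ep.get("contract") == "IMetadataExchange":
                findings.append(("metadata-endpoint", svc.get("name"), ep.get("address")))
            elif key in unsecured:
                findings.append(("no-security", svc.get("name"), "%s/%s" % key))

    for beh in root.findall(".//serviceBehaviors/behavior"):
        dbg = beh.find("serviceDebug")
        if dbg is not None and dbg.get("includeExceptionDetailInFaults", "false").lower() == "true":
            findings.append(("exception-detail", beh.get("name"), "includeExceptionDetailInFaults"))
        md = beh.find("serviceMetadata")
        for attr in ("httpGetEnabled", "httpsGetEnabled"):
            if md is not None and md.get(attr, "false").lower() == "true":
                findings.append(("metadata-get", beh.get("name"), attr))
    return findings

# Constructed sample, wrapped in a root element so it parses stand-alone.
SERVICE_CONFIG = """<system.serviceModel>
  <behaviors><serviceBehaviors>
    <behavior name="serviceBehavior">
      <serviceMetadata httpsGetEnabled="false" />
      <serviceDebug includeExceptionDetailInFaults="false" />
    </behavior>
  </serviceBehaviors></behaviors>
  <bindings><wsHttpBinding>
    <binding name="customBinding">
      <reliableSession enabled="true" />
      <security mode="None" />
    </binding>
  </wsHttpBinding></bindings>
  <services>
    <service behaviorConfiguration="serviceBehavior" name="MyApp.WcfServices.MyService">
      <endpoint address="" binding="wsHttpBinding" bindingConfiguration="customBinding"
                contract="MyApp.WcfServices.IMyService" />
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
</system.serviceModel>"""

if __name__ == "__main__":
    for finding in audit_service_config(SERVICE_CONFIG):
        print(finding)
```

On the sample it reports the application endpoint bound to an unsecured binding and the "mex" endpoint that the config comment says to remove before deployment.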

WCF Streaming on service with Windows Authentication Endpoint

I have a WCF service with two endpoints defined by the configuration file below:
<system.serviceModel>
<services>
<service name="SyncService" behaviorConfiguration="SyncServiceBehavior">
<endpoint name="Data" address="Data" binding="basicHttpBinding" bindingConfiguration="windowsAuthentication" contract="ISyncService"/>
<endpoint name="File" address="File" binding="basicHttpBinding" bindingConfiguration="httpLargeMessageStream" contract="ISyncService"/>
<endpoint address="mex" binding="webHttpBinding" bindingConfiguration="windowsAuthentication" contract="IMetadataExchange"/>
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="httpLargeMessageStream" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647" transferMode="Streamed" messageEncoding="Mtom" />
<binding name="windowsAuthentication" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" proxyCredentialType="None" realm=""></transport>
<message algorithmSuite="Default" clientCredentialType="UserName"/>
</security>
</binding>
</basicHttpBinding>
<webHttpBinding>
<binding name="windowsAuthentication">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows"></transport>
</security>
</binding>
</webHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="SyncServiceBehavior">
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
<dataContractSerializer maxItemsInObjectGraph="2147483647"/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true"></serviceHostingEnvironment>
</system.serviceModel>
I want to use windows authentication for the Data endpoint, but have recently discovered that you cannot use windows authentication for streaming over HTTP. I removed the security element for the File endpoint, but still get the following error:
HTTP request streaming cannot be used in conjunction with HTTP
authentication. Either disable request streaming or specify anonymous
HTTP authentication. Parameter name: bindingElement
Is it possible to have two endpoints on the same service use different authentication methods like this? Why can't I use windows authentication for streaming?
I have also tried what was suggested in this thread, but to no avail:
Which authentication mode of basichhtpbinding can be used to secure a WCF Service using Streaming?
Unfortunately this is not supported.

WCF - "There was no endpoint listening at..." error

I have two applications that I want to test locally on the same machine. App 1 has a simple WCF service with the following config entry:
<service behaviorConfiguration="MyNamespace.ContainerManagementServiceBehavior"
name="MyNamespace.ContainerManagementService">
<endpoint address="ContainerManagementService" binding="basicHttpBinding"
name="ContainerManagementbasicHttpEndpoint"
contract="MyNamespace.IContainer" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="http://localhost:8000/ContainerManagementService" />
</baseAddresses>
</host>
</service>
<behaviors>
<behavior name="MyNamespace.ContainerManagementServiceBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</behaviors>
I start the service by running the web application project where it is hosted. I am able to successfully browse to the url and get web service information page from ie. I copy the same URL and use it for my client.
My other client, App 2, has the following in its config file:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="basicHttp" closeTimeout="00:10:00"
openTimeout="00:10:00" receiveTimeout="00:10:00"
sendTimeout="00:10:00" allowCookies="false"
bypassProxyOnLocal="false"
hostNameComparisonMode="StrongWildcard"
maxBufferSize="5242880" maxBufferPoolSize="524288"
maxReceivedMessageSize="5242880" messageEncoding="Text"
textEncoding="utf-8" transferMode="Buffered"
useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192"
maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="5242880" />
<security mode="None">
<transport clientCredentialType="None"
proxyCredentialType="None" realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint
address="http://localhost:3227/Services/ContainerManagementService.svc"
binding="basicHttpBinding" bindingConfiguration="basicHttp"
contract="MyService.IService" name="externalService" />
</client>
</system.serviceModel>
However, when I try to execute a WCF call from the client to the running service, I get the following error message:
There was no endpoint listening at
http://localhost:3227/Services/ContainerManagementService.svc
that could accept the message. This is often caused by an incorrect
address or SOAP action. See InnerException, if present, for more details.
What could be happening?
It looks like the issue is due to the fact that both server and client are being run from the Cassini server. I am changing the architecture to host the server endpoint in IIS.
Do you have two applications?
One which hosts the server endpoint and the other which is the client? Are both active in IIS (considering the second application is a web app)?
If you have two projects for those two components in your solution, you can configure VS to start both projects at the same time. This way you can put breakpoints on both the client and the server and see if the server really gets called by the client or if the exception happens without the server method being called.
If your web service is on: http://localhost:8000/ContainerManagementService.svc
Your client app2 should point to this same address:
<client>
<endpoint address="http://localhost:8000/ContainerManagementService.svc"
binding="basicHttpBinding" bindingConfiguration="basicHttp"
contract="MyService.IService" name="externalService" />
</client>

Calling a WCF service from another WCF service

I have a WCF service hosted on a windows service on my Server1. It also has IIS on this machine. I call the service from a web app and it works fine. But within this service, I have to call another WCF service (also hosted on a windows service) located on Server2. The security credentials are set to "Message" and "Username". I have an error like "SOAP protocol negotiation failed". It's a problem with my server certificate public key that doesn't seem to be recognised. However, if I call the service on the Server2 from Server1 in a console app, it works fine.
I followed this tutorial to set up my certificates : http://www.codeproject.com/KB/WCF/wcf_certificates.aspx
Here's the config file from my service on Server1 that tries to call the second one :
<endpoint address=""
binding="wsHttpBinding"
contract="Microsoft.ServiceModel.Samples.ITraitement" />
<endpoint address="mex"
binding="mexHttpBinding"
contract="IMetadataExchange" />
</service>
</services>
<client>
<endpoint address="http://Server2:8000/servicemodelsamples/service"
behaviorConfiguration="myClientBehavior" binding="wsHttpBinding"
bindingConfiguration="MybindingCon" contract="Microsoft.ServiceModel.Samples.ICalculator"
name="">
<identity>
<dns value="ODWCertificatServeur" />
</identity>
</endpoint>
</client>
<bindings>
<wsHttpBinding>
<binding name="MybindingCon">
<security mode="Message">
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceTraitementBehavior">
<serviceMetadata httpGetEnabled="True"/>
<serviceDebug includeExceptionDetailInFaults="True" />
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="myClientBehavior">
<clientCredentials>
<clientCertificate findValue="MachineServiceTraitement" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
<serviceCertificate>
<authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
And here's the config file from the web app that calls the service on Server1 :
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_ITraitement" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Message">
<transport clientCredentialType="Windows" proxyCredentialType="None"
realm="" />
<message clientCredentialType="Windows" negotiateServiceCredential="true"
algorithmSuite="Default" establishSecurityContext="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost:8020/ServiceTraitementPC"
binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_ITraitement"
contract="ITraitement" name="WSHttpBinding_ITraitement">
</endpoint>
</client>
Any idea why it works if I call it in a console app and not from my service? Maybe it has something to do with the certificateValidationMode="ChainTrust"?
Well, finally it was just a matter of trusting the issuer of the certificate on the client machine. It was mentioned in the tutorial and I must have missed that step. Still wonder why it worked when calling from a console app, but... anyway, it works fine now.
Thanks !
When you call the service from the console app you are in the security context of the logged in user.
When you call the service from a service running in IIS, with default settings, you are in the security context of a local account NETWORK SERVICE.
The way to fix it is probably to set impersonate=true in the system.web section of your web.config.