I'm writing a C# WCF service that publishes an endpoint using a WSHttpFederationBinding. We have our own security token server providing tokens, for which callers need to use a custom binding.
This is all working fine for a C# client I've written: this has a custom binding in its app.config like so:
<bindings>
<customBinding>
<binding name="CustBind">
<security authenticationMode="UserNameForCertificate" requireDerivedKeys="true"
messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
requireSecurityContextCancellation="false"
requireSignatureConfirmation="false">
<secureConversationBootstrap/>
</security>
<httpTransport/>
</binding>
</customBinding>
<wsFederationHttpBinding>
<binding name="FedBind">
<security>
<message issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
negotiateServiceCredential="false">
<issuer address="http://STSHost/MySTS" binding="customBinding"
bindingConfiguration="CustBind">
<identity>
<certificateReference x509FindType="FindBySubjectName" findValue="localhost"/>
</identity>
</issuer>
</message>
</security>
</binding>
</wsFederationHttpBinding>
</bindings>
However, what I want is for users to be able to generate their own clients in whatever language they want, just given the WSDL that the WCF service publishes. The problem with this is that when I try such a thing with Developer Studio's "Add Service Reference" functionality, the resulting client doesn't work.
The reason it doesn't work is because the generated client's app.config is clearly wrong: while the STS is there in the "issuer" element, there's no sign of the custom binding. Looking at the WSDL this isn't too surprising, as there's no mention of anything there other than the issuer address.
Is there any way to get WCF to add something to the WSDL to describe this situation? My server's app.config bindings look okay to me: the "issuer" element is exactly the same as for the working client, including the address and details of the custom binding. Does anyone know why WCF seems to be ignoring this when generating the WSDL?
Related
I'm a new member in this fantastic website and this is my first question here ..
I wish I can find the solution..
I'm building a website and I need to secure the communications between clients and the server.
I should Use WCF in the implementation.
My project's requirements :
use WCF
binding: ws2007HttpBinding
security: HTTPS
client: Sign
I should use HTTPS for securing the communications and I should make the client sign the message (it's important).
I install certificates in both server and Client But I don't knoe how to make the clients sign the message.
I can't use message security in the wcf because I need HTTPS. Anyone can help me to know what is the TransportWithMessageCredential do for signing and how to implement such a thing??
Here is part of the app.config of the server:
<bindings>
<ws2007HttpBinding>
<binding name="ServiceWS2007HttpBindingConfg">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" />
<message clientCredentialType="Certificate" negotiateServiceCredential="false" />
</security>
</binding>
</ws2007HttpBinding>
</bindings>
<services>
<service name="Service">
<endpoint address="https://MAHER-PC/EBPP/Service.svc" binding="ws2007HttpBinding"
bindingConfiguration="ServiceWS2007HttpBindingConfg" contract="IService" />
</service>
</services>
thanks....
Depends on what you're planning to sign.
A good place to start would be to have a look at setting the ProtectionLevel for your service in the service contract.
Information:
http://msdn.microsoft.com/en-gb/library/aa347692.aspx
How to:
http://msdn.microsoft.com/en-gb/library/aa347791.aspx
I am creating a web service that will be consumed by a single client in another part of the world. I don't have any knowledge or control over the technology they are using but have been asked to
"use SSL to encrypt the message during transport and use UsernameToken
for client authentication"
I'm planning to use WCF4 to create the service and know generally how to set this all up. However I'm struggling to find the correct configuration for bindings etc. Google gives me lots of results around WSE 3.0 but I'm pretty sure (please correct me if I'm wrong) that I shouldn't be using WSE for a WCF service.
This article initially seems to suggest I should be using a custom binding but then also says I should "consider using the WCF system-defined bindings with appropriate security settings instead of creating a custom binding". However I can't see any examples of what this should be.
I would be grateful if anyone can point me in the right direction.
tl;dr: What are the WCF4 config settings to support SSL and UsernameToken?
Take a look at the WsHttpBinding. You can use a security mode of TransportWithMessageCredential to use SSL and a message credential of UserName. If you are hosting in IIS set up SSL there.
You can set up the binding in config as follows.
<bindings>
<wsHttpBinding>
<binding name="secureBinding">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" proxyCredentialType="None" realm="" />
<message clientCredentialType="UserName" negotiateServiceCredential="false" establishSecurityContext="false" />
</security>
</binding>
</wsHttpBinding>
</bindings>
You can then use this binding config as follows
<services>
<service name="ServiceName">
<endpoint address="" binding="wsHttpBinding" contract="ContractType" bindingConfiguration="secureBinding" />
</service>
</services>
Both these elements are children of the system.serviceModel element in config.
I'm trying to develop a Windows Phone application that uses a WCF Service. I'm doing it as decribed here:
http://www.c-sharpcorner.com/UploadFile/raj1979/5280/
(of course I use my own tables from the DB). The problem is:
I'm debugging the Class Library project containing the WCF service (to see if some of its methods are invoked properly)
after the method returns an entity I see the error: There was no endpoint listening at http://localhost:1708/Service1.svc that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. The InnerException is The remote server returned an error: NotFound.
the ServiceReferences.ClientConfig in the Windows Phone application:
<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_IService1" maxBufferSize="2147483647"
maxReceivedMessageSize="2147483647">
<security mode="None" />
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost:1708/Service1.svc" binding="basicHttpBinding"
bindingConfiguration="BasicHttpBinding_IService1" contract="ServiceReference1.IService1"
name="BasicHttpBinding_IService1" />
</client>
</system.serviceModel>
</configuration>
I don't know how to solve it. Any ideas ? I tried many answers from that site but none worked
What about Silverlight-enabled WCF service on the server side? It it based on CustomBinding instead of basicHttpBinding.
You must change in ServiceReferences.ClientConfig in your Windows Phone Emulator endpoint address from localhost to
yourComputerName. Thats all:) It works
We have a system where the users access a web server, the web server then calls a WCF service.
We would like the call to the WCF service to be made in the security context of the windows identity of the application pool on the web server.
What is the best way to do this? Can it be done purely through configuration in the web.config file.
Thanks
Shiraz
Yes, you should be able to do this, all in config:
<system.serviceModel>
<bindings>
<netTcpBinding>
<binding name="WinAuth" mode="Transport">
<transport clientCredentialType="Windows" />
<bindings>
</netTcpBinding>
</bindings>
</system.serviceModel>
Of course, depending on your binding, you'd have to use a different tag under the <bindings> parent node - and of course, not all bindings support all security modes.....
In your endpoint, use the appropriate binding and then just reference this config:
<endpoint name="WCFService" address="......."
binding="netTcpBinding"
bindingConfiguration="WinAuth"
contract="......" />
That should do it! And of course, if you need message security instead of transport security, you can do that, too.
In your WCF service method, you can check to see whether or not the Windows credentials have been sent over, and what they are, by checking:
ServiceSecurityContext.Current.WindowsIdentity
This will be NULL if you don't have a Windows caller, otherwise it will show who called you.
Marc
We have a windows service that we are trying to use as WCF host for a WPF application. It works fine in development but when we have tried to move to our production environment we have had nothing but problems. From reading posts from others, we figured out how to turn on WCF logging and this was a big help. It turned out that our security bindings on the service and the client did not match. We set them both to use windows security but still no luck now we are trying to set the security mode to 'None' but it still is not working. Here is the bindings section of our service config file:
<system.serviceModel>
<bindings>
<netTcpBinding>
<binding name="netTcp">
<security mode='None'>
</security>
</binding>
</netTcpBinding >
</bindings>
<services>
<service name="CompanyService">
<endpoint
address= "our.url.com/CompanyService"
binding="netTcpBinding"
contract="CompanyServices.ICompanyService" />
</service>
</services>
</system.serviceModel>
Here is the serviceModel section of our client app config:
<system.serviceModel>
<bindings>
<netTcpBinding>
<binding name="NetTcpBinding_Config" >
<security mode="None">
</security>
</binding>
</netTcpBinding>
</bindings>
<client>
<endpoint address="our.url.com/CompanyService" binding="netTcpBinding" bindingConfiguration="NetTcpBinding_Config" contract="CompanyServiceProxy.ICompanyService" name="NetTcpBinding_ICompanyService" />
</client>
</system.serviceModel>
If I need to supply additional infor please tell me what I need to supply.
Thanks
Standard net.tcp binding uses Windows credentials by default, and those really require client and service to be in the same Windows domain. Is this the case here??
OK, sorry, you mentioned security=None (your listings weren't properly formatted so I only saw a fraction of the actual config).
I guess your problem really lies in the addresses used:
address= "our.url.com/CompanyService"
When using net.tcp binding, you have to specify that before the address, so change this on both the client and the server to:
address= "net.tcp://our.url.com/CompanyService"
Also, what I don't quite understand is your title: it mentions "streaming" - have you specified streaming mode anywhere? In your config or your service contracts?
Marc