I have a WCF service hosted in a Windows service. The application is an intranet app, and I have programmatically set the bindings on both the service and the client as:
NetTcpBinding aBinding = new NetTcpBinding(SecurityMode.Transport);
aBinding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
aBinding.Security.Transport.ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign;
Both the service and client have endpoints configured with SPNs:
EndpointAddress address = new EndpointAddress(uri, EndpointIdentity.CreateSpnIdentity("Service1"));
As far as I know, I have set up the bindings correctly -- and I am usually able to connect to the service just fine. I did however run into a case where on a server running Windows Server 2003 R2, x64, SP2 I get the following exception immediately when the client tries to connect:
INNEREXCEPTION -- Exception Message:
InvalidCredentialException: Either the target name is incorrect or the server has rejected the client credentials.
Stack Trace:
at System.Net.Security.NegoState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.NegotiateStream.AuthenticateAsClient(NetworkCredential credential, String targetName, ProtectionLevel requiredProtectionLevel, TokenImpersonationLevel allowedImpersonationLevel)
at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity)
I get the exception when I try to connect to the service from another machine in the domain, but if I connect to the service on the same machine running the service it works fine.
The hosting service itself is running as a domain user account-- but I have tried running the service as a Local System and Network Service to no avail. I have checked the Local Security Policies for the server and didn't see anything amiss (i.e. 'Access this computer from the network' includes 'Everyone').
Anyone have an idea of what could resolve this?
I am wondering if I need to do something in Active Directory with respect to the service's SPN? I have read some about using setspn.exe to register or refresh SPNs, but I haven't needed to do this before. Why would this be working with other configurations but not the one above?
Try and run the service as an account that has local administrator access - if you can't run the service with this much permission, then I believe you'll need to use setspn.exe as you have alluded to.
Related
We have a WPF application which connects to WCF services using netTcpBinding using TransportWithMessageCredential security with clientCredentialType set to Windows for message and transport security. IIS app pool is running under identity of a domain user.
The above setup works locally just fine (meaning that WCF services and WPF app are running from on same box). When WPF app is on a different box then the communication fails with the following error:
System.ServiceModel.Security.SecurityNegotiationException: SOAP
security negotiation with
'net.tcp://serv01.domain.local:30128/UsersService.svc' for target
'net.tcp://serv01.domain.local:30128/UsersService.svc' failed. See
inner exception for more details. --->
System.ComponentModel.Win32Exception: Security Support Provider
Interface (SSPI) authentication failed. The server may not be running
in an account with identity 'host/serv01.domain.local'. If the
server is running in a service account (Network Service for example),
specify the account's ServicePrincipalName as the identity in the
EndpointAddress for the server. If the server is running in a user
account, specify the account's UserPrincipalName as the identity in
the EndpointAddress for the server. at
System.ServiceModel.Security.WindowsSspiNegotiation.GetOutgoingBlob(Byte[]
incomingBlob, ChannelBinding channelbinding, ExtendedProtectionPolicy
protectionPolicy) at
System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message
incomingMessage, SspiNegotiationTokenProviderState sspiState) at
System.ServiceModel.Security.IssuanceTokenProviderBase1.GetNextOutgoingMessage(Message
incomingMessage, T negotiationState) at
System.ServiceModel.Security.IssuanceTokenProviderBase1.DoNegotiation(TimeSpan
timeout) --- End of inner exception stack trace ---
There is no firewall between the boxes. Also, when IIS on the web server is using LocalService identity then communication between the applications works fine.
What may be causing the issues and how can I identify the root cause? I don't see any additional error messages in event logs which could shed some light.
It was very hard to find the answer, but in my case I needed to register my IIS identity service account with host's ServicePrincipalName. The answer is available on this page: http://www.getshifting.com/wiki/setupn
What you need to do is:
1) run the command setspn -l domain\identity_user where "domain\identity_user" is the user account under which IIS is running. When everything is set up correctly this command must return the SPNs from the error message. In my case - after the fix - it returns:
HOST/SERV01
HOST/SERV01.DOMAIN.LOCAL
2) if the list is empty then you need to add those SPNs. Run:
setspn -A HOST/SERV01 domain\identity_user
setspn -A HOST/SERV01.DOMAIN.LOCAL domain\identity_user
That was it.
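The check in steps 1) and 2) above as an added PowerShell helper (not part of the answer or of Microsoft's tooling): it parses the output of setspn -L for the service account, compares it against the HOST/ names the error message expects, and prints the setspn -S commands for whatever is missing. The account and host names are constructed placeholders.

```powershell
# Added example: find which HOST/ SPNs the WCF service account is missing.
# 'DOMAIN\svc_wcf', 'SERV01' and 'SERV01.DOMAIN.LOCAL' are constructed placeholders.
function Get-MissingHostSpn {
    param(
        [Parameter(Mandatory)] [string]   $Account,   # account the service/app pool runs as
        [Parameter(Mandatory)] [string[]] $HostName   # short name and FQDN of the server
    )
    # setspn -L prints a header line followed by one indented SPN per line;
    # keep only lines that look like 'class/host'.
    $registered = & setspn -L $Account 2>&1 |
        ForEach-Object { $_.ToString().Trim() } |
        Where-Object { $_ -match '^[A-Za-z]+/' }

    # -notcontains is case-insensitive, matching how SPNs are compared.
    $expected = $HostName | ForEach-Object { "HOST/$_" }
    $missing  = $expected | Where-Object { $registered -notcontains $_ }

    return [pscustomobject]@{
        Account    = $Account
        Registered = $registered
        Missing    = $missing
    }
}

$result = Get-MissingHostSpn -Account 'DOMAIN\svc_wcf' -HostName 'SERV01', 'SERV01.DOMAIN.LOCAL'
Write-Host "Registered on $($result.Account):"
$result.Registered | ForEach-Object { Write-Host "  $_" }

if ($result.Missing) {
    # -S (unlike -A) refuses to create an SPN that already exists on another account.
    Write-Host "Missing SPNs; register them with:"
    $result.Missing | ForEach-Object { Write-Host "  setspn -S $_ $($result.Account)" }
} else {
    Write-Host "All expected HOST/ SPNs are present."
}
```

If the SPNs are present but Kerberos still fails, run setspn -X to look for the same SPN registered on more than one account; a duplicate breaks authentication in the same way as a missing one.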
I have a service, hosted in a windows service. When I installed the windows service in the local machine, I can get data from the service, but when I installed the windows service in the remote computer (in the server), I don't get data.
I have tried in an internet browser to use the address of the endpoint on the server, and I get a response, so I get the page that says how to use svcutil to create the proxy.
Although I get this page, I have tried disabling the firewall on the server and on the client, but the problem persists, as I expected.
If I get response in the internet browser, wouldn't I get access to the methods of the service?
On the server side add a trace listener so as to find out what error occurs. Do you make use of any certificate which the service may not possess?
I have added http://ws.hipcricket.com/api/EndUser.svc as a service reference in a my web service. I am able to consume the methods from the IDE but while hosting the same in IIS I'm getting the following errors:
Error 1:
Could not connect to the (please refer the above url). TCP error code 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 69.20.116.221:80.
Error 2:
There was no endpoint listening at (please refer the above url) that could accept the message. This is often caused by an incorrect address or SOAP action. See Inner Exception, if present, for more details
Maybe you have a firewall blocking communication from your webserver? When developing on your local machine communications through the proxy may most likely be using your credentials, while the user that the application pool that your application is running under on your IIS server most probably does not have the correct rights.
I'm trying to debug my Metro application on a tablet from my desktop, however when it boots up and tries to get data from my WCF service I get this error:
An exception of type 'System.ServiceModel.EndpointNotFoundException' occurred in mscorlib.dll but was not handled in user code
Additional information: There was no endpoint listening at http://localhost:39855/MyService.svc that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.
I'd assume that this is because the service is hosted on my desktop in IIS Express, and the tablet app is trying to look for the service at localhost, which wouldn't be where the service is hosted; it would have to be the IP of my desktop or something. But how would I change my service in Visual Studio to be hosted at my IP instead of localhost? I have disabled both firewalls so there should be nothing causing problems in that regard.
My experience with WCF is pretty limited :(
Or do I have to set up IIS, deploy my service on my local machine, and point the tablet to that address?
Hosting the service in iis express should be fine, but you have to modify the client (the tablet app) to point to your host machine explicitly (using the IP or the network host name of the machine). You can do that either by modifying the configuration file for the app or by creating the client binding in code, specifying the host.
On the 1st server, there is a WCF service hosted in a Windows managed service. On the 2nd server, there is another WCF service, hosted in its own Windows managed service. I try to connect to the 1st service from inside the 2nd service, but I get an exception "The socket connection was aborted". With the same configuration and same code I successfully connect from a console application and a WinForms application, but not from this Windows managed service.
Configure your WCF services on both servers to perform diagnostic logging. Follow the instructions in http://msdn.microsoft.com/en-us/library/ms730064.aspx to achieve that.
Make sure the account your service on server 2 is running under is capable of connecting to server 1. This is a typical difference between the client test you did (and worked) and a service running on that system. For a test, make the service on server 2 run under your personal login credentials.