SSL WCFs with custom binding - wcf

Has anyone ever tried to use custom binding with SSL in a WCF web service? I've seen a number of examples on how to do this with basicHttpBinding and wsHttpBinding but the equivalent always fails for customBinding. Specifically what I'm currently working with (the most successful configuration yet) looks something like this:
<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true">
</serviceHostingEnvironment>
<behaviors>
<serviceBehaviors>
<behavior name="MyServiceBehavior">
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<customBinding>
<binding name="binaryHttps">
<binaryMessageEncoding />
<httpsTransport />
</binding>
</customBinding>
</bindings>
<services>
<service behaviorConfiguration="MyServiceBehavior" name="MyService">
<host>
<baseAddresses>
<add baseAddress="https://(myserver)/"/>
</baseAddresses>
</host>
<endpoint address=""
binding="customBinding" bindingConfiguration="binaryHttps"
contract="MyService" />
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
</services>
</system.serviceModel>
This actually allows us to access the service from the web, get it's WSDL and add a service reference inside visual studio alright, but when we actually try and use it live in our silverlight-3 application, it just sits there indefinitely waiting for a response and never times out. It actually ends up giving me low memory problems after a while on my machine (with 6GB of memory). The odd thing is that all this worked (and still does) perfectly in the development environment (using strictly the VS application hosts), it wasn't until we tried to deploy it to an actual server with a real SSL certificate that all these issues popped up.
I've searched fairly exhaustively for a solution to this problem but have so far not found anything and have tried just about everything - Is there anyone out there that's encountered this before and got around it?

So it turns out the problem wasn't with our web.config at all, it had to do with an issue with IIS 7 and Wildcard SSL certificates.
Namely, IIS 7 doesn't allow you to specify the hostname when binding an IP to an SSL connection and certificate. I'd guess that this is because it expects a non-wildcard SSL certificate that it can extract the explicit hostname from. What we ended up having to do was to go into the applicationHost.config file in {WindowsDir}\{System32}\{Inetsrv}\{config} and find the entry with our web service's bound IP address and change it explicitly to (ip):(hostname). It was then even displayed properly in the IIS config GUI.
After doing this we were to completely turn off all but SSL channels on all our servers and everything worked beautifully.
Thank god that's over!

AFAIK, using SSL has performance problem. We are using WCF behiovr to do the authentication. The way that we are using is that Silverlight => ASP.NET => WCF. We configured the Endpoint behivor in both Silverlight and WCF. Whenever we call the service, we passed the token for authentication.
Are you saying that you can use custom binding in ClientConfig of Silverlight?

Related

How to Resolve EndpointNotFound exception in WCF

I have been trying to resolve a problem that I am having with a WCF service hosted on our cloud platform. Service is written targeting .NET 4.0. I can access the service using both wsHttpBinding and basicHttpBinding over just plain http. However, when I try and access the service over a https end point it consistently gives me an endpoint not found exception which is odd because on the client I add a service reference pointing at the https end point and this should be sufficient to build a compatible proxy?
The web site has a SSL certificate setup which is valid, and the site hosting the service has a binding in IIS that uses this certificate. I can browse to the https URL from within the IIS snap-in and it finds the service with no problems, and I can use the same url from my desktop and get the normal "you have created a service page". IIS has anonymous authentication enabled only.
Here is where I get a bit hazy on what I have to do in terms of the WCF configuration.
In the server web.config I have security mode of Transport and
client credentials of None (Think I need this because of the
anonymous authentication on the host service)
Also in the server web.config I have set up mex end points for each
of the server's end points that are defined.
Is there anything else I need to do here?
On the client side
I have created a basic console app, and create a service
reference pointing at the https url and this is found
In the code I instantiate the proxy and call a method that invokes
the service.
When I run the code I get the end point not found exception.
I have created a really basic ASP.NET web site on my local IIS that hosts a really simple service. I have added a self-signed certificate and in the mmc snap-in I have imported this as a trusted certificate. I have set up a wsHttp end point for both secure and non-secure and when I create a simple client that references the service I get the same problem when using a https end point.So I can replicate the problem I am seeing in the live environment.
The event viewer doesn't shed any light on anything untoward happening.On my various searches I found references to re-registering asp.net and the WCF runtime components. Tried all this to no avail. Getting really stuck. I've included the config from my local asp.net web site, and the client config so people can scan what I have. Any suggestions on what else I could try would be great. I'm hoping I have overlooked something obvious that another pair of eyes with more experience with WCF can spot.
Thanks in advance.
Server config:
<system.serviceModel>
<diagnostics>
<messageLogging logEntireMessage="true" logMalformedMessages="true" logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true" maxMessagesToLog="500" />
</diagnostics>
<services>
<service name="NorthwindServices.ProductService">
<host>
<baseAddresses>
<add baseAddress="http://localhost:8732/Design_Time_Addresses/NorthwindServices/ProductService/" />
</baseAddresses>
</host>
<endpoint address="" binding="wsHttpBinding" contract="NorthwindServices.IProducts">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
<endpoint address="mex" binding="wsHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="Secure">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Basic">
</transport>
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
</
==================================================================================
Client config:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IProducts">
<security mode="Transport"></security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://localhost/Northwind.svc" binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_IProducts" contract="ProductProxy.IProducts"
name="WSHttpBinding_IProducts">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>
BindingConfiguration is optional since an endpoint is primarily composed of address, binding and contract. If no wsHttpBinding is defined under bindings, the default configuration will be used; if there's one under wsHttpBinding without name or with empty name, the binding configuration will be used if the endpoint does not declare a named one. And you may have multiple named binding configuration under wsHttpBinding, and each endpoint may pick one accordingly. The problems so far according to your config files listed has nothing to do with bindingConfiguration as they all look fine. However, the baseAddress in service side and the client endpoint address do not seem to match, and I presume you are using svc files for service activation. Then you need to make sure the svc files are located in the right place through proper routing. Alternatively you may use config activation without using svc files.

HTTP could not register URL ... because TCP port ... is being used by another application

First, I am not good in WCF.
I have a WCF service hosted in WindowsService.
Since sometime the service stoped to run because of the exception:
HTTP could not register URL http://+:8092/MyService/ because TCP port 8092 is being used by another application.
Nothing uses this port, it says the same about any port I tried.
SSL certificate is configured.
There are many machines that can start this service, but the most required (customer's) machine cannot.
I saw many posts in this site or anywhere else, but cannot find a solution.
I never see the post like "It helped me".
I am stuck several days already, help please.
Below the data from config file:
<system.serviceModel>
<services>
<service name="MyCompany.MyApp.MyAppService" behaviorConfiguration="MetadataSupport">
<host>
<baseAddresses>
<add baseAddress="http://localhost:8092/MyAppService" />
<add baseAddress="net.tcp://localhost:8093/MyAppService" />
<add baseAddress="net.pipe://localhost/" />
</baseAddresses>
</host>
<endpoint binding="wsDualHttpBinding" contract="MyCompany.MyApp.IMyAppService" />
<endpoint binding="netTcpBinding" contract="MyCompany.MyApp.IMyAppService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
<endpoint address="tcpmex" binding="mexTcpBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="MetadataSupport">
<!-- To avoid disclosing metadata information,
set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="True" httpGetUrl="" />
<!-- To receive exception details in faults for debugging purposes,
set the value below to true. Set to false before deployment
to avoid disclosing exception information -->
<serviceDebug httpHelpPageEnabled="True" includeExceptionDetailInFaults="True" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
You are using WCF duplex communication with wsDualHttpBinding. In this case, WCF creates a HTTP socket on port 8092 to service client callbacks. Clearly the client was conflicting with IIS 5.X. (I guess you have XP and IIS 5.x)
To resolve this problem you have to provide a clientBaseAddress in the binding configuration on the client and specify a different port.
Sample client configuration:
I hope that this is really the problem in your machine, please notify me about the results of this solution.
Good luck :-)
Try running the windows service as someone with admin privileges. Certain versions of Windows (2008/Vista and up) are picky about who can open ports. If that helps, then you certainly don't want to actually run the service as an admin, but it at least points you in the permissions direction.
Also, you mention an SSL cert, but it is an 'http' url, not 'https'. That seems unusual.
I suggest to do the following diagnostics steps:
Try hosting the WCF Service in a Self-Host manner (Console Application):
use the class HttpServiceHost
use this binding: var binding = new HttpBinding(HttpBindingSecurityMode.Transport);
AddServiceEndpoint(typeof(YourServiceClass),binding,"https://url...");
If it works for you it seems that you have problems in configuring the WCF service to work under Managed-Windows Service.
Lets me know your results :-)

Metadata request requires authentication in WCF even though service description page doesn't

I've set up a WCF service to require NTLM authentication using the following configuration:
<system.serviceModel>
<bindings>
<customBinding>
<binding name="BinarySecurityBinding">
<binaryMessageEncoding/>
<httpTransport authenticationScheme="Ntlm"/>
</binding>
</customBinding>
</bindings>
<services>
<service name="Services.LogisticsServices" behaviorConfiguration="ServiceBehavior">
<endpoint address="" binding="customBinding" bindingConfiguration="BinarySecurityBinding" contract="Services.ILogisticsServices" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior">
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
I did this so that the applications that consume the web service are forced to log in because all my service's operations use impersonation ([OperationBehavior(Impersonation = ImpersonationOption.Required)]).
In IIS 7 I've enabled anonymous and Windows authentication.
When I visit http://test.server/LogisticsServices.svc, which hosts the service described above, I can see the default service description page anonymously. However, when Visual Studio tries to access http://test.server/LogisticsServices.svc/$metadata to generate a client proxy, the server is responding with HTTP code 401 and expecting authentication. Not only would I've expected the metadata to be available anonymously, but additionally, the server is not accepting the credentials I am giving it (even though, I know for a fact that they are correct).
Testing different configuration, I tried removing the authenticationScheme from my binding's transport, just to be able to generate the client proxy, but that results in an exception because the service's operations require impersonation ([OperationBehavior(Impersonation = ImpersonationOption.Required)]).
What am I missing in my service's configuration that would make the service's metadata available anonymously? I'm also open to suggestions if I'm approaching the whole thing wrong.
here is a similar discussion:
Getting an Security setting exception while accessing a WCF service
One way around this is not to use the autogenerated proxies.
In cases where we have control over both the server and the client we have found that it is much more productive to avoid using the autgenerated proxies.
A screencast of how to do this can be found here: http://www.dnrtv.com/default.aspx?showNum=122
You could try imperative instead of declarative model, see: http://msdn.microsoft.com/en-us/library/ms730088.aspx

Wcf Http and Https

Help please!!
I had the following set up working perfectly:-
WCF Service Library hosted in web site on local IIS 7
Silverlight Application on a web site on local IIS 7 using above services
The solution I am writing is for intranet and not internet use, however I have been told by my bosses that it needs to be over Https. I am using Windows Authentication.
Below is a chunk of the config file for one of the service endpoints (changed to remove company info etc):-
<services>
<service behaviorConfiguration="stdHttpBehavior" name="WcfServiceLibrary.StaticDataService">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="windowsHttpBinding"
name="StaticDataService" contract="WcfServiceLibrary.ServiceContracts.IStaticDataService" />
<endpoint address="mex" binding="mexHttpBinding" name="" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="http://localhost/WcfServiceLibrary/StaticDataService/" />
</baseAddresses>
</host>
</service>
<behaviors>
<serviceBehaviors>
<behavior name="stdHttpBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<dataContractSerializer maxItemsInObjectGraph="2147483647" />
</behavior>
</serviceBehaviors>
</behaviors>
To experiment with Https I created a 'Self-Signed Certificate'. I then added https to the Default Web Site bindings and changed the two web sites to require SSL and also changed the relvant URIs in the config files. I managed to get this to work but now I want to go back to standard Http and finish the project in that mode as it was easier to work with. I changed all the settings back (and I have checked these extremely carefully).
Now I get this error if I try to downoad the Service definition in the Silverlight project: -
'Could not find a base address that matches scheme https for the endpoint with binding BasicHttpBinding. Registered base address schemes are [http].'
If I put back the certificate and binding in IIS. The Service definition appears to download OK, however it references an https URI and therefore none of the actual service calls work as they are http adresses!
I tried adding a new web site to host the service but got the same errors.
I have been trying to solve this for the last couple of days but cannot find an answer. It seems as though there is a hidden reference somewhere and not in my project as it continued with a new web site added to IIS.
To use SSL over HTTP under Basic HTTP binding, you need to switch your endpoint to use Transport-level security. In your case you will also want to indicate the client credential type:
<bindings>
<basicHttpBinding>
<binding name="windowsHttpBinding">
<security mode="Transport">
<transport clientCredentialType="Windows" />
<message />
</security>
</binding>
</basicHttpBinding>
</bindings>
It may seem obvious, but did you change the security mode on the windowsHttpBinding binding configuration to BasicHttpSecurityMode.None?
<bindings>
<basicHttpBinding>
<binding name="windowsHttpBinding">
<security mode="None" />
</binding>
</basicHttpBinding>
</bindings>
Related resources:
Transport Security Overview
BasicHttpSecurityMode Enumeration

WCF Error - Could not find a base address that matches scheme

I'm trying to get a WCF web service to work with SSL, as you can imagine it works on my machine, however when I run it on the production environments I get this instead:
Could not find a base address that matches scheme http for the endpoint with binding BasicHttpBinding. Registered base address schemes are [https].
Despite many hours of wrestling with this problem I still have very little idea what this error message actually means - googling for this error message finds loads of people saying that I should either specify an address in my endpoint configuration or add a base address to my service, however:
My service worked perfectly fine without specifying either with SSL disabled
In fact, my service works perfectly fine with SSL with the exact same configuration on another machine
Besides, I've found a post which reliably informs me that when hosting under IIS the base address is ignored anyway.
As you can probably tell, I'm currently feeling a very fustrated at my utter failure to achieve what I believed to be a relatively simple task, so:
What does this error message actually mean?
How are base addresses determined when hosting under IIS?
Where can I find reliable, understandable documentation about what all of my copy-pasted configuration actually means?
What do I need to do to get my service to actually work?
The interesting bits of my web.config are:
<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
<services>
<service name="MyService" behaviorConfiguration="MyBehavior">
<endpoint binding="basicHttpBinding" bindingConfiguration="SecureTransport"
bindingNamespace="http://MyNamespace/Service" name="Basic"
contract="MyContract" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="MyBehavior">
<serviceMetadata httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding name="SecureTransport">
<security mode="Transport" />
</binding>
</basicHttpBinding>
</bindings>
</system.serviceModel>
One thing that is off field but can cause this message is if the SSL certificate on the server is expired or not set up correctly.