We Keep Coding

How to authenticate wsdl get with TransportWithMessageCredential security mode for the endpoint?

I have a WCF endpoint that exposes a API with a basicHttpBinding. This biding is set to use security mode TransportWithMessageCredentialand UserName for clientCredentialType.
Because security is implemented at message level, at the WCF, the IIS needs to allow anonymous access. And so, wsdl can be obtain without providing any credentials.
How to force authentication to get the service metadata?
Here the current service configuration looks like (from web.config)
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="secure">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="secure" name="someProject.MyService">
<endpoint binding="basicHttpBinding" contract="someProject.IService" bindingConfiguration="secure" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="secure">
<serviceMetadata httpsGetEnabled="true" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
I try the obvious, to set a specific binding for the metatada, by using service behavior configuration:
<behavior name="secure">
<serviceMetadata httpsGetEnabled="true" httpsGetBinding="basicHttpBinding" httpsGetBindingConfiguration="transportSecure" />
</behavior>
//and add the new binding
<basicHttpBinding>
<binding name="transportSecure">
<security mode="Transport">
<message clientCredentialType="UserName" />
</security>
</binding>
</basicHttpBinding>
But it is not supported. It throws this:
MessageVersion 'Soap11 (http://schemas.xmlsoap.org/soap/envelope/)
AddressingNone
(http://schemas.microsoft.com/ws/2005/05/addressing/none)' is not
supported in this scenario. Only MessageVersion 'EnvelopeNone
(http://schemas.microsoft.com/ws/2005/05/envelope/none) AddressingNone
(http://schemas.microsoft.com/ws/2005/05/addressing/none)' is
supported.
I don't understand this error or how to get around it.

Normally we will not disclose our metadata in the production environment,But if you want to enable metadata, we can use https binding to protect the metadata.
1.Configure a port with an appropriate X.509 certificate. The certificate must come from a trusted authority, and it must have an intended use of "Service Authorization." You must use the HttpCfg.exe tool to attach the certificate to the port.
2.Create a new instance of the ServiceMetadataBehavior class.
3.Set the HttpsGetEnabled property of the ServiceMetadataBehavior class to true.
4.Set the HttpsGetUrl property to an appropriate URL. Note that if you specify an absolute address, the URL must begin with the scheme https://. If you specify a relative address, you must supply an HTTPS base address for your service host. If this property is not set, the default address is "", or directly at the HTTPS base address for the service.
5.Add the instance to the behaviors collection that the Behaviors property of the ServiceDescription class returns, as shown in the following code.
ServiceMetadataBehavior sb = new ServiceMetadataBehavior();
sb.HttpsGetEnabled = true;
sb.HttpsGetUrl = new Uri("https://myMachineName:8036/myEndpoint");
myServiceHost.Description.Behaviors.Add(sb);
myServiceHost.Open();
This is authentication enabled on WCF, you can also enable windows authentication on IIS, both methods can protect metadata.
But in the production environment, I do not recommend that you enable metadata, because this will lead to the risk of metadata leakage.The call of WCF service can also be called through the channel factory. In this case, we can call WCF service without knowing the metadata of the server.
For more information on how to protect metadata, you can refer to this link:
https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-secure-metadata-endpoints?redirectedfrom=MSDN

Mutual SSL security mode binding configurations

I have two questions regarding the security mode regarding mutual ssl.
I have look through a few sites such as:
1.https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/transport-security-with-certificate-authentication%20
2.https://www.codeproject.com/Articles/348595/Use-Mutual-SSL-Authentication-in-WCF
In all the binding configurations. I realized that all security mode is set as 'Transport'.
<bindings>
<wsHttpBinding>
<!-- configure wsHttp binding with Transport security mode and clientCredentialType as Certificate -->
<binding>
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
In regards to this, what I want to know is if its possible to use other kind of security mode such as
'Message' or 'TransportWithMessageCredential'. If so why?
Furthermore if its possible, does the client side have to change their security mode to the same as the server side?

The Microsoft official document also offers an example of authenticating the client with message security mode with mutual certificates.
https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/message-security-with-mutual-certificates
What we need to do is configuring a service certificate on the server-side, a certificate on the client-side, also establishing the certificate trust relationship between the client-side and server-side.
Here is a standard configuration.
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="serviceCredentialBehavior">
<serviceCredentials>
<serviceCertificate findValue="Contoso.com"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindBySubjectName" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="serviceCredentialBehavior"
name="ServiceModel.Calculator">
<endpoint address="http://localhost/Calculator"
binding="wsHttpBinding"
bindingConfiguration="InteropCertificateBinding"
name="WSHttpBinding_ICalculator"
contract="ServiceModel.ICalculator" />
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="InteropCertificateBinding">
<security mode="Message">
<message clientCredentialType="Certificate"
negotiateServiceCredential="false"
establishSecurityContext="false" />
</security>
</binding>
</wsHttpBinding>
</bindings>
</system.serviceModel>
This is also applicable to the TransportWithMessageCredential security mode. As long as the security mode is Transport security mode, we need to bind a certificate to the particular port.
Besides, the binding configuration should be coherent between the client-side and the server-side. Just like the service contract is shared between the client-side and the server-side.
Feel free to let me know if there is anything I can help with.

WCF Exception - The client certificate is not provided

WCF Exception - The client certificate is not provided. Specify a client certificate in ClientCredentials.
After reading most of what I have been able to find on this subject, and attempting many different options, I find I don’t have any more hair to pull, and hence this post.
I wish to use SSL with a self-hosted WCF service, having security mode as TransportWithMessageCredential with HTTP transport. I am using 2 dev machines and testing over a LAN.
As mentioned above, I have read and meticulously followed just about every example which demonstrates this, yet somehow still have issues with the certificates.
As far as the certificates are concerned, I have tried a number of things.
The main jist of what I did was to follow what is given in
http://msdn.microsoft.com/en-us/library/ff647171.aspx
I also used “How to: Use Certificate Authentication and Message Security in WCF Calling from Windows Forms” in
http://msdn.microsoft.com/en-us/library/ff648360.aspx
as a basic guide.
I first tested the service and client using basicHttpBinding over Http in order to verify things.
I then made changes for wsHttpBinding, SSL, and Certificates.
When I “Add Service Reference” on the client dev PC, I receive an error as follows:
Window Titled -
Security Alert
Visual Studio has detected a problem with the site's security certificate.
Issued By: RootCATest
Issued to: TempCert
Certificate is valid from---
The security certificate issued by a company is not in the untrust list. It might be trustable.
The security certificate date is valid.
The security certificate for host 'TempCert' does not match the name of the page you are trying to view.
Do you want to proceed? -
If I click “Yes” to proceed, and run the client code, an InvalidOperationException occurs with the following message.
“The client certificate is not provided. Specify a client certificate in ClientCredentials.”
The Service config is as follows:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior">
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<serviceCertificate findValue="CN=TempCert"
storeLocation="LocalMachine"
storeName="My" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpointBinding">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="SBSWCFServiceHost.Operations"
behaviorConfiguration="ServiceBehavior">
<endpoint name="wsHttpEndpoint"
address=""
binding="wsHttpBinding"
bindingConfiguration="wsHttpEndpointBinding"
contract="SBSWCFServiceHost.IOperations" >
<identity>
<dns value="localhost" />
</identity>
</endpoint>
<endpoint name="mexHttpEndpoint"
address="mex"
binding="mexHttpsBinding"
contract="IMetadataExchange" >
</endpoint>
<host>
<baseAddresses>
<add baseAddress="https://10.0.0.103:8003/SBSWCFServiceHost/Operations/" />
</baseAddresses>
</host>
</service>
</services>
</system.serviceModel>
</configuration>
The client config is as follows:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="EndpointBehavior">
<clientCredentials>
<clientCertificate storeLocation="LocalMachine"
storeName="My"
x509FindType="FindByThumbprint"
findValue="e4c87a961f796be6b6cab59c3760e43ffb6e941d"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpoint" closeTimeout="00:01:00" openTimeout="00:01:00"
receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false"
transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
<message clientCredentialType="Certificate" negotiateServiceCredential="true"
algorithmSuite="Default" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://10.0.0.103:8003/SBSWCFServiceHost/Operations/"
binding="wsHttpBinding" bindingConfiguration="wsHttpEndpoint"
contract="SBSWCFService.IOperations" name="wsHttpEndpoint">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>
The following is a Summary of the tasks I performed, based on the contents of numerous posts and documents.
Created a self-signed CA certificate (named RootCATest) on the server, and placed it in the Trusted Root Certification Authorities Certificates folder of the Local Computer.
Created a certificate which is signed by the RootCATest certificate (named TempCert), on the server, and placed it in the Personal Certificates folder of the Local Computer.
Exported the TempCert certificate and private key.
Copied the TempCert .cer and .pvk files to the client machine, and imported the TempCert Certificate into the Personal Certificates folder of the Local Computer.
Executed ICalcs.exe [private key path] /grant "NT AUTHORITY\NETWORK SERVICE":R on the server machine, using the path to the private key for the TempCert certificate.
Executed netsh http add sslcert ipport=o.o.o.o:8003 certhash=[TempCert thumbprint] appid=[{application id}] on the server machine
I believe I am close to getting this working.
It seems pretty obvious that the app is not happy with the TempCert certificate, yet I have not been able to resolve this, and am pretty much stuck.
Any assistance with respect to any problems in the given configurations, the steps I have followed in order to put the correct certificates in place, and those used to add access permissions and the sslcert entry, will be greatly appreciated.
Many thanks.
After some further experimentation, I have noticed additional behavior.
Steps taken are as follows:
I deleted both client and server certificates, and recreated them in accordance with
....codeproject.com/Articles/36683/9-simple-steps-to-enable-x-509-certificates-on-wcf
I added the new sslcert using netsh. I then exported the client certificate from the server and
imported it into the client store.
I modified the service app.config with the new certificates info, and started the service.
I modified the client app.config as follows:
<endpointBehaviors>
<behavior name="EndpointBehavior">
<clientCredentials>
<clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="WCFClient" />
<serviceCertificate>
<authentication certificateValidationMode="PeerTrust" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
I updated the Service Reference. The update procedure once again issued a Security Alert as before.
I then executed the client, and received this error:
"The client certificate is not provided. Specify a client certificate in ClientCredentials."
I then set a breakpoint on "client = new WCFService.Client();" and checked the "client" instance.
The value of client.ClientCredentials.ClientCertificate.Certificate = null.
I then added the following in code after "client = new WCFService.Client();":
X509Store store = new X509Store("My", StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
X509Certificate2Collection collection = (X509Certificate2Collection) store.Certificates;
foreach (X509Certificate2 x509 in collection)
{
if (x509.Thumbprint == "236D7D4AD95753B8F22D3781D61AACB45518E1B5")
{
client.ClientCredentials.ClientCertificate.SetCertificate(
x509.SubjectName.Name, store.Location, StoreName.My);
}
}
After execution of this code, client.ClientCredentials.ClientCertificate.Certificate contained the certificate.
When then executing "client.Open();" , an exception is thrown with the following contents.
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
The remote certificate is invalid according to the validation procedure.
Could not establish trust relationship for the SSL/TLS secure channel with authority
If anyone with knowledge of what may be happening here could shed some light on this I will be very grateful.

The last error message indicates that your server is requesting a client certificate from the client (the server has to ask), and the client is providing a certificate, but the server is not able to determine whether the client certificate is valid based on information available on the server machine.
Since you are using self-signed certificates (not CA issued certificates), you need to tell the server how to validate the client certificates. You may need to install the client certificates in the server's My/LocalMachine/Trusted People cert store so that WCF's default certificate validation can find them, or implement your own custom client certificate validator on the server. (See WebHttpBinding.Credentials.ClientCertificate.Authentication.CertificateValidationMode and WebHttpBinding.Credentials.ClientCertificate.Authentication.CustomCertificateValidator)

I did notice that in your endpoint definition, you did not refer to the behavior that you defined. It looks as if you are doing the equivalent, by-hand via some code. It might be simpler to just wire-it-up in the config.
I would expect your endpoint to look (more) like this:
<endpoint address="https://10.0.0.103:8003/SBSWCFServiceHost/Operations/"
binding="wsHttpBinding" bindingConfiguration="wsHttpEndpoint"
contract="SBSWCFService.IOperations" name="wsHttpEndpoint"
behaviorConfiguration="EndpointBehavior">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
This was the solution, when I was getting the error "The client certificate is not provided. Specify a client certificate in ClientCredentials".

Adding a service reference to a WCF service with webHttpBinding and security mode Transport results in an incorrect config file

I have searched and searched and I cannot find a solution. It seems like it would be relatively common to run into this... WCF REST service over https. When I add the service reference all of the proxy classes are correct and I can create the objects defined in the service, call the services, etc. However, I can't create a configured client with the proxy's client classes. I have to explicity create the bindings, behaviors, and endpoints and add them to the client. FOr example, what I should be able to do, based on all of my research is:
ServiceClient = new ServiceClient();
And be off and running. However, what I have to do is:
WebHttpBinding serviceBinding = new WebHttpBinding(WebHttpSecurityMode.Transport);
serviceBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
EndpointAddress endPointAddress
= new EndpointAddress(<endpointaddress>);
// Create Service Client
ServiceClient = new ServiceClient(serviceBinding, endPointAddress);
// Add Web Behavior to the EndPoint
WebHttpBehavior webHttpBehavior = new WebHttpBehavior();
ServiceClient.Endpoint.Behaviors.Add(webHttpBehavior);
// Set up the request to POST with a wrapped request
WebInvokeAttribute postAttribute = new WebInvokeAttribute();
postAttribute.Method = "POST";
postAttribute.BodyStyle = WebMessageBodyStyle.WrappedRequest;
ServiceClient.Endpoint.Contract.Operations.Find(<operationname>).Behaviors.Add(postAttribute);
In order to mimic the service configuration:
<behaviors>
<endpointBehaviors>
<behavior name="AspNetAjaxBehaviorXml">
<webHttp />
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="AuthenticationServicesBehavior">
<serviceMetadata httpsGetEnabled="true" policyVersion="Policy15" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="LoggingServicesBehavior">
<serviceMetadata httpsGetEnabled="true" policyVersion="Policy15" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="True" />
<bindings>
<webHttpBinding>
<binding name="WebSslBinding">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</webHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="AuthenticationServicesBehavior"
name="AuthenticationServices">
<endpoint address="authenticate" behaviorConfiguration="AspNetAjaxBehaviorXml"
binding="webHttpBinding" bindingConfiguration="WebSslBinding"
name="AuthenticationEndPoint" bindingNamespace="<mynamespace>"
contract="IService" />
</service>
The "Add Service Reference" is giving me this:
<bindings>
<customBinding>
<binding name="AuthenticationEndPoint">
<!-- WsdlImporter encountered unrecognized policy assertions in ServiceDescription 'EchoAppsServices': -->
<!-- <wsdl:binding name='AuthenticationEndPoint'> -->
<!-- <sp:HttpsToken xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">..</sp:HttpsToken> -->
<textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
messageVersion="Soap12" writeEncoding="utf-8">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
</textMessageEncoding>
</binding>
</customBinding>
</bindings>
<client>
<endpoint binding="customBinding" bindingConfiguration="AuthenticationEndPoint"
contract="AuthenticationService"
name="AuthenticationEndPoint" />
</client>
I believe my inability to create a default client that works out of the box is related to the problem with WsdlImporter. I get a similar error when I use svcutil:
Warning: The following Policy Assertions were not Imported:
XPath://wsdl:definitions[#targetNamespace='<mynamespace>']/wsdl:binding[#na
me='AuthenticationEndPoint']
Assertions:
<sp:HttpsToken xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolic
y'>..</sp:HttpsToken>
I'm sure it has something to do with my self signed cert, but I can't get makecert to give me a functioning cert with a CA that doesn't cause my IIS to crash.
Environment details:
VS2008
XP 64bit
.NET 3.5
IIS6
Thanks in advance for any help...

If you want to create client proxy classes, why would you use webHttpBinding. Why not just use wsHttpBinding?
The whole point of webHttpBinding was so that you could use standard Http toolkits like HttpWebRequest and Microsoft.Http.HttpClient on the client to access the service.

Not sure if that's just a typo - but your code and config don't match.
See in your code:
serviceBinding.Security.Transport.ClientCredentialType =
HttpClientCredentialType.Windows;
but in your config:
<webHttpBinding>
<binding name="WebSslBinding">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</webHttpBinding>
In code, you set your HttpClientCredentialType to Windows (integrated Windows authentication), but in config, you set it to None.
Try changing your config to use Windows as well:
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
and try again.
If you don't get any better results : why not just update the client config manually, after the import? The WSDL importer is known to have hiccups here and there, and most often, just using your brain and manual config adaption can solve the problem. You basically just need to copy the <endpointBehaviors> and the <bindings> sections into your client side config and define a <client> section which references the appropriate endpoint - that's pretty much all.

You bring up a good point, but I started down this road to make a RESTful web service that can be called either from the client or the server. I can call it from both right now just the way it is but I have to explicitly configure the server side. This is unacceptable because this application will be deployed to multiple end users and it's easier to change a configuration file than it is to patch. I know that I could create multiple endpoints, but I would much rather only have to maintain one per service.
Thank you for your reply.

WCF Metadata on separate port and not SSL

Pretty new to complex WCF configs and have looked around, but couldn't clearly answer this.
I'm looking for a yes this is possible and ideally a sample or no, this is not possible.
Question:
Can you separate out the Metadata (WSDL) from a secure transport (SSL) service and make it plain old HTTP?
We have a WCF service that is using Transport security (SSL) for the service.
At this stage, during development we're using our own Certificates for the SSL, so we're a CA.
So the WSDL is exposed using
<serviceMetadata httpsGetEnabled="true" />
Under the service behaviours.
When you browse to the WSDL https://devserver:8010/MyService/?wsdl you get the usual, don't know the CA warning and just click IGNORE to continue on.
One of the problems I've got is that a proxy generation tool like JAX-WS just bails with a HTTP.403 Forbidden warning, even though I've put the CA certificate into the JDK/JRE keystore for cacerts.
So I was thinking, if I could separate out the Metadata then you could expose that on HTTP on a separate port and then there's no certificate issues for generating proxies.
So I tried marking the service metadata as follows:
<serviceMetadata httpGetEnabled="true" httpGetUrl="http://devserver:8011/MyService/" />
But this doesn't work as it's now mixing up the behaviour.
Perhaps I've missed something?
Perhaps this isn't possible?
And yes, to some extent it is moot, as a production machine WOULD have a trusted CA and therefore you won't get the certificate trust warnings.
However, it's now become a question of is this possible?
All help appreciated, thanks
Hadley

You also need to specify your MEX endpoint
http://bloggingabout.net/blogs/dennis/archive/2006/11/09/WCF-Part-4-3A00-Make-your-service-visible-through-metadata.aspx
Note it will need a different binding configuration with security = None instead of transport.

Did some more trial and error and the end result which works is like this. This is shortened for brevity.
<behaviors>
<serviceBehaviors>
<behavior name="serviceBehaviour">
<serviceMetadata httpGetEnabled="true" httpGetUrl="http://devserver:8022/MyService/" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding name="basicHttp" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647">
<readerQuotas maxStringContentLength="2147483647" maxArrayLength="2147483647" />
<security mode="Transport">
</security>
</binding>
</basicHttpBinding>
<webHttpBinding>
<binding name="webHttp">
<security mode="None">
</security>
</binding>
</webHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="serviceBehaviour" name="MyService">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="basicHttp"
name="httpsEndpoint" contract="IMyService" />
<host>
<baseAddresses>
<add baseAddress="https://devserver:8020/MyService/" />
</baseAddresses>
</host>
</service>