WCF Http Bindings, Require SSL - wcf

I have the following binding I'm using with my wsHttpBinding webservice.
<binding name="wsHttpConfig">
  <security>
    <transport clientCredentialType="None"/>
  </security>
</binding>
The issue is that it allows for the client to connect using either Http or Https. I would like to require them to use SSL. I tried adding the following:
<system.web.extensions>
  <scripting>
    <webServices>
      <authenticationService enabled="true"
                             requireSSL="true"/>
    </webServices>
  </scripting>
</system.web.extensions>
But it had no effect; client could still connect with Http. I then tried checking the "Require SSL" in the IIS7 SSL Settings and had client certificates radio set to Accept. Now, when I try to view the service I am getting the error "Could not find a base address that matches scheme http for the endpoint with binding WSHttpBinding. Registered base address schemes are [https]."
Anyone know exactly how to fix this error? I have been googling for the last 3 hours trying 500 different combinations (not 500, but too many to list) and could not get anything to run.

For anyone stumbling across this one from Google, Bing (Bingle, Yangle?) then take a look at a blog post I put together to help others trying to run a secure AuthenticationService in a test environment.
http://www.lukepuplett.com/2010/07/setting-up-wcf-over-ssl-on-iis-7x.html
And good luck!

Have you read this msdn post?
You must either change
binding="mexHttpBinding"
to
binding="mexHttpsBinding"
or else add an http base address in addition to the https base address. (Right now the metadata endpoint is trying to get hosted on http, rather than https, and there's no base address for that.)
Have you correctly configured your endpoint?
Have you tried dynamically configuring the base address?

Related

Few basic query regarding entries in config file for WCF service end as a wcf starter

I am very new to the WCF world. I just downloaded some code and saw the WCF service config file, but I am confused about the entries in the config file for the WCF service due to my lack of knowledge. I went through some online articles but I am still confused.
Here are my questions:
1) <service name="WCFService.Service"
When is the service name required? Can I omit the service name, and if yes, what kind of problem may occur?
2) Can I set any name as the service name, like abc.xyz, or is there some rule for assigning the service name?
3) What is the use of the base address? If one omits the base address, what can the problem be?
When is a base address required? According to the config entries below there are two base addresses... why are two base addresses required? When do people give more base addresses? Just see the 2 base addresses below and tell me why people give two base addresses and not one... is there any specific reason?
4) There are two endpoints: one is tcp and another is mex.
If I omit the mex base address, then the service will not be discoverable? If yes, that means no one can create a proxy from the VS IDE or svcutil... am I right?
5) If the mex endpoint is removed, then how can one interact with the service? There must be some other way out. If so, tell me how one can interact with the service from the client end.
6)
Just see the above mex endpoint and tell me, can we write the mex endpoint URL as anything, like
**net.tcp://localhost:1645/MyServer/mex** instead of ChatServer?
Actually, the WCF service is hosted in a win form project whose name is ChatServer. Is this the reason that the URL becomes net.tcp://localhost:1645/ChatServer/mex?
I have seen many times people write the mex endpoint like and here no URL is assigned to the address tag of the mex endpoint... why?
When should I write the mex endpoint like above? Please explain with an example.
7) What is the meaning of /mex... net.tcp://localhost:1645/ChatServer/mex
Is /mex mandatory, and is mex a fixed word?
8) Now see the tcp endpoint
The tcp endpoint address has no URL; rather, the word tcp has been assigned to the address property... why?
Can't we assign any valid URL to the address field of the tcp endpoint?
9) Will the address field of the tcp endpoint always have the fixed word "tcp"? Is it a rule or a convention?
10) If I need to add another endpoint called wsdualhttp binding, then what do I need to write in the config file?
11) Suppose someone is developing a service which will be hosted in IIS, but the clients can be another ASP.NET web app and win apps; then what does he/she need to do?
Then what URL should the client use to create a proxy from the VS IDE? Can anyone come up with sample config entries?
12) How do I write the config file if I want people to be able to create a proxy of my service using two URLs, like... one is, as a sample, net.tcp://localhost:1645/ChatServer/mex and another one
is http://localhost:1645/ChatServer/message.svc
I know my questions are very basic, but I am still not able to sort these questions out.
Also guide me on how I could gain strong knowledge for creating config file entries boldly.
Is there any tool which will create the right config entries for my service... is there any automated app which will do it on behalf of the developer? Thanks.
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.serviceModel>
    <services>
      <service name="WCFService.Service" behaviorConfiguration="behaviorConfig">
        <host>
          <baseAddresses>
            <add baseAddress="net.tcp://localhost:1645/ChatServer/"/>
            <add baseAddress="http://localhost:1648/ChatServer/"/>
          </baseAddresses>
        </host>
        <endpoint address="tcp"
                  binding="netTcpBinding"
                  bindingConfiguration="tcpBinding"
                  contract="ChatService.IChat"/>
        <endpoint address="net.tcp://localhost:1645/ChatServer/mex"
                  binding="mexTcpBinding"
                  contract="IMetadataExchange"/>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="behaviorConfig">
          <serviceMetadata httpGetEnabled="true" httpGetUrl=""/>
          <serviceDebug includeExceptionDetailInFaults="true"/>
          <serviceThrottling maxConcurrentCalls="100" maxConcurrentSessions="100"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <bindings>
      <netTcpBinding>
        <binding name="tcpBinding"
                 maxBufferSize="67108864"
                 maxReceivedMessageSize="67108864"
                 maxBufferPoolSize="67108864"
                 transferMode="Buffered"
                 closeTimeout="00:00:10"
                 openTimeout="00:00:10"
                 receiveTimeout="00:20:00"
                 sendTimeout="00:01:00"
                 maxConnections="100">
          <security mode="None">
          </security>
          <readerQuotas maxArrayLength="67108864"
                        maxBytesPerRead="67108864"
                        maxStringContentLength="67108864"/>
          <reliableSession enabled="true" inactivityTimeout="00:20:00"/>
        </binding>
      </netTcpBinding>
    </bindings>
  </system.serviceModel>
</configuration>
My edited part starts here
3) What common part are you talking about? What common part have you seen in my complete config file? Please explain with an example.
You said... If you omit base address, you need to specify common part multiple times every time. Multiple base address are required if endpoints are specified for multiple transport protocol
Can you please help me understand, with an example, what you said about omitting the base address, because things are not clear to me after reading your answer for point 3.
4) If I disable mex endpoints, then how can I create WSDL with svcutil? If I give my service DLL, then the client can decode the code and get my full source code. Can you tell me more elaborately what you are trying to say for point 4?
12) If I expose two URLs for consuming my service, then can an ASP.NET client create a service proxy using the tcp URL, like net.tcp://localhost:1645/ChatServer/mex?
Will there be any problem for a web client using the tcp binding? Because tcp is stateful but the web is stateless... that is why I am asking whether there will be any problem for a web client using the tcp binding URL net.tcp://localhost:1645/ChatServer/mex
13) In my example the mex endpoint looks like
but many people create the mex endpoint like
So tell me, what is the difference between the two mex endpoints? Also tell me when one should go for the 1st mex endpoint and when people go for the second mex endpoint.
14) In my case, if I would write the mex endpoint like
and the tcp endpoint like
then what would be the result? Would my service be discoverable or not?
What address should I use to create the service proxy in that case?
If possible, please answer my questions with a mini sample for easy understanding, because I am very new to WCF... thanks
Your answers one by one:
1) Service name is always required. If you omit it in the configuration file, a runtime error will occur related to a malformed configuration file (with an error indicating an invalid service name). If you omit it from the code, it will cause a compile-time error.
2) No. The service name should correspond to the type that is implementing the service (along with its namespace). Check this answer for detail.
3) If multiple endpoints are defined (like a service endpoint and a mex endpoint) with some common part, then the common part can be specified in the base address tag. Only the differential part is then required in the endpoint address attribute (usually "" for the service endpoint and "mex" for the mex endpoint). If you omit the base address, you need to specify the common part multiple times, every time. Multiple base addresses are required if endpoints are specified for multiple transport protocols (i.e. a different base address for http and net.tcp).
Example is here with and without baseaddress.
Common part is "net.tcp://localhost:1645/ChatServer"
4) If you omit the mex endpoint, you need to provide the contract information offline to the client. As you have mentioned, the service will not be discoverable. Thus you need to supply the service/data contract information (as WSDL / library / source file) somehow to the client application.
To create a client, all you need is the contracts and configuration. If mex is available, this information is gathered from the mex endpoint. If mex is not available, this information must be made available offline. Example: sending the contracts library and configuration by email.
5) The way out is to provide contract information offline (as mentioned in step 4).
6) Yes, but not recommended, to avoid ambiguity.
7) No, "mex" is not fixed. It can be anything (as long as the URL is valid). "mex" is just an unsaid protocol/standard.
8) Endpoint address = baseAddress + address attribute.
In this case the address (of the tcp endpoint) = "net.tcp://localhost:1645/ChatServer/" + "tcp"
9) It is not a convention. It could be anything (as long as the URL is valid).
10) Refer to the link for wsdualhttpbinding configuration. However, note that since the transport protocol is http, you need to provide the full address. baseAddress will not be picked up. This is due to protocol mapping.
11) The client app (be it ASP.NET / console / win app / WPF / any other) needs to add the WCF client configuration and proxy.
12) It is up to the client to decide which URL they want to use (provided they have access and they are aware). If you want to do it on the server side, you may use the Routing service feature (available in WCF 4.0 onwards).
I am not sure how a web client uses tcp clients (does the security policy allow this?). Whatever the case, exposing two endpoints from the server side has no issues regarding how the client will access the endpoints.
13/14) Code snippets are not visible due to a formatting issue.

WCF SOAP over HTTPS, WCF Test Client calls the http address and the server responds with 404

TL;DR version is at the bottom.
I have constructed three WCF web services -- one that's using .NET 4 and two that are using .NET 3.5 -- that are consumed by an Android client. The Android client performs the calls using ksoap2-android. When the services were complete and the client could make all the calls and get all the data from the services, we decided to activate HTTPS communication for the web services. They are hosted on a server running IIS.
I'm not alone on this task. I work full-time with it, mainly the Android client. I have two coworkers, both of which have a lot of other responsibilities. The first is mostly involved in the services and the second is mostly involved in the server.
I've read a lot of guides, blogs and articles on the Internet on how to enable HTTPS for a WCF web service, but still I haven't been able to completely resolve this. For the Android client to be able to consume the client, we are limited to using the basicHttpBinding, since the wsHttpBinding contains some security details that are not supported by Android, or something. I'm not sure, but I read it in some forum somewhere. If I'm wrong, I'd happily be corrected!
Okay, so I'll give a short account of what I've done so far:
I've enabled transport security, this is how the binding(s) look:
<bindings>
  <basicHttpBinding>
    <binding name="basicHttp" closeTimeout="00:10:00" receiveTimeout="00:10:00" sendTimeout="00:10:00">
      <security mode="Transport">
        <transport clientCredentialType="None" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
I've enabled meta data publishing over HTTPS using this line of code:
<serviceMetadata httpsGetEnabled="true" />
and this:
<endpoint address="" binding="mexHttpsBinding" contract="IMetadataExchange" />
Also, my second coworker has installed a trusted certificate (a real certificate from a CA) on the IIS server and added a https binding on the server.
Okay, so far, so good. Now we could connect to the services in the browser.
When we had done this it was possible to visit the service in the browser in a secure, encrypted, manner.
The problem is that it isn't possible to make a call to the service, neither in Android nor WCF Test Client. If I call the service on the https address, I get a 404 in response. WCF Test Client returns this:
There was no endpoint listening at https://[my service address] that could accept the message. This is often caused by an incorrect address or SOAP action.
To be able to debug this, I'm using Wireshark to intercept the messages and see what really happens. I've found out that after the set up procedures (handshake, establishing trust etc.) the client sends the header and get a 101 Continue in response, after which it POSTs the body. This should be normal behavior. But then the service returns 404 Not Found. Wireshark says that the full request URI is the http address. I've configured the server to use the https address, so why does it make a call to the http address?
I've tried setting the address and listenUri attribute of the endpoint to https and http respectively and the other way around. If I do that, the server answers the request with 405 Method Not Allowed.
Is there any way to solve this? What am I missing?
TL;DR version below
I'm hosting three WCF SOAP web services with IIS, one using .NET 4 and the others using .NET 3.5. I'm trying to make a call from the WCF Test Client over HTTPS. I've enabled transport security, meta data publishing over HTTPS, installed a trusted certificate and added a https binding on the server.
When I try to make a call from WCF Test Client it says that there was no endpoint listening at the address. Wireshark tells me it makes the call to the http version of the service (i.e. "http://[my address]" instead of "https://[my address]"), although it is configured to call the https address. The service returns 404 Not Found. If I set the address of the service to https and listenUri to http, I get 405 Method Not Allowed. If I do it the other way around it says that it cannot be activated. What am I missing?
I solved this by removing the endpoint and using the <protocolMapping> tag, like this:
<protocolMapping>
  <add scheme="https" binding="basicHttpBinding" bindingConfiguration="basicHttps" />
</protocolMapping>

WCF no SVC file and no Config: Could not find a base address that matches scheme http for the endpoint with binding WebHttpBinding

Am using the new VS2010 template for Rest Web Services, which sets up the service without an SVC file and with minimum config, and you set up the route in the global.asax.cs file.
On deploying my WCF Rest Service to a test environment where it's accessed by https, I get an exception: Could not find a base address that matches scheme http for the endpoint with binding WebHttpBinding. Registered base address schemes are [https].
Have found solutions to this on Scott's Blog and Taciturn Discourse.
However these solutions are based on having the WCF being configured via the more traditional config route with full specification of endpoint address, binding, contracts.
In the simplified template approach, as we don't setup the endpoint ABC explicitly in config, then how can we fix this issue of the missing base address?
Sorted this out, because using https, need to specify that security is being set at the transport layer. So include this in the system.serviceModel config:
<bindings>
  <webHttpBinding>
    <binding>
      <security mode="Transport" />
    </binding>
  </webHttpBinding>
</bindings>
My thanks to the two posts below that provided the solution, however found I did not need to put in all their recommendations to get it to work
Configuring WCF 4 with routing (global.asax) for both http & https endpoints
http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/1dd991a1-e32f-4035-a406-994729858b40
Cheers, Mickey

WCF using Transport always attempts to use HTTPS when I don't want it to

I keep getting the following error "Could not find a base address that matches scheme https for the endpoint with binding WebHttpBinding. Registered base address schemes are [http]." This started because I went to Basic Transport Authentication by adding:
<webHttpBinding>
  <binding name="secureBasic">
    <security mode="Transport">
      <transport clientCredentialType="Basic" />
    </security>
  </binding>
</webHttpBinding>
After googling the common fix seemed to be the following code, but I had no success with it:
<baseAddressPrefixFilters>
  <add prefix="http://mywebsiteurl"/>
</baseAddressPrefixFilters>
Still, nothing works. All I want is to use basic http authentication on a non-https connection. I have configured absolutely nothing and it appears by default WCF wants to force a HTTPS connection. Anyone run into this?
If you tell WCF to use transport security mode, you must use a transport protocol that supports secure communication. HTTP doesn't support secure communication because it's a plaintext protocol (anyone that intercepts your communication can simply read what is being transmitted). HTTPS does support secure communication so your only option for a webHttpBinding with transport security is to use HTTPS (which you can configure in IIS).
Here is a blog post describing your error and how to solve it using TransportCredentialOnly. It's about basicHttpBinding but the same holds for your webHttpBinding.
If you want only transport level authentication (= Basic authentication) but you don't want transport level secure communication (= HTTPS) you have to set security mode to TransportCredentialOnly.
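As an added example (not code from any of the posts on this page), this Python script applies the rule behind both "Could not find a base address that matches scheme ..." errors quoted above: an endpoint's binding and security mode fix the scheme it needs, and that scheme must be among the host's registered base-address schemes. It also flags endpoints that would run over plain HTTP, including Basic credentials sent under TransportCredentialOnly. It assumes IIS hosting with relative endpoint addresses; the function names, finding labels and the sample's service and contract names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Security modes that put an HTTP-family binding on https.
HTTPS_MODES = {"Transport", "TransportWithMessageCredential"}
# WCF defaults when <security> carries no mode attribute.
DEFAULT_MODE = {"basicHttpBinding": "None", "webHttpBinding": "None",
                "wsHttpBinding": "Message"}
# Bindings whose scheme is fixed (net.tcp security is not assessed here).
FIXED_SCHEME = {"mexHttpBinding": "http", "mexHttpsBinding": "https",
                "netTcpBinding": "net.tcp", "mexTcpBinding": "net.tcp"}

def binding_security(root, binding, config_name):
    """Return (mode, transport clientCredentialType) for an endpoint's binding."""
    mode, cred = DEFAULT_MODE.get(binding, "None"), None
    for b in root.findall(f".//bindings/{binding}/binding"):
        sec = b.find("security")
        if b.get("name", "") == (config_name or "") and sec is not None:
            mode = sec.get("mode", mode)
            transport = sec.find("transport")
            cred = transport.get("clientCredentialType") if transport is not None else None
    return mode, cred

def audit(config_xml, registered_schemes):
    """List (binding, finding, scheme) for endpoints that fail or run in cleartext."""
    root = ET.fromstring(config_xml)
    findings = []
    for ep in root.findall(".//services/service/endpoint"):
        binding = ep.get("binding")
        mode, cred = binding_security(root, binding, ep.get("bindingConfiguration"))
        scheme = FIXED_SCHEME.get(binding) or ("https" if mode in HTTPS_MODES else "http")
        if scheme not in registered_schemes:
            findings.append((binding, "no-base-address", scheme))  # activation error
        elif mode == "TransportCredentialOnly" and cred == "Basic":
            findings.append((binding, "cleartext-credentials", scheme))
        elif scheme == "http":
            findings.append((binding, "cleartext", scheme))
    return findings

# Constructed sample: the first question's binding (no mode attribute) plus a
# mexHttpBinding endpoint. Service and contract names are placeholders.
SAMPLE = """
<system.serviceModel>
  <bindings><wsHttpBinding>
    <binding name="wsHttpConfig">
      <security><transport clientCredentialType="None"/></security>
    </binding>
  </wsHttpBinding></bindings>
  <services><service name="Example.Service">
    <endpoint address="" binding="wsHttpBinding"
              bindingConfiguration="wsHttpConfig" contract="Example.IService"/>
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
  </service></services>
</system.serviceModel>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, {"https"}):  # site with only an https binding
        print(finding)
```

With the sample, both endpoints resolve to http because the wsHttpBinding has no mode attribute and so defaults to Message security; setting mode="Transport" and switching the metadata endpoint to mexHttpsBinding clears both findings for an https-only site.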

IIS Rest over HTTPS only

I've asked a similar question here:
How to enforce one method in WCF Rest to be called via https, while others can be called over http
And it doesn't look like it is possible on the code side. Is it possible to set up an entire service to be callable over HTTPS only? I've configured a service using the following binding:
<webHttpBinding>
  <binding name="webBinding"
           maxBufferSize="152428800" maxReceivedMessageSize="152428800"
           receiveTimeout="00:10:00">
    <readerQuotas maxStringContentLength="152428800"
                  maxArrayLength="152428800"
                  maxBytesPerRead="4096"/>
    <security mode="Transport">
      <transport clientCredentialType="None" />
    </security>
  </binding>
</webHttpBinding>
But when I try to call a simple service over http, the service returns the result happily, rather than returning some sort of exception. Do I need to configure IIS to only service https requests? Has anyone tried this?
Thanks!
Did you configure IIS to require SSL on your application's folder? (you can set it to allow ssl or make it mandatory)
You can always add an explicit endpoint to your service entry with a fully-qualified https address. Can't remember if IIS hosting always auto-adds the base addresses when you have an explicit address, but even if it does, you can make a simple extension of ServiceHostFactory to "eat" the default base addresses IIS supplies (reference your custom servicehostfactory in the Factory attribute of your .svc file). Then it'll only answer on the exact addresses you supplied in the config.
It's possible via configuration. This Blog Article is not your exact scenario (it's file transfer over https), but it shows sample config and code for configuring and consuming a https web service that should be useful.