WCF Authentication With SSL - wcf

I am very new to WCF and I have created a service to be consumed via a Windows Mobile app using the basicHttpBinding. I am now looking at how to implement encryption and authentication and I am not getting very far.
I have added the following to my server side service configuration (which I believe is correct):
<basicHttpBinding>
  <binding name="SecurityByTransport">
    <security mode="TransportWithMessageCredential">
      <message clientCredentialType="UserName" />
      <transport clientCredentialType="Certificate" />
    </security>
  </binding>
</basicHttpBinding>
Now after installing a temporary certificate on my IIS instance I can navigate to my service via https.
At this point I used Visual Studio's built-in tool for running svcutil.exe and generated my proxy, which connects just fine.
The issue I have is in the client config, in that the endpoint reference is using http and not https. If I change this I get the following error:
The provided URI scheme 'https' is invalid; expected 'http'.
Which obviously I do not want.
Also in my client config the security specified seems to be "None", is this right?

Related

WCF rest service client certificate issue

I have an SSL-secured (https) RESTful WCF service hosted in IIS (7.5). This service has 2 endpoints. One endpoint expects a client certificate and the other does not expect a client certificate.
Client certificate setting in IIS is
Now, when I run my test case from Visual Studio, everything works fine. No problems.
The problem is when the actual client (which is a website hosted in IIS) tries to communicate with the WCF service over the endpoint which does NOT expect a client certificate.
When the website makes such a call, the browser (IE, Chrome) pops up a dialog box to select the client certificate.
If the endpoint is not expecting a client certificate, then why is the browser popping up this dialog box to select a client certificate?
Endpoint bindings look like this
<webHttpBinding>
  <binding name="webBinding">
    <security mode="Transport">
      <transport clientCredentialType="None"/>
    </security>
  </binding>
  <binding name="webSecureBinding">
    <security mode="Transport">
      <transport clientCredentialType="Certificate" />
    </security>
  </binding>
</webHttpBinding>

Authentication on WCF Service using BasicHttpBinding and Authorization header

I'm having some issues with authentication on a third party's WCF service. I don't know how it's configured; it's like a black box for me. The only thing that I know is that those web services should use Basic authentication, but may not.
I've added Fiddler, and even Wireshark, to analyze what's happening inside of those requests, and found out that requests with an Authorization header do get authenticated. So basically, using SoapUI I was able to authenticate on that WCF service.
I've generated a test client using svcutil and specified config file like this:
<bindings>
  <basicHttpBinding>
    <binding name="BasicHttpBinding_1" useDefaultWebProxy="false">
      <security mode="Message">
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
<client>
  <endpoint address="http://theurl.svc"
            binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_1"
            contract="CA_TestMediaSaturn.IDCIntegration" name="BasicHttpBinding_2" />
</client>
Also I've added authorization information to client in code file:
client.ClientCredentials.UserName.UserName = "one";
client.ClientCredentials.UserName.Password = "two";
But I wasn't able to get that Authorization header encoded in base64.
I wonder how I can configure my client to send that header in order to get authorized on the web service side. I did find an article describing how to do it on your own. But maybe there is a way to make it a lot easier?
UPDATE 1:
I've just received the service configuration settings from the 3rd party vendor. Maybe it can somehow help in finding out the reason for the error.
<bindings>
  <basicHttpBinding>
    <binding name="BasicHttpBinding_1">
      <security mode="TransportCredentialOnly">
        <message clientCredentialType="UserName"/>
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
You should set mode="Transport" instead of "Message". This will generate the Authorization header. The current setting is message security, so authentication is inside SOAP.
EDIT: Seems like you need to pre-authenticate.
In general WCF will first not send the Authorization header, and if the service returns a challenge to do it, then it will send the message again with the header. Some servers do not support this challenge mechanism and will require the Authorization header to be sent already at the first shot. This is called pre-authentication in .NET 2. Unfortunately WCF does not support it. But you could do it yourself: first set security mode to None so WCF will not send security at all. Then see the example here for how to add this header yourself to the WCF call.
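One way to add the header yourself, as the answer above suggests. This is an added example, not the code from the article the answer links to; the class name `BasicAuthHeaderBehavior` is hypothetical and UTF-8 credential encoding is an assumption about the server.

```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Text;

// Added example (not from the linked article): puts a Basic Authorization
// header on every outgoing request, including the first one.
public sealed class BasicAuthHeaderBehavior : IEndpointBehavior, IClientMessageInspector
{
    private readonly string headerValue;

    public BasicAuthHeaderBehavior(string userName, string password)
    {
        // "Basic " + base64(user:password). UTF-8 is an assumption about the server.
        // Base64 is an encoding, not encryption: over http:// the password is readable on the wire.
        byte[] raw = Encoding.UTF8.GetBytes(userName + ":" + password);
        headerValue = "Basic " + Convert.ToBase64String(raw);
    }

    public object BeforeSendRequest(ref Message request, IClientChannel channel)
    {
        // Reuse the HTTP property if another component already attached one.
        object existing;
        HttpRequestMessageProperty http;
        if (request.Properties.TryGetValue(HttpRequestMessageProperty.Name, out existing))
        {
            http = (HttpRequestMessageProperty)existing;
        }
        else
        {
            http = new HttpRequestMessageProperty();
            request.Properties.Add(HttpRequestMessageProperty.Name, http);
        }
        http.Headers[HttpRequestHeader.Authorization] = headerValue;
        return null; // no correlation state needed
    }

    public void AfterReceiveReply(ref Message reply, object correlationState) { }
    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime)
    {
        clientRuntime.MessageInspectors.Add(this);
    }
    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters) { }
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher) { }
    public void Validate(ServiceEndpoint endpoint) { }
}
```

Attach it to the generated proxy before the first call with `client.Endpoint.Behaviors.Add(new BasicAuthHeaderBehavior("one", "two"));`.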

UsernameToken and SSL in WCF 4 web service - but with basicHttpBinding

A few months ago I asked about UsernameToken and SSL in WCF 4 web service and received a good answer using wsHttpBinding.
However now we have had to revert to using basicHttpBinding due to incompatibilities with a Java client. I've tried switching the configuration as follows....
<bindings>
  <basicHttpBinding>
    <binding name="secureBinding">
      <security mode="TransportWithMessageCredential">
        <transport clientCredentialType="None"/>
        <message clientCredentialType="UserName"/>
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
And then using this config in the service...
<service name="ServiceName">
  <endpoint binding="basicHttpBinding" bindingConfiguration="secureBinding" contract="ContractType" />
</service>
However when I try to make a call to this service I am getting back an error...
The provided URI scheme 'https' is invalid; expected 'http'.
Parameter name: via
Is there something else I need to configure to make this work with basicHttpBinding?
(Please note: My original requirements are still the same - SSL, usernametoken)
As per my comments (below the original question) this was actually a problem when using WCFStorm as the client.
The solution to this was found as one of the answers on this question The provided URI scheme 'https' is invalid; expected 'http'. Parameter name: via
This was to click on the "Config" settings option (NOT THE "Client Config") in WCFStorm. After clicking on that, click on the "Security" tab on the dialog that pops up. Make sure "Authentication Type" is set to "None" (The default is "Windows Authentication").
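Both this question and the first one on the page report "The provided URI scheme 'https' is invalid; expected 'http'", which WCF raises when a client binding that uses an HTTP transport is pointed at an https address. The following is an added example, not code from either poster: it checks a `BasicHttpBinding` against the endpoint scheme before a channel is created. The contract `IDemoService`, the address and the credentials are placeholders.

```csharp
using System;
using System.ServiceModel;

// Added example. The address, contract and credentials are placeholders.
[ServiceContract]
public interface IDemoService { [OperationContract] string Ping(); }

public static class BasicHttpSchemeCheck
{
    // BasicHttpBinding chooses its transport from the security mode:
    // Transport and TransportWithMessageCredential run over HTTPS,
    // None, Message and TransportCredentialOnly run over plain HTTP.
    public static string ExpectedScheme(BasicHttpSecurityMode mode)
    {
        switch (mode)
        {
            case BasicHttpSecurityMode.Transport:
            case BasicHttpSecurityMode.TransportWithMessageCredential:
                return Uri.UriSchemeHttps;
            default:
                return Uri.UriSchemeHttp;
        }
    }

    // Fails early with both values named, instead of the "via" error at channel creation.
    public static ChannelFactory<T> CreateFactory<T>(BasicHttpBinding binding, Uri address)
    {
        string expected = ExpectedScheme(binding.Security.Mode);
        if (!string.Equals(address.Scheme, expected, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException(string.Format(
                "Security mode {0} expects '{1}' but the address uses '{2}'.",
                binding.Security.Mode, expected, address.Scheme));
        return new ChannelFactory<T>(binding, new EndpointAddress(address));
    }

    public static void Main()
    {
        var address = new Uri("https://service.example.test/Service.svc"); // placeholder
        // Mirrors the server-side TransportWithMessageCredential / UserName binding.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;
        var factory = CreateFactory<IDemoService>(binding, address);
        factory.Credentials.UserName.UserName = "user";     // placeholder
        factory.Credentials.UserName.Password = "password"; // placeholder
        Console.WriteLine("Client binding and address agree: " + factory.Endpoint.Address.Uri);
    }
}
```

A generated client config whose security is "None" corresponds to `BasicHttpSecurityMode.None` here, so `CreateFactory` rejects it for an https address.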

What is the equivalent of passing DefaultCredentials in WCF?

This answer explains that when calling a .asmx web service there's no need to specify which authentication type to use:
WebServiceProxy proxy = new WebServiceProxy(); // Derived from SoapHttpClientProtocol
proxy.Credentials = CredentialCache.DefaultCredentials;
This method works for both NTLM and Kerberos authentication. It will pass the credentials of the windows account under which the code is running.
What is the equivalent in WCF, that works in both NTLM and Kerberos environments?
In WCF you need to specify authentication in the bindings of your WCF services. Make sure the client and server use the same authentication scheme.
web.config:
<binding name="WindowsClientOverTcp">
  <security mode="Transport">
    <transport clientCredentialType="Windows" />
  </security>
</binding>

using ssl in wcf service

I want to use SSL using security mode = transport.
Can I use it with following settings in my web config
<bindings>
  <wsHttpBinding>
    <binding name="wsHttpEndpointBinding">
      <security mode="Transport">
        <transport clientCredentialType="Windows" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
I am installing a root certificate on the server side and a temp certificate on the client side. Should this work with the current web settings??
Yes, if that's what you want to do:
- you'll have SSL-enabled HTTPS transport
- you're using the wsHttp binding
- your users will be authenticated against the Windows domain (Active Directory)
This requires that your client and server are in the same common Windows domain, or at least in two Windows domains that are in a mutual trust relationship with one another (so that the service can authenticate the calling user against Active Directory).
This will not support anonymous callers, or callers from outside your Windows domain.
The question is: if it's really within your Windows domain and thus behind your corporate firewall, why are you using wsHttpBinding? NetTcpBinding would be much faster and more efficient in this scenario....
Marc