I'm building some routing functionality between services. The original service and the service that does the routing have an identical configuration; both are using netTcpBinding with the following binding configuration:
netTcpBinding
security mode="Message"
message clientCredentialType="UserName"
The service behavior uses a AspNet Membership Provider and a client certificate we've installed on the machine.
When I switch off the message security it relays just fine but when it's switched on I get the following exception:
"The message could not be processed. This is most likely because the action 'http://foo/Whatever' is incorrect or because the message contains an invalid or expired security context token or because there is a mismatch between bindings*. The security context token would be invalid if the service aborted the channel due to inactivity. To prevent the service from aborting idle sessions prematurely increase the Receive timeout on the service endpoint's binding." (Emphasis mine)
My thinking is that the certificate is operating on the message twice (once on the original call and then on the relay) and this is what corrupts the message's security token.
Questions:
Is my thinking on target?
Is there a way to continue to use message security for routing without having the complexity of a token service?
You mentioned switching between no security and message security. Are you making sure to change both the WCF service endpoints as well as the endpoint on the receiving end? If not, and the two do not match up, you will receive an error. That's what that error seems to be saying to me.
For Question 2, what type of environment are you running in? A closed system where you could use encrypt and sign, or a public environment, where you might need to be using a special key?
Related
I am using the Wcf Routing Service with the netTcpBinding
I have a WCF Service named ServiceTwo exposing just only one netTcpBinding endpoint
I have a client application consuming the ServiceTwo
Then I have a routingService between them, the routing service has two endpoints, a basicHttpBinding and a netTcpBinding. The routing always use netTcpBinding to communicate with the ServerTwo.
I am using the full IIS 8.5, enabled Http Activation and Non Http Activation, already setup protocol "http, net.tcp" for the ServiceTwo and the routing service as well.
for these below scenarios, it works
if the client application client consumes the ServiceTwo directly, not go through the routing, using netTcpBinding -> it works fine
or the client application call the ServiceTwo through the routing using basicHttpBinding (the routing always use netTcpBinding to communicate with the ServerTwo) -> it also works fine.
But for the case client app using the netTcpBinding to connect to the routing (the routing always use netTcpBinding to communicate with the ServerTwo)
I just got an exception as below:
An unhandled exception of type
System.ServiceModel.CommunicationException' occurred in mscorlib.dll
Additional information: The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:00:59.9659874'.
Could you please advise something I might miss and cause the error
Thank you very much.
Regards
This error occured for me, when my client was using SecurityMode.None, but not my Service. But I think the exception is rather general.
So I would advice you to re-check all values that set up your ServiceChannel incl. your Binding on Service & Client.
btw: this error occurs for me only in case the client sets a SecurityMode and the service does not! If it is vice-versa a more meaningful exception occurs. Namely: (ProtocolException - This could be due to mismatched bindings (for example security enabled on the client and not on the server))
I have a WinForm app which uses WCF to call a WCF service. I am trying to troubleshoot an issue and need to look at the wcf trace file without any encryption. So I have WCF endpoint set to use BasicHttpBinding and my service contract is set for SessionMode = SessionMode.NotAllowed.
However I keep getting an error "Contract requires Session, but Binding 'BasicHttpBinding' doesn't support it or isn't configured properly to support it".
I don't want to use sessions. Why does it think I want to use sessions?
OR how do I get the messages to go on the wire where I can see objects and their properties in clear text in the trace file?
BasicHttpBinding never uses session. There is something incorrectly configured in your code (or you didn't correctly update service reference). To see messages even if security is enabled use Message logging.
I have a WCF self-hosted as a Windows Service.
When I start the service (under the NETWORK_SERVICE account), I can consume the service from my ASP.NET application on a different server.
However, the business rules have changed. Now I need to run the service under my own account. I am able to stop the service, and start it again under my account. No problem there.
Until I try to consume the service from my ASP.NET application on the other service. I get:
A call to SSPI failed, see inner exception
I'm relatively certain there's something I need to do security wise to eliminate this error, being new to all this I just don't know what.
Any help is greatly appreciated.
Thanks,
Jason
Usually this is a sign of a missing or misconfigured SPN, which gets in the way when you're using windows authentication (at the transport or message level) and Kerberos is being negotiated.
Notice that how/when the error manifests itself might depend on the way the hostname (or IP address) of the service host is used in the URL used by the client, since WCF will try, by default, to deduce the right SPN to use based on the URL information, unless you explicitly override it by setting the endpoint identity.
So likely all you need to do is register an SPN (using setspn.exe) for your new service and make sure your client uses an appropriate identity.
There's some more extra information on how WCF uses service identities here, here and here.
I'm trying to set up security on a WCF web service, using the ProtectionLevel attribute:
[ServiceContract(ProtectionLevel= ProtectionLevel.EncryptAndSign)]
This compiles, but Visual Studio throws exceptions when I try to update the service reference in another project (same solution).
System.InvalidOperationException: The
request message must be protected.
This is required by an operation of
the contract
('IStorageService','tempuri.org/';).
The protection must be provided by the
binding
('WSHttpBinding','tempuri.org/';).
What else do I need to set up to get this to work?
Your ServiceContract attribute is specifying that the service requires a secure channel for all operations, with both message signing (the message contains a digital signature which can prove that it hasn't been tampered with) and message encryption (the bytes of the message are encrypted when transmitted over the network).
Your client code (i.e. in the project which calls the service) must satisfy these requirements. If this project is using BasicHttpBinding with default settings, then the requirements of the service will not be satisfied (security is disabled by default for the BasicHttpBinding). If you configure the client project to use WsHttpBinding instead, with its default settings, the exception should go away (this binding has EncryptAndSign enabled by default).
The ProtectionLevel is a way for the developer to set the minimum level that a binding must comply with. When a service is deployed, the actual binding specified in configuration may or may not support the minimum level. For example, by default, the BasicHttpBinding class does not supply security (although it can be enabled). Therefore, using it with a contract that has any setting other than None will cause an exception to be thrown. see here
I'm building a WCF Service that uses Custom Username/Password validation on netTcpBinding with message level security. I've been researching MaxReceivedMessageSize settings and I've got a query of a rather technical nature. I've noticed that when you specify a custom username validator that it gets called deep inside the plumbing of WCF (during handshaking I suppose).
If I have a relatively large MaxReceivedMessageSize of 1MB, will WCF read the entire message off the line and then do authentication, or will it first do the authentication and somehow discard the rest of the message?
The reason for my query is DoS attacks. I am hoping that due to the authentication the service would be immune to large message DoS attacks.
I believe that full message is loaded. The message is first processed by transport channel which doesn't have any information about message security. So the channel reads the whole message with using selected encoder and creates Message instance. This instance is passed to futher processing including message security checking. The only exception is when you use Streamed transfer mode. In that case only message headers are read in receiving channel and placed to buffer.
To prove this you can also turn message logging which is able to log messages on transport level and at service level. Transport level is message received from transport, service level is message received at service (after all security processing). So the message is already read at transport level.