I'm new to WCF and its security so was looking for some help on a problem I'm having.
I have a WCF service that to be deployed to every machine in a small domain. The WCF service is to be hosted in a Windows Service since it has methods in it that need to be invoked elevated. The service is very draft at the moment (it exposes meta-data - but I believe this is to be turned off later - is this possible?). It uses the net.tcp binding - The App.Config of the service is shown below:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<services>
<service behaviorConfiguration="SvcBehavior" name="Microsoft.ServiceModel.Samples.Svc">
<endpoint address="" binding="netTcpBinding"
contract="Microsoft.ServiceModel.Samples.ISvc" />
<endpoint address="mex" binding="mexTcpBinding" bindingConfiguration=""
contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="net.tcp://*:8100/ServiceModelSamples/service" />
</baseAddresses>
<timeouts closeTimeout="00:10:00" openTimeout="00:10:00" />
</host>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="SvcBehavior">
<serviceMetadata httpGetEnabled="false" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
For a client, I have a Winforms C# application. The application serves 2 functions, it pulls static information from the service and then gives the user an option to authenticate and call the administrative methods. Therefore, the authentication is done at client level.
I am using Channelfactory to connect to the service since the hostname is variable (user is prompted for it on client start-up) and the app.config file for the client is shown below - its virtually empty:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
</bindings>
<client />
</system.serviceModel>
</configuration>
The channelfactory code is:
[System.CodeDom.Compiler.GeneratedCodeAttribute("System.ServiceModel", "4.0.0.0")]
[System.ServiceModel.ServiceContractAttribute(Namespace = "http://Microsoft.ServiceModel.Samples", ConfigurationName = "ISvc")]
ChannelFactory<ISvc> myChannelFactory = new ChannelFactory<ISvc>(new NetTcpBinding(), "net.tcp://" + HostName + ":8100/ServiceModelSamples/service");
public static ISvc client = null;
I have an interface that descrives the methods in the service as well.
The main problem I am having is this. Say there is Machine1 and Machine2 running on domainA. Lets assume that Machine1 hosts the service and Machine2 runs the client.
When I connect to the service using a domain account domainA\User, the service works fine but say I have a local user on Machine2 and want to connect to the service as Machine2\LocalUser, I get the following error message:
The server has rejected the client credentials.
I have tried experimenting with setting the security mode to none (not something im keen on doing) but then I get an error saying the client and service have a configuration mismatch.
Is there something I can do to fix this? Also, what would happen if the service running on domainA\Machine1 was called by a user from another domain - say domainB\User2 ?
Thanks in advance - Id appreciate some insight into this!
Chada
If you turn off security on the service you must turn in off on the client as well. If you configure client in code you must set the same configuration for new instance of NetTcpBinding as you do on the service in configuration file.
When Windows security is used (default for NetTcpBinding) MachineB cannot authenticate local accounts from MachineA (there were some tricks with duplicate local users but I don't know if they work with WCF as well). That is why you have a domain. Cross domain windows authentication requires trust between domains.
If you need to authenticate cross domain users or local users you cannot use Windows authentication. There are other authentication mechanism but they require configuring certificate (at least on the service) and use either client certificate or user name and password for client authentication.
Related
IIS 7.0 on Windows 2008
WCF Web Service, .NET 4 from VS 2010
Web service is installed via publishing and I have full admin rights on the server. There are several complicated methods, but there is a simple one that returns the build version. If we can get this one working, I can fix them all - here is my interface:
namespace MyNameSpace
{
[ServiceContract]
public interface WebInterface
{
[OperationContract]
[WebGet]
string GetVersion();
Attempt to connect via HTTP:// and everything works fine!
Attempt to conenct via HTTPS:// I get a 404 file not found.
I can reach the generic "You have created a web service..." page, including full web service path and the C# generic sample code when browsing to the exact same URL's both on HTTP and HTTPS.
In C#, I have read that the certificate can cause trouble, and I have already implemented the delegate overload to approve our server certificate.
I suspect missing one or more entries in the Web.config file, but I don't have a clue where to start. I have tried Google searching and Stack Overflow searching, but I haven't found the correct combination of search terms to help with this particular issue.
Web Config:
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="HttpGetMetadata">
<serviceDebug includeExceptionDetailInFaults="true"/>
<serviceMetadata httpGetEnabled="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service name="LinkService" behaviorConfiguration="HttpGetMetadata">
<endpoint address="" contract="WebInterface" binding="basicHttpBinding" />
</service>
</services>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
Help Please.
You're using the defaults for basicHttpBinding, and the default security mode for that binding is None. You need to define the binding and set the security mode to Transport in your config. Add a Bindings section to your ServiceModel section, like this:
<serviceModel>
<Bindings>
<basicHttpBinding name="secureBinding">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</basicHttpBinding>
</Bindings>
</serviceModel>
Then you need to assign this binding to your endpoint via the bindingConfiguration attribute, like this:
<endpoint address=""
binding="basicHttpBinding"
bindingConfiguration="secureBinding"
contract="WebInterface" />
You'll probably want to enable httpsGetEnabled as well:
<serviceMetadata httpGetEnabled="true"
httpsGetEnabled="true" />
See BasicBinding with Transport Security (which is what the sample code is based on).
You can also google with terms like "BasicHttpBinding WCF SSL" and stuff like that - lots of examples and information on the web, it's just a matter of using the right words :)
Also, I'm not 100% confident that the transportClientCredential setting is correct for your scenario (it might need to be Certificate), but I've done very little with SSL for WCF.
There may be other issues as well (like how IIS is set up on your machine), but the above is what's needed for the config.
basically ive followed this tutorial here
and have everything up and running and working fine off my local machine. I have deployed it in IIS and allowed necessary Firewall ports so off i go to my client PC which resides on a different domain.
I fired up the WCF Test client on this machine and typed in the URL for the WSDL and i was able to view the service calls no problem. Only thing is when i actually try to use the method and send off my values i get the following response
"The Caller Was Not Authenticated By The Service"
Weird - even though it still works locally it wont work on another machine. Is there a specific way to configure the client based on what im doing??
here is my web.config
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.serviceModel>
<services>
<service name="WCF33.Service1">
<endpoint address ="" binding="wsHttpBinding" contract="WCF33.IService1" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="http://localhost:8080/WCF33/Service1/" />
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior>
<!-- To avoid disclosing metadata information, set the value below to false before deployment -->
<serviceMetadata httpGetEnabled="true"/>
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
<!--
To browse web app root directory during debugging, set the value below to true.
Set to false before deployment to avoid disclosing web app folder information.
-->
<directoryBrowse enabled="true"/>
</system.webServer>
</configuration>
The tutorial i followed passes a key in the message header and authenticates based on that but thats not the issue. I think its something to do with the wshttp binding but i do need this type of encryption.
can anyone give me any info/advice on how to resolve this please :)
The tutorial i followed passes a key in the message header and authenticates based on that but thats not the issue.
Are you passing the key in your call? If the code you have running is expecting something in the authentication header and it's not there that could cause that error to return.
Ok i now have this sorted, i had two main issues with this, this question actually ended up being my first hurdle.
With wshttpbinding i had to configure a client programatically, creating a wshttpbinding and attaching it to an instance of the service. I also had to pass windows credentials. Once i did this, the caller was authenticated message disappeared.
The next stage of the error was a application/xml error where the expected response didnt match soap 1.2 formatting. This was a strange one because for some reason even though the binding server side was wshttp, it was defaulting to basichttp on deployment. To get around this there is a mapping section in the wcf config editor where you can map protocols to a binding. In this, http is set to basichttp, simply change this to wshttp an you are good to go :)
hope this helps someone because these two errors seem to be everywhere with no answers at all!!
So here's my App.config:
<?xml version="1.0"?>
<configuration>
<runtime>
</runtime>
<system.serviceModel>
<diagnostics performanceCounters="Default" />
<bindings />
<serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
<behaviors>
<endpointBehaviors>
<behavior name="CrossDomainServiceBehavior">
<webHttp />
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="AService.AServBehavior">
<serviceMetadata httpGetEnabled="false" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="MyService.MyServiceBehavior" name="MyService.MyServ">
<endpoint address="MyService" behaviorConfiguration="" binding="netTcpBinding" contract="AService.IAServ" isSystemEndpoint="false" />
<endpoint address="mex" binding="mexTcpBinding" contract="IMetadataExchange" />
</service>
</services>
</system.serviceModel>
<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/></startup></configuration>
As you can see there's nothing special. I just want to create simple service with tcp binding and ability to transmit metadata information. I had success with same one using basicHttpBinding and everything was going OK.
Here's the code that creates service instance with baseaddress:
Console.WriteLine("net.tcp://" + _bindAddress + "/");
ServiceHost myserviceHost = new ServiceHost(typeof(MyService), new Uri(String.Concat("net.tcp://", _bindAddress, "/")));
myserviceHost.Open();
_bindAddress is a string that comes from custom service configuration XML file. I'm trying to bind service to internal network interface at IP address 172.19.0.102:8733. Then I'm trying to get service metadata using WcfTestClient from address 127.0.0.1:8733 on service's machine and everyting is fine. But then I trying to obtain service's metadata on target remote machine over Internet I getting the TCP error with code 10051.
My goal is to get service working and publishing metadata over Internet for any client. There's no issues with firewalls and other network stuff. It seems like I need some configuration edits to allow service share metadata with everyone.
Thanks in advance!
POST EDIT:
Here is my tryings:
1) Service configured to bind at 172.19.0.102:8733.
A. WCF Test Client tryes to obtain metadata on hosted machine from address net.tcp://127.0.0.1:8733/ failed with TCP error code 10061.
B. On the same machine WCF Client tryes to obtain metadata from net.tcp://172.19.0.102:8733 and it's working OK.
C. WCF Test Client tryes to obtain metadata on another machine in LAN from address net.tcp://192.168.1.2:8733/ (it's service's machine IP address) gives an error TCP error code 10061.
That error means: Network is unreachable an that is most probably what really happens. Your IP address belongs to private network range and these addresses can never be addressed directly from Internet / WAN - they are only for local usage in LAN. To access such address over internet you must configure your publicly exposed router / gateway to accept the connection and forward it to your internal device = NAT / port forwarding, etc.
I have a simple WCF service that uses WSHttpBinding and Windows authentication. I'm trying to force the server to impersonate the client's identity upon every method call for this service.
I tried the advice given at WCF Service Impersonation, but am not exactly getting happy results. When I try to navigate to the landing page for the WCF service, I see the error:
The contract operation 'GetAdvice'
requires Windows identity for
automatic impersonation. A Windows
identity that represents the caller is
not provided by binding
('WSHttpBinding','http://tempuri.org/')
for contract
('IMagicEightBallService','http://tempuri.org/'.
Any ideas on what this error's trying to tell me?
The entire solution can be browsed at ftp://petio.org/2011/07/01/MagicEightBall/ (or downloaded at http://petio.org/2011/07/01/MagicEightBall.zip). I'm just publishing the project to a local IIS folder and accessing the service at http://localhost/MagicEightBall/MagicEightBallService.svc.
Thanks!
UPDATE:
My service's Web.config:
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.serviceModel>
<services>
<service name="Petio.MagicEightBall.MagicEightBallService" behaviorConfiguration="MagicEightBallServiceBehavior">
<endpoint name="WSHttpBinding_WindowsSecurity_IMagicEightBallService"
address="http://localhost/MagicEightBall/MagicEightBallService.svc"
binding="wsHttpBinding"
contract="Petio.MagicEightBall.IMagicEightBallService" />
<endpoint address="mex"
binding="mexHttpsBinding"
contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="MagicEightBallServiceBehavior">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
<serviceAuthorization impersonateCallerForAllOperations="true" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
My service code:
public class MagicEightBallService : IMagicEightBallService
{
[OperationBehavior(Impersonation=ImpersonationOption.Required)]
public string GetAdvice()
{
MagicEightBall ball = new MagicEightBall();
return ball.GetAdvice();
}
}
What about minimizing the whole problem to simplest reproducible code which you can simply show here? Nobody is interested in downloading and reviewing whole your project. Moreover for later reference the related code should be still here.
I checked your just configurations of your project and your client code and I see two blocking issues:
If you want to enforce impersonation from configuration you must use only bindings with windows authentication - your endpoint exposed over HTTPS is without authentication.
Impersonation in WCF also requires client to allow service to impersonate his identity so setting the configuration on the service is not enough.
Here you have some article about impersonation and all necessary / possible settings.
I am developing a WCF service hosted by IIS, using VSTS2008 + C# + .Net 3.5. I find when reference the service from a client by using Add Service Reference..., client has to be able to resolve the machine name to IP address, because WSDL reference some schema file by machine name. Here is an example of a part of WSDL file, in order to parse WSDL file from client side to generate proxy, we have to be able to resolve machine name testmachine1 to related IP address,
<xsd:import schemaLocation="http://testmachine1/service.svc?xsd=xsd1"
namespace="http://schemas.microsoft.com/2003/10/Serialization/"/>
My question is, for some reason machine name cannot be resolved all the time (for non-technical reasons), so I want to bind to IP address of the hosting IIS server. Is it possible? If yes, appreciate if anyone could advise. Here is my current WCF web.config file, I want to know how to modify it to enable it to work with IP address,
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<services>
<service behaviorConfiguration="Foo.WCF.ServiceBehavior"
name="Foo.WCF.CustomerManagement">
<endpoint address="" binding="basicHttpBinding"
contract="Foo.WCF.ICustomerManagement">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
<endpoint address="mex" binding="mexHttpBinding"
contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="Foo.WCF.ServiceBehavior">
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
thanks in advance,
George
If your WCF service is hosted in IIS, you cannot set a separate address. You must use the URL of the virtual directory where your SVC file lives - either with a machine name (http://yourserver/virtualdir/myservice.svc) or an IP (http://123.123.123.123/virtualdir/myservice.svc).
If you use the IP to add the service reference, that IP will be used in the WSDL generated by the service import.
If you host the WCF service yourself (Windows service, console app), you can set the service address in config, and use either machine name or IP for the machine.
Marc
I was having this same issue and seen your post while looking for answers to my own problem.
I think I may have found a solution, which was to change the IIS site binding to be that of the ip. I still don't understand why this can't be a setting in the .config file.
Here is the link to the solution that I found (http://blogs.msdn.com/wenlong/archive/2007/08/02/how-to-change-hostname-in-wsdl-of-an-iis-hosted-service.aspx).
Here is a link to my post on my issue (.NET WCF service references use server name rather than IP address causing issues when consuming).
Here is a link to my post about finding the solution (WCF (hosting service in IIS) - machine name automattically being picked up by WCF rather than IP?).