I have a simple WCF service that uses WSHttpBinding and Windows authentication. I'm trying to force the server to impersonate the client's identity upon every method call for this service.
I tried the advice given at WCF Service Impersonation, but am not exactly getting happy results. When I try to navigate to the landing page for the WCF service, I see the error:
The contract operation 'GetAdvice'
requires Windows identity for
automatic impersonation. A Windows
identity that represents the caller is
not provided by binding
('WSHttpBinding','http://tempuri.org/')
for contract
('IMagicEightBallService','http://tempuri.org/'.
Any ideas on what this error's trying to tell me?
The entire solution can be browsed at ftp://petio.org/2011/07/01/MagicEightBall/ (or downloaded at http://petio.org/2011/07/01/MagicEightBall.zip). I'm just publishing the project to a local IIS folder and accessing the service at http://localhost/MagicEightBall/MagicEightBallService.svc.
Thanks!
UPDATE:
My service's Web.config:
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.serviceModel>
<services>
<service name="Petio.MagicEightBall.MagicEightBallService" behaviorConfiguration="MagicEightBallServiceBehavior">
<endpoint name="WSHttpBinding_WindowsSecurity_IMagicEightBallService"
address="http://localhost/MagicEightBall/MagicEightBallService.svc"
binding="wsHttpBinding"
contract="Petio.MagicEightBall.IMagicEightBallService" />
<endpoint address="mex"
binding="mexHttpsBinding"
contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="MagicEightBallServiceBehavior">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
<serviceAuthorization impersonateCallerForAllOperations="true" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
My service code:
public class MagicEightBallService : IMagicEightBallService
{
[OperationBehavior(Impersonation=ImpersonationOption.Required)]
public string GetAdvice()
{
MagicEightBall ball = new MagicEightBall();
return ball.GetAdvice();
}
}
What about minimizing the whole problem to simplest reproducible code which you can simply show here? Nobody is interested in downloading and reviewing whole your project. Moreover for later reference the related code should be still here.
I checked your just configurations of your project and your client code and I see two blocking issues:
If you want to enforce impersonation from configuration you must use only bindings with windows authentication - your endpoint exposed over HTTPS is without authentication.
Impersonation in WCF also requires client to allow service to impersonate his identity so setting the configuration on the service is not enough.
Here you have some article about impersonation and all necessary / possible settings.
Related
I have been assigned a old project that currently uses a WCF service.
The point is to update (more like starting fresh) the project to use ASP.NET MVC5 and Web API. The problem is that a 3rd party uses the WCF service, and they are probably not willing to make changes to their end of the communication.
The main function of the project is two basic, one is receive data, save it and just show the last status of several subjects and history graphs, and the other is to send data (turn on/off subjects).
My idea was to maintain the WCF Service (receive/send/save data) as is, just add it to new solution which consists of MVC and Web API (read data). They need (I think) to be in the same project, because the final objective is to implement SignalR on the WCF Service, if possible.
The main problem, is that the MVC and WebAPI are going to stay behind Authentication, but the WCF won't. At the moment when I try to test the WCF on the same project, it fails because it asks for a "Log in."
Error: Cannot obtain Metadata from
http://localhost:50598/ServiceTest.svc If this is a Windows (R)
Communication Foundation service to which you have access, please
check that you have enabled metadata publishing at the specified
address. For help enabling metadata publishing, please refer to the
MSDN documentation at
http://go.microsoft.com/fwlink/?LinkId=65455.WS-Metadata Exchange
Error URI: http://localhost:50598/ServiceTest.svc Metadata contains a
reference that cannot be resolved:
'http://localhost:50598/ServiceTest.svc'. The content type text/html;
charset=utf-8 of the response message does not match the content type
of the binding (application/soap+xml; charset=utf-8). If using a
custom encoder, be sure that the IsContentTypeSupported method is
implemented properly. The first 1024 bytes of the response were: '?
Log in.
Usernamehttp://localhost:50598/ServiceTest.svc The HTML document does not
contain Web service discovery information.
I tried everything that I could find on the web. But couldn't find anything that would work.
My last consisted on fiddling with the web.config:
<system.serviceModel>
<bindings>
<webHttpBinding>
<binding name="UnsecuredBinding">
<security mode="None">
<transport clientCredentialType="None"/>
</security>
</binding>
</webHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="serviceBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="Management.ServiceAspNetAjaxBehavior">
<webHttp />
</behavior>
</endpointBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
<services>
<service name="Management.ServiceTest" behaviorConfiguration="serviceBehavior">
<endpoint address="" behaviorConfiguration="Management.ServiceAspNetAjaxBehavior" binding="webHttpBinding" contract="ServiceLibrary.IService" bindingConfiguration="UnsecuredBinding"/>
</service>
</services>
</system.serviceModel>
I also added routes.IgnoreRoute to RouteConfig.cs
routes.IgnoreRoute("{resource}.svc/{*pathInfo}");
routes.IgnoreRoute("{resource}.svc");
and tried to add this to Global.asax
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
HttpApplication context = (HttpApplication)sender;
if (context.Request.Url.ToString().Contains(".svc"))
{
context.Response.SuppressFormsAuthenticationRedirect = true;
}
}
My questions:
If I migrate the WCF methods to WebAPI, will the client need to do any modifications on their end?
If yes, how can I integrate WCF on my MVC/WebAPI project, without being affected by Log In barrier.
In answer to question 1, yes your clients would have to make modifications. WCF is SOAP/XML where as WebApi is REST/JSON(usually) for starters.
As for 2, if the WCF service is working fine, just leave it as it is. You don't need to include it in the project directly, simply use the "Add Service Reference" wizard in Visual Studio to make a client for interacting with it.
As a side note, the error you where experiancing was probably due to using the inbuilt IIS express instance with Visual Studio, which doesn't support running anonymous and authenticated applications at the same time, so your WCF service ended up with authentication enabled.
IIS 7.0 on Windows 2008
WCF Web Service, .NET 4 from VS 2010
Web service is installed via publishing and I have full admin rights on the server. There are several complicated methods, but there is a simple one that returns the build version. If we can get this one working, I can fix them all - here is my interface:
namespace MyNameSpace
{
[ServiceContract]
public interface WebInterface
{
[OperationContract]
[WebGet]
string GetVersion();
Attempt to connect via HTTP:// and everything works fine!
Attempt to conenct via HTTPS:// I get a 404 file not found.
I can reach the generic "You have created a web service..." page, including full web service path and the C# generic sample code when browsing to the exact same URL's both on HTTP and HTTPS.
In C#, I have read that the certificate can cause trouble, and I have already implemented the delegate overload to approve our server certificate.
I suspect missing one or more entries in the Web.config file, but I don't have a clue where to start. I have tried Google searching and Stack Overflow searching, but I haven't found the correct combination of search terms to help with this particular issue.
Web Config:
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="HttpGetMetadata">
<serviceDebug includeExceptionDetailInFaults="true"/>
<serviceMetadata httpGetEnabled="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service name="LinkService" behaviorConfiguration="HttpGetMetadata">
<endpoint address="" contract="WebInterface" binding="basicHttpBinding" />
</service>
</services>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
Help Please.
You're using the defaults for basicHttpBinding, and the default security mode for that binding is None. You need to define the binding and set the security mode to Transport in your config. Add a Bindings section to your ServiceModel section, like this:
<serviceModel>
<Bindings>
<basicHttpBinding name="secureBinding">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</basicHttpBinding>
</Bindings>
</serviceModel>
Then you need to assign this binding to your endpoint via the bindingConfiguration attribute, like this:
<endpoint address=""
binding="basicHttpBinding"
bindingConfiguration="secureBinding"
contract="WebInterface" />
You'll probably want to enable httpsGetEnabled as well:
<serviceMetadata httpGetEnabled="true"
httpsGetEnabled="true" />
See BasicBinding with Transport Security (which is what the sample code is based on).
You can also google with terms like "BasicHttpBinding WCF SSL" and stuff like that - lots of examples and information on the web, it's just a matter of using the right words :)
Also, I'm not 100% confident that the transportClientCredential setting is correct for your scenario (it might need to be Certificate), but I've done very little with SSL for WCF.
There may be other issues as well (like how IIS is set up on your machine), but the above is what's needed for the config.
basically ive followed this tutorial here
and have everything up and running and working fine off my local machine. I have deployed it in IIS and allowed necessary Firewall ports so off i go to my client PC which resides on a different domain.
I fired up the WCF Test client on this machine and typed in the URL for the WSDL and i was able to view the service calls no problem. Only thing is when i actually try to use the method and send off my values i get the following response
"The Caller Was Not Authenticated By The Service"
Weird - even though it still works locally it wont work on another machine. Is there a specific way to configure the client based on what im doing??
here is my web.config
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.serviceModel>
<services>
<service name="WCF33.Service1">
<endpoint address ="" binding="wsHttpBinding" contract="WCF33.IService1" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="http://localhost:8080/WCF33/Service1/" />
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior>
<!-- To avoid disclosing metadata information, set the value below to false before deployment -->
<serviceMetadata httpGetEnabled="true"/>
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
<!--
To browse web app root directory during debugging, set the value below to true.
Set to false before deployment to avoid disclosing web app folder information.
-->
<directoryBrowse enabled="true"/>
</system.webServer>
</configuration>
The tutorial i followed passes a key in the message header and authenticates based on that but thats not the issue. I think its something to do with the wshttp binding but i do need this type of encryption.
can anyone give me any info/advice on how to resolve this please :)
The tutorial i followed passes a key in the message header and authenticates based on that but thats not the issue.
Are you passing the key in your call? If the code you have running is expecting something in the authentication header and it's not there that could cause that error to return.
Ok i now have this sorted, i had two main issues with this, this question actually ended up being my first hurdle.
With wshttpbinding i had to configure a client programatically, creating a wshttpbinding and attaching it to an instance of the service. I also had to pass windows credentials. Once i did this, the caller was authenticated message disappeared.
The next stage of the error was a application/xml error where the expected response didnt match soap 1.2 formatting. This was a strange one because for some reason even though the binding server side was wshttp, it was defaulting to basichttp on deployment. To get around this there is a mapping section in the wcf config editor where you can map protocols to a binding. In this, http is set to basichttp, simply change this to wshttp an you are good to go :)
hope this helps someone because these two errors seem to be everywhere with no answers at all!!
I am implementing a WCF Web Service responsible of publishing data via REST and SOAP by using multiple bindings. The service is to be hosted on an IIS.
I have previously written some WCF services and know a bit about configuring those by using the web.config and setting up routes in the Global.asax files, however I'm confused about how to make the most "clean" configuration or the best practice on configuring a WCF service.
Here's what I have figured so far:
The web.config can be used to setup bindings, endpoints, security etc - is this needed when hosting the service on IIS or can the configuration be done on the IIS?
By using the Global.asax we're able to configure routings (and lots of other stuff). but is it the right place to do this?
void Application_Start(object sender, EventArgs e)
{
RouteTable.Routes.Add(new ServiceRoute("Service", new WebServiceHostFactory(), typeof(Service)));
}
I've spent some time googling this topic and it seems that every link has it's own opinion on how to accomplish the task.
Therefore I would like some input on how to configure/implement a WCF service to support the following:
Publish the data via REST/JSON and
Pubish the data via SOAP/XML and publishing metadata
Provide to different services; http://domain.com/Service and http://domain.com/AuthService
For the record I'm aware of how to publish the data using both SOAP/REST - that's not the problem. I'm just trying to make to most clean/minimal configuration for the service.
Any feedback is greatly appreciated.
Here is how I've done this.
Web.config:
<system.serviceModel>
<services>
<service name="Service">
<endpoint address="soap" contract="IService" binding="basicHttpBinding"/>
<endpoint address="rest" contract="IService" binding="webHttpBinding" behaviorConfiguration="restBehavior"/>
</service>
</services>
<behaviors>
<endpointBehaviors>
<behavior name="restBehavior">
<webHttp/>
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
The contract looks like this:
[ServiceContract]
public interface IService
{
[OperationContract]
[WebInvoke(UriTemplate="/Update/{id}", RequestFormat = WebMessageFormat.Json, ResponseFormat = WebMessageFormat.Json)]
void Update(string id, Entity entity);
}
With .net 4.5 you can omit any configuration in .config file at all. [ServiceContract], [OperationContract], [DataContract] would be essential. They do not say that in documentation explicitly, but it works :)
".NET Framework 4.5 makes configuring a WCF service easier by removing the requirement for the service element. If you do not add a service section or add any endpoints in a service section and your service does not programmatically define any endpoints, then a set of default endpoints are automatically added to your service, one for each service base address and for each contract implemented by your service." - from
https://msdn.microsoft.com/en-us/library/ee358768%28v=vs.110%29.aspx?f=255&MSPPError=-2147217396
I'm new to WCF and its security so was looking for some help on a problem I'm having.
I have a WCF service that to be deployed to every machine in a small domain. The WCF service is to be hosted in a Windows Service since it has methods in it that need to be invoked elevated. The service is very draft at the moment (it exposes meta-data - but I believe this is to be turned off later - is this possible?). It uses the net.tcp binding - The App.Config of the service is shown below:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<services>
<service behaviorConfiguration="SvcBehavior" name="Microsoft.ServiceModel.Samples.Svc">
<endpoint address="" binding="netTcpBinding"
contract="Microsoft.ServiceModel.Samples.ISvc" />
<endpoint address="mex" binding="mexTcpBinding" bindingConfiguration=""
contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="net.tcp://*:8100/ServiceModelSamples/service" />
</baseAddresses>
<timeouts closeTimeout="00:10:00" openTimeout="00:10:00" />
</host>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="SvcBehavior">
<serviceMetadata httpGetEnabled="false" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
For a client, I have a Winforms C# application. The application serves 2 functions, it pulls static information from the service and then gives the user an option to authenticate and call the administrative methods. Therefore, the authentication is done at client level.
I am using Channelfactory to connect to the service since the hostname is variable (user is prompted for it on client start-up) and the app.config file for the client is shown below - its virtually empty:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
</bindings>
<client />
</system.serviceModel>
</configuration>
The channelfactory code is:
[System.CodeDom.Compiler.GeneratedCodeAttribute("System.ServiceModel", "4.0.0.0")]
[System.ServiceModel.ServiceContractAttribute(Namespace = "http://Microsoft.ServiceModel.Samples", ConfigurationName = "ISvc")]
ChannelFactory<ISvc> myChannelFactory = new ChannelFactory<ISvc>(new NetTcpBinding(), "net.tcp://" + HostName + ":8100/ServiceModelSamples/service");
public static ISvc client = null;
I have an interface that descrives the methods in the service as well.
The main problem I am having is this. Say there is Machine1 and Machine2 running on domainA. Lets assume that Machine1 hosts the service and Machine2 runs the client.
When I connect to the service using a domain account domainA\User, the service works fine but say I have a local user on Machine2 and want to connect to the service as Machine2\LocalUser, I get the following error message:
The server has rejected the client credentials.
I have tried experimenting with setting the security mode to none (not something im keen on doing) but then I get an error saying the client and service have a configuration mismatch.
Is there something I can do to fix this? Also, what would happen if the service running on domainA\Machine1 was called by a user from another domain - say domainB\User2 ?
Thanks in advance - Id appreciate some insight into this!
Chada
If you turn off security on the service you must turn in off on the client as well. If you configure client in code you must set the same configuration for new instance of NetTcpBinding as you do on the service in configuration file.
When Windows security is used (default for NetTcpBinding) MachineB cannot authenticate local accounts from MachineA (there were some tricks with duplicate local users but I don't know if they work with WCF as well). That is why you have a domain. Cross domain windows authentication requires trust between domains.
If you need to authenticate cross domain users or local users you cannot use Windows authentication. There are other authentication mechanism but they require configuring certificate (at least on the service) and use either client certificate or user name and password for client authentication.