I have developed a .NET WCF service which uses basicHttp binding. This service is going to be hosted in IIS in an intranet and consumed by a non-Windows SAP PO client.
This service doesn't expose any sensitive information So I do not want to invest time on signing or encrypting messages. However, I also do not want the service to be accessed by anyone who knows the URL. so some form of authentication is required.
Can anyone please advise what would be the simplest way to authenticate my service?
UPDATE :
Thanks Keyur PATEL. I managed to host the service in IIS as per the link provided with security mode being set to "TransportCredentialOnly"
I enabled Basic Authentication in IIS
My windows client is able to subscribe the service however It receives below error when an operation is executed.
"The HTTP request is unauthorized with client authentication scheme 'Basic'. The authentication header received from the server was 'Basic realm="MY SERVER NAME"'.
Server Config
<?xml version="1.0"?>
<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="CustomAuthentication">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Basic" proxyCredentialType="Basic"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="SecurityBehavior">
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="SimpleService.UserNamePasswordAuthentification, App_Code/UserNameValidator"/>
</serviceCredentials>
<serviceMetadata httpGetEnabled="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="SecurityBehavior" name="SimpleService.SimpleService">
<endpoint address="SimpleService" binding="basicHttpBinding" bindingConfiguration="CustomAuthentication" contract="SimpleService.ISimpleService"/>
<host>
<baseAddresses>
<add baseAddress="http://localhost:8080"/>
</baseAddresses>
</host>
</service>
</services>
</system.serviceModel>
<system.web>
<compilation debug="true"/>
</system.web>
</configuration>
Client Config
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_ISimpleService">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Basic" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="http://MYSERVERNAME:PORT/SimpleService.svc/SimpleService"
binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_ISimpleService"
contract="SimpleServiceDEV.ISimpleService" name="BasicHttpBinding_ISimpleService" />
</client>
</system.serviceModel>
</configuration>
Related
I have developed WCF windows service using net tcp binding. Its working fine when wcf client and wcf service both are in domain (in two different system)
Getting error when both system are in work group not in domain.
Throwing an exception. Source: System.ServiceModel 4.0.0.0. Exception details: System.ServiceModel.CommunicationException: The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '04:59:59.7955781'. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
Things I tried:
Turned off Firewalls
Checked port
Increased the timeouts
First, you need to add windows credentials when requesting because nettcpbinding defaults to windows authentication:
ServiceReference1.CalculatorClient calculatorClient = new ServiceReference1.CalculatorClient();
calculatorClient.ClientCredentials.Windows.ClientCredential.UserName = "Administrator";
calculatorClient.ClientCredentials.Windows.ClientCredential.Password = "Password";
If you still have problems after adding credentials, you also need to add a mex endpoint:
<endpoint address="mex"
binding="mexTcpBinding"
contract="IMetadataExchange"></endpoint>
This is my App.config:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
</startup>
<system.serviceModel>
<services>
<service name="ConsoleApp5.CalculatorService" behaviorConfiguration="ServiceBehavior">
<host>
<baseAddresses>
<add baseAddress="net.tcp://localhost:10234/GettingStarted/"/>
</baseAddresses>
</host>
<endpoint address="Test"
binding="netTcpBinding"
contract="ConsoleApp5.ICalculator"/>
<endpoint address="mex"
binding="mexTcpBinding"
contract="IMetadataExchange"></endpoint>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior">
<serviceMetadata/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
UPDATE
Set the Mode value to Message:
<binding name="Binding">
<security mode="Message">
<message clientCredentialType="Certificate" />
</security>
</binding>
This is my App.config:
<?xml version="1.0"?>
<configuration>
<system.serviceModel>
<services>
<service name="Microsoft.Samples.X509CertificateValidator.CalculatorService" behaviorConfiguration="CalculatorServiceBehavior">
<!-- use host/baseAddresses to configure base address provided by host -->
<host>
<baseAddresses>
<add baseAddress="net.tcp://localhost:8001/servicemodelsamples/service"/>
</baseAddresses>
</host>
<!-- use base address specified above, provide one endpoint -->
<endpoint address="certificate" binding="netTcpBinding" bindingConfiguration="Binding" contract="Microsoft.Samples.X509CertificateValidator.ICalculator"/>
</service>
</services>
<bindings>
<netTcpBinding>
<!-- X509 certificate binding -->
<binding name="Binding">
<security mode="Message">
<message clientCredentialType="Certificate" />
</security>
</binding>
</netTcpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="CalculatorServiceBehavior">
<serviceDebug includeExceptionDetailInFaults="true"/>
<serviceMetadata/>
<serviceCredentials>
<!--
The serviceCredentials behavior allows one to specify authentication constraints on client certificates.
-->
<clientCertificate>
<authentication certificateValidationMode="None" revocationMode="NoCheck"/>
</clientCertificate>
<!--
The serviceCredentials behavior allows one to define a service certificate.
A service certificate is used by a client to authenticate the service and provide message protection.
This configuration references the "localhost" certificate installed during the setup instructions.
-->
<serviceCertificate findValue="localhost" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"/>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/></startup></configuration>
Feel free to let me know if the problem persists.
I'm trying to connect to a SOAP service using the WCF Client generator tool in Visual Studio 2017. However, when I make a request, I get this error:
"The http request is unauthorized with client authentication scheme 'Anonymous'".
I'm trying to use certificate authentication. This is my App.config:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />
</startup>
<system.serviceModel>
<diagnostics performanceCounters="Default" />
<behaviors>
<endpointBehaviors>
<behavior name="NewBehavior0">
<clientCredentials useIdentityConfiguration="true">
<clientCertificate findValue="portalservicos.jucemg.mg.gov.br"
storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindByIssuerName" />
<serviceCertificate>
<authentication certificateValidationMode="PeerOrChainTrust"
trustedStoreLocation="LocalMachine" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding name="NewBinding2">
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="https://newsrm.jucemg.mg.gov.br:443/empreendimento/service/ViabilidadePrefeituraWS"
behaviorConfiguration="NewBehavior0" binding="basicHttpBinding"
bindingConfiguration="NewBinding2" contract="ViabilidadePrefeituraWS.ViabilidadePrefeituraWS"
name="ViabilidadePrefeituraWSPort">
</endpoint>
</client>
</system.serviceModel>
</configuration>
This is my code:
class Program
{
static void Main(string[] args)
{
var ws = new ViabilidadePrefeituraWSClient();
ws.callService("");
}
}
When I set a breakpoint there, I see that the certificate is indeed being loaded (ws.ClientCredentials.ClientCertificate shows the correct certificate). Somehow though, it seems that the certificate is not being sent, or the configuration is somehow not being used, since the error mentions Authentication Scheme "Anonymous".
I saw this question (WCFTestClient The HTTP request is unauthorized with client authentication scheme 'Anonymous') and other similar questions, however none of them were about using certificates to authenticate.
I am learning WCF and i need to create a simple WCF service with a https binding. Need to have it as secure as possible.
So far i succeeded in creating a self-hosting wcf by using this guide:
Codeproject enable certificates on WCF
Managed to consume it, everything looks great. But the real problems appear when i try to host this in IIS 8. Local IIS, not IIS express.
I created a new wcf application in visual studio 2012, and in project's properties -> Web -> servers, i selected Local IIS, project URL: https://localhost/AdminService , Create virtual directory.
This added an application under Default Web Site in IIS Manager. The thing is, using the same web-config as my self-hosted app, roughly modified, did not work.
After altering it a bit, i got to this:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpointBinding">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="Certificate"/>
<transport clientCredentialType="None"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="WCFServiceCertificate.SecureServiceBehavior"
name="AdminService.AdminService">
<!--<host>
<baseAddresses>
<add baseAddress="https://localhost:1234/AdminService" />
</baseAddresses>
</host>-->
<endpoint address="https://localhost/AdminService" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding"
contract="AdminServiceContract.IAdminService">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>
<!--<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />-->
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="WCFServiceCertificate.SecureServiceBehavior">
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="PeerTrust" />
</clientCertificate>
<serviceCertificate findValue="CertAdminService" storeLocation="LocalMachine"
storeName="My" x509FindType="FindBySubjectName" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<protocolMapping>
<add binding="basicHttpsBinding" scheme="https" />
</protocolMapping>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
That CertAdminService certificate was not created with makecert, like i did in the self-hosted wcf, but i created it with iis manager's "create self-signed certificate".
Then, on Default Web Site -> bindings, i added a new binding, https, and selected this certificate.
The problem is, even if i choose browse (*:443) on default web site, or my application, i get the following error:
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error code: ERR_SSL_PROTOCOL_ERROR
I have no idea what am i doing wrong. Also, having the mexHttpsBinding enabled, if i try to add service reference to another project, i can discover the service, but i get the following error:
"There was an error downloading 'https://localhost/AdminService/AdminService.svc/_vti_bin/ListData.svc/$metadata'.
The underlying connection was closed: An unexpected error occurred on a send.
The handshake failed due to an unexpected packet format.
Metadata contains a reference that cannot be resolved: 'https://localhost/AdminService/AdminService.svc'.
An error occurred while making the HTTP request to https://localhost/AdminService/AdminService.svc.
This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server.
The underlying connection was closed: An unexpected error occurred on a send.
The handshake failed due to an unexpected packet format.
If the service is defined in the current solution, try building the solution and adding the service reference again."
Any help will be much appreciated, i kind of ran out of ideas. According to other posts on stackoverflow that i've read, this should've work. Maybe i'm doing something wrong and i don't know what.
Thank you, and sorry for the long post.
Edit:
Here is the consuming client's web.config:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
</startup>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IAdminService">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="Certificate" />
<transport clientCredentialType="None"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://localhost/AdminService"
binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IAdminService"
contract="AdminServiceContract.IAdminService" name="WSHttpBinding_IAdminService" behaviorConfiguration="CustomBehavior">
<identity>
<dns value="WCfServer" />
</identity>
</endpoint>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="CustomBehavior">
<clientCredentials>
<clientCertificate findValue="CertAdminService" x509FindType="FindBySubjectName"
storeLocation="LocalMachine" storeName="My" />
<serviceCertificate>
<authentication certificateValidationMode="PeerTrust"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
I made a WCF Service: HelloWorldService follow tips in Implement HelloWorld Service then hosted in IIS 8.5 (Windows 8.1) with Basic Authentication
and my web.config
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
</system.web>
<system.serviceModel>
<serviceHostingEnvironment >
<serviceActivations>
<add factory="System.ServiceModel.Activation.ServiceHostFactory"
relativeAddress="./HelloWorldService.svc"
service="MyWCFServices.HelloWorldService"/>
</serviceActivations>
</serviceHostingEnvironment>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpsGetEnabled="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service name="MyWCFServices.HelloWorldService">
<endpoint address="" binding="basicHttpBinding"
contract="MyWCFServices.IHelloWorldService"
bindingConfiguration="secureHttpBinding">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
<endpoint address="mex" binding="mexHttpBinding"
contract="IMetadataExchange" />
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name ="secureHttpBinding">
<security mode="Transport">
<transport clientCredentialType="Basic" />
</security>
</binding>
</basicHttpBinding>
</bindings>
</system.serviceModel>
</configuration>
I publish successful in try in Browser and Login with my username and password. It worked
But Error when I add service refercence, I cann't this with same my username and password on VS2013.
I try many times with username and password but I return dialog again
and I must click No.
This is Details:
There was an error downloading
https://localho.st/HelloWorldSecure/HelloWorldService.svc/_vti_bin/ListData.svc/$metadata
The request failed with HTTP status 400: Bad Request. Metadata
contains a reference that cannot be resolved:
https://localho.st/HelloWorldSecure/HelloWorldService.svc The
HTTP request is unauthorized with client authentication scheme
'Anonymous'. The authentication header received from the server was
'Basic realm=mylocalhost'. The remote server returned an error: (401)
Unauthorized. If the service is defined in the current solution, try
building the solution and adding the service reference again.
Somebody help me make it correctly. Many thanks!
I'm developing a WCF service using transport security settings. When testing client proxy and calling service method I get following EndpointNotFoundException:
There was no endpoint listening at https://MyPC/AMTA.WebService/BroadcastInfoService.svc that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.
Inner exception:
The remote server returned an error: (404) Not Found.
I'm hosting my service through visual studio.
web.config for service:
<system.serviceModel>
<services>
<service name="AMTA.WebService.Broadcasts.BroadcastInfoService">
<endpoint address="/BroadcastInfoService.svc" binding="wsHttpBinding" contract="AMTA.WebService.Interface.Broadcasts.IBroadcastInfoService"/>
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="TransportSecurity">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
Config for client:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IBroadcastInfoService">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://MyPC/AMTA.WebService/BroadcastInfoService.svc"
binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IBroadcastInfoService"
contract="BroadcastInfoService.IBroadcastInfoService" name="WSHttpBinding_IBroadcastInfoService">
</endpoint>
</client>
</system.serviceModel>
I'm deploying using Web property page of the project to local IIS using this virtual directory:
https://MyPC:443/AMTA.WebService/
I can browse https://MyPC:443/AMTA.WebService/BroadcastInfoService.svc after hitting F5, which shows page with wsdl info. Though when I try to call methods on client proxy, endpoint not found exception is being thrown with following log details
System.ServiceModel.EndpointNotFoundException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The service '/AMTA.WebService/BroadcastInfoService.svc/' does not exist.
StackTrace
at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath, EventTraceActivity eventTraceActivity)
at System.ServiceModel.ServiceHostingEnvironment.EnsureServiceAvailableFast(String relativeVirtualPath, EventTraceActivity eventTraceActivity)
Https and Http host headers are enabled for IIS and Https is tied to self-signed certificate.
The culprit was missing
bindingConfiguration="TransportSecurity"
from endpoint element in web.config.
By the way you can meet security requirements by just using basicHttpsBinding, which is new to .Net 4.5. This will lead to a more concise xml configs. Which are from the devil anyways.