I am trying to connect to wcf server. My code works when both server and client on the same computer. However, when the client is set on a different machine it's not working.
I found a few answers that didn't help.
The problem I'm getting is: wcf server rejected client credentials
Here is part of the server config:
<security mode="Transport">
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign"/>
<message clientCredentialType="Windows"/>
</security>
the client config:
<security mode="Transport">
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
<message clientCredentialType="Windows" />
</security>
client code:
_wcfClient = new wcfServiceClient(context, new NetTcpBinding(SecurityMode.Transport),
new EndpointAddress(#"net.tcp://" + host +
#":7919/wcfControl/name/"));
_wcfClient .Open();
I tried to change the server security to None, but then the server couldn't run.
The only solution did help is to insert on the client side server windows username and password. but I want to find a better solution.
Thanks ahead for the help
Related
The issue I'm having with the non-WCF client occurs after the secure connection is established, and the requested URL string is passed to the server. Instead of getting a 401 challenge, I get a 403 forbidden error. I have a WCF client that works with both the WsHTTPBinding and BasicHTTPBinding. After testing the WCF client, I can make it fail basic authentication by replacing CertificateName with an empty string in the following line of code prior to calling serviceProxy.CheckIn():
PermissiveCertificatePolicy.Enact(string.Format("CN={0}", CertificateName));
I'm guessing this is either an override forcing the client to accept the server certificate, or it somehow passes it's name to the server for identity validation.
So my question is does a WCF client pass the certificate name to the server during the request? And if so, where in the request string should I place it? And what would it look like?
web.config file bindings:
<wsHttpBinding>
<binding name="HIBridge_SSLBinding" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Certificate" proxyCredentialType="None" realm=""/>
<message clientCredentialType="UserName" negotiateServiceCredential="True" establishSecurityContext="True"/>
</security>
</binding>
</wsHttpBinding>
<basicHttpBinding>
<binding name="HIBridge_BasicBinding" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Basic" proxyCredentialType="None" realm=""/>
</security>
<readerQuotas maxStringContentLength="2147483647"/>
</binding>
</basicHttpBinding>
I am currently using WCF to connect to our Java web services via the following configuration:
<bindings>
<basicHttpBinding>
<binding name="WebServicePortBindingHttp" maxReceivedMessageSize="500000">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Basic" proxyCredentialType="None" realm="" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="http://host:port/url" binding="basicHttpBinding" bindingConfiguration="WebServicePortBindingHttp" contract="Namespace.WSPort" name="WebServicePort" />
</client>
This is using normal HTTP. Even so, the server wouldn't authorize me until I manually added the WSSE headers using the method suggested in this answer. Once I started doing that, I was able to consume the web services without trouble.
On some of our environments, however, the server that my C# client must connect to uses HTTPS instead of HTTP. For this, the configuration given above does not work. To begin with, I had to change the security mode from TransportCredentialOnly to Transport, like so:
<binding name="WebServicePortBindingHttp" maxReceivedMessageSize="500000">
<security mode="Transport">
<transport clientCredentialType="Basic" proxyCredentialType="None" realm="" />
</security>
</binding>
I have tried numerous variations on these settings, however all that happens is the request times out. When I use Wireshark to trace the communication, I can see that the server is actually responding, but I can't interpret its response as the text appears garbled (I guess because it is encrypted).
This is what the binding configuration looks like that is automatically created by Visual Studio when I import the WSDL:
<customBinding>
<binding name="HTTPSoapBinding">
<textMessageEncoding messageVersion="Soap11" />
<httpsTransport />
</binding>
</customBinding>
But this still does not change the behaviour. It would appear that Microsoft and Oracle technologies do not simply interoperate.
Please advise.
I'm an idiot. There was something else causing the timeout! This configuration actually works:
<binding name="WebServicePortBindingHttp" maxReceivedMessageSize="500000">
<security mode="Transport">
<transport clientCredentialType="None" proxyCredentialType="None" realm="" />
</security>
</binding>
Strangely enough, now that I have identified the cause of my timeout, the webservice seems to accept just about any value for clientCredentialType (so far I have tried None, Basic and Windows, and all of them work). Could anyone explain this?
I apologize if I wasted anyone's time with this question.
I have an ASP.NET web application which uses a WCF IIS-based backend service.
I can use Active Directory Authentication for the web application, but I would like to use it also on the WCF service (which is on another IIS server).
Is it possible to do this via configurations only?
Solved it.
In web app config set:
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows"/>
<message clientCredentialType="UserName" algorithmSuite="Default"/>
</security>
In WCF-part:
<bindings>
<basicHttpBinding>
<binding>
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
Thing is i need to sleep more.
Okay so scenario goes like this :
I have multiple web applications, which consume a wcf service. and now i am making a change to wcf service to consume Sharepoint 2010 Web Service i.e. UserprofileService.asmx
Web Application - > WCF Service - > Sharepoint WebService
And the problem is if i use the below code in wcf service, it works fine with the Sharepoint Service, and i am able to access the methods available in sharepoint userprofile service, when i test the wcf service from my machine.
C#
service.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;
service.ChannelFactory.Credentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultNetworkCredentials;
Web.config
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Ntlm" proxyCredentialType="None"
realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
But i am no longer able to call the WCF Service from my web application as the web application uses the below.
<security mode="Message">
<transport clientCredentialType="Windows" proxyCredentialType="None" realm="">
<extendedProtectionPolicy policyEnforcement="Never"/>
</transport>
<message clientCredentialType="Windows" negotiateServiceCredential="true" algorithmSuite="Default" establishSecurityContext="true"/>
</security>
I need a way to configure WCF Service in such a way, that it still be able to talk with all the existing applications, and be able to talk to Sharepoint Service at the same time.
Most Importantly i want to use the service account(Ex: b2\deltaUser) under which WCF service runs to access the profiles of different users in share point userprofile service. Do i need to use impersonation ? If yes, how can i use it here.
The solution was easy. To create two separate bindings and that did the trick. :)
right now I have the security node defined like this:
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
Im getting the following error:
The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'NTLM'.
Change your clientCredentialType to "Ntlm".