I have a self-hosted WCF service with netTcpBinding bindings. Both my servers and clients will all be in the same domain, so I'd like to use windows authentication, but I'd also like the clients to verify server credentials (to avoid an internal man-in-the-middle/dns tampering attack). I've read that the way to do this is to use an SPN, but I can't seem to get that to work; no matter what the spn is set to the client works (i.e. the server and client don't match, but the client connects anyway). Obviously I've got some kind of configuration error, but I'm not sure where. Here is the service config for the server:
<system.serviceModel>
<services>
<service name="AaaAuthService.AaaAuthService" behaviorConfiguration="AaaAuthServiceBehavior">
<endpoint address="" binding="netTcpBinding" bindingConfiguration="NetTcpBinding_IAaaAuth" contract="AAA.IAaaAuthService">
<!--
<identity>
<servicePrincipalName value="AaaShlkjhlkjjjjhhhhjjpn/justink-pc.sgasdf1.allamericanasphaltasdf.casdfom"/>
</identity>
-->
</endpoint>
<host>
<baseAddresses>
<add baseAddress="net.tcp://localhost:9000/IAaaAuthService"/>
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="AaaAuthServiceBehavior">
<serviceThrottling maxConcurrentCalls="2147483647" maxConcurrentInstances="2147483647" maxConcurrentSessions="2147483647"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<netTcpBinding>
<binding name="NetTcpBinding_IAaaAuth" closeTimeout="00:00:20" openTimeout="00:00:10" receiveTimeout="00:00:10" sendTimeout="00:00:10" hostNameComparisonMode="StrongWildcard" maxConnections="2147483647">
<security mode="Transport">
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign"/>
<message clientCredentialType="Windows"/>
</security>
</binding>
</netTcpBinding>
</bindings>
The windows credentials do seem to get passed in - OperationContext.Current.ServerSecurityContext.WindowsIdentity is populated with the account information.
What am I missing here?
Related
I have this configuration for my WCF service which runs on IIS Express port number 50187. The service is hosted on IIS Express of Visual Studio 2017:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="QCConsumerBinding" closeTimeout="00:10:00" openTimeout="00:10:00" receiveTimeout="00:10:00" sendTimeout="00:10:00" allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="50000000" maxBufferPoolSize="5242880" maxReceivedMessageSize="50000000" messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true">
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
<security mode="None">
<transport clientCredentialType="None" proxyCredentialType="None" realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service name="QCWCFService.QCService">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="QCConsumerBinding" contract="QCWCFService.IQCService" />
</service>
<service name="QCWCFService.QCFinalService">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="QCConsumerBinding" contract="QCWCFService.IQCFinalService" />
</service>
<service name="QCWCFService.CalibrationService">
<endpoint address="service" binding="netTcpBinding" contract="QCWCFService.ICalibrationService" />
<endpoint address="" binding="wsDualHttpBinding" contract="QCWCFService.ICalibrationService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="net.tcp://localhost:8080/CalibrationService" />
<add baseAddress="http://localhost:8081/CalibrationService" />
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior>
<!-- To avoid disclosing metadata information, set the values below to false before deployment -->
<serviceMetadata httpGetEnabled="true" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true" />
<dataContractSerializer maxItemsInObjectGraph="2147483647" />
</behavior>
</serviceBehaviors>
</behaviors>
<protocolMapping>
<add scheme="http" binding="wsDualHttpBinding" />
</protocolMapping>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
But when I try to run the service it gives this exception:
System.InvalidOperationException: Could not find a base address that matches scheme net.tcp for the endpoint with binding NetTcpBinding. Registered base address schemes are [http].
While I have another application with the same configuration for Dual Http Binding which works perfectly
By default, The IIS express doesn’t support Net.tcp protocol.
The service endpoint with Nettcpbinding requires a base address based on NetTcp protocol.
<endpoint address="service" binding="netTcpBinding" contract="QCWCFService.ICalibrationService" />
Although we provide a Nettcp base address by using the Host Section, It won’t work. This is due to the fact IIS express use self-configuration to provide a base address to run the current project. The configuration of IIS express usually located in the .vs folder of the current Solution, called applicationhost.config
If we run this project in a console application with this configuration, it will work. Thereby we should provide one base address with Nettcp protocol. This can be completed in IIS.
1. Enable windows feature for net.tcp protocol.
2. Add Net.tcp support on the website.
3. Add net.tcp protocol in site binding module.
Please refer to the below for details of adding net.tcp protocol to a website.
WCF ContractFilter Mismatch when enabling Reliable Session
Feel free to let me know if the problem still exists.
I am trying to add transport security layer to my WCF service. But after following all the instructions i still get error "Could not find a base address that matches scheme https for the endpoint with binding BasicHttpBinding. Registered base address schemes are [http]."
Already did all needed configurations in IIS Manager and add need code in web.config but i still have a feeling i am missing something
web.config:
<system.serviceModel>
<services>
<service name="MyNameSpace.MyService" behaviorConfiguration="secureBehavior">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="secureHttpBinding" contract="MyNameSpace.IMyService" />
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="secureHttpBinding">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="secureBehavior">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
There is no problem with your present configuration, configure an https endpoint and it uses Transport security mode. One more thing we need to do is configuring an https binding address in IIS binding module. Like below.
It locates in the IIS site binding module.
Then we could use the above https service address to access it.
https://IP:4431/Service1.svc (service base address)
Feel free to let me know if the problem still exists.
I am trying to host existing WCF service and a WCF REST service as a Azure App Services. I have used the Publish option from Visual studio like in the post Here
I am able to browse to the hosted URL for the WCF SOAP site and the WCF REST site, but when i add a service reference for the WCF SOAP site and call a method on it i get below error
Same with the WCF rest service when i call a REST method, i get 404 now found error.
There was no endpoint listening at https://wcfservice.azurewebsites.net/WebService.svc that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.
The remote server returned an error: (404) Not Found.
From the failed request log i.e w3svcxxxx log, it says the request https://WcfService:80/Webservice.svc 404 not found status.
For the WCF Rest Service
https://WcfService:80/RESTservice.svc/GetData 404 not found status.
Why is the service internally calling a https://WcfService:80, would this require an configuration to setup. Tried to search around to see if i could find any help around this but could not find much.
Also, i have another WCF site that i had deployed to the App Services, which is setup with a basicHttpBinding and this site worked fine and i was able to get data using it.
Below is the web.config setting on the web site, i am using wsHttpBinging for the WCF SOAP service
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="WebServiceOnline">
<!-- To avoid disclosing metadata information, set the values below to false before deployment -->
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="AjaxBehavior">
<webHttp />
</behavior>
</endpointBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
<services>
<service name="WcfService.WebServiceOnline" behaviorConfiguration="WebServiceOnline">
<endpoint binding="wsHttpBinding" bindingName="wsSecurityByTransport" contract="WcfService.IWebServiceForOnline" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
<service name="WcfService.RESTService" behaviorConfiguration="WebServiceOnline">
<endpoint address="" binding="webHttpBinding" contract="WcfService.IRESTService" name="RunningBarbus.Services.RunningBarbusService" behaviorConfiguration="AjaxBehavior">
<identity>
<dns value="locahost" />
</identity>
</endpoint>
<endpoint contract="IMetadataExchange" binding="mexHttpBinding" address="mex" />
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="wsSecurityByTransport">
<security mode="Transport">
<transport clientCredentialType="None" />
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services> <service name="WcfService.WebServiceOnline" behaviorConfiguration="WebServiceOnline">
<endpoint binding="wsHttpBinding" bindingName="wsSecurityByTransport" contract="WcfService.IWebServiceForOnline" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" /> </service> <service name="WcfService.RESTService" behaviorConfiguration="WebServiceOnline">
<endpoint address="" binding="webHttpBinding" contract="WcfService.IRESTService" name="RunningBarbus.Services.RunningBarbusService" behaviorConfiguration="AjaxBehavior">
<identity>
<dns value="locahost" />
</identity>
</endpoint>
<endpoint contract="IMetadataExchange" binding="mexHttpBinding" address="mex" /> </service> </services>
There may be an issue in the configuration file. We could expose the additional service endpoint for wshttpbinding.
Here is my configuration, and it works properly over Azure.
<system.serviceModel>
<services>
<service behaviorConfiguration="mybehavior" name="WcfService1.Service1">
<!--http, https are all configurated-->
<endpoint address="" binding="webHttpBinding" contract="WcfService1.IService1" behaviorConfiguration="webbev" bindingConfiguration="mybinding"></endpoint>
<endpoint address="" binding="webHttpBinding" contract="WcfService1.IService1" behaviorConfiguration="webbev" bindingConfiguration="com"></endpoint>
<endpoint address="myservice" binding="wsHttpBinding" contract="WcfService1.IService1"></endpoint>
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"></endpoint>
</service>
</services>
<bindings>
<webHttpBinding>
<binding name="mybinding" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647" maxBufferSize="2147483647" sendTimeout="00:10:00" receiveTimeout="00:10:00">
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" />
<security mode="Transport">
<transport clientCredentialType="None"></transport>
</security>
</binding>
<binding name="com">
<security mode="None"></security>
</binding>
</webHttpBinding>
</bindings>
Result
Feel free to let me know if there is anything I can help with.
I had developed a windows service that hosts a WCF service. The service is installed on a server and the idea is to process some files on the local network (domain). Also, the service is executing as my domain user.
the configuration of the service is this:
<system.serviceModel>
<services>
<service name="Zeus.My.Upload.Service.MyHostedService">
<host>
<baseAddresses>
<add baseAddress="http://localhost:1089/Domain/Service"/>
</baseAddresses>
</host>
<endpoint address="http://localhost:1089/Domain/Service/Uploader" binding="basicHttpBinding" contract="Zeus.My.Upload.Contract.IHostedService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
</services>
<bindings>
<basicHttpBinding>
<binding maxReceivedMessageSize="4294967296" transferMode="Streamed" sendTimeout="01:00:00" messageEncoding="Mtom">
<security mode="None">
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
The issue with this configuration is that only my user is able to access and use this service. Other users of domain cannot even access to the URL.
How can I solve this issue?
I am creating a WCF service and exposing couple of end point. One is basicHttpBinding and another is wsHttpBinding. Once I publish this to ISS basicHttpBinding end point is working fine but wsHttpEndPoint is throwing error 400.
There are so many posts about 400 error with WCF like this but I cant resolve my issue.
Here is my configuration:
<behaviors>
<serviceBehaviors>
<behavior name="ServiceBehaviour">
<serviceMetadata httpsGetEnabled="true" httpGetEnabled="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding">
<security mode="Transport" />
</binding>
</basicHttpBinding>
<wsHttpBinding>
<binding name="WsPlainBinding">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="ServiceBehaviour" name="WcfService.Service1">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding"
contract="WcfService.IService" />
<endpoint address="wshttp"
binding="wsHttpBinding" bindingConfiguration="WsPlainBinding"
contract="WcfService.IService" />
</service>
</services>
I am using the address from the wsdl generated from the service which is hosted in IIS. Still I cannot reach the end point from Visual Studio using Add Service Reference or from browser.
In IIS go to manage Website->Advance settings and edit enable protocol. Add ,https.
Hope this helps