WCF Message Security Problem


Q

quortex

Hi all,

I am having a strange problem when enabling WCF message security with
username password authentication via a custom asp.net provider. To
start with here is the service configuration I am using:

------------------
-- SERVER
------------------
<system.serviceModel>
<services>
<service behaviorConfiguration="ServiceBehavior"
name="My.Framework.Core.Services.RoleService">
<endpoint address="" bindingConfiguration="ServiceBinding"
binding="wsHttpBinding"
contract="My.Framework.Core.Services.IRoleService">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
<endpoint address="mex" binding="mexHttpBinding"
contract="IMetadataExchange" />
</service>
</services>

<bindings>
<wsHttpBinding>
<binding name="ServiceBinding">
<security mode ="None">
<message clientCredentialType="UserName"/>
</security>
</binding>
</wsHttpBinding>
</bindings>

<behaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior">
<serviceAuthorization principalPermissionMode
="UseAspNetRoles"
roleProviderName ="MyRoleProvider" />
<serviceCredentials>
<!-- Configure user name authentication to use the
Membership Provider -->
<userNameAuthentication userNamePasswordValidationMode
="MembershipProvider"
membershipProviderName
="MyMembershipProvider"/>

<!-- Configure the service certificate -->
<serviceCertificate storeLocation ="LocalMachine"
storeName ="My"
x509FindType="FindBySubjectName"
findValue ="MyServerCert" />

</serviceCredentials>
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>

------------------
-- CLIENT
------------------
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IRoleService">
<security mode="None">
<message clientCredentialType ="UserName" />
</security>
</binding>
</wsHttpBinding>
</bindings>

<behaviors>
<endpointBehaviors>
<behavior name="ClientBehavior">
<clientCredentials>
<serviceCertificate>
<authentication
certificateValidationMode="PeerOrChainTrust" /> <!-- Not for
production-->
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>

<client>
<endpoint address="http://localhost:50161/TestServerA/
RoleService.svc"
behaviorConfiguration="ClientBehavior" binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_IRoleService"
contract="RoleService.IRoleService"
name="WSHttpBinding_IRoleService">
<identity>
<dns value="MyServerCert" />
</identity>
</endpoint>
</client>
</system.serviceModel>

The settings above work fine but as I understand the username and
password authentication mode requires transport or message security to
be enabled. When I set the security mode to Message the proxy puts
itself into a faulted state as soon as I make a call to the server,
and no method is being invoked by the server and no server side errors
are being reported.

using (RoleServiceClient client = new RoleServiceClient())
{
client.ClientCredentials.UserName.UserName = "Test";
client.ClientCredentials.UserName.Password = "Password1$";

client.Exists("TestRole");
}

When I try and make the call a CommunicationException is thrown thus
putting the service into a faulted state.

I would initially assume that this is due to a problem with the X509
certificate. I created the certificate with makecert following
instructions from the web and it has installed itself correctly into
the personal certificate store. The certificate is configured for data
protection and key exchange as required.

Initially I setup an invalid certificate and when I accessed the .svc
file from a web browser an exception was thrown. Now the certificate
is setup correctly this works as expected so this leads me to believe
that the certificate is fine.

I am currently using the VS2008 file web server rather than IIS. My
next move is to try hosting in IIS and use transport layer security so
I can continue development until this is resolved.

For the meantime any ideas would be appreciated I am sure I am doing
something stupid.

Regards,
Mark
 
Ad

Advertisements

Q

quortex

Hi again,

Ok with a LOT of fiddling around with certificates and security
permissions the problem appears to have been resolved. Kind of ;) I
have message security working but it will only work if I set the
clients certificate validation mode to None:

<authentication certificateValidationMode="None" />

Any thoughts would be appreciated if I set the mode to
PeerOrChainTrust I experience the same faulting channel as before.

Another question....

If the username and password authentication fails the clients channel
simply faults. Security exceptions appear to be thrown very early on
in the pipeline before and thus my custom error handlers don't get
installed in time (IErrorHandler). I find it slightly annoying that I
can't determine the cause of this on the client but I can understand
that lack of information here makes the service more secure.
Determining on the client whether it is an authentication problem or a
communications error is a bit of a pain but I can work around this by
having a separate authentication service to handle login verification
etc.

Regards,
Mark
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top