netTcpBinding metadata exchange error with SvcUtil.exe


  • Tuesday, May 31, 2011 8:34 AM

    Hi

    1. Has anyone had this problem? I'm trying to add a Primary Service endpoint (using StockTrader old ver 2.4) and want the service endpoint binding to be netTcpBinding with Transport security and Windows clientCredentials, i.e. Host_TcpBinding_T_Security. I'm able to set things up in config-web, but when I try to generate the client configuration using Svcutil pointing to the net.tcp mex endpoint 'net.tcp://localhost:9000/membershipservicewcf/service/mex', it gives me the error below:

    Metadata contains a reference that cannot be resolved: 'net.tcp://localhost:9000/membershipservicewcf/service/mex'.
    The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:04:58.5960000'.
    An existing connection was forcibly closed by the remote host
    If the service is defined in the current solution, try building the solution and adding the service reference again.

    I have checked in the service's console, the net.tcp://localhost:9000/membershipservicewcf/service/mex is added correctly.

    With the same netTcpBinding but with binding Host_TcpBinding, i.e. security mode = "None", I'm able to generate the client config.

    2. And why does it ask for a service certificate while adding netTcpBinding with Transport security and Windows clientCredentials? I.e. suppose I have selected SimpleServiceBehaviors for the VHOST, and then while adding a tcp endpoint I select Host_TcpBinding_T_Security from the drop-down, I see my WCF console service erroring, saying: Error opening Service Host. Exception: System.InvalidOperationException: The Service Certificate is not provided. On the other hand, even if I do select a service behavior with a certificate, the endpoint adds OK as mentioned in 1, but when I try to add an internal client config and use svcutil to generate the config for the net.tcp endpoint, it fails to get the metadata. Even if I do add an internal client endpoint and client binding directly into the config and try establishing a connection from a client app, the added connection shows with a failure icon. The clients are not able to establish a connection.

    The same works straightforwardly outside config-svcs, i.e. when hosted without config-svcs.

    I guess it must be fairly simple to set up a service with netTcpBinding, Transport security and Windows clientCredentials. Kindly let me know what I'm missing.

    RGDS

    SKBG



All Replies

  • Wednesday, June 01, 2011 5:48 AM

    OK, I have resolved the issue; it was very simple: you just have to add the endpoint identity userPrincipalName for the client endpoint. And it's not always needed to have a certificate for transport security as MSDN says; you choose between certificate or Windows as follows:

    <binding name="Host_myTcpBinding">
        <security mode="Transport">
            <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
            <message clientCredentialType="Windows" />
        </security>
    </binding>

    For this you can simply use the SimpleServiceBehaviors already provided.

  • Wednesday, June 01, 2011 6:46 AM
    Moderator
     Answered

    Cool.  I just tested this myself in Config Service 5.0.  It seems to work fine in that:

    a) No server certificate required, host starts fine (also no special behavior needed)

    b) Client definition for internal binding seems fine as well, no exceptions.

    c) However, svcutil does not run against the net.tcp endpoint directly (I think you need to configure svcutil itself in some way to handle the extra security on the tcp endpoint.)  But, you can always get svcutil to work against 'tricky' bindings by simply also defining (temporarily) a simple basicHttp binding on the endpoint. Run svcutil against the http endpoint, and it will generate bindings and client definitions against all endpoints that have mex on them.  Here is what I get from svcutil:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
        <system.serviceModel>
            <bindings>
                <basicHttpBinding>
                    <binding name="BasicHttpBinding_HelloService" closeTimeout="00:01:00"
                        openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
                        allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                        maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                        messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
                        useDefaultWebProxy="true">
                        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                        <security mode="None">
                            <transport clientCredentialType="None" proxyCredentialType="None"
                                realm="" />
                            <message clientCredentialType="UserName" algorithmSuite="Default" />
                        </security>
                    </binding>
                </basicHttpBinding>
                <netTcpBinding>
                    <binding name="NetTcpBinding_HelloService" closeTimeout="00:01:00"
                        openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
                        transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions"
                        hostNameComparisonMode="StrongWildcard" listenBacklog="10"
                        maxBufferPoolSize="524288" maxBufferSize="65536" maxConnections="10"
                        maxReceivedMessageSize="65536">
                        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                        <reliableSession ordered="true" inactivityTimeout="00:10:00"
                            enabled="false" />
                        <security mode="Transport">
                            <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
                            <message clientCredentialType="Windows" />
                        </security>
                    </binding>
                </netTcpBinding>
            </bindings>
            <client>
                <endpoint address="http://lglwin2008-lab.corp.dotnettrade.com:7004/Hello/HelloSvc"
                    binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_HelloService"
                    contract="HelloService" name="BasicHttpBinding_HelloService" />
                <endpoint address="net.tcp://lglwin2008-lab.corp.dotnettrade.com:7005/hello/hellosvc"
                    binding="netTcpBinding" bindingConfiguration="NetTcpBinding_HelloService"
                    contract="HelloService" name="NetTcpBinding_HelloService">
                    <identity>
                        <userPrincipalName value="administrator@corp.dotnettrade.com" />
                    </identity>
                </endpoint>
            </client>
        </system.serviceModel>
    </configuration>


    Greg Leake, Microsoft
    • Marked As Answer by SKBG Wednesday, June 01, 2011 8:07 AM
  • Wednesday, June 01, 2011 8:22 AM

    Nice trick. We need to do this since once you've configured the primary svc to a net.tcp ep with <security mode="Transport">, even with config svc adding the mex ep to the net.tcp ep, Svcutil cannot access the metadata, and will throw the error

    [Metadata contains a reference that cannot be resolved: 'net.tcp://localhost:9000/membershipservicewcf/service/mex'.
    The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:04:58.5023808'.
    An existing connection was forcibly closed by the remote host
    If the service is defined in the current solution, try building the solution and adding the service reference again.]

    Of course you can always edit the service's BasicHttpBinding ep and de-activate it when not required.

    - skbg


  • Wednesday, June 01, 2011 12:53 PM
    Moderator

    It should behave exactly the same whether using config service or not (it's just a WCF service).  The issue I think is that svcutil itself cannot access a secure mex endpoint without some config for svcutil itself.  There is an MSDN post here:

    http://msdn.microsoft.com/en-us/library/aa395212.aspx     

    This is for a secure https endpoint, but apparently the same steps would work for a net.tcp binding.  Basically you create a .config file for svcutil with binding information for a compatible mex binding, which it then picks up.  My trick works also, but if you want svcutil to work directly over a secure net.tcp binding, perhaps the above information will get it going.

    -Greg


    Greg Leake, Microsoft
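    As an added example (not from any post in this thread, and not from the StockTrader project), here is what a svcutil.exe.config for the approach Greg describes could look like for a Transport/Windows net.tcp mex endpoint. It relies on the documented svcutil/MetadataExchangeClient behaviour of selecting the IMetadataExchange client endpoint whose name equals the URI scheme of the mex address (here "net.tcp"); the binding name SecureTcpMex, the file placement next to svcutil.exe, and the UPN value are assumptions and placeholders, and the security settings mirror the Host_myTcpBinding snippet quoted earlier in the thread.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- svcutil.exe.config (assumed name/location: saved beside svcutil.exe so the
     tool loads it as its own application config). Added example, not thread code. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <!-- Must match the security of the service's mex endpoint exactly; a
             mismatch is rejected at the transport handshake, which is why the
             client only sees "socket connection was aborted" and no metadata. -->
        <binding name="SecureTcpMex">
          <security mode="Transport">
            <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <client>
      <!-- The endpoint name is the URI scheme of the mex address ("net.tcp");
           svcutil looks up the IMetadataExchange endpoint with that name. -->
      <endpoint name="net.tcp"
                binding="netTcpBinding"
                bindingConfiguration="SecureTcpMex"
                contract="IMetadataExchange">
        <identity>
          <!-- Placeholder: the Windows account the service host runs under,
               so the client can authenticate the server and not just itself. -->
          <userPrincipalName value="serviceaccount@EXAMPLE.DOMAIN" />
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
```

    With this file in place the original command should be usable as-is, for instance `svcutil.exe net.tcp://localhost:9000/membershipservicewcf/service/mex /config:output.config`. Two things to check if it still fails: the mex endpoint on the service side has to use a binding carrying the same Transport/Windows security (the stock mexTcpBinding is a netTcpBinding with security mode None, so a mex endpoint built on it cannot be reached through this client binding), and the userPrincipalName has to be the identity of the host process, since the client uses it to validate the server during the Windows authentication exchange.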