Tuesday, March 01, 2011 2:59 PM
I have hosted a new WCF Service within IIS 7.5 that appears to work except when I:
Turn the IIS "Required SSL (client certificates - ignore)" option on for the web site.
That results in the "The HTTP Request was forbidden..." request failures.
The WCF Service appears to work with SSL, but I wish a block any "non-SSL" http requests
Some Important configurations:
1. Supports Dual security with a production (signed) certificate:
<message clientCredentialType="UserName" />
2. XSD Validation
extensions><behaviorExtensions><add name="SchemaValidator" type="SigmaSchemaValidations.ProspectCustomBehaviorSection, SigmaSchemaValidations, Version=220.127.116.11, Culture=neutral, PublicKeyToken=null" /></behaviorExtensions></extensions>
3. Important service configurations:
serviceBehaviors><behavior name="CustomValidator"><serviceDebug includeExceptionDetailInFaults="false" /><serviceMetadata httpsGetEnabled="true" /><serviceCredentials><serviceCertificate findValue="xxxxxx.xxxxx.com" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" /><userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="SigmaProspectValidator.UserNamePasswordValidator,SigmaProspectService" /></serviceCredentials></behavior></serviceBehaviors>
service behaviorConfiguration="CustomValidator" name="SigmaProspectService.ProspectService"><endpoint address="https://localhost/services/V5/prospect.svc" listenUri="" behaviorConfiguration="XSDValidatorBehavior"binding="wsHttpBinding" bindingConfiguration="wsHttpUNmMsg"name="SigmaProspectUNm" contract="SigmaProspectService.IProspect" /><endpoint address="mex" binding="mexHttpsBinding" name="mex" contract="IMetadataExchange" /><host><baseAddresses><add baseAddress="https://localhost/services/V5"/></baseAddresses></host></service>
Tuesday, March 01, 2011 3:56 PM
Also; The Anonymous User Account is active & I've found some suggestions that the mex endpoint may need to be re-configure for SSL:
<endpoint address="mex" binding="wsHttpsBinding"
name="MetadataBinding" contract="IMetadataExchange" bindingConfiguration="CertificateWithTransport"/>
For more info see:
(Custom Secure Metadata Endpoint)
Ok, It appears that my issue relates to using an unsecured mex endpoint with a secured service endpoint.
However; to secure the mex endpoint & still allow the client to consume the service metadata; it appears the client needs to do additional work & may require a client-side certificate.
Is there a way to expose a secure mex endpoint without requiring extra work from the client? My consumers may object to any additional work.
I quess; I could:
1. Leave the Mex endpoint unsecure.
2. Allow the client to consume the service's metadata.
3. Disable the Mex endpoint.
4. Turn the IIS "Required SSL (client certificates - ignore)" option on
I assume the service will still work but the metadata will not be "re-consumable" until the Mex endpoint is re-enable.
- Marked As Answer by Biker Keith Tuesday, March 15, 2011 5:00 PM
Wednesday, March 02, 2011 3:11 AMModeratorHello, in most cases you can leave the mex endpoint unsecured. The client won't be able to invoke your actual service if they're not authenticated. They can only generate a proxy.
Lante, shanaolanxing This posting is provided "AS IS" with no warranties, and confers no rights.
Windows Azure Technical Forum Support Team Blog
- Marked As Answer by Yi-Lun LuoModerator Monday, March 07, 2011 9:09 AM