A new security mode "AllowInsecureTransport"
-
Thursday, August 06, 2009 5:56 AM
I am using WCF 3.5 and am experiencing issues with SSL termination by a firewall where my WCF service expects to receive the message credential over SSL.
I read another thread that suggested there is a hotfix that exposes a new security mode for the binding called "AllowInsecureTransport", and that this new setting will be available in .NET 4.0.
I have been reading up on the enhancements for 4.0 and have not come across this new security mode. Can anyone shed some light on whether this feature is available in the current Beta release so that I can start doing some proof of concept?
Here is the thread
http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/87a254c8-e9d1-4d4c-8f62-54eae497423f
Does anyone know the hotfix or KB number so that I can try to find a download?
Thanks, Jim
Answers
-
Thursday, August 06, 2009 6:18 PM, Moderator
Hello Jimmy Q,
The hot fix you are referring to can be found here:
http://support.microsoft.com/kb/971493
You will probably have to contact support for the hotfix until an official service pack ships. There is a link there about how to do that.
More in particular, the secure mode AllowInsecureTransport is not yet available in Beta 1. It will be available in the Beta 2 version of .NET 4.
Thanks.
- Proposed As Answer by Amadeo Casas - MSFTModerator Thursday, August 06, 2009 6:18 PM
- Unproposed As Answer by Amadeo Casas - MSFTModerator Friday, August 07, 2009 3:51 PM
- Proposed As Answer by Amadeo Casas - MSFTModerator Friday, August 07, 2009 3:52 PM
- Marked As Answer by Amadeo Casas - MSFTModerator Tuesday, August 11, 2009 5:57 PM
All Replies
-
-
Friday, August 07, 2009 1:30 AM
Thanks Amadeo, I downloaded the hotfix and have applied it to our dev environment.
However, I am not entirely sure this hotfix addresses the issue with SSL termination beyond the WCF service.
I am using the TransportWithMessageCredential security mode on the ws2007 binding; however, the SSL terminates at the perimeter firewall, so by the time it reaches my WCF service host it is in plaintext and on the HTTP scheme.
So on the WCF host service I use the same ws2007 binding with the TransportWithMessageCredential security mode. This dictates that the endpoint be HTTPS, which is the issue I was experiencing. This hotfix exposes an attribute named enableUnsecuredResponse, which I am led to believe should solve my issue.
So I create a custom binding that mimics the client-side binding and also sets enableUnsecuredResponse to true, thinking I can then set my endpoint listen URI to an HTTP scheme and therefore satisfy the requirement of receiving the credentials over non-SSL. However, the service host refuses to start up, as the binding configuration still mandates HTTPS.
-
Friday, August 07, 2009 1:44 AM
Hi again Amadeo
Are you sure KB971493 is the correct hotfix?
The reason I ask is that the other thread from the WCF forums suggests the new mode is AllowInsecureTransport, whereas the hotfix exposes a property called enableUnsecuredResponse?
-
Friday, August 07, 2009 3:51 PM, Moderator
Yes, that is the correct fix. If that does not fix your issue, you will most likely have to wait for the Beta 2 version of the framework.
-
Saturday, August 08, 2009 12:06 AM
Then the fix is not addressing the aforementioned issue, which is sending credentials over an unsecured channel brought about by SSL termination.
Thanks for your help anyway, Amadeo
-
Tuesday, December 08, 2009 7:48 PM
In case anyone cares, the correct hotfix is: http://support.microsoft.com/kb/971831
-
Thursday, December 17, 2009 6:58 AM
Thanks Paul
Been eagerly awaiting this, will try it soon and report back
-
Tuesday, December 22, 2009 10:00 AM
Have you fixed this issue?
I'm setting up a Silverlight application with WCF and want to communicate https - http.
I've installed the hotfix (I'm using Windows 7), but I can't find the enableUnsecuredResponse attribute.
Can you show me some example code? (if you've solved the problem)
Kind regards
-
Tuesday, January 19, 2010 7:10 PM
This new SecurityBinding attribute (AllowInsecureTransport) worked for me at runtime (i.e. both client and server allowed UsernameOverTransport security using HTTP). However, the WSDL GET fails with this error:
An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is: System.InvalidOperationException: An exception was thrown in a call to a policy export extension. Extension: System.ServiceModel.Channels.TransportSecurityBindingElement Error: Security policy export failed. The binding contains a TransportSecurityBindingElement but no transport binding element that implements ITransportTokenAssertionProvider. Policy export for such a binding is not supported. Make sure the transport binding element in the binding implements the ITransportTokenAssertionProvider interface. ----> System.InvalidOperationException: Security policy export failed. The binding contains a TransportSecurityBindingElement but no transport binding element that implements ITransportTokenAssertionProvider. Policy export for such a binding is not supported. Make sure the transport binding element in the binding implements the ITransportTokenAssertionProvider interface.
   at System.ServiceModel.Channels.TransportSecurityBindingElement.System.ServiceModel.Description.IPolicyExportExtension.ExportPolicy(MetadataExporter exporter, PolicyConversionContext policyContext)
   at System.ServiceModel.Description.MetadataExporter.ExportPolicy(ServiceEndpoint endpoint)
   --- End of inner ExceptionDetail stack trace ---
   at System.ServiceModel.Description.MetadataExporter.ExportPolicy(ServiceEndpoint endpoint)
   at System.ServiceModel.Description.WsdlExporter.ExportEndpoint(ServiceEndpoint endpoint, XmlQualifiedName wsdlServiceQName)
   at System.ServiceModel.Description.WsdlExporter.ExportEndpoints(IEnumerable`1 endpoints, XmlQualifiedName wsdlServiceQName)
   at System.ServiceModel.Description.ServiceMetadataBehavior.MetadataExtensionInitializer.GenerateMetadata()
   at System.ServiceModel.Description.ServiceMetadataExtension.EnsureInitialized()
   at System.ServiceModel.Description.ServiceMetadataExtension.HttpGetImpl.InitializationData.InitializeFrom(ServiceMetadataExtension extension)
   at System.ServiceModel.Description.ServiceMetadataExtension.HttpGetImpl.GetInitData()
   at System.ServiceModel.Description.ServiceMetadataExtension.HttpGetImpl.TryHandleMetadataRequest(Message httpGetRequest, String[] queries, Message& replyMessage)
   at System.ServiceModel.Description.ServiceMetadataExtension.HttpGetImpl.ProcessHttpRequest(Message httpGetRequest)
   at SyncInvokeGet(Object , Object[] , Object[] )
   at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)
   at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage4(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)
I naively expected that this would work... My server's custom binding has this configuration:
<customBinding>
  <binding name="UsernamePasswordOverHttp">
    <textMessageEncoding messageVersion="Soap11" />
    <security
      authenticationMode="UserNameOverTransport"
      messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
      securityHeaderLayout="Lax"
      allowInsecureTransport="true" />
    <httpTransport />
  </binding>
</customBinding>
Is there any expectation that the WSDL would be retrievable with this configuration, or am I missing something?
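The binding described in the two posts above (username token in the message, plain HTTP on the wire because TLS was terminated at the perimeter), built in code rather than config, together with the startup check a defender wants once allowInsecureTransport is in play. This is an added example by the editor, not code from the thread, from the hotfix, or from Microsoft: the class InsecureTransportGuard and its method names are hypothetical; SecurityBindingElement.AllowInsecureTransport, CreateUserNameOverTransportBindingElement, CustomBinding and ServiceEndpoint.ListenUri are the real .NET 4 APIs. The approved-URI set is an assumption about the deployment: it should list exactly the listen addresses that are only reachable through the TLS terminator, which is something the code cannot discover on its own.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;

// Hypothetical helper (added example); not part of WCF or of the thread.
public static class InsecureTransportGuard
{
    // Code-built equivalent of the posted customBinding: UsernameToken in the
    // SOAP security header, plain HTTP transport, insecure transport permitted.
    public static CustomBinding CreateUserNameOverHttpBinding()
    {
        TransportSecurityBindingElement security =
            SecurityBindingElement.CreateUserNameOverTransportBindingElement();
        security.MessageSecurityVersion = MessageSecurityVersion
            .WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
        security.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
        // The setting the thread is about. With it, WCF no longer insists on https
        // for a UserNameOverTransport binding, so the UsernameToken crosses the hop
        // between the TLS terminator and this host in cleartext.
        security.AllowInsecureTransport = true;

        var encoding = new TextMessageEncodingBindingElement
        {
            MessageVersion = MessageVersion.Soap11
        };
        return new CustomBinding(security, encoding, new HttpTransportBindingElement());
    }

    // True when this endpoint will read message credentials off a non-TLS listener.
    public static bool AcceptsCredentialsOverPlaintext(ServiceEndpoint endpoint)
    {
        Uri listenUri = endpoint.ListenUri ?? endpoint.Address.Uri;
        bool plaintext = string.Equals(listenUri.Scheme, Uri.UriSchemeHttp,
                                       StringComparison.OrdinalIgnoreCase);
        SecurityBindingElement security =
            endpoint.Binding.CreateBindingElements().Find<SecurityBindingElement>();
        return plaintext && security != null && security.AllowInsecureTransport;
    }

    // Call from your ServiceHost's OnOpening. Refuses to open the host if any
    // plaintext-credential endpoint listens at a URI the operator did not approve,
    // i.e. one not known to sit behind the TLS terminator.
    public static void ThrowIfUnapprovedPlaintextCredentialEndpoint(
        ServiceHost host, ISet<Uri> approvedListenUris)
    {
        List<Uri> offenders = host.Description.Endpoints
            .Where(AcceptsCredentialsOverPlaintext)
            .Select(e => e.ListenUri ?? e.Address.Uri)
            .Where(u => !approvedListenUris.Contains(u))
            .ToList();
        if (offenders.Count > 0)
        {
            throw new InvalidOperationException(
                "Message credentials would be accepted over plain HTTP at: "
                + string.Join(", ", offenders.Select(u => u.ToString()).ToArray()));
        }
    }
}
```

Calling ThrowIfUnapprovedPlaintextCredentialEndpoint with a HashSet<Uri> built from the operator's own list of terminator-facing addresses turns a silent misconfiguration (a plaintext-credential endpoint that accidentally listens somewhere else) into a failure at host open, which is where you want to find it.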
-
Thursday, January 21, 2010 11:22 PM
I hear you, I've been having the same issue... After trolling through pages of code in Reflector and trying to find appropriate hooks to get around the WSDL generation with allowInsecureTransport, I have a solution for you:
Host two endpoints, one with a 'working' binding and one with your custom binding:
<services>
  <service name="GenevaSTS.STSContract" behaviorConfiguration="stsBehaviour">
    <endpoint name="workingSts"
              binding="ws2007HttpBinding"
              bindingConfiguration="ws2007HttpBinding"
              address="https://localhost/GenevaSTS/Service.svc"
              contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract"/>
    <endpoint name="customSts"
              binding="customBinding"
              bindingConfiguration="customBinding"
              address="http://localhost/GenevaSTS/Service1.svc"
              contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract"/>
  </service>
</services>
<bindings>
  <ws2007HttpBinding>
    <binding name="ws2007HttpBinding">
      <security mode="TransportWithMessageCredential">
        <transport clientCredentialType="None"
                   proxyCredentialType="None"
                   realm=""/>
        <message clientCredentialType="Certificate"
                 negotiateServiceCredential="false"
                 algorithmSuite="Default"
                 establishSecurityContext="false"/>
      </security>
    </binding>
  </ws2007HttpBinding>
  <customBinding>
    <binding name="customBinding">
      <security
        authenticationMode="CertificateOverTransport"
        allowInsecureTransport="true">
      </security>
      <textMessageEncoding/>
      <httpTransport/>
    </binding>
  </customBinding>
</bindings>
In code, you'll have to remove the custom binding, initialize metadata generation, remove the 'working' binding, and put back the custom binding.
Inside your overridden ServiceHost class (I am using Geneva), override the OnOpening and OnOpened methods:
Reading the Metadata property on the ServiceMetadataExtension will initialize WSDL generation while the 'working' binding is in place.
using System;
using System.Linq;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;

// ServiceHost subclass carrying the two overrides. The poster derives from the
// Geneva STS host; any ServiceHost-derived class works the same way.
public class MetadataSwappingServiceHost : ServiceHost
{
    ServiceEndpoint ws2007BindingEndpoint;
    ServiceEndpoint customBindingEndpoint;

    public MetadataSwappingServiceHost(Type serviceType, params Uri[] baseAddresses)
        : base(serviceType, baseAddresses)
    {
    }

    protected override void OnOpening()
    {
        // Remember both endpoints, then hide the allowInsecureTransport one so that
        // opening (and the policy export it triggers) only sees the exportable binding.
        ws2007BindingEndpoint = this.Description.Endpoints.First(e => e.Binding.GetType() == typeof(WS2007HttpBinding));
        customBindingEndpoint = this.Description.Endpoints.FirstOrDefault(e => e.Binding.GetType() == typeof(CustomBinding));
        if (customBindingEndpoint != null)
        {
            this.Description.Endpoints.Remove(customBindingEndpoint);
        }
        base.OnOpening();
    }

    protected override void OnOpened()
    {
        if (customBindingEndpoint != null)
        {
            // Touching Metadata forces WSDL generation now, while the 'working' binding is in place.
            ServiceMetadataExtension metadataExtension = base.Extensions.Find<ServiceMetadataExtension>();
            MetadataSet m = metadataExtension.Metadata;
            // Swap: serve the custom binding and drop the endpoint that existed only for WSDL export.
            this.Description.Endpoints.Add(customBindingEndpoint);
            this.Description.Endpoints.Remove(ws2007BindingEndpoint);
        }
        base.OnOpened();
    }
}