UserName Password Authentication. Setting the Client side

    Question

  • Hi

    I have set up a server (wsHttpBinding) that should authenticate the incoming messages using the ASP.NET membership provider.

    In the client proxy I write the username and the password to :

    prox.ClientCredentials.UserName.Password = "XYZ..."

    prox.ClientCredentials.UserName.UserName = "XYZ..."

    Unfortunately the authentication failed. (Of course the user was set in the DB...)
    (Exception I get: "The request for security token has invalid or malformed elements")

    Is there something I forgot to do in the client side?

    What are the steps that should be done in the client to send the credentials to the server?

    Thanks

    Manu (manu@sela.co.il)

    Thursday, July 27, 2006 4:50 PM

Answers

  • Could be that the binding on the service is also incorrect, so I'll start with the service.

    ****SERVICE*****

    1. Your wsHttpBinding configuration should be set to "UserName"
    2. Your behavior should turn on the ASP.NET membership provider, and also the roles provider, otherwise you will be authenticating against the Windows domain
    3. You will need to secure the username token exchange, so either use SSL certificates in IIS, or use a service certificate (shown here) to secure the exchange. That means you have to have a private key at the service (mine, shown here, is RPKey) that is located in the local machine certificate store. Change the name of my key to your key.

    The entire service configuration is shown here, including metadata support for proxy generation:

    <system.serviceModel>
      <services>
        <service name="HelloIndigo.HelloIndigoService" behaviorConfiguration="serviceBehavior">
          <endpoint binding="wsHttpBinding" bindingConfiguration="wsHttp" contract="HelloIndigo.IHelloIndigoService"/>
          <endpoint contract="IMetadataExchange" binding="mexHttpBinding" address="mex" />
        </service>
      </services>
      <bindings>
        <wsHttpBinding>
          <binding name="wsHttp">
            <security mode="Message">
              <message clientCredentialType="UserName"/>
            </security>
          </binding>
        </wsHttpBinding>
      </bindings>
      <behaviors>
        <serviceBehaviors>
          <behavior name="serviceBehavior">
            <serviceMetadata httpGetEnabled="true"/>
            <serviceAuthorization principalPermissionMode="UseAspNetRoles" />
            <serviceCredentials>
              <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"/>
              <serviceCertificate findValue="RPKey" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
            </serviceCredentials>
          </behavior>
        </serviceBehaviors>
      </behaviors>
    </system.serviceModel>

    ****CLIENT*****

    1. Use svcutil.exe or "Add Service Reference" to generate the client-side configuration and proxy. This should add an <identity> element to the client endpoint with the certificate information for security, so that you don't have to install the service public cert on the client side.
    2. Set the username and password as you are doing already.

    Client endpoint shown here, but this config is automatically generated and should work.

    <client>
      <endpoint address="http://mlbvaio/WCFHostASPNETRoles/HelloIndigoService.svc"
                binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IHelloIndigoService1"
                contract="Client.localhost.IHelloIndigoService" name="WSHttpBinding_IHelloIndigoService">
        <identity>
          <certificate encodedValue="..." />
        </identity>
      </endpoint>
    </client>

    Thursday, July 27, 2006 6:05 PM
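The client side of the answer above, built in code rather than app.config. This is an added example, not the answer's own code; it assumes the IHelloIndigoService contract generated by svcutil in client step 1, the RPKey certificate subject from the service config, and the negotiateServiceCredential="false" setting that Plamen's reply further down the thread describes (with that setting the client must hold the service's public certificate itself).

```csharp
// Added example (not the answer's code): the client side of the accepted answer
// built in code instead of app.config. Assumes the IHelloIndigoService contract
// generated by svcutil and the RPKey service certificate from the answer.
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

public static class UserNameClient
{
    public static ChannelFactory<IHelloIndigoService> CreateFactory(
        string address, string serviceCertSubject, string user, string password)
    {
        // Client step 1: the same binding as the service, Message security with
        // UserName client credentials.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        // As in Plamen's reply further down: no runtime negotiation of the
        // service credential, so the client must already hold the certificate.
        binding.Security.Message.NegotiateServiceCredential = false;

        // The DNS identity must match the certificate subject; a mismatch gives
        // the "absent or incorrectly specified EndpointIdentity" error quoted
        // in the last reply of the thread.
        var endpoint = new EndpointAddress(new Uri(address),
            EndpointIdentity.CreateDnsIdentity(serviceCertSubject));
        var factory = new ChannelFactory<IHelloIndigoService>(binding, endpoint);

        // Client step 2: the credentials the question already sets.
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;

        // The service's public certificate, taken from CurrentUser\TrustedPeople.
        // This replaces the <identity><certificate encodedValue=...> element that
        // svcutil writes into the generated config.
        factory.Credentials.ServiceCertificate.SetDefaultCertificate(
            StoreLocation.CurrentUser, StoreName.TrustedPeople,
            X509FindType.FindBySubjectName, serviceCertSubject);

        // A makecert test certificate does not chain to a trusted root (the
        // chain-building error later in the thread). PeerTrust accepts the
        // certificate placed in TrustedPeople; use ChainTrust with a CA-issued
        // certificate in production, and never set the mode to None.
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerTrust;
        return factory;
    }
}
```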

All replies

  • I'm doing exactly as described (except for using a custom validator); I've got an example from the WCF Samples to help me out. When I hand-write the client's app.config myself I can get it working. The config is at the bottom of this post (and I guess that 90% of this post can be considered the bottom ;-)

    But when I auto-generate the config (with either svcutil or by Add Service Reference) it doesn't work and I get an ugly error. The error: The X.509 certificate CN=localhost chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

    Any idea why I get the error!? Thanks in advance!

    ----[ SERVICE CONFIG : Just behaviors ]----------------------------------------

    <behaviors>
      <serviceBehaviors>
        <behavior name="whatever">
          <serviceAuthorization principalPermissionMode="Custom"/>
          <serviceCredentials>
            <serviceCertificate findValue="localhost" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"/>
            <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="CustomAuthentication.MyValidator, CustomAuthentication" />
          </serviceCredentials>
          <serviceMetadata />
        </behavior>
      </serviceBehaviors>
    </behaviors>

    ---[ CLIENT CONFIG SELF-CREATED ]---------------------------------------------

    <system.serviceModel>
      <client>
        <endpoint address="http://localhost:8080/WebshopService" binding="wsHttpBinding"
                  bindingConfiguration="test" contract="ShoppingCart"
                  name="WSHttpBinding_ShoppingCart" behaviorConfiguration="behave">
        </endpoint>
      </client>
      <bindings>
        <wsHttpBinding>
          <binding name="test">
            <security mode="Message">
              <message clientCredentialType="UserName"/>
            </security>
          </binding>
        </wsHttpBinding>
      </bindings>
      <behaviors>
        <endpointBehaviors>
          <behavior name="behave">
            <clientCredentials>
              <serviceCertificate>
                <authentication certificateValidationMode="PeerOrChainTrust"/>
              </serviceCertificate>
            </clientCredentials>
          </behavior>
        </endpointBehaviors>
      </behaviors>
    </system.serviceModel>

    Wednesday, January 31, 2007 9:12 PM
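The customUserNamePasswordValidatorType in the service config above refers to a class of this shape. This is an added example, not the poster's code: the namespace and class name come from the config, while the body that delegates to the ASP.NET membership provider is an assumption, chosen so the outcome matches the userNamePasswordValidationMode="MembershipProvider" setting in the accepted answer.

```csharp
// Added example (not the poster's code): a custom validator for
// userNamePasswordValidationMode="Custom". Namespace and class name are taken
// from the config above; delegating to Membership.ValidateUser is assumed.
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Web.Security;

namespace CustomAuthentication
{
    public class MyValidator : UserNamePasswordValidator
    {
        // WCF calls this once per incoming UserName token, before the operation runs.
        public override void Validate(string userName, string password)
        {
            // Reject empty values before touching the provider; the same generic
            // message is used for every failure so callers cannot tell an unknown
            // user from a wrong password.
            if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
                throw new SecurityTokenException("Unknown username or incorrect password.");

            // Membership.ValidateUser does the password hash comparison and the
            // provider's lockout bookkeeping; the validator only maps the result.
            if (!Membership.ValidateUser(userName, password))
                throw new SecurityTokenException("Unknown username or incorrect password.");

            // Returning normally accepts the token; with principalPermissionMode="Custom"
            // the service then supplies its own authorization policy for role checks.
        }
    }
}
```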
  • My guess would be default makecert parameters were used in creating the localhost cert, which causes the created cert to chain up to the Root Agency cert, which is by default in the intermediate CA store instead of the root CA store. A deeper understanding of how X509 certificate issuance and chaining works may help in understanding the error message (which, while not smoothly phrased, is pretty precise about what the problem is).
    Monday, February 05, 2007 7:35 PM
  • Hi,

    I had the same exception when I tried to connect to the service from another machine. After a lot of tries I finally was able to fix this issue by setting the negotiateServiceCredential value to false in Web.config and Client.exe.config:

    Web.config

    <security mode="Message">
      <message clientCredentialType="UserName" negotiateServiceCredential="false" />
    </security>

    Client.exe.config

    <security mode="Message" >
      <message clientCredentialType="UserName" negotiateServiceCredential="false" />
    </security>
    • Edited by Plamen Wednesday, October 19, 2011 2:10 PM
    Wednesday, October 19, 2011 2:08 PM
  • I am getting this issue while accessing a SOAP method with ws2007FederationHttpBinding

    Secure channel cannot be opened because security negotiation with the remote endpoint has failed. This may be due to absent or incorrectly specified EndpointIdentity in the EndpointAddress used to create the channel.
    Please verify the EndpointIdentity specified or implied by the EndpointAddress correctly identifies the remote endpoint

    Thanks

    Krunal Jani

    Thursday, March 21, 2013 5:24 AM