maxClockSkew issues

  • Question

  • .net 4 Wcf:

    I am using a custom binding only because of the clock skew issue. All I want to do is use a user name and password to set up the security. I don't care about time skew, the app is low risk, and I have no control over the host time or the user's time. Is there any way to disable the time skew check?

    Otherwise what is the upper limit for the value of maxClockSkew? I am currently using 00:30:00.


    • Edited by P a u l Thursday, February 14, 2013 12:22 AM
    Thursday, February 14, 2013 12:21 AM

Answers

  • Hi, is the issue solved? If not, what's the issue now?

    Yes for my purposes it's solved. This is not a best practice example for wcf :+>

    Friday, February 15, 2013 7:06 AM

All replies

SecurityBindingElement.IncludeTimestamp=false should disable this. Refer to this if it would help you.

    The upper limit of maxClockSkew is equivalent to TimeSpan.MaxTimeSpan or Int64.MaxValue ticks. The string representation of this value is 10675199.02:48:05.4775807, or slightly more than 10,675,199 days.


    Lingaraj Mishra



    Thursday, February 14, 2013 7:24 AM
  • I saw your link for includeTimestamp before and it didn't help. Plus I have a big problem understanding conversion between examples showing coded implementations and ones using web.config settings. After trying a few dozen guesses, I find that I have to set detectReplays = "false" as well as set includeTimestamp = "false".

    Here is the binding in web.config (the user's thick client .config is about the same) to show what I did. This setup allows me to use a local private cert on shared hosting (where I can't install certs), with user name and password authentication, and disable the clock skew.

    I would like to be able to convert this to an entirely coded implementation.

        <bindings>
          <customBinding>
            <binding name="WSHttpBinding_IExampleService"
                     receiveTimeout="00:10:00"
                     sendTimeout="00:10:00">
              <transactionFlow transactionProtocol="WSAtomicTransactionOctober2004" />
              <security
                defaultAlgorithmSuite="Default"
                authenticationMode="UserNameForCertificate"
                includeTimestamp="false"
                requireDerivedKeys="true"
                securityHeaderLayout="Strict"
                keyEntropyMode="CombinedEntropy"
                messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
                messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10" 
                requireSignatureConfirmation="false">
                <localClientSettings
                  cacheCookies="true"
                  detectReplays="false"
                  replayCacheSize="900000"
                  maxClockSkew="00:30:00"
                  maxCookieCachingTime="Infinite"
                  replayWindow="00:05:00"
                  sessionKeyRenewalInterval="10:00:00"
                  sessionKeyRolloverInterval="00:05:00"
                  reconnectTransportOnFailure="false"
                  timestampValidityDuration="00:05:00"
                  cookieRenewalThresholdPercentage="60" />
                <localServiceSettings
                  detectReplays="false" 
                  issuedCookieLifetime="10:00:00" 
                  maxStatefulNegotiations="128"
                  replayCacheSize="900000" 
                  maxClockSkew="00:30:00" 
                  negotiationTimeout="00:01:00"
                  replayWindow="00:05:00" 
                  inactivityTimeout="00:02:00" 
                  sessionKeyRenewalInterval="15:00:00"
                  sessionKeyRolloverInterval="00:05:00" 
                  reconnectTransportOnFailure="false"
                  maxPendingSessions="128" 
                  maxCachedCookies="1000" 
                  timestampValidityDuration="00:05:00" />
                <secureConversationBootstrap />
              </security>
              <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16" messageVersion="Default" writeEncoding="utf-8">
                <readerQuotas maxDepth="32" maxStringContentLength="40000000" maxArrayLength="40000000" maxBytesPerRead="4096"
                              maxNameTableCharCount="16384" />
              </textMessageEncoding>
              <httpTransport manualAddressing="false" maxBufferPoolSize="524288" maxReceivedMessageSize="2000000000"
                             allowCookies="false" authenticationScheme="Anonymous" bypassProxyOnLocal="false"
                             decompressionEnabled="true" hostNameComparisonMode="StrongWildcard" keepAliveEnabled="true"
                             maxBufferSize="2000000000" proxyAuthenticationScheme="Anonymous" realm="" transferMode="Buffered"
                             unsafeConnectionNtlmAuthentication="false" useDefaultWebProxy="true" />
            </binding>
          </customBinding>
        </bindings>


    • Edited by P a u l Thursday, February 14, 2013 9:54 PM
    Thursday, February 14, 2013 9:54 PM
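
The binding from the post above, built in code, as an added example that is not part of the original thread. The class name `ExampleBindingFactory` is hypothetical, and attributes not set below are assumed to stay at their WCF defaults.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.Text;

static class ExampleBindingFactory   // hypothetical name, not from the thread
{
    public static CustomBinding Create()
    {
        // authenticationMode="UserNameForCertificate"
        SymmetricSecurityBindingElement security =
            SecurityBindingElement.CreateUserNameForCertificateBindingElement();
        security.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Default;
        security.MessageSecurityVersion = MessageSecurityVersion
            .WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
        security.SecurityHeaderLayout = SecurityHeaderLayout.Strict;
        security.KeyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy;
        security.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature;
        security.RequireSignatureConfirmation = false;
        security.SetKeyDerivation(true);   // requireDerivedKeys="true"

        // The post reports that both switches are needed to stop the clock skew check.
        // With both off, messages carry no freshness or replay protection.
        security.IncludeTimestamp = false;
        security.LocalClientSettings.DetectReplays = false;
        security.LocalServiceSettings.DetectReplays = false;
        security.LocalClientSettings.MaxClockSkew = TimeSpan.FromMinutes(30);
        security.LocalServiceSettings.MaxClockSkew = TimeSpan.FromMinutes(30);

        var encoding = new TextMessageEncodingBindingElement(MessageVersion.Default, Encoding.UTF8);
        encoding.ReaderQuotas.MaxStringContentLength = 40000000;
        encoding.ReaderQuotas.MaxArrayLength = 40000000;
        var transport = new HttpTransportBindingElement
        {
            MaxReceivedMessageSize = 2000000000,
            MaxBufferSize = 2000000000
        };

        // Element order matters: transaction flow, security, encoding, transport.
        return new CustomBinding(
            new TransactionFlowBindingElement(TransactionProtocol.WSAtomicTransactionOctober2004),
            security, encoding, transport)
        {
            Name = "WSHttpBinding_IExampleService",
            ReceiveTimeout = TimeSpan.FromMinutes(10),
            SendTimeout = TimeSpan.FromMinutes(10)
        };
    }
}
```

The same binding instance can be passed to `ServiceHost.AddServiceEndpoint` on the service and to `ChannelFactory<T>` on the client; the service certificate and user name credentials are configured separately.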
  • Hi, is the issue solved? If not, what's the issue now?
    Friday, February 15, 2013 4:49 AM