How the heck can I secure a STREAMED (yes, I yelled that) WCF net.tcp endpoint using WIF?

  • Question

  • Or, in other words, how can I secure a streamed endpoint using a GenericXmlSecurityToken, which is issued from a STS server?

    Related question can be viewed here: http://stackoverflow.com/questions/20691482/catch-22-prevents-streamed-tcp-wcf-service-securable-by-wif-ruining-my-christma

    Service is streamed because it is transferring large files.  The client calls the server, which then uses callbacks to pull files from the client. 

    I'm trying to create the channel using an issued token, 

    ChannelFactory.CreateChannelWithIssuedToken(token);

    but this requires Message security in order to function.  Or, in other words, the call does no null reference checking and fails poorly if Message security is not configured.

    This is 4.5, so please don't send me links to anything referencing Microsoft.IdentityModel, as while I have read the phrase "only a couple namespaces have changed, lol" a million times in a million articles while trying to figure this out, it is a complete heartless bastard of a lie.  

    Thursday, December 19, 2013 9:45 PM

All replies

  • Hi,

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Best Regards,
    Amy Peng


    Friday, December 20, 2013 6:12 AM
    Moderator
  • Thanks. Found something that may be an answer, however I'm still looking for some help.

    http://msdn.microsoft.com/en-us/library/cc668765(v=vs.110).aspx

    Friday, December 20, 2013 7:34 PM
  • Hi,

    May I know whether you have tried TransportWithMessageCredential? Based on my understanding, Federation requires a message credential, but it would not require message security. Streaming doesn't allow message security, so it is necessary to use TransportWithMessageCredential. There are at least two pieces of evidence why this could work: according to http://zamd.net/2008/07/04/federation-over-tcp-streaming/, streaming with WCF's built-in federation feature supports TransportWithMessageCredential; according to http://leastprivilege.com/2012/11/16/wcf-and-identity-in-net-4-5-external-authentication-with-ws-trust/, WIF supports TransportWithMessageCredential as well.

    Best Regards,

    Ming Xu



    Monday, December 23, 2013 3:14 AM
  • Nope, doesn't work with streaming.  Changed the host config to the following:

    <bindings>
        <customBinding>
            <binding name="FederationDuplexTcpMessageSecurityBinding">
                <!-- SecureConversation negotiates a message-level security context,
                     bootstrapped here with the token issued by the STS. -->
                <security authenticationMode="SecureConversation">
                    <secureConversationBootstrap authenticationMode="IssuedTokenForCertificate"/>
                </security>
                <!-- Transport-level TLS on the TCP stream. -->
                <sslStreamSecurity/>
                <tcpTransport transferMode="Streamed"
                              maxReceivedMessageSize="9223372036854775807"/>
            </binding>
        </customBinding>
    </bindings>
    <services>
        <service name="WcfWif.Service">
            <endpoint address=""
                      binding="customBinding"
                      bindingConfiguration="FederationDuplexTcpMessageSecurityBinding"
                      name="ServiceHost"
                      contract="ServiceDefinition.IHerp" />
            <host>
                <baseAddresses>
                    <add baseAddress="net.tcp://localhost:49627/MyService" />
                </baseAddresses>
            </host>
        </service>
    </services>


    This is based on the "Create a Duplex Federated Binding" MSDN link.  I get the same error as before...

    Additional information: The binding ('CustomBinding','http://tempuri.org/') supports streaming which cannot be configured together with message level security.  Consider choosing a different transfer mode or choosing the transport level security.

    So this still does not work with a streamed duplex tcp binding.  

    Any further thoughts?



    • Edited by WillSullivan Thursday, December 26, 2013 6:09 PM
    Thursday, December 26, 2013 6:07 PM
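The binding tested above uses authenticationMode="SecureConversation", which still negotiates a message-level security context; the custom-binding form of the TransportWithMessageCredential suggestion is IssuedTokenOverTransport, where the issued token is only a credential in the header and protection comes from the TLS stream. The following is an added C# example (not code from the thread or from WCF/WIF documentation) that builds that binding and opens the duplex channel with the STS token; the SAML 2.0 token type, bearer key, and the STS address/binding passed in are assumptions, and whether the 4.5 runtime's streaming check accepts this combination is not something the thread confirms.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security.Tokens;

// Custom-binding equivalent of SecurityMode.TransportWithMessageCredential with
// MessageCredentialType.IssuedToken, for a streamed, duplex net.tcp endpoint.
public static class StreamedFederatedTcp
{
    public static CustomBinding CreateBinding(EndpointAddress stsAddress, Binding stsBinding)
    {
        // Assumed: STS issues SAML 2.0 bearer tokens. A bearer token carries no proof key,
        // so nothing in the streamed body needs to be signed at the message layer.
        var tokenParameters = new IssuedSecurityTokenParameters(
            "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0",
            stsAddress, stsBinding)
        {
            KeyType = SecurityKeyType.BearerKey
        };

        // Same as <security authenticationMode="IssuedTokenOverTransport"> in config:
        // the token is a header credential; integrity/confidentiality come from the transport.
        TransportSecurityBindingElement security =
            SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(tokenParameters);
        security.MessageSecurityVersion =
            MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12;

        var transport = new TcpTransportBindingElement
        {
            TransferMode = TransferMode.Streamed,
            MaxReceivedMessageSize = long.MaxValue   // 9223372036854775807, as in the posted config
        };

        // Element order mirrors the posted <customBinding>: security, encoding, TLS, transport.
        return new CustomBinding(
            security,
            new BinaryMessageEncodingBindingElement(),
            new SslStreamSecurityBindingElement(),
            transport);
    }

    // Client side: the service calls back into callbackInstance to pull files, so a
    // duplex factory is used; the token was obtained from the STS beforehand.
    public static TChannel OpenChannel<TChannel>(
        CustomBinding binding, EndpointAddress service,
        SecurityToken issuedToken, InstanceContext callbackInstance)
    {
        var factory = new DuplexChannelFactory<TChannel>(callbackInstance, binding, service);
        return factory.CreateChannelWithIssuedToken(issuedToken);
    }
}
```

The service host needs the matching binding (built the same way or as the IssuedTokenOverTransport config equivalent) plus the WIF IdentityConfiguration that validates the issuer, which this example does not include.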