WCF routing service - an unsecured or incorrectly secured fault was received from the other party

Question

Hi all,

    I have a WCF routing service that acts as an intermediary between my Azure App Services and my on-prem legacy WCF services.

    The App Service is .NET Core 2.2, and by design the most secure binding I can get is basicHttpsBinding, with Windows credentials.

    The routing service is WCF routing 4.0, routing by address. It is exposed as basicHttpBinding with security mode Transport.

    The on prem services are WCF 4.0, exposed as wsHttpBinding.

    The configuration of the routing service is this:

    <system.serviceModel>
      <bindings>
        <basicHttpBinding>
          <binding name="SecureRoutingService" closeTimeout="00:10:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:10:00" allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true">
            <readerQuotas maxDepth="32" maxStringContentLength="2097152" maxArrayLength="16384" maxBytesPerRead="8192" maxNameTableCharCount="16384" />
            <security mode="Transport">
              <transport clientCredentialType="Windows" proxyCredentialType="None"/>
            </security>
          </binding>
        </basicHttpBinding>
        <wsHttpBinding>
          <binding maxBufferPoolSize="52428800" maxReceivedMessageSize="52428800" name="wsHttpBindingConfigAPIService">
            <readerQuotas maxDepth="32" maxStringContentLength="2097152" maxArrayLength="2097152" maxBytesPerRead="8192" maxNameTableCharCount="16384"/>
            <security mode="TransportWithMessageCredential">
              <transport clientCredentialType="Windows" proxyCredentialType="None" realm=""/>
              <message clientCredentialType="Windows" establishSecurityContext="true" negotiateServiceCredential="true"/>
            </security>
          </binding>
        </wsHttpBinding>
      </bindings>
      <protocolMapping>
        <add binding="basicHttpBinding" scheme="https" />
        <add binding="wsHttpBinding" scheme="https" />
      </protocolMapping>
      <services>
        <service name="System.ServiceModel.Routing.RoutingService" behaviorConfiguration="defaultBehavior">
          <endpoint address="https://myroutingserver/RoutingService.svc" binding="basicHttpBinding" bindingConfiguration="SecureRoutingService" contract="System.ServiceModel.Routing.IRequestReplyRouter" name="RoutingServiceEndpointHttp" />
        </service>
      </services>
      <behaviors>
        <serviceBehaviors>
          <behavior name="defaultBehavior">
            <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
            <serviceDebug includeExceptionDetailInFaults="true" />
            <serviceSecurityAudit auditLogLocation="Application" suppressAuditFailure="true" serviceAuthorizationAuditLevel="Failure" messageAuthenticationAuditLevel="Failure" />
            <dataContractSerializer maxItemsInObjectGraph="2147483647" />
            <routing filterTableName="RoutingTable" routeOnHeadersOnly="true" />
          </behavior>
        </serviceBehaviors>
      </behaviors>
      <client>
        <!-- Define the client endpoint(s) to route messages to -->
        <endpoint address="https://myonpremserver/Service1.svc" binding="wsHttpBinding" contract="*" name="Service1Https" bindingConfiguration="wsHttpBindingConfigAPIService"/>
      </client>
      <routing>
        <filters>
          <filter name="Service1FilterHttps" filterType="PrefixEndpointAddress" filterData="https://myroutingserver/RoutingService.svc/Service1" />
        </filters>
        <filterTables>
          <filterTable name="RoutingTable">
            <add filterName="Service1FilterHttps" endpointName="Service1Https" />
          </filterTable>
        </filterTables>
      </routing>
    </system.serviceModel>

    The configuration of one of the on prem services is this (other services are similar):

    <system.serviceModel>
      <services>
        <service behaviorConfiguration="APIServiceBehavior" name="Service1">
          <endpoint binding="wsHttpBinding" bindingConfiguration="wsHttpBindingConfigAPIService" contract="IService1" />
          <endpoint address="mex" binding="mexHttpBinding" bindingConfiguration="" name="mexHttpBinding" contract="IMetadataExchange" />
        </service>
      </services>
      <behaviors>
        <serviceBehaviors>
          <behavior name="APIServiceBehavior">
            <serviceDebug includeExceptionDetailInFaults="true" />
            <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
            <serviceSecurityAudit auditLogLocation="Application" suppressAuditFailure="true" serviceAuthorizationAuditLevel="Failure" messageAuthenticationAuditLevel="Failure" />
            <dataContractSerializer maxItemsInObjectGraph="2147483647" />
          </behavior>
        </serviceBehaviors>
      </behaviors>
      <serviceHostingEnvironment multipleSiteBindingsEnabled="true"/>
      <bindings>
        <wsHttpBinding>
          <binding maxBufferPoolSize="52428800" maxReceivedMessageSize="52428800" name="wsHttpBindingConfigAPIService">
            <readerQuotas maxDepth="32" maxStringContentLength="2097152" maxArrayLength="2097152" maxBytesPerRead="8192" maxNameTableCharCount="16384"/>
            <security mode="TransportWithMessageCredential">
              <transport clientCredentialType="Windows" proxyCredentialType="None" realm=""/>
              <message clientCredentialType="Windows" establishSecurityContext="true" negotiateServiceCredential="true"/>
            </security>
          </binding>
        </wsHttpBinding>
      </bindings>
    </system.serviceModel>

    In terms of IIS, the routing service only allows Windows authentication (Negotiate and NTLM). Anonymous is disabled.

    The on-prem services allow anonymous and Windows authentication (Negotiate and NTLM); this is required.

    Now & then when I send a request to my App Service, I get a 500 error "an unsecured or incorrectly secured fault was received from the other party".

    Fetching svclog files, I find that this happens between my routing service and my on prem services.

    Some notes about this:

    It is not related to a specific service (it happens with more than one)

    It happens now & then, not always, but it can happen 2 or 3 times consecutively.

    I've tried pointing directly to my on-prem services without the routing service, and what happens is that I must change my on-prem services from wsHttp to basic and remove anonymous authentication from IIS (which I need in some services...).

    What could I do in order to overcome this issue?

    Is it related to the fact that the routing service is basic and the on-prem services are wsHttp?


    • Edited by Pakojones Thursday, May 23, 2019 10:03 AM Wrong config
    Thursday, May 23, 2019 10:02 AM
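An added example, not part of the original post, that checks a WCF system.serviceModel section of the kind posted above with Python's standard library. It runs over a trimmed copy of the routing-service config (constructed from the post, with the same hostnames, binding names and filter table; timeouts, quotas and protocolMapping dropped), resolves every service and client endpoint to its binding's security settings, verifies that the filter table refers only to defined filters and client endpoints and that transport-secured endpoints use https, and flags includeExceptionDetailInFaults="true", which returns exception details to any caller. The "info" line puts the two sides next to each other: callers are authenticated by transport-level Windows credentials on basicHttpBinding, while the router's own outbound wsHttpBinding channel must present a message-level Windows credential and keeps a secure-conversation session (establishSecurityContext="true") with the backend. The error in the title is raised by that client channel when a SOAP fault arrives from the backend without the security the binding expects; this script reports what the config says, it does not diagnose why the fault is intermittent.

```python
import xml.etree.ElementTree as ET
# Constructed sample: a trimmed copy of the routing-service config from the post
# (hostnames and names as posted; timeouts, quotas and protocolMapping dropped).
ROUTING_CONFIG = """<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="SecureRoutingService">
        <security mode="Transport"><transport clientCredentialType="Windows"/></security>
      </binding>
    </basicHttpBinding>
    <wsHttpBinding>
      <binding name="wsHttpBindingConfigAPIService">
        <security mode="TransportWithMessageCredential">
          <transport clientCredentialType="Windows"/>
          <message clientCredentialType="Windows" establishSecurityContext="true" negotiateServiceCredential="true"/>
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <service name="System.ServiceModel.Routing.RoutingService" behaviorConfiguration="defaultBehavior">
      <endpoint address="https://myroutingserver/RoutingService.svc" binding="basicHttpBinding" bindingConfiguration="SecureRoutingService" contract="System.ServiceModel.Routing.IRequestReplyRouter" name="RoutingServiceEndpointHttp"/>
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="defaultBehavior">
        <serviceDebug includeExceptionDetailInFaults="true"/>
        <routing filterTableName="RoutingTable" routeOnHeadersOnly="true"/>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <client>
    <endpoint address="https://myonpremserver/Service1.svc" binding="wsHttpBinding" contract="*" name="Service1Https" bindingConfiguration="wsHttpBindingConfigAPIService"/>
  </client>
  <routing>
    <filters>
      <filter name="Service1FilterHttps" filterType="PrefixEndpointAddress" filterData="https://myroutingserver/RoutingService.svc/Service1"/>
    </filters>
    <filterTables>
      <filterTable name="RoutingTable"><add filterName="Service1FilterHttps" endpointName="Service1Https"/></filterTable>
    </filterTables>
  </routing>
</system.serviceModel>"""

def binding_security(root):
    """Map (binding type, binding name) -> the security settings declared under <bindings>."""
    out = {}
    for btype in root.findall("bindings/*"):
        for b in btype.findall("binding"):
            sec = b.find("security")
            tr = sec.find("transport") if sec is not None else None
            msg = sec.find("message") if sec is not None else None
            out[(btype.tag, b.get("name"))] = {
                "mode": sec.get("mode", "None") if sec is not None else "None",
                "transport_cred": None if tr is None else tr.get("clientCredentialType"),
                "message_cred": None if msg is None else msg.get("clientCredentialType"),
                "secure_session": msg is not None and msg.get("establishSecurityContext") == "true",
            }
    return out

def audit(xml_text):
    """Return (level, message) findings for one <system.serviceModel> section."""
    root = ET.fromstring(xml_text)
    bindings, findings = binding_security(root), []

    def resolve(ep, side):
        # Endpoint -> its binding's security; transport security needs an https address.
        sec = bindings.get((ep.get("binding"), ep.get("bindingConfiguration")))
        addr = ep.get("address", "")
        if sec is None:
            findings.append(("error", f"{side} endpoint '{ep.get('name')}' uses an undefined binding configuration"))
        elif sec["mode"] in ("Transport", "TransportWithMessageCredential") and "://" in addr and not addr.startswith("https://"):
            findings.append(("error", f"{side} endpoint '{ep.get('name')}' needs https for mode {sec['mode']}"))
        return sec

    inbound = [(ep, resolve(ep, "service")) for ep in root.iterfind("services/service/endpoint")]
    outbound = {ep.get("name"): resolve(ep, "client") for ep in root.iterfind("client/endpoint")}
    # What the router accepts from callers vs. what its own channel must present to each backend.
    for ep, sec in inbound:
        for name, csec in outbound.items():
            if sec and csec:
                findings.append(("info", f"inbound '{ep.get('name')}' mode={sec['mode']} transport={sec['transport_cred']} -> "
                                 f"outbound '{name}' mode={csec['mode']} message={csec['message_cred']} secure_session={csec['secure_session']}"))
    for beh in root.iterfind("behaviors/serviceBehaviors/behavior"):
        dbg = beh.find("serviceDebug")
        if dbg is not None and dbg.get("includeExceptionDetailInFaults") == "true":
            findings.append(("warn", f"behavior '{beh.get('name')}': includeExceptionDetailInFaults=true sends exception details to callers"))
    filters = {f.get("name"): f for f in root.iterfind("routing/filters/filter")}
    listen = [ep.get("address", "") for ep, _ in inbound]
    for entry in root.iterfind("routing/filterTables/filterTable/add"):
        flt = filters.get(entry.get("filterName"))
        if flt is None:
            findings.append(("error", f"filter table references unknown filter '{entry.get('filterName')}'"))
        elif entry.get("endpointName") not in outbound:
            findings.append(("error", f"filter '{flt.get('name')}' routes to unknown client endpoint '{entry.get('endpointName')}'"))
        elif flt.get("filterType") == "PrefixEndpointAddress" and not any(flt.get("filterData", "").startswith(a) for a in listen):
            findings.append(("warn", f"filter '{flt.get('name')}' prefix is not under any service endpoint address"))
    return findings
```

Calling `audit(ROUTING_CONFIG)` on the sample yields no errors, one warning for the serviceDebug setting and one info line showing Transport/Windows inbound against TransportWithMessageCredential/Windows outbound with the secure session on; pointing a filter at an endpoint name that is not defined, or changing a backend address to plain http, each produce an error finding. The same function can be fed the on-prem service's section, where there is no <client> or <routing> block and the only output is the serviceDebug warning.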

All replies