Endpoint Identity - not a domain user?

  • Question

  • Hi,

    I'm struggling in getting a really simple 'Hello World' service working between my desktop machine and my 1&1 Virtual Server. I'm pretty sure I have opened up all firewalls enough, as rather than 'nothing listening', I am now receiving 'cannot authenticate' messages.

    I followed this guide in getting the simple service set up (http://www.codeproject.com/Tips/642296/Hello-World-Basic-Server-Client-Example-of-WCF) - and it did work perfectly locally.

    However when running remotely, from my desktop to the virtual server, I get the following error:

    Unhandled Exception: System.ServiceModel.Security.SecurityNegotiationException: The caller was not authenticated by the service. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.
       at System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target)
       at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)

    And when running the client on the virtual server, I see the following response:

    Unhandled Exception: System.ServiceModel.Security.MessageSecurityException: The identity check failed for the outgoing message. The expected identity is 'identity(http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn)' for the 'http://xx.xxx.xxx.xxx:16413/SayHelloService/HelloService' target endpoint.

    I have tried to query the server to find out what to use as the UPN - but I cannot find anything conclusive. At the moment I have tried using:

            <identity>
              <userPrincipalName value="Administrator" />
            </identity>

    and

            <identity>
              <userPrincipalName value="S12345678\Administrator" />
            </identity>

    where S12345678 is the remote server name. I am using wsHttpBinding.

    I have tried using whoami /upn to discover the UPN to use, but it tells me that I am not a domain user. I have no control over such settings, as this is a hosted Virtual Server.

    When I tried using a PowerShell script I found online to discover the UPN, it failed with null arrays - presumably because no UPN was found.

    Any ideas please?

    Thanks

    John


    Cheers, John

    Sunday, June 7, 2015 12:15 PM

All replies

  • Hi j_dublevay,

    Based on your description, I know that you are using the wsHttpBinding; by default, the wsHttpBinding will use the message security mode. So if your service and client are not on the same computer, the client will need to provide the correct credential. For your issue, if you are not a domain user, you can try to set the security mode to none; in this way the client does not need to send the correct credential. Or you can try to use the username/certificate authentication.

    For more information, please try to refer to the following articles:
    #Security for wsHttpBinding:
    https://msdn.microsoft.com/en-us/library/ms731362%28v=vs.110%29.aspx?f=255&MSPPError=-2147217396 .

    #How to: Use wsHttpBinding with Username Authentication:
    https://msdn.microsoft.com/en-us/library/ff648840.aspx?f=255&MSPPError=-2147217396 .

    #How to: Use Certificate Authentication with wsHttpBinding in WCF:
    https://msdn.microsoft.com/en-us/library/ff648360.aspx .


    Best Regards,
    Amy Peng


    • Marked as answer by j_dublevay Thursday, June 11, 2015 8:38 PM
    Monday, June 8, 2015 6:23 AM
    Moderator
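
An added example, not part of the thread and not the poster's or Microsoft's configuration, of the certificate option suggested in the answer above: wsHttpBinding message security with certificate credentials, where the client's endpoint identity is the service certificate's DNS name instead of a UPN. The certificate subject names, the contract name and the binding/behavior names are placeholders, and PeerTrust assumes each side's certificate has been installed in the other machine's Trusted People store.

```xml
<!-- Service App.config: fragment of <system.serviceModel>. All names are placeholders;
     the <service> endpoint must reference certBinding and certBehavior. -->
<bindings>
  <wsHttpBinding>
    <binding name="certBinding">
      <!-- wsHttpBinding defaults to mode="Message" with clientCredentialType="Windows",
           which is what asks for a UPN/SPN identity. mode="None" would switch off
           authentication, integrity and encryption of the messages altogether. -->
      <security mode="Message">
        <message clientCredentialType="Certificate" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
<behaviors>
  <serviceBehaviors>
    <behavior name="certBehavior">
      <serviceCredentials>
        <!-- Certificate the service presents to callers (placeholder subject name). -->
        <serviceCertificate findValue="HelloServiceCert" x509FindType="FindBySubjectName"
                            storeLocation="LocalMachine" storeName="My" />
        <clientCertificate>
          <!-- PeerTrust: accept only client certificates present in Trusted People. -->
          <authentication certificateValidationMode="PeerTrust" />
        </clientCertificate>
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>
<!-- Client App.config: fragment of <system.serviceModel>; repeats certBinding from above. -->
<client>
  <endpoint address="http://xx.xxx.xxx.xxx:16413/SayHelloService/HelloService"
            binding="wsHttpBinding" bindingConfiguration="certBinding"
            behaviorConfiguration="clientCert" contract="Example.IHelloService">
    <!-- Takes the place of <userPrincipalName>: must match the service certificate's subject. -->
    <identity><dns value="HelloServiceCert" /></identity>
  </endpoint>
</client>
<behaviors>
  <endpointBehaviors>
    <behavior name="clientCert">
      <clientCredentials>
        <clientCertificate findValue="HelloClientCert" x509FindType="FindBySubjectName"
                           storeLocation="CurrentUser" storeName="My" />
        <serviceCertificate>
          <authentication certificateValidationMode="PeerTrust" />
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
```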
  • Many thanks for this Amy. I am having a go at using Certificate Authentication. Have currently set up and installed the keys - just need to create the new example service/client and try it out (rather than mess around too much with the existing one I have, and introduce mistakes).

    John


    Cheers, John

    Monday, June 8, 2015 3:55 PM