WCF SSL certificate authentication not recognizing configuration settings

  • Question

  • I am trying to use SSL certificate authentication in WCF (.NET version 4.0, IIS version 7.5), but when I enable the oneToOneMappings authentication, the system does not recognize the maxReceivedMessageSize; when I comment out the oneToOneMappings authentication section, IIS recognizes the maxReceivedMessageSize variable.

    Any ideas about how to make this WCF service use the maxReceivedMessageSize value that I set when the SSL certificate authentication is enabled?

    Service Model section:

    <system.serviceModel>
        <services>
          <service behaviorConfiguration="AServiceBehavior" name="<IContract>">
            <endpoint address=""  binding="basicHttpBinding" bindingConfiguration="MutualSslBinding" contract="<IContract>"  name="AnEndpoint" />
            <host><baseAddresses><add baseAddress="https://asite.com/service" /></baseAddresses></host>
          </service>
        </services>
        <behaviors>
          <serviceBehaviors>
            <behavior name="AServiceBehavior">
              <serviceCredentials>
              </serviceCredentials>
              <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
              <serviceDebug includeExceptionDetailInFaults="true" httpHelpPageEnabled="true" />
              <serviceSecurityAudit auditLogLocation="Security" />
            </behavior>
          </serviceBehaviors>
        </behaviors>
        <bindings>
          <basicHttpBinding>
            <binding name="MutualSslBinding" axReceivedMessageSize="2147483647">
              <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647"
                            maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
              <security mode="Transport"> <transport clientCredentialType="Certificate" /></security>
            </binding>
          </basicHttpBinding>
        </bindings>
        <serviceHostingEnvironment aspNetCompatibilityEnabled="false" multipleSiteBindingsEnabled="true">
        </serviceHostingEnvironment>
      </system.serviceModel>

    Certificate Security section:

    <system.webServer>
        <security>
          <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
          <authentication>
            <anonymousAuthentication enabled="true" />
            <basicAuthentication enabled="false" />
            <clientCertificateMappingAuthentication enabled="false" />
            <digestAuthentication enabled="false" />
            <windowsAuthentication enabled="false" />
            <iisClientCertificateMappingAuthentication enabled="true" oneToOneCertificateMappingsEnabled="true" manyToOneCertificateMappingsEnabled="true">
              <oneToOneMappings>
                <clear />
                <add userName="<LocalUser>" password="<EncryptedPassword>" certificate="<Authentication certificate text>" />
              </oneToOneMappings>
            </iisClientCertificateMappingAuthentication>
          </authentication>
        </security>
        <modules runAllManagedModulesForAllRequests="true" />
        <directoryBrowse enabled="false" />
      </system.webServer>
    Tuesday, December 1, 2015 10:41 PM

Answers

  • Hi pedro.a.morales,

    According to your description, perhaps you should try setting up a trace file in the web.config file.

    For how to configure the trace file, please refer to the following article:

    1. Configuring Tracing

    If we host our WCF service in IIS, maybe it is an IIS issue. If so, we need to check the IIS log file to find the more detailed error message.

    But, as far as I know, you could try setting the IIS Request Filtering.

    To do this, open IIS Manager and select your application. In the Features view you will see "Request Filtering". Open this feature, and in the right-hand panel you will find "Edit Feature Settings".

    Maximum Allowed Content Length is an optional uint attribute. It specifies the maximum length of content in a request, in bytes. The default value is 30000000, which is approximately 28.6MB.

    Next, we can set the uploadReadAheadSize in IIS. To navigate to this setting, use the following steps:

    • Launch "Internet Information Services (IIS) Manager"
    • Expand the Server field
    • Expand Sites
    • Select the site your application is in.
    • In the Features section, double click "Configuration Editor"
    • Under "Section" select: system.webServer>serverRuntime

    This is because the default setting is 49Kb.

    I hope that will be helpful to you.

    Best Regards,

    Grady 


    Friday, December 4, 2015 6:31 AM
    Moderator
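The accepted answer above names three separate caps on an inbound request. The Python script below is an added example, not code from the thread or from Microsoft: it reads a web.config and reports which cap a request body of a given size would hit, so you can see why a 110 KB message gets a 413 while maxReceivedMessageSize is 2 GB. It assumes the IIS 7.x / .NET 4.0 defaults (maxReceivedMessageSize 65536, maxAllowedContentLength 30000000, uploadReadAheadSize 49152) and, for simplicity, that the serverRuntime element appears in the same document; on a real server that section is locked at server level by default, so it is set on the site (Configuration Editor or appcmd, as the answer describes) and lands in applicationHost.config. The two configurations in the script are constructed for the example, modelled on the poster's, and the 10 MB target is an illustrative value.

```python
"""Report which size cap a request body would hit for an IIS-hosted WCF service that
requires an SSL client certificate.

Added example for this thread, not code from it. Three independent caps apply and the
smallest one wins:
  * WCF:  system.serviceModel/bindings/*/binding@maxReceivedMessageSize   (default 65536)
  * IIS request filtering: requestLimits@maxAllowedContentLength           (default 30000000)
  * IIS: serverRuntime@uploadReadAheadSize (default 49152); with SslNegotiateCert or
    SslRequireCert, IIS buffers the entity body up to this size before the client-certificate
    renegotiation can complete, which is what turns a 110 KB message into
    "413 Request Entity Too Large" even though maxReceivedMessageSize is huge.
Defaults are the IIS 7.x / .NET 4.0 values; the configuration text below is constructed.
"""
import xml.etree.ElementTree as ET

DEFAULTS = {
    "maxReceivedMessageSize": 65536,
    "maxAllowedContentLength": 30000000,
    "uploadReadAheadSize": 49152,
}

# Constructed web.config modelled on the configuration posted in the question
# (client certificate required, no serverRuntime or requestFiltering section).
CONFIG_AS_POSTED = """\
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="MutualSslBinding" maxReceivedMessageSize="2147483647">
          <security mode="Transport"><transport clientCredentialType="Certificate"/></security>
        </binding>
      </basicHttpBinding>
    </bindings>
  </system.serviceModel>
  <system.webServer>
    <security>
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert"/>
    </security>
  </system.webServer>
</configuration>
"""

# Constructed fix: the same three caps set consistently to 10 MB, the largest message
# this hypothetical service legitimately needs, instead of int.MaxValue everywhere.
TEN_MB = 10 * 1024 * 1024
CONFIG_FIXED = f"""\
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="MutualSslBinding" maxReceivedMessageSize="{TEN_MB}">
          <security mode="Transport"><transport clientCredentialType="Certificate"/></security>
        </binding>
      </basicHttpBinding>
    </bindings>
  </system.serviceModel>
  <system.webServer>
    <security>
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert"/>
      <requestFiltering><requestLimits maxAllowedContentLength="{TEN_MB}"/></requestFiltering>
    </security>
    <serverRuntime uploadReadAheadSize="{TEN_MB}"/>
  </system.webServer>
</configuration>
"""


def _attr(root, path, name):
    """Integer attribute at path, or the IIS/WCF default when element or attribute is absent."""
    elem = root.find(path)
    value = elem.get(name) if elem is not None else None
    return int(value) if value is not None else DEFAULTS[name]


def request_limits(web_config_xml, binding_name):
    """Caps that apply to a request bound for binding_name, as {limit_name: bytes}."""
    root = ET.fromstring(web_config_xml)  # local config file, so the stdlib parser is fine here
    binding_path = f"./system.serviceModel/bindings/*/binding[@name='{binding_name}']"
    if root.find(binding_path) is None:
        raise ValueError(f"binding {binding_name!r} not found")
    limits = {
        "maxAllowedContentLength": _attr(
            root, "./system.webServer/security/requestFiltering/requestLimits", "maxAllowedContentLength"),
        "maxReceivedMessageSize": _attr(root, binding_path, "maxReceivedMessageSize"),
    }
    access = root.find("./system.webServer/security/access")
    flags = {f.strip() for f in (access.get("sslFlags", "") if access is not None else "").split(",")}
    if flags & {"SslNegotiateCert", "SslRequireCert"}:
        # Only bites when IIS has to renegotiate for a client certificate mid-request.
        limits["uploadReadAheadSize"] = _attr(root, "./system.webServer/serverRuntime", "uploadReadAheadSize")
    return limits


def exceeded_limits(web_config_xml, binding_name, body_bytes):
    """Names of every cap a body of body_bytes would exceed (empty list means it fits)."""
    return sorted(name for name, cap in request_limits(web_config_xml, binding_name).items() if body_bytes > cap)


def bottleneck(web_config_xml, binding_name):
    """The smallest cap in force: the effective maximum request size for this endpoint."""
    limits = request_limits(web_config_xml, binding_name)
    name = min(limits, key=limits.get)
    return name, limits[name]


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG_AS_POSTED), ("fixed", CONFIG_FIXED)):
        print(label, bottleneck(cfg, "MutualSslBinding"), exceeded_limits(cfg, "MutualSslBinding", 110 * 1024))
```

Pick the smallest value that fits the service's largest legitimate message rather than 2147483647 across the board. With SslRequireCert, IIS has to buffer the body up to uploadReadAheadSize before the client-certificate renegotiation completes, so that buffer is memory a not-yet-authenticated client can make the server commit per request, and maxReceivedMessageSize at int.MaxValue removes WCF's own guard against oversized messages.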

All replies

  • Hi pedro.a.morales,

    According to this case, when we use a certificate with WCF, the web.config file looks like the one below:

    server:

      <system.serviceModel>
        <behaviors>
          <serviceBehaviors>
            <behavior name="userNameBehavior">
              <serviceMetadata httpGetEnabled="true" httpGetUrl="http://127.0.0.1:9999/calculatorservice/metadata"/>
              <serviceDebug includeExceptionDetailInFaults="true"/>
              <serviceCredentials>
                <issuedTokenAuthentication allowUntrustedRsaIssuers="true"></issuedTokenAuthentication>
                <clientCertificate>
                  <!-- "None" skips WCF's validation of the client certificate entirely; use ChainTrust or PeerOrChainTrust outside a test setup -->
                  <authentication certificateValidationMode="None"/>
                </clientCertificate>
                <serviceCertificate findValue="WCFCert" storeName="My" storeLocation="CurrentUser" x509FindType="FindBySubjectName"/>
              </serviceCredentials>
            </behavior>
          </serviceBehaviors>
        </behaviors>
        <bindings>
          <wsHttpBinding>
            <binding name="userBinding">
              <security mode="Transport">
                <transport clientCredentialType="Certificate"></transport>
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
        <services>
          <service behaviorConfiguration="userNameBehavior" name="Service1.CalculatorService">
            <host>
              <baseAddresses>
                <add baseAddress="http://127.0.0.1:9999/calculatorservice/"/>
              </baseAddresses>
            </host>
            <endpoint address="" binding="wsHttpBinding" bindingConfiguration="userBinding"
                      name="username" contract="Contract1.ICalculator">
            </endpoint>
          </service>
        </services>
      </system.serviceModel>

    We don't need to set the Certificate Security section with WCF.

    For more information, please refer to the following articles:

    1. Use Mutual SSL Authentication in WCF

    2. Securing WCF Services with Certificates

    Best Regards,

    Grady

    Wednesday, December 2, 2015 6:41 AM
    Moderator
  • Hi Grady, thanks a lot for the response. Your approach to activate SSL authentication is valid as well; the problem is when you try to submit messages bigger than 110Kb.

    Here is my serviceModel using your configuration.

    <system.serviceModel>
        <behaviors>
          <serviceBehaviors>
            <behavior name="customBehavior">
              <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
             
              <serviceDebug includeExceptionDetailInFaults="false"/>
              <serviceCredentials>
                <issuedTokenAuthentication allowUntrustedRsaIssuers="true"></issuedTokenAuthentication>
                <clientCertificate>
                  <authentication certificateValidationMode="None"/>
                </clientCertificate>
                <serviceCertificate findValue="AKEY" storeName="Root" storeLocation="LocalMachine" x509FindType="FindByThumbprint" />
              </serviceCredentials>
            </behavior>
          </serviceBehaviors>
        </behaviors>
        <protocolMapping>
          <add binding="wsHttpBinding" scheme="https" />
        </protocolMapping>    
        <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
        <bindings>
          <wsHttpBinding>
            <binding name="aBinding"  maxReceivedMessageSize="2147483647">
              <readerQuotas maxDepth="2147483647"
                            maxStringContentLength="2147483647"
                            maxArrayLength="2147483647"
                            maxBytesPerRead="2147483647"
                            maxNameTableCharCount="2147483647" />
              <security mode="Transport">
                <transport clientCredentialType="Certificate" />
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
        <services>
          <service behaviorConfiguration="customBehavior" name="wcfSSLAuthentication.ALogic" >
            <host>
              <baseAddresses>
                <add baseAddress="https://localhost:44300/"/>
              </baseAddresses>
            </host>
            <endpoint address="" binding="wsHttpBinding" bindingConfiguration="aBinding" name="simpleUser"
                      contract="wcfSSLAuthentication.IALogic">
              
            </endpoint>
          </service>
        </services>
      </system.serviceModel>

    I still get the error

    Additional information: The remote server returned an unexpected response: (413) Request Entity Too Large.

    Regards, Pedro Morales.


    Wednesday, December 2, 2015 5:37 PM
  • <binding name="MutualSslBinding" maxReceivedMessageSize="2147483647">

    Typo? Or is it really in there without that "m"?

    It's also curious that you use basicHttpBinding instead of basicHttpsBinding.

    The "service" tag's "name" attribute needs to match the name of your service completely.

    "<IContract>" most likely is not a correct name.

    Often the exception gets misinterpreted and does not occur on the server, but on the client. Check your size settings in your client's config too.


    • Edited by MDeero Friday, December 4, 2015 7:29 AM
    Friday, December 4, 2015 6:53 AM
  • Thanks a lot Wanjun, this did the trick for me.

    The real problem was the TLS overhead; it was about 52K. After I increased the uploadReadAheadSize, everything worked as expected.

    Regards, Pedro Morales.

    Friday, January 8, 2016 4:07 PM