WCF Authentication Issues

  • Question

  • I have a WCF Windows Service. When a client connects to the service while on the same domain there is no issue. But if the computer is taken offsite and VPN'ed in, the client now gets the error message "The server has rejected the client credentials." When VPN'ed in, shouldn't it behave the same way it does while logged on to the domain directly? How should the config file be set up to enable the user to connect whether they are logged on to the domain locally or are offsite and VPN'ed in?

    Thanks, JLinker

    Tuesday, June 17, 2014 3:13 AM

Answers

  • Hi,

    From your description, you're encountering some problem when calling a WCF service from a client which uses a VPN connection to the server's domain environment, correct?

    According to your description, the following code is the reasonable approach to make it work:
    serviceProxy.ClientCredentials.Windows.ClientCredential =
     new System.Net.NetworkCredential("userName", "password", "domain");

    The fact is that your VPN-connected client is not a machine joined to the target domain (where the service is running), and your client user's logon account is likely not a domain user account. In that case, you need to manually use NetworkCredential to construct a credential with a certain domain user's username/password.

    If you have already logged on as a domain user account, you can try setting
    serviceProxy.ClientCredentials.Windows.ClientCredential to the following
    value:

    System.Net.CredentialCache.DefaultCredentials
    or

    System.Net.CredentialCache.DefaultNetworkCredentials

    to see whether it works. These two properties represent the credentials of your application's current security context (mostly the logon user).

    Best Regards,
    Amy Peng





    Monday, June 30, 2014 10:19 AM
    Moderator

All replies

  • Hi,

    Which authentication mode do you use in your WCF Service?

    It will be better if you can post your config file here.

    Best Regards,
    Amy Peng




    Wednesday, June 18, 2014 4:47 AM
    Moderator
  • Sorry for the delay in responding.  The service config file is set as such...

     <system.serviceModel>
        <services>
          <service behaviorConfiguration="EtcService.EtcServiceBehavior" name="EtcService.EtcService">
            <endpoint address="EtcService/EtcService" binding="basicHttpBinding" bindingConfiguration="HTTPBindingConfig" contract="EtcService.IEtcService"/>
            <endpoint address="net.tcp://localhost:8002/EtcService/EtcService" binding="netTcpBinding" bindingConfiguration="TCPBindingConfig" contract="EtcService.IEtcService"/>
            <endpoint address="net.pipe://EtcService/EtcService" binding="netNamedPipeBinding" bindingConfiguration="NamedPipeBindingConfig" contract="EtcService.IEtcService"/>
            <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
            <host>
              <baseAddresses>
                <add baseAddress="http://localhost:8001/"/>
              </baseAddresses>
            </host>
          </service>
        </services>
        <bindings>
          <basicHttpBinding>
            <binding name="HTTPBindingConfig" receiveTimeout="00:10:00" allowCookies="true" sendTimeout="00:10:00" transferMode="Streamed"/>
          </basicHttpBinding>
          <netTcpBinding>
            <binding name="TCPBindingConfig" transferMode="Buffered" maxBufferSize="2097152" receiveTimeout="00:10:00" sendTimeout="00:10:00" openTimeout="00:10:00" portSharingEnabled="false" maxReceivedMessageSize="2097152">
              <readerQuotas maxDepth="32" maxStringContentLength="131072" maxArrayLength="131072" maxBytesPerRead="16384" maxNameTableCharCount="16384"/>
              <security mode="Transport"/>
            </binding>
          </netTcpBinding>
          <netNamedPipeBinding>
            <binding name="NamedPipeBindingConfig" hostNameComparisonMode="StrongWildcard" maxBufferSize="2097152" maxConnections="10" maxReceivedMessageSize="2097152" receiveTimeout="00:10:00" transactionFlow="false">
              <security mode="Transport"/>
            </binding>
          </netNamedPipeBinding>
        </bindings>
        <behaviors>
          <endpointBehaviors>
          </endpointBehaviors>
          <serviceBehaviors>
            <behavior name="EtcService.EtcServiceBehavior">
              <!-- To avoid disclosing metadata information,
        set the value below to false and remove the metadata endpoint
        above before deployment -->
              <serviceMetadata httpGetEnabled="true"/>
              <!-- To receive exception details in faults for debugging purposes,
        set the value below to true.  Set to false before deployment to
        avoid disclosing exception information -->
              <serviceDebug includeExceptionDetailInFaults="true"/>
              <dataContractSerializer maxItemsInObjectGraph="131072"/>
            </behavior>
          </serviceBehaviors>
        </behaviors>
      </system.serviceModel>

    The client configuration is set as such....

    <system.serviceModel>
        <behaviors>
          <endpointBehaviors>
            <behavior name="EtcService.EtcServiceBehavior">
              <dataContractSerializer maxItemsInObjectGraph="131064"/>
            </behavior>
          </endpointBehaviors>
        </behaviors>
        <bindings>
          <basicHttpBinding>
            <binding name="BasicHttpBinding_IEtcService" closeTimeout="00:10:00" openTimeout="00:10:00" receiveTimeout="00:10:00" sendTimeout="00:10:00" allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="2097152" maxBufferPoolSize="524288" maxReceivedMessageSize="2097152" messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true">
              <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384"/>
              <security mode="None">
                <transport clientCredentialType="None" proxyCredentialType="None" realm=""/>
                <message clientCredentialType="UserName" algorithmSuite="Default"/>
              </security>
            </binding>
          </basicHttpBinding>
          <netNamedPipeBinding>
            <binding name="NetNamedPipeBinding_IEtcService" closeTimeout="00:10:00" openTimeout="00:10:00" receiveTimeout="00:10:00" sendTimeout="00:10:00" transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxBufferSize="2097152" maxConnections="10" maxReceivedMessageSize="2097152">
              <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384"/>
              <security mode="Transport">
                <transport protectionLevel="EncryptAndSign"/>
              </security>
            </binding>
          </netNamedPipeBinding>
          <netTcpBinding>
            <binding name="NetTcpBinding_IEtcService" closeTimeout="00:10:00" openTimeout="00:10:00" receiveTimeout="00:10:00" sendTimeout="00:10:00" transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions" hostNameComparisonMode="StrongWildcard" listenBacklog="10" maxBufferPoolSize="1048576" maxBufferSize="2097152" maxConnections="10" maxReceivedMessageSize="2097152">
              <readerQuotas maxDepth="32" maxStringContentLength="131072" maxArrayLength="131072" maxBytesPerRead="16384" maxNameTableCharCount="16384"/>
              <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false"/>
              <security mode="Transport">
                <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign"/>
                <message clientCredentialType="Windows"/>
              </security>
            </binding>
          </netTcpBinding>
        </bindings>
        <client>
          <endpoint address="http://localhost:8001/EtcService/EtcService" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IEtcService" contract="IEtcService" name="BasicHttpBinding_IEtcService"/>
          <!-- netTcpBinding -->
          <endpoint address="net.tcp://localhost:8002/EtcService/EtcService" behaviorConfiguration="EtcService.EtcServiceBehavior" binding="netTcpBinding" bindingConfiguration="NetTcpBinding_IEtcService" contract="IEtcService" name="NetTcpBinding_IEtcService">
            <identity>
              <userPrincipalName value="MyDomain\MyUserName"/>
            </identity>
          </endpoint>
          <endpoint address="net.pipe://EtcService/EtcService" binding="netNamedPipeBinding" bindingConfiguration="NetNamedPipeBinding_IEtcService" contract="IEtcService" name="NetNamedPipeBinding_IEtcService">
            <identity>
              <userPrincipalName value="MyDomain\MyUserName"/>
            </identity>
          </endpoint>
        </client>
      </system.serviceModel>

    If the client is logged on to a domain and the service is on the same domain there is no problem.  If they are not set up as a domain then as long as the credentials used to log on to the client's machine also exist on the machine that the service is on then there is no issue.  The current problem is we have a client where a user works fine when local, but when they are remote and they use VPN to log in it does not work.


    Thanks, JLinker

    Sunday, June 22, 2014 6:37 PM
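    An added example (not code from the thread) showing one way to apply the accepted answer to the client config above: reuse the logon context when the client is already on the service's domain, and otherwise supply an explicit domain credential obtained at run time instead of hardcoding one. The proxy type EtcServiceClient, the service domain name and the credential-prompt callback are assumptions for illustration.

```csharp
// Added example, not from the thread. EtcServiceClient is assumed to be the
// generated client for IEtcService; serviceDomain is supplied by the caller.
using System;
using System.Net;
using System.Security.Principal;
using System.ServiceModel;

static class EtcClientFactory
{
    public static EtcServiceClient Create(string serviceDomain,
                                          Func<NetworkCredential> promptForCredential)
    {
        // Uses the NetTcpBinding_IEtcService endpoint from the client config,
        // whose transport security has clientCredentialType="Windows".
        var proxy = new EtcServiceClient("NetTcpBinding_IEtcService");

        // Windows transport security authenticates with the caller's logon token.
        // Over a VPN from a machine that is not joined to the service's domain,
        // that token belongs to a local or foreign account, so the service
        // rejects it ("The server has rejected the client credentials").
        if (IsLoggedOnToDomain(serviceDomain))
        {
            // Same domain: reuse the current security context; nothing to store.
            proxy.ClientCredentials.Windows.ClientCredential =
                CredentialCache.DefaultNetworkCredentials;
        }
        else
        {
            // Different or no domain: supply an explicit domain account obtained at
            // run time (credential prompt, Windows Credential Manager). Never embed
            // the password in source or in the config file.
            NetworkCredential cred = promptForCredential();
            if (string.IsNullOrEmpty(cred.Domain)) cred.Domain = serviceDomain;
            proxy.ClientCredentials.Windows.ClientCredential = cred;
        }

        // Keep mode="Transport" and protectionLevel="EncryptAndSign" from the
        // config; lowering security is not the fix for a rejected credential.
        return proxy;
    }

    // True when the interactive logon account belongs to serviceDomain.
    // WindowsIdentity.Name is "DOMAIN\user" or "MACHINE\user" for local accounts.
    public static bool IsLoggedOnToDomain(string serviceDomain)
    {
        string name = WindowsIdentity.GetCurrent().Name;
        int sep = name.IndexOf('\\');
        if (sep < 0) return false;
        return string.Equals(name.Substring(0, sep), serviceDomain,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```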