none
Question on WCF Service Binding using Custom Username/PWord RRS feed

  • Question

  • Situation:  i have created a WCF Service app that is installed under the Default Web Site on IIS 7.5. This service uses wsHTTPBinding.  When it was configured to use Windows Authentication, everything was fine.  But it was necessary to switch to another method of authentication using custom Username and Password.  And now, i have been unable to establish any communication betwween my client app and the service.  Using this authentication method, i understand that a certificate is required.  So i created the certificate for the service using PlauralSight. I reference this certificate in the bindings of the service and the client app.   My question is this:  do i need to do anything within IIS to the configuration of the wcf service i created?  as it stands now, i have done nothing.  There are no secure bindings setup under the Default Web Site.  So if i go to SSL Settings, it states that "the site does not have a secure binding(HTTPS) and cannot accept SSL connections. Must i setup a secure binding here so that the wcf service can make use of the certificate i created?  
              <serviceCredentials>
                <serviceCertificate 
                  findValue="localhost"
                  storeLocation="LocalMachine"
                  storeName="My"
                  x509FindType="FindBySubjectName" />
                <clientCertificate>
                  <authentication certificateValidationMode="PeerOrChainTrust"/>
                </clientCertificate>
    

    Tuesday, February 18, 2014 5:17 PM

All replies

  • Hi,

    After installation of the certificate, we should also config the default application pool to have access rights to the certificate's private key, in order to implement it, we should do the following:

    First please download WinHttpCertCfg.exe , this tool is a command line tool. After installing the tool, run the following command on the command prompt as Administrator.

    C:\Program Files (x86)\Windows Resource Kits\Tools>winhttpcertcfg 
                 -g -c LOCAL_MACHINE\My -s localhost -a DefaultAppPool
     

    After running the command, it should work.

    For more information, please try to refer to:
    #WCF Service with custom username password authentication:
    http://www.codeproject.com/Articles/96028/WCF-Service-with-custom-username-password-authenti .

    Best Regards,
    Amy Peng


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.


    Wednesday, February 19, 2014 9:36 AM
    Moderator
  • Amy, thank you for your detailed reply.  i have looked at my code and my configs in a dozen different ways, and i am just not seeing what i am not doing that needs to be done.  the client app is generating a service log....but it doesnt seem to give any additional details than the error message that comes up in the app.  it only repreats the text word for word.  thank you in advance for any additional insights.

    The sample application you provided a link for is one which i had used as a template for how i implemented the custom username authentication.  i had no problems getting that application working as intended. 

    here is the message i receive when attempting to initiate my wcf service by calling a simple method within it called PingService():

    System.ServiceModel.Security.SecurityNegotiationException:
    The token provider cannot get tokens for target 'http://localhost/VinNowDataService/VinNowDataService.svc'. --->
     System.ServiceModel.Security.SecurityNegotiationException:
    Secure channel cannot be opened because security negotiation
    with the remote endpoint has failed. This may be due to absent
    or incorrectly specified EndpointIdentity in the EndpointAddress
    used to create the channel. Please verify the EndpointIdentity
    specified or implied by the EndpointAddress correctly identifies
    the remote endpoint.  ---> System.ServiceModel.FaultException:
    The request for security token has invalid or malformed
    elements.at System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target)

    This throw me, because i am uncertain what this message is telling me exactly? 

    Here is applicable parts from service web.config:

    EDIT:   i created a self signed certificate within IIS named 'Raleigh-PC' to see if that would change things.  That is why cert find uses 'Raleigh-PC' instead of 'localhost' in below configs. 

       <bindings>
          <wsHttpBinding>
            <binding name="Binding1" maxReceivedMessageSize="524288">
              <security mode="Message">
                <message clientCredentialType="UserName"/>
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
    
        <services>
          <service name="VinNowDataService"
                   behaviorConfiguration="Behavior1">
            <endpoint address="" binding="wsHttpBinding"
                      bindingConfiguration="Binding1"
                      contract="IVinNowDataService" />
            <endpoint address="mex" binding="mexHttpBinding"
               contract="IMetadataExchange" />
            <host>
              <baseAddresses>
                 <add baseAddress="http://localhost/" />
              </baseAddresses>
            </host>
          </service>
        </services>
    
        <protocolMapping>
          <add scheme="http" binding="wsHttpBinding" />
        </protocolMapping>
    
        <behaviors>
          <serviceBehaviors>
            <behavior>
            </behavior>
            <behavior name="Behavior1">
              <serviceMetadata httpGetEnabled="true" />
              <serviceDebug includeExceptionDetailInFaults="true" />
              <serviceCredentials>
                <serviceCertificate findValue="Raleigh-PC"
                      storeLocation="LocalMachine"
                      storeName="My"
                      x509FindType="FindBySubjectName" />
                <userNameAuthentication userNamePasswordValidationMode="Custom"
                 customUserNamePasswordValidatorType="VinNowDataService.UserNamePassValidator, VinNowDataService" />
              </serviceCredentials>
            </behavior>

    And then from client side app.config:

            <client>
                  <endpoint address="http://localhost/VinNowDataService/VinNowDataService.svc"
                        binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IVinNowDataService"
                        contract="VNDataService.IVinNowDataService" name="WSHttpBinding_IVinNowDataService">
                    <identity>
                      <dns value="Raleigh-PC"/>
                    </identity>
                  </endpoint>
            </client>



    • Edited by raleigh5 Wednesday, February 19, 2014 8:24 PM explanation
    Wednesday, February 19, 2014 5:33 PM
  • So i still have not been able to get this to work.  Does anybody have a working sample that demonstrates a WCF Service running under IIS that implements custom username/password technique when used from a Windows client app?   i have found nothing in all the google searches i have done.
    Monday, February 24, 2014 9:33 PM