WCF Message Security, Windows Auth, between Virtual Machine and Host

  • Question

  • Hi,

    I am testing a WCF solution between a physical machine and a virtual machine hosted on it. This is a home computer and I have not done anything to configure a domain, so I am guessing I am in a workgroup scenario, but the application will ultimately be deployed on LANs.

    The WCF application is hosted by a Windows service. I am using wsHttpBinding with both the client and service, with Message security, Windows credentials and NegotiateServiceCredential set to True.

    When I have both client and server on the same machine (physical or virtual) or when the server is on the physical machine and the client on the virtual machine, the application works well.

    When I have the server on the virtual machine and the client on the physical machine, I get an error "the caller was not authenticated by the service".

    I am a bit confused about the lifecycle, especially the creation and deployment of certificates, so I'd rather stick to Windows auth and understand the problem here.

    Cheers,

    Nic

    Saturday, February 25, 2017 9:08 AM
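
The service-side setup described in the question, written out as a WCF configuration fragment. This is an added example, not the poster's actual configuration; the service, contract, binding and behavior names are hypothetical placeholders.

```xml
<!-- Added example. Names such as Example.Service, Example.IService,
     WindowsMessageSecurity and MetadataBehavior are hypothetical. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="WindowsMessageSecurity">
        <!-- Message-level security with Windows credentials, as in the question. -->
        <security mode="Message">
          <!-- negotiateServiceCredential="true" lets client and service negotiate
               the service credential in-band during the security handshake. -->
          <message clientCredentialType="Windows"
                   negotiateServiceCredential="true" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>

  <services>
    <service name="Example.Service" behaviorConfiguration="MetadataBehavior">
      <endpoint address=""
                binding="wsHttpBinding"
                bindingConfiguration="WindowsMessageSecurity"
                contract="Example.IService" />
    </service>
  </services>

  <behaviors>
    <serviceBehaviors>
      <behavior name="MetadataBehavior">
        <!-- Publishes the WSDL over a plain HTTP GET. Retrieving it from a browser
             does not go through the endpoint's message security, so it confirms
             network reachability only, not that the caller can authenticate. -->
        <serviceMetadata httpGetEnabled="true" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

The client's binding configuration has to carry the same `security` and `message` settings for the negotiation to succeed.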

All replies

  • Hi Nic,

    If you set NegotiateServiceCredential as False, will it work?

    Do you have the same account configured on the physical machine and the virtual machine? To configure WCF in a workgroup scenario, you need to ensure that a local user account exists on the service machine. The user account must have the same password on both machines, and the password must not be blank.

    For running in a workgroup, I suggest you try the solutions in the link below one by one.

    #Running the Samples in a Workgroup and Across Machines

    https://msdn.microsoft.com/en-us/library/ms751525(v=vs.90).aspx

    Best Regards,

    Edward


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Monday, February 27, 2017 2:14 AM
  • Hi Ed,

    If I deactivate CredentialNegotiation the Windows Service doesn't even start and times out with some other authentication error.

    I had set it to true because I read below it was the way to go for cross domain communication:

    https://msdn.microsoft.com/en-us/library/ff650862.aspx

    "In message security, you can configure your service to not negotiate service credentials. If you configure your service to not negotiate service credentials:

    • The client and service need to be in the same domain when using Windows authentication."

    implying that they do not need to if it is set to true?

    Ultimately this application will run on an enterprise network, so I can't have it require to have every user login created on the server host.

    In any case, I also have the same user account on both machines for testing. What puzzles me a bit is that it works one way and not the other, so it can't be simply a credential issue. I am thinking somehow the VM must be trusted by the Physical machine but not the other way around, is that possible?

    I can consider doing a certificate but I find it a bit obscure how security would work with a single certificate on the server, and I don't want to have to install certificates on every client either...

    Nic

    Monday, February 27, 2017 10:36 AM
  • Hi Nic,

    >> Ultimately this application will run on an enterprise network, so I can't have it require to have every user login created on the server host.

    While on an enterprise network, there is no need to log in, because security is controlled by the domain.

    >> I am thinking somehow the VM must be trusted by the Physical machine but not the other way around, is that possible?

    After you host the service on the virtual machine, could you access the WSDL from IE on the physical machine?

    Best Regards,

    Edward



    Tuesday, February 28, 2017 8:00 AM
  • >> While on an enterprise network, there is no need to log in, because security is controlled by the domain.

    True, which I am due to test soon. I am part of a big enough company that has multiple domains though, and I am keen to understand the limitation / setup required in this scenario. Probably won't know before I actually test it there with all these hidden subtleties.

    >> After you host the service on the virtual machine, could you access the WSDL from IE on the physical machine?

    Yes (when httpGet is enabled)

    <strike>Also, I tried to create a user account on both machines just for testing, and it still didn't work (in case it was a problem with the account being admin or whatever)</strike>

    Actually it did work, for some reason it doesn't with the main account though; the account on the VM needs to have remote desktop enabled and be disconnected.

    Nic


    Tuesday, February 28, 2017 11:18 AM
  • Hi Nic,

    >>Actually it did work, for some reason it doesn't with the main account though; the account on the VM needs to have remote desktop enabled and be disconnected.

    Thanks for sharing. And I would suggest you mark your reply as answer to close this thread, and then others who run into the same issue would find the solution easily.

    Best Regards,

    Edward



    Wednesday, March 1, 2017 2:12 AM