none
Configuring my app to use SSL with WCF web services? RRS feed

  • Question

  • So I'm about ready to move my app over to a production server.  I'm using VS 2015 and SL5.x with WCF web services.  The web services were created with VS and reside within the same solution.  My solutions has about 30 projects, one being a Web app (to start SL app), the SL app, and the rest are .NET server side projects and some client side .SL projects.

    I've deployed my app (Publish from VS and then copy published files over to my server) on a test server that does not have SSL enabled.  All is working well, no issues.

    However, I attempted to deploy the same published code over to our production server that uses an EV SSL cert and my SL app fails when attempting to reference/call any of it's WCF web services IF I try to access it via HTTPS (SL app is an OOB app).  The HTTP and HTTPS bindings are setup correctly on the IIS7 server side, but any call to any web service results in a Arg_NullReferenceException

    If I go back to standard HTTP everything works as expected.

    After reading this article HERE there seems to be a rather lengthy process of configuring my web.config, ServiceReferences.ClientConfig and clientaccesspolicy.xml ... I'm not entirely sure this process is correct?

    So I have a few questions:

    1.  Why doesn't VS 2015 simply configure these correctly via a UI option?

    2.  If I make the changes suggested in the article above, how will that impact me when working from within VS 2015 on my development PCs?

    3.  When I reference WCF web services on client side SL code, I do NOT want to have to change how I call them based on whether or not I'm in VS 2015 debug session or if it is "deployed" (i.e. Debugger.IsAttached = false).  My code reference is usually this:

     Dim webServiceURI As New Uri("../WebServices/Client.svc", UriKind.RelativeOrAbsolute)
     Dim webServiceAddress As New EndpointAddress(webServiceURI)
    
     Dim wsClients As New ClientServicesClient
     wsClients.Endpoint.Address = webServiceAddress
    
    AddHandler wsClients.LoadCompleted, AddressOf LoadCompleted
    
    wsClients.LoadAsync(ClientID)

    So I guess my question is how to I configure SSL Web Services being consumed by my SL application AND not have to resort to changing references and/or code going from my VS 2015 environment to my deployed production server environment?  

    Thanks, Rob.


    • Moved by Weiwei Cai Wednesday, May 18, 2016 5:35 AM more related to WCF
    Friday, May 13, 2016 4:30 PM

All replies

  • If it's the same site then you don't need any crossdomain policy files. That's only necessary if your Silverlight app is on a different site from the wcf service. As the article title says "including cross-domain scenario". Maybe the author assumed it ought to be obvious this is optional.

    If you want easy then don't secure your wcf services using a certificate.

    This is an unusual scenario you have chosen, there's no button click wizard support available for this and a number of other scenarios.

    .

    Each thread is 1 question. The header is supposed to be your one question.

    .

    2) I've never used ssl with wcf and Silverlight. I have in the past installed iis on dev machines and set them up as if they were live servers. You could do that. It would then be crossdomain. Or of course you could install your wcf service on a separate site on a server and use that.

    .

    It is usual to have different web.config for dev/test/live. Common to use xml transforms or just substitute files.


    Hope that helps.

    Technet articles: WPF: Layout Lab; All my Technet Articles

    Friday, May 13, 2016 7:38 PM
  • Thanks for response, agree Cross Domain policy isn't required in my case since the web services are published and deployed with my web/SL app.

    WCF service must be secured (we have an EV SSL for our main production and test servers) for PCI/PADS security.

    I can live with file substitution for Web.Config, but what about the ServiceReferences.ClientConfig ... would I need to publish those specific to SSL enabled server also?

    If so, what do I specifically change, endpoint address and <serviceMetadata httpsGetEnabled="true" /> in the Web.Config?

    Sounds like what you're saying it's impossible to have a single "all-in-one" deployed web/SL app with WCF when SSL is required on the destination IIS server?

    If you have a sample on how the Web.Config and ServiceReferences.ClientConfig for deployment to an SSL enabled server with a CA registered DNS, that would be most greatful.

    Thanks, Rob.

    Friday, May 13, 2016 9:18 PM
  • Please refer to this sample.

    http://stackoverflow.com/questions/5041274/deploying-wcf-service-and-silverlight-in-ssl

    And another simple tutorial.

    https://msdn.microsoft.com/en-us/library/hh556232(v=vs.110).aspx

    Monday, May 16, 2016 9:43 AM
  • Thanks for the links, but unfortunately I'm not able to get SSL web services working under my Silverlight 5 applications.  I've exhausted ALL possibilities from those links provided and more.

    No matter what I do, any attempt to reference the WebService via SL code results in a 

    "Arg_NullReferenceException" when I have my server setup for SSL bindings.  Don't really know where to go from here.

    Here is my Web.config

    <configuration>
      <system.web>
        <compilation debug="true" strict="false" explicit="true" targetFramework="4.0" />
        <httpRuntime maxRequestLength="2097151" maxQueryStringLength="2097151" executionTimeout="20000" />
      </system.web>
      <system.webServer>
        <defaultDocument>
          <files>
            <clear />
            <add value="MyCompanyCloud.aspx" />
          </files>
        </defaultDocument>
        <httpProtocol>
          <customHeaders>
            <add name="P3P" value="CP=&quot;OTI DSP COR CUR ADMi IVDi HISi OUR LEG PHY CAO PSA&quot;" />
          </customHeaders>
        </httpProtocol>
      </system.webServer>
      <system.serviceModel>
        <behaviors>
          <serviceBehaviors>
            <behavior name="">
              <serviceMetadata httpsGetEnabled="true" />
              <serviceDebug includeExceptionDetailInFaults="true" />
              <dataContractSerializer maxItemsInObjectGraph="2147483647" />
            </behavior>
            <behavior name="ReportServiceBehavior">
              <serviceMetadata httpsGetEnabled="true" />
              <serviceDebug includeExceptionDetailInFaults="false" />
              <dataContractSerializer maxItemsInObjectGraph="2147483647" />
            </behavior>
          </serviceBehaviors> 
          <endpointBehaviors>
            <behavior name="WebBehavior">
              <webHttp />
            </behavior>
          </endpointBehaviors>
        </behaviors>
        <bindings>
          <!-- <basicHttpBinding>
            <binding name="BasicHttpsBindingConfig" maxReceivedMessageSize="2147483647" maxBufferSize="2147483647" receiveTimeout="00:20:00" sendTimeout="00:20:00">
              <readerQuotas maxArrayLength="2147483647" maxStringContentLength="2147483647" />
            </binding>
          </basicHttpBinding> -->
          <basicHttpBinding>
            <binding name="SecureBasicHttpBinding" closeTimeout="00:02:00"
                openTimeout="00:02:00" receiveTimeout="00:20:00" sendTimeout="00:20:00"
                allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                maxBufferSize="2147483647" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647"
                messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
                useDefaultWebProxy="true">
              <readerQuotas maxDepth="2147483647" maxArrayLength="2147483647" maxStringContentLength="2147483647" />
              <!-- <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                  maxBytesPerRead="4096" maxNameTableCharCount="16384" /> -->
              <security mode="Transport">
                <transport clientCredentialType="None" proxyCredentialType="None"
                    realm="" />
                <message clientCredentialType="UserName" algorithmSuite="Default" />
              </security>
            </binding>
          </basicHttpBinding>
          <wsHttpBinding>
            <binding name="wsBinding" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647">
              <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
            </binding>
          </wsHttpBinding>
          <webHttpBinding>
            <binding maxBufferSize="2147483647" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647" >
              <security mode="Transport" />  
            </binding >
          </webHttpBinding>
        </bindings>
        <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
        <services>
          <service name="MyCompanyCloud.Web.UserServices">
            <endpoint address="" binding="basicHttpBinding" bindingConfiguration="SecureBasicHttpBinding" contract="MyCompanyCloud.Web.UserServices" />
            <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
          </service>
          <service name="MyCompanyCloud.Web.ClientServices">
            <endpoint address="" binding="basicHttpBinding" bindingConfiguration="SecureBasicHttpBinding" contract="MyCompanyCloud.Web.ClientServices" />
            <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
          </service>
          <service name="MyCompanyCloud.Web.SiteServices">
            <endpoint address="" binding="basicHttpBinding" bindingConfiguration="SecureBasicHttpBinding" contract="MyCompanyCloud.Web.SiteServices" />
            <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
          </service>
        </services>
      </system.serviceModel>
      <runtime>
        <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
          <dependentAssembly>
            <assemblyIdentity name="System.Runtime" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
            <bindingRedirect oldVersion="0.0.0.0-2.6.8.0" newVersion="2.6.8.0" />
          </dependentAssembly>
          <dependentAssembly>
            <assemblyIdentity name="System.Threading.Tasks" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
            <bindingRedirect oldVersion="0.0.0.0-2.6.8.0" newVersion="2.6.8.0" />
          </dependentAssembly>
        </assemblyBinding>
      </runtime>
    </configuration>
    Here is my ServiceReferences.ClientConfig:

    <configuration>
      <system.serviceModel>
        <bindings>
          <basicHttpBinding>
            <binding name="SecureBasicHttpBinding" closeTimeout="00:01:00"
                openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
                maxBufferSize="2147483647" maxReceivedMessageSize="2147483647"
                textEncoding="utf-8" transferMode="Buffered">
              <security mode="Transport">
              </security>
            </binding>
          </basicHttpBinding>
        </bindings>
        <client>
          <endpoint address="https://www.MyCompanycloud.com/WebServices/User.svc"
            binding="basicHttpBinding" bindingConfiguration="SecureBasicHttpBinding"
            contract="WebServiceUser.UserServices" />
          <endpoint address="https://www.MyCompanycloud.com/WebServices/Client.svc"
            binding="basicHttpBinding" bindingConfiguration="SecureBasicHttpBinding"
            contract="WebServiceClient.ClientServices" />
          <endpoint address="https://www.MyCompanycloud.com/WebServices/Site.svc"
            binding="basicHttpBinding" bindingConfiguration="SecureBasicHttpBinding"
            contract="WebServiceSite.SiteServices" />
        </client>
      </system.serviceModel>
    </configuration>
    My SL5 calling code is pretty simple:

    Dim wsClient As New ClientServicesClient
    AddHandler wsClient.LoadMasterServerCompleted, AddressOf LoadMasterServerCompleted
    wsClient.LoadMasterServerAsync(aToken)


    The Arg_NullReferenceException is triggered as soon as I execute "Dim wsClient As New ClientServicesClient.  The service was added to the project as "Add Service Reference" ... here is where I think something is wrong or not configured correctly.

    Under SL Project References Tab I my service listed with the Path column showing "...http://localhost:15757/WebServices/Client.svc" ... if I click on "Update" button (in the references tab) I get the following error: 

    Updating web reference 'WebServiceClient' failed.  There was an error downloading "...http://localhost:15757/WebServices/Client.svc ... Could not find a base address that matches scheme https for the endpoint with binding BasicHttpBinding.  Registered base address schemes are [http].

    I'm obviously missing something as I thought the ServiceReferences.ClientConfig was the file that defined the "Path" (which I had changed to my production DNS www.MyCompanyCloud.com) so I was expecting to see the www.MyCompanyCloud.com reference rather than "...http://localhost:15757/WebServices/Client.svc in the Project References Tab.   But apparently that's not how it works so I really don't understand the relationship between the Project reference settings and the ServiceReferences.ClientConfig?  Are the WebService references stored in a project file ... if so, what's the purpose behind having a ServiceReferneces.ClientConfig?  

    Only Microsoft could come up with such a complicated process that I'm sure could have been handled in a much simpler manner for the 95% use case.

    This is turning out to be VERY frustrating as I've spent the last 2 days trying to figure this out and trying all kinds of combinations based on links provided with ZERO success.  I don't really know how to proceed any further??  Non SSL web service is not a viable option and will kill this project.  I'm somewhat baffled that Visual Studio 2015 seems to be rather brain dead in relationship to SSL configurations ... does Microsoft NOT care about secure communications?

    Cheers, Rob.
    Tuesday, May 17, 2016 12:12 AM
  • Hi Rob,

    According to the exception and the location the exception occurs, the problem seems caused by can't find the WCF Service.

    Please try access your WCF Service through web browser directly to confirm whether the WCF Service can be accessed. If can't access the WCF Service, please check whether you have add the clientaccesspolicy.xml and crossdomain.xml file for your WCF Service to allow it enable cross domain access.

    If the WCF Service can be accessed from browser directly, the problem should be in client side. Please check your client side, whether it has setup client access policy for the web site. The policy file should be stored at the accessed site root of your domain. Following is an example of the file that enables HTTP access.

    <?xml version="1.0" encoding="utf-8"?> 
    <access-policy> 
        <cross-domain-access> 
            <policy> 
                <allow-from http-request-headers="*"> 
                    <domain uri="http://*"/> 
                    <domain uri="https://*"/> 
                </allow-from> 
                <grant-to> 
                    <resource path="/" include-subpaths="true"/> 
                </grant-to> 
            </policy> 
        </cross-domain-access> 
    </access-policy> 

    Best Regards,
    Weiwei


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

    Tuesday, May 17, 2016 5:10 AM
  • Hi Weiwei,

    Agree, I think that is exactly it, but why?  I have tried adding entries in the clientaccesspolicy.xml but they made no difference.

    Let me give you some background to my VS 2015 Solution.

    My single solution contains a:

    1.  Web Application project (calls the SL5 project)

    2.  An SL5 Project (runs OOB after install)

    3.  Some .NET 4 DLL projects

    4.  Some SL5 DLL projects

    My WCF web services (*.svc) are contained/code in my Web Application project (#1 above).  I have an SL5 "services" DLL  project that references (Add Service References) the WCF web services from my Web application project.  My other SL5 DLLs then reference my SL5 "services" DLL project.

    The SL5 "services" DLL references the web application project services via Add Service Reference which is "http://localhost:15757/WebServices/Client.svc" as a "Path". 

    I deploy my Solution (Web Application and SL5 App and WCF web services) via a single "Publish" of my web application.  I then "copy" the published files over to our production server that has HTTPS setup.  If I configure the production server IIS7 to use SSL bindings, my application does not work (the NullReferenceException).  If I configure my the production server IIS7 to NOT use SSL and just use standard HTTP, my application works fine.

    In my case, my Web Application, my WCF Web Services, and my SL5 and .NET DLLs are all deployed together as a single "published" web app.

    I think my problem is that my SL5 app, calls my SL5 "services" DLL which does the actual Web Service calls but those calls are referenced with  endpoint of "http://localhost:15757/WebServices/Client.svc" which isn't found under HTTPS when deployed to my production server.  So in my quest to resolve this I made changes to Web.config and the ServiceReferences.ClientConfig (in the SL5 "services" DLL project which almost must be added to the SL5 app project) ... unfortunately NONE of these changes made any difference.  It's as if the ServiceReferences.ClientConfig is completely ignored and when I look in my .XAP file I can't find the ServiceReferences.ClientConfig so the file apparently does NOT get "published" for deployment.

    In the SL5 "services" DLL project I can't change http://localhost:15757/WebServices/Client.svc to anything else or I'll get an error, "https://localhost:15757/WebServices/Client.svc" will trigger the same error.

    I tried two different methods of how I called the WCF web services from my SL5 code:

    Method 1 (in my SL5 "services" DLL)

    Dim webServiceURI As New Uri("../WebServices/Client.svc", UriKind.RelativeOrAbsolute)
    Dim webServiceAddress As New EndpointAddress(webServiceURI)

    ' (Add Service Reference that comes from Web App in same solution)

    Dim wsClients As New ClientServicesClient  
    wsClients.Endpoint.Address = webServiceAddress

    Method 2 (in my SL5 "services" DLL)

    Dim wsClients as New ClientServicesClient

    Method 1 was working fine with HTTP when deployed to server, but will NOT work with HTTPS when deployed to server.  With HTTPS, neither method works.

    Cheers, Rob.



    Tuesday, May 17, 2016 7:33 AM
  • Hi Rob,

    After discussing with WCF experts, we find this problem more related to WCF, I will help you move this thread to WCF forum for a better help. Thanks for your understanding.

    Best Regards,
    Weiwei


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

    Wednesday, May 18, 2016 5:35 AM
  • Hi Weiwei,

    Ok, did any of your WCF experts you discussed this issue with provide any information that could help me resolve this problem? 

    Unfortunately I've not been able to find a working solution using Visual Studio 2015 on a Microsoft platform, so I've started to explore alternate technologies across other OS platforms to see if they offer a less complex and more robust solution including deployment of web based applications.

    I work for a small company and we can't afford to spend several days on something as simple as switching over from HTTP to HTTPS.

    Cheers, Rob.


    Wednesday, May 18, 2016 7:01 AM
  • Hello Robin Ainscough,

    To further help you about this issue, I am trying to invoke someone experienced to help look into this thread, this may take some time and as soon as we get any result, we will post back. 

    Best regards,

    Cole Wu



    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

    Friday, May 20, 2016 8:04 AM
  • Hi Cole,

    If you can find out any more information on how I can deploy my SL5 web application for SSL IIS7 and/or IIS8.5 servers that would be appreciated.

    My objectives:

    1.  Dynamically call my web services (HTTP or HTTPS) ... see my first post for calling code sample.

    2.  Deploy my SL5 web application on HTTPS servers.

    Please note that my SL5 applications current work fine on my servers under HTTP.

    On a side note: I'm pretty disappointed that Visual Studio 2015 seems to be rather limited when it comes to deployment of SSL applications ... it's somewhat troubling that Microsoft appear to have rather complex and lengthy processes of manually editing .xml and/or .config files just to go from HTTP to HTTPS.  I could accept this  cumbersome process say 15 years ago, but not in today's world (aka VS 2015).

    It certainly doesn't encourage developers to deploy "secure" applications.  Is there any reason why VS 2015 isn't capable of a simple "check box" in the Publish dialog box that says "SSL"?

    Cheers, Rob.

    Friday, May 20, 2016 8:52 PM