wcf + https + self-host + mutual authentication problem

  • Question

  • Hi All:

    We're experiencing another WCF issue recently.

    It's a client/server structure: the server is a console app which hosts the WCF service, and the client is also a console app.

    Here is app.config of service:

    <?xml version="1.0"?>
    <configuration>
      <startup>
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
      </startup>
      <system.serviceModel>
        <services>
          <service behaviorConfiguration="customBehavior" name="Wcf.Service.Impl.BookingService">
            <endpoint address="https://server1:6789/BookingService"
                      binding="wsHttpBinding"
                      bindingConfiguration="customWsHttpBinding"
                      contract="Wcf.Service.Interface.IBooking"/>
          </service>
        </services>
        <bindings>
          <wsHttpBinding>
            <binding name="customWsHttpBinding">
              <security mode="Transport">
                <transport clientCredentialType="Windows"/>
                <message clientCredentialType="Certificate"/>
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
        <behaviors>
          <serviceBehaviors>
            <behavior name="customBehavior">
              <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
              <serviceDebug includeExceptionDetailInFaults="false"/>
            </behavior>
          </serviceBehaviors>
        </behaviors>
      </system.serviceModel>
    </configuration>
    

    We also bind specific certificate to port 6789 via following commands:

    netsh http add urlacl url=https://+:6789/BookingService/ user=EVERYONE
    netsh http add sslcert ipport=0.0.0.0:6789 certhash=fee301fe70d419931b0f94d88c35b3f070c02f82 certstorename=My appid={BDCF9E12-ABF3-4EB4-9597-E34A1ECBC594} clientcertnegotiation=enable

    Here is the app.config of the client:

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <startup>
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
      </startup>
      <system.serviceModel>
        <client>
          <endpoint address="https://server1:6789/BookingService" behaviorConfiguration="customBehavior"
            binding="wsHttpBinding" bindingConfiguration="customWsHttpBinding"
            contract="Wcf.Service.Interface.IBooking" name="WSHttpBinding_ICalculator">
            <identity>
              <dns value="server1" />
            </identity>
          </endpoint>
        </client>
        <behaviors>
          <endpointBehaviors>
            <behavior name="customBehavior">
              <clientCredentials>
                <clientCertificate findValue="tempClient"
                                   x509FindType="FindBySubjectName"
                                   storeLocation="CurrentUser"
                                   storeName="My"/>
                <serviceCertificate>
                  <authentication certificateValidationMode="ChainTrust"/>
                </serviceCertificate>
              </clientCredentials>
            </behavior>
          </endpointBehaviors>
        </behaviors>
        <bindings>
          <wsHttpBinding>
            <binding name="customWsHttpBinding">
              <security mode="Transport">
                <transport clientCredentialType="Windows"/>
                <message clientCredentialType="Certificate"/>
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
      </system.serviceModel>
    </configuration>

    I get an exception if the client is running on a different PC while trying to call a service method:

    Unhandled Exception: System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate oXAwbqADCgEBomcEZWBjBgkqhkiG9xIBAgIDAH5UMFKgAwIBBaEDAgEepBEYDzIwMTQxMjA4MDgxNjEwWqUFAgMAzUymAwIBKakNGwtBVTAwMi5MT0NBTKoYMBagAwIBAaEPMA0bC3hpYW5nIGZyYW5r'. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized. ---> System.ComponentModel.Win32Exception: The target principal name is incorrect
       at System.Net.NTAuthentication.GetOutgoingBlob(Byte[] incomingBlob, Boolean throwOnError, SecurityStatus& statusCode)
       at System.Net.NTAuthentication.GetOutgoingBlob(String incomingBlob)
       at System.Net.NegotiateClient.DoAuthenticate(String challenge, WebRequest webRequest, ICredentials credentials, Boolean preAuthenticate)
       at System.Net.NegotiateClient.Authenticate(String challenge, WebRequest webRequest, ICredentials credentials)
       at System.Net.AuthenticationManager.Authenticate(String challenge, WebRequest request, ICredentials credentials)
       at System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest, ICredentials authInfo)
       at System.Net.HttpWebRequest.CheckResubmitForAuth()
       at System.Net.HttpWebRequest.CheckResubmit(Exception& e)
       --- End of inner exception stack trace ---
       at System.Net.HttpWebRequest.GetResponse()

    It's OK if the client and server are running on the same machine.

    Any idea?
    Any reference would be appreciated, thanks in advance.


    fight for future!



    • Edited by Mulder2008 Monday, December 8, 2014 8:23 AM
    Monday, December 8, 2014 8:03 AM

Answers

  • Hi Mulder2008,

    First, please try to use the TransportWithMessageCredential security mode instead of the Transport mode on both the service and client side to see if it helps:

    <security mode="TransportWithMessageCredential">
      <transport clientCredentialType="Windows"/>
      <message clientCredentialType="Certificate"/>
    </security>

    Then please try to set includeExceptionDetailInFaults to true to get more detailed information:

    <serviceDebug includeExceptionDetailInFaults="true"/>

    Best Regards,
    Amy Peng





    Tuesday, December 9, 2014 5:10 AM
    Moderator
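    The suggested mode change works because of how wsHttpBinding picks the layer that authenticates the caller. With mode="Transport", WCF authenticates the client only at the HTTP transport layer, so clientCredentialType="Windows" drives a Negotiate (Kerberos/NTLM) handshake, and the <message clientCredentialType="Certificate"/> element in the question's config is never consulted. "The target principal name is incorrect" is the Kerberos error for a service principal name the target does not hold, which explains why the call succeeds locally and fails from another machine. With mode="TransportWithMessageCredential", TLS still authenticates the server through its certificate, but the client credential moves to the message layer, where the configured client certificate is actually used and no Kerberos negotiation is needed. The Python script below is an added example, not code from the thread or from Microsoft: it parses an app.config, reports which credential is effective for each binding, and flags the ignored <message> element together with a few related weak settings (mode None, TransportCredentialOnly, a non-https address with a transport-secured mode, certificateValidationMode="None", includeExceptionDetailInFaults="true"). The embedded config is a constructed copy of the question's client config, and the "fixed" variant applies exactly the answer's substitution.

```python
"""Lint WCF wsHttpBinding security settings for the credential-layer mismatch."""
import xml.etree.ElementTree as ET

# Layer that authenticates the caller per wsHttpBinding security mode. In Transport
# and TransportCredentialOnly mode only <transport clientCredentialType> counts; a
# <message clientCredentialType> element is silently ignored.
CLIENT_AUTH_LAYER = {
    "None": None,
    "Transport": "transport",
    "TransportCredentialOnly": "transport",
    "Message": "message",
    "TransportWithMessageCredential": "message",
}

# Constructed sample input modelled on the client app.config in the question
# (not captured from a live system; host and paths are the thread's own).
ORIGINAL_CONFIG = """<configuration>
  <system.serviceModel>
    <client>
      <endpoint address="https://server1:6789/BookingService"
                binding="wsHttpBinding" bindingConfiguration="customWsHttpBinding"
                behaviorConfiguration="customBehavior"
                contract="Wcf.Service.Interface.IBooking"/>
    </client>
    <behaviors>
      <endpointBehaviors>
        <behavior name="customBehavior">
          <clientCredentials>
            <serviceCertificate>
              <authentication certificateValidationMode="ChainTrust"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <bindings>
      <wsHttpBinding>
        <binding name="customWsHttpBinding">
          <security mode="Transport">
            <transport clientCredentialType="Windows"/>
            <message clientCredentialType="Certificate"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
  </system.serviceModel>
</configuration>
"""
# The accepted answer's change: the same config with only the mode switched.
FIXED_CONFIG = ORIGINAL_CONFIG.replace('mode="Transport"', 'mode="TransportWithMessageCredential"')


def describe_binding(binding):
    """Return (mode, transport cred, message cred, effective client cred) for a <binding>,
    applying WCF's defaults: Message mode and Windows credentials at both layers."""
    security = binding.find("security")
    mode = security.get("mode", "Message") if security is not None else "Message"
    transport = binding.find("security/transport")
    message = binding.find("security/message")
    transport_cred = transport.get("clientCredentialType", "Windows") if transport is not None else "Windows"
    message_cred = message.get("clientCredentialType", "Windows") if message is not None else "Windows"
    effective = {"transport": transport_cred, "message": message_cred}.get(CLIENT_AUTH_LAYER.get(mode))
    return mode, transport_cred, message_cred, effective


def effective_client_credential(xml_text):
    """Credential type that actually authenticates the caller for the first binding."""
    return describe_binding(ET.fromstring(xml_text).find(".//binding"))[3]


def lint_config(xml_text):
    """Return a list of (code, description) findings for one app.config document."""
    root = ET.fromstring(xml_text)
    findings, modes = [], {}
    for binding in root.iter("binding"):
        name = binding.get("name", "<unnamed>")
        mode, transport_cred, message_cred, _ = describe_binding(binding)
        modes[name] = mode
        if mode == "None":
            findings.append(("NO-CLIENT-AUTH", f"binding {name}: mode None, callers are not authenticated"))
        if mode == "TransportCredentialOnly":
            findings.append(("CLEARTEXT", f"binding {name}: TransportCredentialOnly sends messages unprotected"))
        if binding.find("security/message") is not None and CLIENT_AUTH_LAYER.get(mode) == "transport":
            findings.append(("MESSAGE-CRED-IGNORED",
                             f"binding {name}: mode {mode} ignores <message clientCredentialType=\"{message_cred}\"/>;"
                             f" callers are authenticated by transport credential '{transport_cred}'"))
    for endpoint in root.iter("endpoint"):
        if endpoint.get("binding") != "wsHttpBinding":
            continue
        mode = modes.get(endpoint.get("bindingConfiguration"), "Message")
        address = endpoint.get("address", "")
        if mode in ("Transport", "TransportWithMessageCredential") and not address.lower().startswith("https://"):
            findings.append(("NEEDS-HTTPS", f"endpoint {address}: mode {mode} requires an https address"))
    for auth in root.iter("authentication"):
        if auth.get("certificateValidationMode") == "None":
            findings.append(("NO-CERT-VALIDATION", "service certificate validation disabled (certificateValidationMode=None)"))
    for debug in root.iter("serviceDebug"):
        if debug.get("includeExceptionDetailInFaults", "false").lower() == "true":
            findings.append(("FAULT-DETAILS", "includeExceptionDetailInFaults=true returns exception details to callers"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: effective client credential = {effective_client_credential(cfg)}")
        for code, text in lint_config(cfg):
            print(f"  [{code}] {text}")
```

    Run against the original config the script reports the effective credential as Windows and a single MESSAGE-CRED-IGNORED finding; against the fixed config it reports Certificate and no findings. The linter only reads attributes and knows nothing about SPNs or certificate stores, so a clean result means the config is internally consistent, not that the deployment is correct.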

All replies

  • Yes, TransportWithMessageCredential works.

    Thanks.


    fight for future!

    Wednesday, December 10, 2014 1:35 AM