Migrating Web Service WSE client to WCF (how to?)

  • Question

  • I have a Web Service I can't control much. But the requirement is to upgrade the WSE client (working) to a WCF client. Below is what the original working WSE conf looks like, and then the WCF client I have tried (following mostly this instruction).

    The error I am getting is "Security processor was unable to find a security header in the message. This might be because the message is an unsecured fault or because there is a binding mismatch between the communicating parties. This can occur if the service is configured for security and the client is not using security."

    And yet another one in the logs "The security protocol cannot verify the incoming message"

    Am I missing something obvious? What else could I try? (And again, I can't control the service side, not even to turn on logging there.)

    Copied below the most essential conf I think, but can have more details if necessary.

    The old WSE client that works:

    <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
    	<extensions>
    		<extension name="mutualCertificate10Security" type="Microsoft.Web.Services3.Design.MutualCertificate10Assertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    		<extension name="x509" type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    		<extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    	</extensions>
    
    	<policy name="WebServicePolicyCustomSync">
    		<mutualCertificate10Security establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="false" ttlInSeconds="300">
    		<clientToken>
    			<x509 storeLocation="LocalMachine" storeName="My" findValue="E=MyService@somewhere.com, CN=bbb, OU=xxx, OU=yyy, DC=zzz, DC=aaa, DC=no" findType="FindBySubjectDistinguishedName" />
    		</clientToken>
    		<serviceToken>
    			<x509 storeLocation="LocalMachine" storeName="TrustedPeople" findValue="CN=My Service, O=My Company, C=NO" findType="FindBySubjectDistinguishedName" />
    		</serviceToken>
    		<protection>
    			<request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
    			<response signatureOptions="IncludeAddressing, IncludeTimestamp" encryptBody="true" />
    			<fault signatureOptions="IncludeAddressing, IncludeTimestamp" encryptBody="true" />
    		</protection>
    		</mutualCertificate10Security>
    		<requireActionHeader />
    	</policy>
    </policies>
    

    The best I could come up with for the WCF client (not working):

    <client>
    	<endpoint address="http://some.where.com/MyserviceProcess.NET_WS/v1.0.0/Myservice.asmx"
    		binding="customBinding" bindingConfiguration="MySoap"
    		contract="WebRefCustomerSync.MySoap" name="MySoap"
    		behaviorConfiguration="MyBehavior">
    		<identity>
    			<dns value="My Service" />
    		</identity>
    	</endpoint>
    </client>
    <bindings>
    	<customBinding>
    		<binding name="MySoap">
    			<security messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
    				authenticationMode="MutualCertificate"
    				messageProtectionOrder="SignBeforeEncrypt"
    				requireSignatureConfirmation="false"
    				requireDerivedKeys="false" />
    			<textMessageEncoding messageVersion="Soap12WSAddressingAugust2004" />
    			<httpTransport />
    		</binding>
    	</customBinding>
    </bindings>
    <behaviors>
    	<endpointBehaviors>
    		<behavior name="MyBehavior">
    			<clientCredentials>
    				<clientCertificate findValue="E=MyService@somewhere.com, CN=bbb, OU=xxx, OU=yyy, DC=zzz, DC=aaa, DC=no" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName" />
    				<serviceCertificate>
    					<defaultCertificate findValue="CN=My Service, O=My Company, C=NO" storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectDistinguishedName" />
    					<authentication certificateValidationMode="PeerTrust" revocationMode="NoCheck" />
    				</serviceCertificate>
    			</clientCredentials>
    		</behavior>
    	</endpointBehaviors>
    </behaviors>
    

    Wednesday, April 25, 2012 2:09 PM

Answers

  • See the description above: you have not converted the web service to a WCF service on the server side; for example, WCF implements a ServiceContract attribute to define the service interface, and an OperationContract attribute for each method or property exposed. But from the error message information, it seems that you have not placed security headers in the request SOAP message. You need to check that the binding between the client and server is the same and that the security mode between the server and client is the same; you can use the Fiddler tool to inspect the request and response messages.

    Please mark the replies as answers if they help or unmark if not. If you have any feedback about my replies, please contact msdnmg@microsoft.com Microsoft One Code Framework

    Saturday, April 28, 2012 2:07 AM
    Moderator

All replies

  • Hi,

    What does your security header look like? Try to compare the security headers in the SOAP requests of both approaches.

    We faced a similar issue (we did not use an X.509 certificate for encryption, though). We used basicHttpBinding and then injected the required security header through webconfig like this:

    <client>
       <endpoint address="http://blablabla/proxy/operations"
         binding="basicHttpBinding" contract="mycontract" name="myservice">
            <headers>
                <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="true" xmlns:env="http://www.w3.org/2003/05/soap-envelope">
                   <wsse:Username>BlahBlahBlah</wsse:Username>
                   <wsse:Password>BlahBlahBlah</wsse:Password>
                    .....
                </wsse:Security>
            </headers>
       </endpoint>
    </client>

    • Edited by dhanabal Thursday, April 26, 2012 3:39 AM
    Thursday, April 26, 2012 3:38 AM
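
Added example, not part of the original thread: a Python script for the header comparison suggested in the reply above, which profiles two captured SOAP envelopes (for instance saved from Fiddler) and reports only the fields that differ. The sample envelopes are constructed; the SOAP 1.1 envelope on the WSE side is an assumption, and the SOAP 1.2 one mirrors the `Soap12WSAddressingAugust2004` setting in the posted WCF binding.

```python
import xml.etree.ElementTree as ET

SOAP = {"http://schemas.xmlsoap.org/soap/envelope/": "SOAP 1.1",
        "http://www.w3.org/2003/05/soap-envelope": "SOAP 1.2"}
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSA = "http://schemas.xmlsoap.org/ws/2004/08/addressing"  # WS-Addressing August 2004
ADDRESSING_NAMES = {"Action", "To", "MessageID", "ReplyTo"}

def split(tag):
    """Split ElementTree's '{namespace}local' tag into (namespace, local)."""
    ns, _, local = tag[1:].partition("}") if tag.startswith("{") else ("", "", tag)
    return ns, local

def profile(envelope_xml):
    """Summarise the parts of a SOAP envelope that a binding mismatch changes."""
    root = ET.fromstring(envelope_xml)
    env_ns = split(root.tag)[0]
    header = root.find(f"{{{env_ns}}}Header")
    blocks = list(header) if header is not None else []
    security = next((b for b in blocks if split(b.tag) == (WSSE, "Security")), None)
    return {
        "soap": SOAP.get(env_ns, env_ns),
        "addressing": sorted({split(b.tag)[0] for b in blocks
                              if split(b.tag)[1] in ADDRESSING_NAMES}),
        "has_security_header": security is not None,
        "security_children": [split(c.tag)[1] for c in security] if security is not None else [],
        "is_fault": root.find(f"{{{env_ns}}}Body/{{{env_ns}}}Fault") is not None,
    }

def compare(working, failing):
    """Return only the fields that differ, as (working, failing) pairs."""
    a, b = profile(working), profile(failing)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

def _sample(env_ns):  # constructed capture, not taken from the thread
    return (f'<s:Envelope xmlns:s="{env_ns}" xmlns:a="{WSA}" xmlns:o="{WSSE}" xmlns:u="{WSU}" '
            'xmlns:e="http://www.w3.org/2001/04/xmlenc#" xmlns:d="http://www.w3.org/2000/09/xmldsig#">'
            '<s:Header><a:Action>urn:example:op</a:Action><o:Security><u:Timestamp/>'
            '<o:BinarySecurityToken/><e:EncryptedKey/><d:Signature/></o:Security></s:Header>'
            '<s:Body/></s:Envelope>')

WSE_REQUEST = _sample("http://schemas.xmlsoap.org/soap/envelope/")   # assumed SOAP 1.1
WCF_REQUEST = _sample("http://www.w3.org/2003/05/soap-envelope")     # Soap12 as configured

if __name__ == "__main__":
    print(compare(WSE_REQUEST, WCF_REQUEST))
```

Running `profile` on the server's reply as well shows whether it is a fault without a `wsse:Security` header, which is the case the client error message describes.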
  • Thanks for giving a direction, my upvote! Unfortunately the pressure to get it working got so high that we had to revert to WSE for the time being. I hope to post the solution once we get there. (I wish the whole WCF upgrading had a migration tool or something...)
    Friday, April 27, 2012 12:18 PM
  • Please publish a sample SOAP that the WSE sends and that the server returns.

    http://webservices20.blogspot.com/
    WCF Security, Interoperability And Performance Blog

    Saturday, April 28, 2012 11:03 AM