Windows authentication errors when SSL subject does not match machine name

  • Question

  • I am having some issues with Windows auth over Transport with IIS 8.0.

    I have a WCF soap service with the following binding:

          <wsHttpBinding>
            <binding name="wsHttp_Windows">
              <security mode="TransportWithMessageCredential">
                <transport clientCredentialType="None" />
                <message clientCredentialType="Windows" negotiateServiceCredential="false"/>
              </security>
            </binding>
          </wsHttpBinding>

    The service works fine when I have IIS configured to use an SSL cert whose subject name matches my machine's DNS name (FQDN). However, when I change the SSL certificate to a different SSL certificate (the FQDN of the web farm / cluster), I get the following errors:

    CLIENT SIDE:

    Client (inner) exception:
    Message: The request for security token could not be satisfied because authentication failed.
    FaultCode: FailedAuthentication

    Client stack trace:
       at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
       at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Security.CommunicationObjectSecurityTokenProvider.Open(TimeSpan timeout)
       at System.ServiceModel.Security.SecurityProtocol.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
       at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
       at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
       at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

    SERVER/SERVICE SIDE:

    Svc trace log:

    <E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
      <System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system">
        <EventID>131075</EventID>
        <Type>3</Type>
        <SubType Name="Error">0</SubType>
        <Level>2</Level>
        <TimeCreated SystemTime="2012-12-06T06:21:06.2105109Z" />
        <Source Name="System.ServiceModel" />
        <Correlation ActivityID="{163ba61b-d937-44ba-b516-68f6a296ebd4}" />
        <Execution ProcessName="w3wp" ProcessID="9696" ThreadID="9" />
        <Channel />
        <Computer>x</Computer>
      </System>
      <ApplicationData>
        <TraceData>
          <DataItem>
            <TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Error">
              <TraceIdentifier>http://msdn.microsoft.com/en-US/library/System.ServiceModel.Diagnostics.ThrowingException.aspx</TraceIdentifier>
              <Description>Throwing an exception.</Description>
              <AppDomain>/LM/W3SVC/1/ROOT/RPActiveBVT-1-129992484647011691</AppDomain>
              <Exception>
                <ExceptionType>System.ComponentModel.Win32Exception, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
                <Message>The Security Support Provider Interface (SSPI) negotiation failed.</Message>
                <StackTrace>
                  at System.ServiceModel.Security.WindowsSspiNegotiation.GetOutgoingBlob(Byte[] incomingBlob, ChannelBinding channelbinding, ExtendedProtectionPolicy protectionPolicy)
                  at System.ServiceModel.Security.SspiNegotiationTokenAuthenticator.ProcessNegotiation(SspiNegotiationTokenAuthenticatorState negotiationState, Message incomingMessage, BinaryNegotiation incomingNego)
                  at System.ServiceModel.Security.NegotiationTokenAuthenticator`1.ProcessRequestCore(Message request)
                  at System.ServiceModel.Security.NegotiationTokenAuthenticator`1.NegotiationHost.NegotiationSyncInvoker.Invoke(Object instance, Object[] inputs, Object[]&amp; outputs)
                  at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc&amp; rpc)
                  at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc&amp; rpc)
                  at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc&amp; rpc)
                  at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)
                  at System.ServiceModel.Dispatcher.ChannelHandler.DispatchAndReleasePump(RequestContext request, Boolean cleanThread, OperationContext currentOperationContext)
                  at System.ServiceModel.Dispatcher.ChannelHandler.HandleRequest(RequestContext request, OperationContext currentOperationContext)
                  at System.ServiceModel.Dispatcher.ChannelHandler.AsyncMessagePump(IAsyncResult result)
                  at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
                  at System.ServiceModel.Diagnostics.TraceUtility.&lt;&gt;c__DisplayClass4.&lt;CallbackGenerator&gt;b__2(AsyncCallback callback, IAsyncResult result)
                  at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)
                  at System.Runtime.InputQueue`1.AsyncQueueReader.Set(Item item)
                  at System.Runtime.InputQueue`1.Dispatch()
                  at System.Runtime.ActionItem.DefaultActionItem.TraceAndInvoke()
                  at System.Runtime.ActionItem.CallbackHelper.InvokeWithoutContext(Object state)
                  at System.Runtime.IOThreadScheduler.ScheduledOverlapped.IOCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped)
                  at System.Runtime.Fx.IOCompletionThunk.UnhandledExceptionFrame(UInt32 error, UInt32 bytesRead, NativeOverlapped* nativeOverlapped)
                  at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP)
                </StackTrace>
                <ExceptionString>System.ComponentModel.Win32Exception (0x80004005): The Security Support Provider Interface (SSPI) negotiation failed.</ExceptionString>
                <NativeErrorCode>8009030C</NativeErrorCode>
              </Exception>
            </TraceRecord>
          </DataItem>
        </TraceData>
      </ApplicationData>
    </E2ETraceEvent>

    <E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
      <System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system">
        <EventID>458760</EventID>
        <Type>3</Type>
        <SubType Name="Warning">0</SubType>
        <Level>4</Level>
        <TimeCreated SystemTime="2012-12-06T06:21:06.2165170Z" />
        <Source Name="System.ServiceModel" />
        <Correlation ActivityID="{163ba61b-d937-44ba-b516-68f6a296ebd4}" />
        <Execution ProcessName="w3wp" ProcessID="9696" ThreadID="9" />
        <Channel />
        <Computer>x</Computer>
      </System>
      <ApplicationData>
        <TraceData>
          <DataItem>
            <TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Warning">
              <TraceIdentifier>http://msdn.microsoft.com/en-US/library/System.ServiceModel.Security.SecurityNegotiationProcessingFailure.aspx</TraceIdentifier>
              <Description>Service security negotiation processing failure.</Description>
              <AppDomain>/LM/W3SVC/1/ROOT/RPActiveBVT-1-129992484647011691</AppDomain>
              <ExtendedData xmlns="http://schemas.microsoft.com/2006/08/ServiceModel/NegotiationTokenAuthenticatorTraceRecord">
                <NegotiationTokenAuthenticator>System.ServiceModel.Security.SpnegoTokenAuthenticator</NegotiationTokenAuthenticator>
                <AuthenticatorListenUri>https://xxxxx/RPActiveBVT/ActiveRPService.svc/Windows</AuthenticatorListenUri>
                <Exception>System.ComponentModel.Win32Exception (0x80004005): The Security Support Provider Interface (SSPI) negotiation failed.
                   at System.ServiceModel.Security.WindowsSspiNegotiation.GetOutgoingBlob(Byte[] incomingBlob, ChannelBinding channelbinding, ExtendedProtectionPolicy protectionPolicy)
                   at System.ServiceModel.Security.SspiNegotiationTokenAuthenticator.ProcessNegotiation(SspiNegotiationTokenAuthenticatorState negotiationState, Message incomingMessage, BinaryNegotiation incomingNego)
                   at System.ServiceModel.Security.NegotiationTokenAuthenticator`1.ProcessRequestCore(Message request)
                   at System.ServiceModel.Security.NegotiationTokenAuthenticator`1.NegotiationHost.NegotiationSyncInvoker.Invoke(Object instance, Object[] inputs, Object[]&amp; outputs)</Exception>
              </ExtendedData>
            </TraceRecord>
          </DataItem>
        </TraceData>
      </ApplicationData>
    </E2ETraceEvent>

    IIS logs:

    #Software: Microsoft Internet Information Services 8.0
    #Version: 1.0
    #Date: 2012-12-06 06:21:06
    #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
    2012-12-06 06:21:06 127.0.0.1 POST /RPActiveBVT/ActiveRPService.svc/Windows - 443 - 127.0.0.1 - - 200 0 0 2217
    2012-12-06 06:21:06 127.0.0.1 POST /RPActiveBVT/ActiveRPService.svc/Windows - 443 - 127.0.0.1 - - 200 0 0 6
    2012-12-06 06:21:06 127.0.0.1 POST /RPActiveBVT/ActiveRPService.svc/Windows - 443 - 127.0.0.1 - - 500 0 0 22

    The xxxxx is my machine's FQDN, even though I've set the binding in IIS to use my cluster SSL certificate, and the service and client configuration are pointing to the subject name of the cluster SSL certificate (i.e. the cluster FQDN). I have a hosts entry pointing 127.0.0.1 to my cluster FQDN, and I am not getting any SSL/TLS errors (the service .svc comes up in IE, and I can see the WSDL).

    If I switch back to my SSL certificate that matches my machine name, I don't get any errors. 

    Any Ideas?


    terryc_ms


    • Edited by terryc_ms Thursday, December 6, 2012 7:02 AM
    Thursday, December 6, 2012 6:52 AM

Answers

All replies

  • Hi,

    I would suggest you specify the service identity explicitly to see if it addresses this issue. For detailed information, please refer to:

    Service Identity and Authentication

    http://msdn.microsoft.com/en-us/library/ms733130.aspx

    If your problem persists, please update here. Thanks.


    Leo Tang [MSFT]
    MSDN Community Support | Feedback to us
    Develop and promote your apps in Windows Store
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Friday, December 7, 2012 7:00 AM
    Moderator
  • Unfortunately, using an endpoint identity (SPN or UPN) did not help.

    In my endpoint (both on the client and the service) I have an SPN identity configured. The SPN identity is registered (using setspn) with the app pool domain account that the service is running under. The SPN matches the SSL certificate subject name (the SPN is HTTP/mycusterFQDN.com).

    I get the same error on both client and service regardless of what I specify in the endpoint identity, or if I remove the endpoint identity config element altogether.

    Any ideas appreciated!


    terryc_ms


    • Edited by terryc_ms Thursday, December 13, 2012 7:25 AM
    Friday, December 7, 2012 7:36 AM
  • Hi terryc_ms,

    You are using wsHttpBinding with security mode="TransportWithMessageCredential". This setting will require a single service to establish an SSL connection between the client and the single service. That was what you had done the first time, and logically it worked.

    Now when you switch to the web farm the whole schema should change. I assume that there is a load balancer between your client and the web farm.

    Therefore, if you want to use SSL (https), which is transport-level security, it will be a host-to-host security mode. One of the drawbacks of transport security is that it is hop-to-hop security only. That is, the security will be established only from the client to the load balancer. Once the information reaches the load balancer, it will terminate the SSL at the load balancer, decrypt the traffic and redirect to the appropriate server. That is the reason why the error message mentions http instead of https.

    Link:
    1-     http://www.clickoncerevolution.com/wiki/index.php?title=WCF_under_SSL_Acceleration_and_Load_Balancing
    2-     http://www.devproconnections.com/article/net-framework2/wcf-and-ssl-processing-load-balancers-122238
    This is what Microsoft quoted about message security:

    “Transport security, such as Secure Sockets Layer (SSL) only secures messages when the communication is point-to-point. If the message is routed to one or more SOAP intermediaries (for example a router) before reaching the ultimate receiver, the message itself is not protected once an intermediary reads it from the wire. Additionally, the client authentication information is available only to the first intermediary and must be re-transmitted to the ultimate receiver in out-of-band fashion, if necessary. This applies even if the entire route uses SSL security between individual hops. Because message security works directly with the message and secures the XML in it, the security stays with the message regardless of how many intermediaries are involved before it reaches the ultimate receiver. This enables a true end-to-end security scenario.”

    Relating that to your case, you should configure the certificate at the load balancer level. Then, you will be able to use ssl between your client and the load balancer. The load balancer in turn will receive the encrypted message from the client and transfer that to the appropriate wcf service. Your service will still need to keep the spn configuration.


    Leo Tang [MSFT]

    Friday, December 14, 2012 2:54 AM
    Moderator
  • Getting back to this today, I found this link:

    http://support.microsoft.com/?id=896861

    which solved the problem. Hope this helps anyone facing the same issue. Thanks for your help.


    terryc_ms

    • Marked as answer by terryc_ms Saturday, February 2, 2013 6:44 AM
    Saturday, February 2, 2013 6:44 AM
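The KB article linked in the marked answer (896861) describes the loopback check: when a client on the same machine authenticates with Windows credentials to a host name that is not the machine's own name (here, the cluster FQDN mapped to 127.0.0.1 in the hosts file), the logon is refused, which is what the server-side `SSPI negotiation failed` / `8009030C` trace shows. The KB gives two registry methods: Method 1 lists the specific names in `BackConnectionHostNames` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`; Method 2 sets `DisableLoopbackCheck=1` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, which switches the check off for every name. The script below is an added example, not code from the thread or from Microsoft; it applies Method 1 with PowerShell, merges into any existing entries, skips the machine's own name, and warns if Method 2 has already been applied. `cluster.example.com` is a placeholder for the cluster FQDN that is the SSL certificate subject and the host part of the SPN.

```powershell
# Added example (not from the thread): apply KB 896861 "Method 1" with
# PowerShell instead of regedit. Run elevated on the IIS/WCF server.
#
# Assumptions (placeholders for illustration, not values from the thread):
#   - 'cluster.example.com' stands in for the web farm / cluster FQDN that is
#     the SSL certificate subject and the SPN host part
#   - you prefer Method 1 (BackConnectionHostNames, scoped to listed names)
#     over Method 2 (DisableLoopbackCheck=1, which turns the check off for
#     every host name on the machine)

$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-BackConnectionHostNames {
    # Current REG_MULTI_SZ list, or an empty array if the value does not exist yet.
    $item = Get-ItemProperty -Path $Msv1Key -Name 'BackConnectionHostNames' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.BackConnectionHostNames)
}

function Add-BackConnectionHostName {
    # Merges the given names into BackConnectionHostNames without dropping
    # entries that are already there. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $HostName
    )
    $ownNames = @($env:COMPUTERNAME, [System.Net.Dns]::GetHostEntry('').HostName)
    $current  = Get-BackConnectionHostNames
    $wanted   = @($current)
    foreach ($h in $HostName) {
        if ($ownNames -contains $h) {
            # The machine's own name is not subject to the loopback check.
            Write-Verbose "$h is this machine's own name; no entry needed"
            continue
        }
        if ($wanted -notcontains $h) { $wanted += $h }
    }
    if ($wanted.Count -eq $current.Count) {
        Write-Verbose 'BackConnectionHostNames already contains every requested name'
        return $wanted
    }
    if ($PSCmdlet.ShouldProcess($Msv1Key, "Set BackConnectionHostNames to [$($wanted -join ', ')]")) {
        # REG_MULTI_SZ, one host name per element. -Force overwrites the existing
        # value, which is why the list was merged with the current entries above.
        New-ItemProperty -Path $Msv1Key -Name 'BackConnectionHostNames' `
            -PropertyType MultiString -Value $wanted -Force | Out-Null
    }
    return $wanted
}

function Test-LoopbackCheckDisabled {
    # True if someone applied the less secure Method 2 (DisableLoopbackCheck=1).
    $item = Get-ItemProperty -Path $LsaKey -Name 'DisableLoopbackCheck' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.DisableLoopbackCheck -eq 1)
}

# --- usage ---
$clusterFqdn = 'cluster.example.com'   # placeholder: use your cluster FQDN

if (Test-LoopbackCheckDisabled) {
    Write-Warning "DisableLoopbackCheck=1 is set under $LsaKey; consider removing it and relying on BackConnectionHostNames instead."
}

Add-BackConnectionHostName -HostName $clusterFqdn -Verbose

# KB 896861 says to restart the IISAdmin service after editing the value.
# Uncomment once you are ready for the worker processes to recycle:
# Restart-Service -Name IISADMIN -Force
```

Run it once with `-WhatIf` on `Add-BackConnectionHostName` to see the merged list before anything is written. Method 1 is the one to prefer: the loopback check exists to block reflection attacks against the machine, and `BackConnectionHostNames` narrows the exception to names this server legitimately answers for, whereas `DisableLoopbackCheck=1` removes the protection for every name. On IIS 8 the IISAdmin service is only present when the IIS 6 management compatibility components are installed; if it is absent, `iisreset` recycles the worker processes so the new value takes effect.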