
WCF service shows exception when securing service with wsHttpBinding and username authentication


I have created a workflowservice in .net 4.0

I am trying to secure this (WCF) service and used the following link to see how this is done.

I followed the instructions, however when I define a servicebehavior everything works fine. The configuration is like this:

<behaviors>
  <serviceBehaviors>
    <behavior>
      <serviceCredentials name="ServiceBehavior">
        <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
          membershipProviderName="AspNetSqlMembershipProvider" />
      </serviceCredentials>
      <serviceMetadata httpGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="false" />
    </behavior>
  </serviceBehaviors>
</behaviors>

My binding is specified like this:

<bindings>
  <wsHttpBinding>
    <binding name="CentralAdminBinding">
      <security mode="TransportWithMessageCredential">
        <transport clientCredentialType="None"/>
        <message clientCredentialType="UserName"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

When I call the url to see the xamlx for the service, the following error is shown:

Could not find a base address that matches scheme https for the endpoint with binding BasicHttpBinding. Registered base address schemes are [http]

How can I handle this error? I do not use https at all but still get an error.

I also tried to change to basichttpbinding instead of wshttp, but it gives a similar error.

When changing the security mode to Message I get the following error: The service certificate is not provided. Specify a service certificate in ServiceCredentials

Is there a way to use the configuration without the certificate?


Solution

  • TransportWithMessageCredential means that you want to use transport security and send credentials in the message. Transport security in this case means HTTPS. The first release of WCF demanded that user name and password can only be used with secured communication. Later on MS released a patch which allows a workaround to avoid HTTPS, but it is still not recommended. In .NET 4.0 the patch is directly included.

    If you want to use message credentials without secured communication you have to create a custom binding similar to this:

    <bindings>
      <customBinding>
        <binding name="HttpWithAuthentication">
          <security authenticationMode="UserNameOverTransport" allowInsecureTransport="true" />
          <context /> <!-- needed for durable workflows -->
          <textMessageEncoding messageVersion="Soap12Addressing10" />
          <httpTransport />
        </binding>
      </customBinding>
    </bindings>
    

    The problem with allowInsecureTransport is that it is a "quick fix" which does not integrate with all WCF features. So, for example, when you use it your service is not able to generate WSDL / metadata because this part still requires secure communication.
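
For comparison with the custom binding above, here is the recommended HTTPS variant of the question's configuration. It is an added example, not part of the original question or answer. It assumes the IIS site hosting the .xamlx has an HTTPS binding with a server certificate; the binding and membership provider names are the ones from the question.

```xml
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Same binding as in the question: TLS protects the channel,
           the user name and password travel in the SOAP message. -->
      <binding name="CentralAdminBinding">
        <security mode="TransportWithMessageCredential">
          <transport clientCredentialType="None" />
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>

  <!-- Default endpoints created for the https base address use the
       secured binding above instead of the built-in default mapping. -->
  <protocolMapping>
    <add scheme="https" binding="wsHttpBinding"
         bindingConfiguration="CentralAdminBinding" />
  </protocolMapping>

  <behaviors>
    <serviceBehaviors>
      <!-- Unnamed behavior: applied to every service in this config (.NET 4.0). -->
      <behavior>
        <serviceCredentials>
          <userNameAuthentication
            userNamePasswordValidationMode="MembershipProvider"
            membershipProviderName="AspNetSqlMembershipProvider" />
        </serviceCredentials>
        <!-- Publish WSDL / metadata over HTTPS only. -->
        <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

If the site also keeps a plain http binding, the default http mapping still produces a basicHttpBinding endpoint with no credential requirement, so remove that site binding or map the http scheme explicitly.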