WCF SOAP security negotiation after changing certificate
After I changed self-signed certificate "localhost" (DNS=localhost) to "Cloudflare Origin Certificate" (dns=mydomain.com) I get following error:
SOAP security negotiation with 'http://localhost:8000/MyService.svc' for target 'http://localhost:8000/MyService.svc' failed. See inner exception for more details.
Inner exception:
Either the client credential was invalid or there was an error collecting the client credentials by the SSPI.
What I noticed is after I start up client I get window to enter credentials. Dunno why.
What I did exactly:
- Generated certificate request in IIS
- Completed certificate on CloudFlare
- Received key pasted into text file with CloudFlare Root CA
- Completed certificate in IIS (Personal, LocalMachine)
- In MMC added to Trusted Publishers CloudFlare Root CA (LocalMachine)
- For WCF website changed SSL certificate to CloudFlare
- Changed in client value from "localhost" to "mydomain.com"
- Changed in server value from "localhost" to "mydomain.com"
- Changed findValue for
WCF web.config
<system.serviceModel>
<client />
<behaviors>
<serviceBehaviors>
<behavior name="authBehavior">
<serviceAuthorization principalPermissionMode="UseWindowsGroups">
<authorizationPolicies>
<add policyType="WCF.Common.AuthorizationPolicy, WCF" />
</authorizationPolicies>
</serviceAuthorization>
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="WCF.Common.IdentityValidator, WCF" />
<serviceCertificate findValue="CloudFlare Origin Certificate" storeLocation="LocalMachine" x509FindType="FindBySubjectName" storeName="My" />
</serviceCredentials>
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="svcBehavior">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<basicHttpsBinding>
<binding name="basicHttpsEndpointBinding" maxReceivedMessageSize="1073741824" maxBufferSize="1073741824" maxBufferPoolSize="1073741824">
<readerQuotas maxDepth="32" maxArrayLength="1073741824" maxStringContentLength="1073741824" />
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
</basicHttpsBinding>
<wsHttpBinding>
<binding name="wsHttpEndpointBinding"></binding>
</wsHttpBinding>
</bindings>
<services>
<service name="WCF.MyService" behaviorConfiguration="svcBehavior">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding" contract="WCF.IMyService">
<identity>
<dns value="mydomain.com" />
</identity>
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
Client app.config
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="MessageAndUserName">
<security mode="Message">
<message clientCredentialType="UserName" />
</security>
</binding>
<binding name="WSHttpBinding_IMyService" />
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost:8777/MyService.svc"
binding="wsHttpBinding" contract="WCF.IMyService"
name="WSHttpBinding_IMyService">
<identity>
<dns value="mydomain.com" />
</identity>
</endpoint>
</client>
<behaviors>
<serviceBehaviors>
<behavior name="DefaultServiceBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
I host addional services in my WCF and also I host some services in Client but none of them are needed.
I use wsHttpBindings between WCF and Client. What can I do to get rid of this error?
What is purpose of ussing wsHttpBinding etc...: Allow only this Client to communicate with MyService.. no one else will be allowed. Client app will run on multiple computers in domain. Do you suggest ussing different approach?
Thanks for any idea!
EDIT: Computer with error is not running in domain. Neither work for computer in domain :/
EDIT2: Security mode transport WCF web.config bindings:
<wsHttpBinding>
<binding name="wsHttpEndpointBinding">
<security mode="Transport">
<message clientCredentialType="None" />
</security>
</binding>
</wsHttpBinding>
Client side config bindings:
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IMyService">
<security mode="Transport">
<message clientCredentialType="None" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://localhost:8001/MyService.svc"
binding="wsHttpBinding" contract="WCF.IMyService"
name="WSHttpBinding_IMyService">
<identity>
<dns value="mydomain.com" />
</identity>
</endpoint>
</client>
IIS:
Here a few resources to review to help determine if NetTcpBinding would work for you, it sounds like it would since you are consuming the web service internally.
NetTcpBinding netTcpBinding is best when WCF service and its clients are in intranet infrastructure. As it supports only TCP protocol and not HTTP, so service cannot be accessed over internet.
This is secure binding is used to send binary encoded SOAP messages with in intranet computers. It supports reliability, transaction and security. If your using netTcpBinding and host WCF service in IIS, you need to make some settings on system and IIS this article will help you for required settings.
A few tips for troubleshooting related issues:
- Double click on the cert in MMC does it give you any error messages under the Certificate Information header?
- Are you able to browse the service from your client in a browser?
- Is the cert assigned in IIS
- Do you have the correct binding
- Is the client using the same binding as the service host?
- Does your endpoint reference the correct binding and service behavior
Additional helpful information about NetTcpBinding:
- Why does an empty preprocessor command still evaluate to something?
- How to implement variable sized array within C struct
- Character array typecasting to integer
- How can I exclude non-numeric keys? CS50 Caesar Pset2
- How to get the sign, mantissa and exponent of a floating point number
- Why do MCU libraries use logic operations instead of bitfield structs?
- What kind of implementation can I use for a static associative array on a vintage system with very limited resources?
- Determine libraries to link against for a windows library function?
- Passing macro values to arm linker that places variable at a specific location
- running a program with wildcards as arguments
- How to perform addition of two vectors of 8-bit integers with a single addition in C/C++
- GNU RISC-V Embedded GCC throws "x ISA extension `xw' must be set with the versions" error
- Counting pulses using a swiss flow meter with an Arduino, how is it done?
- How to create a folder in C (need to run on both Linux and Windows)
- Is there any way to compute the width of an integer type at compile-time?
- How can I initialize all members of an array to the same value?
- Is C notably faster than C++
- How to get the Windows SDK version number a program is compiling with at compile time
- Confused by difference between expression inside if and expression outside if
- Equivalent of atoi for unsigned integers
- k&r: Exercise 1-18. Program takes input but doesnt produce any output?
- Using in C thrd_sleep() to either wait for time or interrupt by signal. Example?
- How can I compute `exp(x)/2` when `x` is large?
- c programming: answer always equates to 0
- Is it possible to access a parameter of a function from another function in C?
- Will this expression evaluate to true or false (1 or 0) in C?
- What Is the Return Value of strcspn() When Str1 Does not Contain Str2?
- Mapping a numeric range onto another
- Signalled and non-signalled state of event
- Why is faster to do a branch than a lookup?