Hi,
I have two problems (I think they might be connected).
I have an application a little similar to the ProjectTracker example. I have built a channel, service and client. I am trying to run the client to get information from the server (similar to the GetProjects example). The first problem I have is that I am having a hard time getting the service to host on IIS. I have created a new virtual directory pointing to the service home directory, modified the virtual directory settings to work with ASP.NET 2, and created an application with execute permissions set to scripts only. The virtual directory runs with anonymous access (regular anonymous user). I keep getting the following exception when running the "GetProjects" equivalent:
System.ServiceModel.Security.SecurityNegotiationException: Secure channel cannot be opened because security negotiation with the remote endpoint has failed. This may be due to absent or incorrectly specified EndpointIdentity in the EndpointAddress used to create the channel. Please verify the EndpointIdentity specified or implied by the EndpointAddress correctly identifies the remote endpoint. ---> System.ServiceModel.FaultException: The request for security token has invalid or malformed elements.
at System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target)
at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
When using the Visual Studio internal web server I get past this point, but fail with the following exception:
Invalid token for impersonation - it cannot be duplicated
This is thrown in the WcfProxy.cs file when running:
WcfResponse response = svr.Create(
    new CreateRequest(objectType, criteria, context));
I think this is due to some security settings either on
(BTW, I am using IIS6 on Windows 2003 Server.) Any help will be greatly appreciated!
It could be due to WCF security too. I have found security to be the single biggest roadblock to using WCF...
One easy solution is to turn off WCF security in your <system.serviceModel> section:
<bindings>
  <wsHttpBinding>
    <binding name="Transport">
      <security mode="Transport">
        <transport clientCredentialType="None"/>
      </security>
    </binding>
    <binding name="NoSecurity">
      <security mode="None"/>
    </binding>
  </wsHttpBinding>
</bindings>
Or to explicitly set security to what you need - though figuring out even basic security configurations is really tough... I'm still trying to get the darn thing to allow me to use SSL but not to pass the Windows identity over the wire at the same time...
Hi Rocky,
I have tried your suggestion with no luck.
I have also tried to run the ProjectTracker example with the same result. To run the example I performed the following:
1. I added the PTWcfClient, PTWcfServiceAuth and PTWcfService projects/websites to the ProjectTrackercs solution and compiled it.
2. Added a virtual directory under the IIS default web site, created an application and changed the website to run with .NET 2 instead of .NET 1.
3. When running the PTWcfClient I get the same exception as before (it is thrown on the "PTWcfService.ProjectData[] list = svc.GetProjectList();" line):
System.ServiceModel.Security.SecurityNegotiationException: Secure channel cannot be opened because security negotiation with the remote endpoint has failed. This may be due to absent or incorrectly specified EndpointIdentity in the EndpointAddress used to create the channel. Please verify the EndpointIdentity specified or implied by the EndpointAddress correctly identifies the remote endpoint. ---> System.ServiceModel.FaultException: The request for security token has invalid or malformed elements.
at System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target)
at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
Is there anything else I have missed to run this example? (I am using cslacs-3.0.3-071127[1].zip.)
Thanks
Shai
PTWcfClient is different from using the WCF data portal channel. PTWcfClient has a couple configuration options to support the different scenarios I walk through in the ebook. One scenario is unsecured, the other passes username/password credentials to the server over an encrypted channel. Both client and server need to agree on the security model or you’ll get errors like the one you have.
One thing you can try is to right-click on the service reference in PTWcfClient and tell it to refresh/update the reference. That’ll cause it to re-read the WSDL from the service and recreate the client-side config. Once you’ve done that it should work.
If that does not work, then the service is configured to require some sort of security you aren’t providing. It is probably configured (in whole or part) to require the encrypted channel and/or the username/password credentials.
As I say, configuring WCF security is really unpleasant. Read carefully through the WCF security section of the ebook, and read the security chapter in Juval Lowy’s Programming WCF Services book, and read the MSDN content on WCF security. And remember that the config files are case-sensitive.
I find dark humor in all this. One major support issue I’ve always had with CSLA is configuring remoting – mostly because it is so easy to do a typo in the config files. Along comes WCF, which is “superior” to remoting, with far more complex configuration. Microsoft’s “move forward” is (in this case at least) a big move backward if you ask me…
Though to be fair, there is a Microsoft GUI tool you can use to manipulate the WCF config sections. And you may consider using that to view/edit both config files because it might help you identify how they are mismatched. Here’s some info on that tool: http://jeffbarnes.net/portal/blogs/jeff_barnes/archive/2007/02/28/wcf-configuration-editor.aspx
Rocky
From: shaih
[mailto:cslanet@lhotka.net]
Sent: Sunday, January 06, 2008 8:19 AM
To: rocky@lhotka.net
Subject: Re: [CSLA .NET] Wcf issues - IIS and VS internal web server
Hi Rocky,
Thanks for your help, after hard work I was able to make both the ProjectTracker and my application work with the custom security defined.
I am not clear though on the service side: should a login call be made on each call to the service? Or is it supposed to be managed by WCF once the configuration files define the custom validator? After debugging the service I have noticed that PrincipalPolicy.Evaluate is called with my Windows identity and CredentialValidator.Validate is not called.
Is there anything I missed? I did not find anything in the CSLA .NET 3 eBook on this.
Thanks
I chose not to cover Windows security in the 3.0 book, because that’s the one topic that is covered in every WCF book I’ve looked at. Passing a custom username/password, on the other hand, is covered in none of the books I have found, so I was able to cover new (and important) ground.
It makes total sense that your credential validator wouldn’t be called – you can’t validate the Windows credentials, and so WCF defers to Windows in that case.
But it makes sense that the policy evaluation would be called, because WCF is claims-based and they need to allow you to create the appropriate set of claims/roles based on the Windows user (because Windows credentials have no built-in claims).
You should be able to implement the policy evaluation class as shown in the 3.0 ebook, and use that location to create your custom principal based on the username of the validated credential provided by WCF.
In the end, no, you should not need to call a login method in each service implementation - though honestly I think that might be easier than implementing the credential validator and policy evaluator... WCF does have an impressive extensibility model, but it isn’t easy.
Rocky
From: shaih
[mailto:cslanet@lhotka.net]
Sent: Wednesday, January 09, 2008 7:56 AM
To: rocky@lhotka.net
Subject: Re: [CSLA .NET] RE: Wcf issues - IIS and VS internal web server
Hi Rocky and thanks for the quick reply,
I think I was not clear in my previous thread. I am using custom credentials. For the purposes of the question I am running the ProjectTracker example after implementing the security configuration from the ebook (certificate, custom authentication code and configuration changes).
The GetProjects method returns all the projects from the database when using, for example, the "pm" user and "pm" password, but it also returns the project data when I deliberately send a wrong password for the pm user name.
I have commented out the logout call in the service GetProperties method as instructed in the comment above it: //TODO: comment out the following if using the PTWcfServiceAuth components to require a username/password from the caller
My question was: should I replace the logout call with a login call, or is there something else I might have done incorrectly to make this work? The above was tried with the ProjectTracker example (client and service).
Thanks
Shai
If you are using the username/password technique from the book then the credential validator should be called. If it is not being called then it is likely that the issue is in your server’s web.config. You need to ensure that the config tells WCF to use both the credential and policy classes you’ve created.
Rocky
From: shaih
[mailto:cslanet@lhotka.net]
Sent: Wednesday, January 09, 2008 9:04 AM
To: rocky@lhotka.net
Subject: Re: [CSLA .NET] RE: RE: Wcf issues - IIS and VS internal web
server
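The wiring Rocky is describing, as an added example; this is not CSLA or ProjectTracker code, and the namespace, the assembly name in the config, the in-memory user table and the role mapping are assumptions. Two details matter for the symptom Shai saw (data returned for a wrong password): UserNamePasswordValidator.Validate has to throw to reject a credential, a validator that returns normally accepts everything; and if the serviceCredentials element does not name the validator, WCF's default userNamePasswordValidationMode is Windows, so your validator never runs and the authorization policy sees a WindowsIdentity instead of the username from the token.

```csharp
// Added example, not CSLA or ProjectTracker code. The namespace, the assembly name in
// the config below, the in-memory user table and the role mapping are assumptions.
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Principal;

namespace PTWcfServiceAuth.Example
{
    // WCF calls Validate for each message carrying a UserName token, but only once the
    // serviceCredentials element below names this class. Validate must THROW to reject
    // a credential; returning normally means "accepted".
    public class CredentialValidator : UserNamePasswordValidator
    {
        // Constructed sample accounts; a real store holds salted password hashes.
        private static readonly Dictionary<string, string> Users =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            { { "pm", "pm" }, { "admin", "admin" } };

        public override void Validate(string userName, string password)
        {
            if (!Check(userName, password))
                // One generic message: do not reveal whether the username exists.
                throw new SecurityTokenException("Unknown username or incorrect password");
        }

        public static bool Check(string userName, string password)
        {
            string expected;
            return !string.IsNullOrEmpty(userName) && password != null
                && Users.TryGetValue(userName, out expected)
                && string.Equals(expected, password, StringComparison.Ordinal);
        }
    }

    // Runs after token validation. WCF puts the identity built from the token in
    // evaluationContext.Properties["Identities"]: a GenericIdentity with the username
    // when the validator is wired, a WindowsIdentity when WCF fell back to Windows.
    public class PrincipalPolicy : IAuthorizationPolicy
    {
        private readonly string _id = Guid.NewGuid().ToString();
        public string Id { get { return _id; } }
        public ClaimSet Issuer { get { return ClaimSet.System; } }

        public bool Evaluate(EvaluationContext evaluationContext, ref object state)
        {
            object obj;
            if (!evaluationContext.Properties.TryGetValue("Identities", out obj))
                return false;
            IList<IIdentity> identities = obj as IList<IIdentity>;
            if (identities == null || identities.Count == 0)
                return false;
            // principalPermissionMode="Custom" makes this Thread.CurrentPrincipal.
            evaluationContext.Properties["Principal"] = BuildPrincipal(identities[0].Name);
            return true;
        }

        public static IPrincipal BuildPrincipal(string userName)
        {
            // Assumed role mapping; the ebook builds the CSLA business principal here.
            string[] roles = string.Equals(userName, "admin", StringComparison.OrdinalIgnoreCase)
                ? new string[] { "Administrator", "ProjectManager" }
                : new string[] { "ProjectManager" };
            return new GenericPrincipal(new GenericIdentity(userName), roles);
        }
    }
}

/* Service-side web.config that makes WCF use both classes (assumed to be compiled into
   PTWcfServiceAuth.dll). The client binding must use the same security mode and
   clientCredentialType, or negotiation fails as in the first post of this thread.
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="UserNameOverSsl">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="PTWcfServiceBehavior">
        <serviceCredentials>
          <userNameAuthentication userNamePasswordValidationMode="Custom"
            customUserNamePasswordValidatorType="PTWcfServiceAuth.Example.CredentialValidator, PTWcfServiceAuth" />
        </serviceCredentials>
        <serviceAuthorization principalPermissionMode="Custom">
          <authorizationPolicies>
            <add policyType="PTWcfServiceAuth.Example.PrincipalPolicy, PTWcfServiceAuth" />
          </authorizationPolicies>
        </serviceAuthorization>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
*/
```

The check to run after deploying: call the service with a deliberately wrong password and confirm you get a fault rather than data, with a breakpoint in Validate to confirm it actually executes. If Validate is never hit, either the binding is not asking the client for a UserName token (so there is nothing to validate) or the behavior configuration is not attached to the service, and the service is effectively open to anyone who can reach the endpoint.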
Thanks a lot Rocky,
Your solution got me working after 8 hours of struggling.
Where can I read more about security? In the next phase I have to implement SSL for the same.
Thanks,
Rajesh
Thankfully the Microsoft Patterns and Practices group just got a beta of their WCF security guidance out at http://www.codeplex.com/wcfsecurityguide.
This is probably the single best resource for WCF security information available today.
Rocky's link did not work for me.
Here is another one:
http://www.codeplex.com/Project/ProjectDirectory.aspx?ProjectSearchText=wcfsecurityguide
Copyright (c) Marimer LLC