I have two WCF services on the same machine. One is the publisher and one is the listener.

The Publisher is dynamically creating proxies based upon an endpoint. I am configuring the proxy in code like this:

    using System.ServiceModel;
    using System.ServiceModel.Channels;

    // Builds the binding used for a proxy to the given endpoint address.
    private static Binding GetBindingFromAddress(string address)
    {
        WSHttpBinding binding = new WSHttpBinding(SecurityMode.Message, true);
        binding.Security.Message.NegotiateServiceCredential = true;
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        binding.Security.Transport.ProxyCredentialType = HttpProxyCredentialType.None;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        binding.Security.Message.EstablishSecurityContext = true;
        binding.ReliableSession.Enabled = true;
        binding.TransactionFlow = true;
        return binding;
    }

and then...

    // Creates a proxy of contract type T for the given endpoint address.
    private static T CreateProxy<T>(string address)
    {
        Binding binding = GetBindingFromAddress(address);

        ChannelFactory<T> factory = new ChannelFactory<T>(binding);
        factory.Credentials.UserName.UserName = "an account on the machine";
        factory.Credentials.UserName.Password = "a password for that account";

        T proxy = factory.CreateChannel(new EndpointAddress(address));
        return proxy;
    }

When I go to make my call I receive the above error. Here is my listener config file:

    <system.serviceModel>
      <services>
        <service behaviorConfiguration="MEX Enabled" name="InvoiceSubscriber">
          <endpoint binding="wsHttpBinding"
                    bindingConfiguration="ReliableTransactionalHTTP"
                    contract="AtlanticBT.SubscriptionService.Contracts.v1.IAtlanticEvents">
            <identity>
              <dns value="localhost" />
            </identity>
          </endpoint>
        </service>
      </services>

      <bindings>
        <wsHttpBinding>
          <binding name="ReliableTransactionalHTTP" transactionFlow="true">
            <reliableSession enabled="true"/>
            <security mode="Message">
              <transport clientCredentialType="Windows" proxyCredentialType="None" realm=""/>
              <message clientCredentialType="Windows" negotiateServiceCredential="true"
                       algorithmSuite="Default" establishSecurityContext="true"/>
            </security>
          </binding>
        </wsHttpBinding>
      </bindings>
    </system.serviceModel>

I have checked all my ACLs on the directories that host the services and they appear to be correct. IIS security is set to Anonymous access and Windows Authentication.

So if I am explicitly setting the credentials in code, why can't my listener authenticate?

+3  A: 

First, this message usually means the machines aren't on the same domain and, thus, can't communicate using Windows security. Are the two servers on the same domain?

Second, you've configured your endpoint to use Windows security. You're using Windows security not only at the message level, but at the transport level. Both seem like overkill; you probably just want to do transport.

Third, everything you have configured says "I want to use Windows authentication", but then you are setting the UsernameClientCredentials properties of the ClientCredentials. Those properties are only used for Username token security, not Windows. Windows security is going to take the identity of the current thread and forward it on.

Assuming your intention was to be using Windows security, then you either need to:

  1. Run your publisher process under a single Windows identity you want it to be communicating with the subscribers as.
  2. Use impersonation within the publisher process to change the security context for each call (look into WindowsIdentity.Impersonate for more info)

Right now you are technically doing #1 even if you think you're doing #2 by setting the username/password properties since they are being ignored.

Finally, here's some good documentation on how to setup your bindings for different kinds of Windows authentication scenarios:


Beyond this, I'm not sure what else I can give without more information from you. If you revise your question to provide some more info/answer some of my questions I will gladly revise my answer to hopefully make it more useful.

Drew Marsh
Drew - thank you so much for your response. I am going to read over the articles you mentioned and reply back later in the day. My intent is to use Windows Authentication. The services are on the same machine running in the same domain. Thanks!
Daryl
I had two scenarios to account for. For service to service I definitely wanted Windows Security. I set up IIS to only do Windows Authentication (allowing the ThreadCurrentPrincipal to be the caller) and removed the ClientCredentials. For non-Windows clients I am going to explore using Username token security or certificate based security. I am on my way now thanks to your post... thanks for the articles, they were VERY helpful.
Daryl
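The following is an added example, not code from the question or from Drew's answer, showing the publisher side built the way the answer recommends: Windows credentials at one layer only, nothing assigned to `Credentials.UserName`, and the two ways of choosing the identity that the subscriber sees (the publisher's own process identity, or the identity of whoever called the publisher, via `WindowsIdentity.Impersonate`). The class name `WindowsSecuredProxy`, the helper names and the use of `ServiceSecurityContext.Current` to find the calling identity are assumptions for illustration; the example keeps message-level Windows security (what the question was aiming at) and leaves out the ReliableSession and TransactionFlow settings, which are unrelated to the credential problem.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Hypothetical publisher-side helper (added example, not the poster's code).
// No password is placed in code: the Windows token on the calling thread is
// what WCF forwards, so that is what we control.
public static class WindowsSecuredProxy
{
    // Windows credentials at the message layer only. The transport-level Windows
    // settings from the question are redundant once SecurityMode.Message is chosen.
    public static Binding GetWindowsBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Message, true);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        binding.Security.Message.NegotiateServiceCredential = true;
        binding.Security.Message.EstablishSecurityContext = true;
        return binding;
    }

    // Builds the factory without touching Credentials.UserName: those values are
    // consulted only for UserName token security and are ignored with Windows.
    public static ChannelFactory<T> CreateFactory<T>(string address)
    {
        var factory = new ChannelFactory<T>(GetWindowsBinding(), new EndpointAddress(address));
        // Least privilege for the token we hand over: the subscriber may impersonate
        // us locally but not delegate our identity onward to a third machine.
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
        return factory;
    }

    // Option 1 from the answer: the call goes out as the publisher's process identity
    // (whatever account the publisher's application pool or host runs under).
    public static void CallAsProcessIdentity<T>(ChannelFactory<T> factory, Action<T> call)
    {
        T proxy = factory.CreateChannel();
        Invoke(proxy, call);
    }

    // Option 2 from the answer: impersonate the Windows identity that called the
    // publisher for the duration of the outgoing call, so the subscriber sees the
    // original caller rather than the service account. Must run inside a service
    // operation, where ServiceSecurityContext.Current is populated.
    public static void CallAsCurrentCaller<T>(ChannelFactory<T> factory, Action<T> call)
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous || ctx.WindowsIdentity == null)
        {
            throw new InvalidOperationException("No authenticated Windows caller to impersonate.");
        }

        // Impersonate before the channel is created and opened, so the security
        // negotiation runs under the caller's token; Dispose reverts the thread.
        using (WindowsImpersonationContext impersonation = ctx.WindowsIdentity.Impersonate())
        {
            T proxy = factory.CreateChannel();
            Invoke(proxy, call);
        }
    }

    // Close on success, Abort on failure, so a faulted channel is not left open.
    private static void Invoke<T>(T proxy, Action<T> call)
    {
        var channel = (IClientChannel)proxy;
        try
        {
            call(proxy);
            channel.Close();
        }
        catch
        {
            channel.Abort();
            throw;
        }
    }
}
```

If the service-to-service hop should always run as one fixed account, `CallAsProcessIdentity` is enough and the choice of identity becomes a deployment setting (the application pool identity) rather than something in code. `CallAsCurrentCaller` is the per-call impersonation route; it only works when the publisher itself authenticated its caller with Windows, which is why the anonymous check is there rather than falling back silently to the service account.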