views:

334

answers:

2

Hi !

I have a WCF service hosted on a windows service on my Server1. It also has IIS on this machine. I call the service from a web app and it works fine. But within this service, I have to call another WCF sevice (also hosted on a windows service) located on Server2. The security credentials are set to "Message" and "Username". I have an error like "SOAP protcol negociation failed". It's a problem with my server certificate public key that doesn't seem to be recognise. However, if I call the service on the Server2 from Server1 in a console app, it works fine.

I followed this tutorial to set up my certificates : http://www.codeproject.com/KB/WCF/wcf_certificates.aspx

Here's the config file from my service on Server1 that tries to call the second one :

    <endpoint address=""
              binding="wsHttpBinding"
              contract="Microsoft.ServiceModel.Samples.ITraitement" />


    <endpoint address="mex"
              binding="mexHttpBinding"
              contract="IMetadataExchange" />
  </service>

</services>

<client>
  <endpoint address="http://Server2:8000/servicemodelsamples/service"
    behaviorConfiguration="myClientBehavior" binding="wsHttpBinding"
    bindingConfiguration="MybindingCon" contract="Microsoft.ServiceModel.Samples.ICalculator"
    name="">
    <identity>
      <dns value="ODWCertificatServeur" />
    </identity>
  </endpoint>
</client>

<bindings>
  <wsHttpBinding>
    <binding name="MybindingCon">
      <security mode="Message">
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

<behaviors>
  <serviceBehaviors>
    <behavior name="ServiceTraitementBehavior">
      <serviceMetadata httpGetEnabled="True"/>
      <serviceDebug includeExceptionDetailInFaults="True" />
    </behavior>
  </serviceBehaviors>
  <endpointBehaviors>
    <behavior name="myClientBehavior">
      <clientCredentials>
        <clientCertificate findValue="MachineServiceTraitement" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
        <serviceCertificate>
          <authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck"/>
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>

And here's the config file from the web app that calls the service on Server1 :

<system.serviceModel>
<bindings>
  <wsHttpBinding>
    <binding name="WSHttpBinding_ITraitement" closeTimeout="00:01:00"
        openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
        bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
        maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
        messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
        allowCookies="false">
      <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
          maxBytesPerRead="4096" maxNameTableCharCount="16384" />
      <reliableSession ordered="true" inactivityTimeout="00:10:00"
          enabled="false" />
      <security mode="Message">
        <transport clientCredentialType="Windows" proxyCredentialType="None"
            realm="" />
        <message clientCredentialType="Windows" negotiateServiceCredential="true"
            algorithmSuite="Default" establishSecurityContext="true" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
<client>
  <endpoint address="http://localhost:8020/ServiceTraitementPC"
      binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_ITraitement"
      contract="ITraitement" name="WSHttpBinding_ITraitement">
  </endpoint>
</client>

Any idea why it works if if I call it in a console app and not from my service ? Maybe it has something to do with the certificateValidationMode="ChainTrust" ?

A: 

When you call the service from the console app you are in the security context of the logged in user.

When you call the service from a service running in IIS, with default settings, you are in the security context of a local account NETWORK SERVICE.

The way to fix it is probably to set impersonate=true in the system.web section of your web.config.

Shiraz Bhaiji
+1  A: 

Well, finally it was just a matter of trusting the issuer of the certificate on the client machine. It was mentioned in the tutorial and I must have missed that step. Still wonder why it worked when calling from a console app, but... anyway, it works fine now.

Thanks !

ultraman69