tags:

views:

195

answers:

1
+1  Q: 

WCF with No security

Hi all,

I've got a WCF service setup which I can consume and use as intendid... but only on the same machine. I'm looking to get this working over multiple computers and I'm not fussed about the security. However when I set (client side) the security to = none, I get a InvalidOperationException:

The service certificate is not provided for target 'http://xxx.xxx.xxx.xxx:8731/Design_Time_Addresses/WcfServiceLibrary/ManagementService/'. Specify a service certificate in ClientCredentials.

So I'm left with:

<security mode="Message">
    <message clientCredentialType="None" negotiateServiceCredential="false"
        algorithmSuite="Default" />
</security>

But this gives me another InvalidOperationException:

The service certificate is not provided for target 'http://xxx.xxx.xxx.xxx:8731/Design_Time_Addresses/WcfServiceLibrary/ManagementService/'. Specify a service certificate in ClientCredentials.

Why would I have to provide a certificate if security was turned off?

UPDATED:

Server app config:

<system.serviceModel>
    <services>
      <service name="Server.WcfServiceLibrary.ManagementService" behaviorConfiguration="Server.WcfServiceLibrary.ManagementServiceBehavior">
        <host>
          <baseAddresses>
            <add baseAddress = "http://localhost:8731/Design_Time_Addresses/WcfServiceLibrary/ManagementService/" />
          </baseAddresses>
        </host>
        <endpoint address ="" binding="wsDualHttpBinding" contract="Server.WcfServiceLibrary.IManagementService"
                  bindingConfiguration="WSDualHttpBinding_IManagementService">
          <identity>
            <dns value="localhost"/>
          </identity>
        </endpoint>
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
      </service>
    </services>
      <bindings>
          <wsDualHttpBinding>
              <binding name="WSDualHttpBinding_IManagementService" closeTimeout="00:01:00"
                  openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:00:10"
                  bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
                  maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                  messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true">
                  <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                      maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                  <reliableSession ordered="true" inactivityTimeout="00:10:00" />
                  <security mode="None" />
              </binding>
          </wsDualHttpBinding>
      </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="Server.WcfServiceLibrary.ManagementServiceBehavior">
          <serviceMetadata httpGetEnabled="True"/>
          <serviceDebug includeExceptionDetailInFaults="False" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>

Client app config:

<system.serviceModel>
        <bindings>
            <wsDualHttpBinding>
                <binding name="WSDualHttpBinding_IManagementService" closeTimeout="00:01:00"
                    openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
                    bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
                    maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                    messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true">
                    <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                    <reliableSession ordered="true" inactivityTimeout="00:10:00" />
                    <security mode="None" />
                </binding>
            </wsDualHttpBinding>
        </bindings>
        <client>
            <endpoint address="http://xxx:8731/Design_Time_Addresses/WcfServiceLibrary/ManagementService/"
                binding="wsDualHttpBinding" bindingConfiguration="WSDualHttpBinding_IManagementService"
                contract="ServiceReference.IManagementService">
                <!--name="WSDualHttpBinding_IManagementService">-->
                <identity>
                    <dns value="localhost" />
                </identity>
            </endpoint>
        </client>
    </system.serviceModel>

Thanks

+2  A: 

Gives you some more info to go on!!

What's your server side and client side config?? Anything in <system.serviceModel> is of interest. What bindings are you using?

For instance: if you set the client side security to None, you have to do the same on the server side - those settings need to match!

Update:

OK, with the config, I can point certain things out:

<bindings>
   <wsDualHttpBinding>
      <binding name="WSDualHttpBinding_IManagementService" ......>
          <readerQuotas .... />
          <reliableSession ordered="true" inactivityTimeout="00:10:00" />
          <security mode="Message">
              <message clientCredentialType="Windows" 
                       negotiateServiceCredential="true"
                       algorithmSuite="Default" />
          </security>
       </binding>
    </wsDualHttpBinding>
</bindings>

Questions:

  • do you really need wsDualHttpBinding? Is that an informed choice?

  • if you don't want any security, you need to use:

    <security mode="None" />

  • you need to have this <bindings> section on both client AND server, and you need to reference that binding configuration from your endpoints:

    <endpoint 
     address ="" 
     binding="wsDualHttpBinding" 
     bindingConfiguration="WSDualHttpBinding_IManagementService"
     contract="Server.WcfServiceLibrary.ICheckoutService">
  <identity>
    <dns value="localhost"/>
  </identity>
</endpoint>
marc_s  2010-04-21 05:12:54
Update question thanks!
ing0  2010-04-21 13:25:25
Ok thanks, yes there was a reason for the dual http bindings but atm I cant remember why! Yea I was aware of the security = none. Thanks I will update if its working in 10 mins! :)
ing0  2010-04-21 13:36:08
At the moment I can configure the service reference to my server but when I run I just get a timeout :( Any ideas why?
ing0  2010-04-21 13:51:01
Have updated qu again
ing0  2010-04-21 13:59:54
Well, a wsDualHttpBinding is a two-way binding - the server expects to have a callback contract to call back to the client. If you don't really need this - get rid of it! Try the basicHttpBinding first - that's the most basic and simplest binding. If that works, and you're need more punch, go to the wsHttpBinding (or netTcpBinding, if you're in a corporate, behind-the-firewall kind of setup)
marc_s  2010-04-21 14:33:28
Ok I will do that !
ing0  2010-04-21 14:34:07
Spanks.. It was the binding!! I've changed to wsHttp as we have that setup! Thanks ever so muchly :p
ing0  2010-04-21 14:59:57

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security