tags:

views:

114

answers:

2
+4  Q: 

Why doesn't my WCF endpoint throw a Max Clock Skew exception?

With almost all of the (secure) WCF service endpoints in my application, if the client's system clock is set too far in the future or past, I get an exception from WCFs Clock Skew mechanism (described here: http://www.danrigsby.com/blog/index.php/2008/08/26/changing-the-default-clock-skew-in-wcf/).

However the one endpoint where my Login() method is implemented never throws this exception even though it has transport security enabled (naturally no credentials are required for it).

Why isn't the "Clock Skew mechanism" working for this endpoint? Maybe it's because clientCredentialType is set to "None"?

As an example, here's a simplified version of my configuration:

<services>
    <service name="Foo">
        <endpoint address=""
            binding="wsHttpBinding"
            bindingConfiguration="binding1"
            contract="IFoo" />
    </service>
</services>

<bindings>
    <wsHttpBinding> 
        <binding name="binding1" maxReceivedMessageSize="100000000">
            <readerQuotas maxDepth="1000000000" maxArrayLength="1000000000" maxStringContentLength="1000000000" />
            <security mode="Transport">
                <transport clientCredentialType ="None"/>
            </security>
            <reliableSession enabled="false" />
        </binding>
    </wsHttpBinding>    
</bindings>
+1  A: 

Other people have a similar problem:

http://stackoverflow.com/questions/3386216/triggering-maxclockskew-when-accessing-wcf-service

So I do not think that it is a problem with your configuration.

It appears to be, that if it does not use machine time, it does not check if there is a difference in time between the machines.

You could program your way around it, send the client machine time as a parameter in your login method, if it is different, throw an exception.

Shiraz Bhaiji  2010-08-08 20:53:11
+1  A: 

The security mode - security mode="Transport" - does not include time stamp in the message which cause the MaxClockSkew validation to ignore the message and not throws a security exception. Change the security mode to security mode="TransportWithMessageCredential" which include time stamps and allow the MaxClockSkew validation to test the message for time delta.

Aryeh215  2010-08-11 07:12:13

related questions

Dynamic programming with WCF
WCF Service Returning "Method Not Allowed"
Exceptions in Web Services
What SPN do I need to set for a net.tcp service?
How do I unit test a WCF service?
Best practices for versioning your services with WCF?
Lazy Loading with a WCF Service Domain Model?
How many ServiceContracts can a WCF Service have?
How can I authenticate using client credentials in WCF just once?
WCF - Domain Objects and IExtensibleDataObject
InvalidOperationException while creating wcf web service instance
Closing and Disposing a WCF Service
What WCF best practices do you follow in object model design?
WCF push to client through firewall?
Loading System.ServiceModel configuration section using ConfigurationManager
I would like some tips for debugging WCF Web Service exceptions
What's the best way to authenticate over WCF?
Good Reads for Distributed Systems
.Net - Returning DataTables in WCF
What is the easiest way to add compression to WCF in Silverlight?
WCF Backward Compatibility Issue
Best Practices for securing a REST API / web service
Web Services -- WCF vs. Standard
C# WCF Service - Backward compatibility issue
WCF - High availability