wcf-security

WCF Input Validation and Cross Site Vulnerabilities

We're trying to harden a WCF service that we use with an XBAP application and have some questions that we haven't been able to answer yet. To give some background: The communication between the application and service is over HTTPS. The user is authenticated using username/password. The data being sent/received is compressed (gzip) bi...

Securing WCF client and service with Certificates

I need to implement transport security with certificates to secure my client and service. I am absolutely confused by server certificate, client certificate and mutual certificates. I am using a TCP endpoint for communication, and the client and service are hosted in a Windows service. Could someone please throw some light on difference betwee...

WCF Service - Accept Client Certificates

I have a requirement (govt client) to turn off all authentication schemes (No anon, NTLM, digest, basic, etc) in IIS6 and enable client certificates only. This part is non-negotiable. This WCF web service provides the data to a Silverlight client. With Basic authentication on, everything works peachy. When it is turned off, we get...

Why doesn't my WCF endpoint throw a Max Clock Skew exception?

With almost all of the (secure) WCF service endpoints in my application, if the client's system clock is set too far in the future or past, I get an exception from WCF's Clock Skew mechanism (described here: http://www.danrigsby.com/blog/index.php/2008/08/26/changing-the-default-clock-skew-in-wcf/). However the one endpoint where my Logi...

reliableSession, inactivityTimeout attribute

Hi All, My server and client side are configured with the value inactivityTimeout = "00:01:00", and after the client goes inactive for more than 1 minute (exceeding the timeout value) I must wait another 9 minutes (10 min in total) to get the session timeout fault. Although I set receiveTimeout="00:01:00" on both sides. Below is my app config...

WCF REST RequestInterceptor authentication

I am trying to do some basic authentication in a WCF RequestInterceptor. I am using this article as a start. The problem I am running into is communicating between the interceptor and the service. Nothing I have tried seems to work. So far, I have tried: OperationContext.Current requestContext.RequestMessage.Properties[HttpRequestMess...

WCF and Client Certificate Validation with WebHttpBinding

Hi Guys, Stack Overflow has been a great help every time I face a problem. However, I have been struggling to find an answer for a new issue I am facing. I have been working on a WCF service to validate client certificates using WebHttpBinding. I have the service interface as shown below:- // IAuthenticatedMessageService.cs namespace AuthenticatedMessageS...

I need my custom MembershipProvider to throw an exception on ValidateUser

I created a custom Membership Provider which is now working in production just fine validating my WCF calls. I do have an issue every now and then that for some unknown reason my provider cannot validate the user. In those cases I do not want the ValidateUser function to just return false, so I thought of throwing an exception with a ...

WCF Security; IAuthorizationPolicy called after ServiceAuthorizationManager

My understanding is that an IAuthorizationPolicy (added through my web.config) should be called BEFORE my ServiceAuthorizationManager.CheckAccessCore (also added through my web.config). (I also have principal authorization mode set to Custom in the web.config). This way, the IAuthorizationPolicy can add a ClaimSet, then the ServiceAuthor...

How to authenticate user while calling WCF service using AJAX?

I have a WCF service which needs to be called from the client side (AJAX call). I want to use ScriptManager on an ASPX page to add a ServiceReference to the WCF service (or) a jQuery AJAX call to the WCF service. I want to deny anonymous users access to the WCF service. Is there any way to do user authentication before calling a service method fro...

Help needed to secure my WCF service using Certificate

Hello all, I am writing a service in an internet scenario. I have to implement message encryption. I got everything, but when I browse this service from IIS I am getting the following exception. Server Error in '/MyTestService' Application. Keyset does not exist Description: An unhandled exception occurred during the execution...

WCF The Security Support Provider Interface (SSPI) negotiation failed.

I am using a WCF service that I created; when both the hosting machine and the client machine are on the same domain everything works just fine. When I publish the client app to the web server in the DMZ I am getting the following error: SOAP security negotiation with 'http://10.0.0.14:3790/Bullfrog/QBService/QBService' for target 'http:/...

Choosing a WCF Security Model for background client processes running at multiple domains that call a WCF WS?

Hi, I am creating a WCF web service using wsHttpBinding and a corresponding application that calls this web service. The idea behind the application that calls the WS is that it will be installed and run from multiple client sites as a background process. The background processes will periodically send information from its respective...

With custom UserNamePasswordValidator, can I kill the user's WPF "session"?

I'm using a custom UserNamePasswordValidator, which instantiates and logs in to our internal API. This API exposes an event that's fired when the user is "kicked" (by another administrative user), and I'd like to respond to this by killing the WCF session, so that further calls throw an exception. How do I go about doing this? My WCF ...

Can a custom UserNamePasswordValidator add things to the WCF session?

Related to this question, I'm instantiating a connection to our internal API inside my custom UserNamePasswordValidator. Can I stash this somewhere so that I can use it in future calls in that user's session? This is similar to this question, but I'm not using IIS, so I can't use HttpContext.Current (or can I?). Update: Some context: o...

Can a custom UserNamePasswordValidator be used as a role provider?

Related to this question, I've got a custom UserNamePasswordValidator that logs in to our internal API. As part of this logging-in, I can discover the user's roles in our system. I'd like to later use these in PrincipalPermissionAttribute demands on the service methods, e.g.: [OperationContract] [PrincipalPermission(SecurityAction.Dema...

How do I do username/password authentication in WCF, with session affinity?

It seems like I'm barking up the wrong tree when asking this question, this question and this question. I need to authenticate users against a custom API (in COM), and I need to keep that custom API (the COM object) alive (for that user) for future WCF calls. During authentication against that custom API, I can get back a list of custo...

Looking for WCF Solution to Pass User Credentials in a Load Balanced Environment with Custom Binding

We currently support several WCF services running in a load balanced environment. In the past, we have used wsHttpBinding and set establishSecurityContext to false to allow the service to work properly with our load balancer. An issue we have run into is that the wsHttpBinding encrypts the return results by default and, apparently, can...

Winform failed to run with secured WCF service with WSHttpBinding and session

I hosted my WCF service under IIS6. The VD under IIS has "Integrated windows authorization" enabled. I used Session in the WCF service and also used WSHttpBinding. The security mode for WSHttpBinding is like: The Winform client called this web service. Everything works fine unde...

which type of security is needed for WCF

Here is my scenario: I have a WCF Service that is hosted on an internal server behind a firewall. The client is a web application that resides on the web server in the DMZ. The firewall is open on a port between the two nodes so the connection can be made from the client to the server. What type of binding do I need to be using for sec...