Re: ... forbidden with client authentication scheme Anonymous



On Mar 29, 1:13 pm, "Tiago Halm" <th...@xxxxxxxxxxxxxxxxxx> wrote:
Let us know more details, in particular the binding (basicHttpBinding,
wsHttpBinding, netTcpBinding, etc...) and its attributes. We need to know
where the security check takes place (transport or message) and how the
server/client authenticate.

I'm using .Transport security.

Both the client and server use the same classes for WCF.

A secure Host/Receiver is created as follows:
------------------------------------------------------------------

private static int MAX_RECEIVED_MESSAGE_SIZE = 128 * 1024; // 128KB

public static ServiceHost MakeServiceHost(IPost creator, string endpoint)
{
    receiver = new ServiceHost(...);
    ... .PostObj = creator; // the creator contains PostMessage()
    Uri serviceUri = new Uri(endpoint);

    BasicHttpBinding httpBinding = new BasicHttpBinding();

    XmlDictionaryReaderQuotas quota = new XmlDictionaryReaderQuotas();
    quota.MaxStringContentLength = MAX_RECEIVED_MESSAGE_SIZE;
    httpBinding.ReaderQuotas = quota;
    httpBinding.MaxBufferSize = MAX_RECEIVED_MESSAGE_SIZE;
    httpBinding.MaxReceivedMessageSize = MAX_RECEIVED_MESSAGE_SIZE;

    if (endpoint.Contains("https://"))
    {
        httpBinding.Security.Mode = BasicHttpSecurityMode.Transport;
        httpBinding.Security.Transport.ClientCredentialType =
            HttpClientCredentialType.Certificate;
        receiver.AddServiceEndpoint(...);
        return receiver;
    }
    .... // non-secure endpoint code not shown
}


A secure Sender is created as follows:
--------------------------------------------------------

public static ... MakeSender(string endpoint, string SSLCertThumbprint)
{
    if (endpoint.Contains("https://"))
    {
        BasicHttpBinding secureBinding = new BasicHttpBinding();
        secureBinding.Security.Mode = BasicHttpSecurityMode.Transport;
        secureBinding.Security.Transport.ClientCredentialType =
            HttpClientCredentialType.Certificate;
        EndpointAddress secureEndpointAddress = new EndpointAddress(endpoint);

        sender = new ... (secureBinding, secureEndpointAddress);

        sender.ClientCredentials.ClientCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindByThumbprint, SSLCertThumbprint);

        ServicePointManager.ServerCertificateValidationCallback += new
            System.Net.Security.RemoteCertificateValidationCallback(customXertificateValidation);
        return sender;
    }
    .... // non-secure endpoint code not shown
}

We also have a custom validation method:
-------------------------------------------------------------

private static bool customXertificateValidation(object sender,
    X509Certificate cert, X509Chain chain,
    System.Net.Security.SslPolicyErrors error)
{
    if ((error == System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch) ||
        (error == System.Net.Security.SslPolicyErrors.None))
        return true;

    // Logger is a thread-safe log-to-file method
    Logger.Write("ERROR: " + error.ToString());
    return false;
}


And, you say the "the error the server gets (...)". Isn't it the other way
around?

The architecture uses dual-channel communications.

On a request, the client posts to the server's endpoint. This works
for the server's secured and non-secured endpoints.

On a response, the server posts to the client's endpoint. This works
only for a non-secured client endpoint. When the client is using a
secured endpoint, and the server tries to respond to that endpoint,
the server gets the "forbidden with client authentication scheme
'Anonymous'" error.

Here are some other items which may or may not be important:

The server is running on Windows Server 2003 Standard Edition Service
Pack 2, the client is on Windows XP Professional Version 2002 Service
Pack 2.

When the client system was initially set up, IIS was not installed.
Once the problem with secure endpoints was discovered, I installed IIS
from an XP SP2 CD. It was not the same CD that was used for the
original XP install.

Both client and server are using the same certificate to secure their
endpoints.


Thanks for helping!
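The customXertificateValidation method above accepts RemoteCertificateNameMismatch, which means a TLS peer presenting any trusted certificate for any name is accepted. The following is an added example, not code from the original post, of a stricter callback that rejects every policy error and additionally pins the peer to the thumbprint already used by MakeSender; the names PinnedCertificateValidator and the log delegate are assumptions.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the original post). Builds a callback that
// rejects every SslPolicyErrors value, including
// RemoteCertificateNameMismatch, and pins the peer certificate to the
// thumbprint both sides already deploy. 'log' stands in for the
// poster's Logger.Write; pass that method from the calling code.
public static class PinnedCertificateValidator
{
    public static RemoteCertificateValidationCallback Create(
        string expectedThumbprint, Action<string> log)
    {
        // Normalise once: thumbprints copied from certmgr often carry spaces.
        string expected = expectedThumbprint.Replace(" ", "").ToUpperInvariant();

        return (object sender, X509Certificate cert, X509Chain chain,
                SslPolicyErrors errors) =>
        {
            if (cert == null)
            {
                log("ERROR: peer presented no certificate");
                return false;
            }

            // Any chain, name or availability error is fatal. A name mismatch is
            // precisely the signal that a different host answered, so it must
            // not be whitelisted.
            if (errors != SslPolicyErrors.None)
            {
                log("ERROR: TLS policy error " + errors + " from " + cert.Subject);
                return false;
            }

            // Pin: the peer must present the deployed certificate. Thumbprint is
            // the SHA-1 hash of the certificate, as used by FindByThumbprint.
            string actual = cert.GetCertHashString();
            if (!string.Equals(actual, expected, StringComparison.OrdinalIgnoreCase))
            {
                log("ERROR: unexpected peer thumbprint " + actual);
                return false;
            }
            return true;
        };
    }
}
```

Install it with `ServicePointManager.ServerCertificateValidationCallback = PinnedCertificateValidator.Create(SSLCertThumbprint, Logger.Write);` rather than `+=`, so no earlier, more permissive handler remains in the delegate chain; note that this property is process-wide and applies to every outgoing HTTPS connection the process makes, not only the WCF sender.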