Re: ... forbidden with client authentication scheme Anonymous
- From: "Tiago Halm" <thalm@xxxxxxxxxxxxxxxxxx>
- Date: Sun, 30 Mar 2008 21:13:15 +0100
I may be wrong here, but you say "dual-channel communications", and MSDN
says that duplex service contracts (WSDualHttpBinding) must use SOAP
security, whereas you're using transport security and you're also using the
standard basicHttpBinding.
From what I can tell (I may be wrong) you're setting up a dual channel manually,
where both the client and the server are services. It would be useful to
gather more info on what WCF offers for true dual communication scenarios:
http://msdn2.microsoft.com/en-us/library/system.servicemodel.wsdualhttpbinding.aspx
Finally, if you want to maintain the architecture you have, you need both
services to be set up on IIS with a secure channel (HTTPS), and it seems that
the service that is acting as the client is not set up as such.
Let me know if this helps.
Tiago Halm
"mzarlenga" <mzarlenga@xxxxxxxxx> wrote in message
news:d42a875c-9fc0-4814-9e75-0b759012b1eb@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Mar 29, 1:13 pm, "Tiago Halm" <th...@xxxxxxxxxxxxxxxxxx> wrote:
Let us know more details, in particular the binding (basicHttpBinding,
wsHttpBinding, netTcpBinding, etc...) and its attributes. We need to know
where the security check takes place (transport or message) and how the
server/client authenticate.
I'm using .Transport security.
Both the client and server use the same classes for WCF.
A secure Host/Receiver is created as follows:
------------------------------------------------------------------
private static int MAX_RECEIVED_MESSAGE_SIZE = 128 * 1024; // 128KB

public static ServiceHost MakeServiceHost(IPost creator, string endpoint)
{
    receiver = new ServiceHost(...);
    ... .PostObj = creator; // the creator contains PostMessage()
    Uri serviceUri = new Uri(endpoint);
    BasicHttpBinding httpBinding = new BasicHttpBinding();
    XmlDictionaryReaderQuotas quota = new XmlDictionaryReaderQuotas();
    quota.MaxStringContentLength = MAX_RECEIVED_MESSAGE_SIZE;
    httpBinding.ReaderQuotas = quota;
    httpBinding.MaxBufferSize = MAX_RECEIVED_MESSAGE_SIZE;
    httpBinding.MaxReceivedMessageSize = MAX_RECEIVED_MESSAGE_SIZE;
    if (endpoint.Contains("https://"))
    {
        httpBinding.Security.Mode = BasicHttpSecurityMode.Transport;
        httpBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
        receiver.AddServiceEndpoint(...);
        return receiver;
    }
    ... // non-secure endpoint code not shown
}
A secure Sender is created as follows:
--------------------------------------------------------
public static ... MakeSender(string endpoint, string SSLCertThumbprint)
{
    if (endpoint.Contains("https://"))
    {
        BasicHttpBinding secureBinding = new BasicHttpBinding();
        secureBinding.Security.Mode = BasicHttpSecurityMode.Transport;
        secureBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
        EndpointAddress secureEndpointAddress = new EndpointAddress(endpoint);
        sender = new ... (secureBinding, secureEndpointAddress);
        sender.ClientCredentials.ClientCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindByThumbprint, SSLCertThumbprint);
        ServicePointManager.ServerCertificateValidationCallback +=
            new System.Net.Security.RemoteCertificateValidationCallback(customXertificateValidation);
        return sender;
    }
    ... // non-secure endpoint code not shown
}
We also have a custom validation method:
-------------------------------------------------------------
private static bool customXertificateValidation(object sender,
    X509Certificate cert, X509Chain chain,
    System.Net.Security.SslPolicyErrors error)
{
    if ((error == System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch) ||
        (error == System.Net.Security.SslPolicyErrors.None))
        return true;
    // Logger is a thread-safe log-to-file method
    Logger.Write("ERROR: " + error.ToString());
    return false;
}
And, you say "the error the server gets (...)". Isn't it the other way
around?
The architecture uses dual-channel communications.
On a request, the client posts to the server's endpoint. This works
for the server's secured and non-secured endpoints.
On a response, the server posts to the client's endpoint. This works
only for a non-secured client endpoint. When the client is using a
secured endpoint, and the server tries to respond to that endpoint,
the server gets the "forbidden with client authentication scheme
'Anonymous'" error.
Here are some other items which may or may not be important:
The server is running on Windows Server 2003 Standard Edition Service
Pack 2, the client is on Windows XP Professional Version 2002 Service
Pack 2.
When the client system was initially set up, IIS was not installed.
Once the problem with secure endpoints was discovered, I installed IIS
from an XP SP2 CD. It was not the same CD that was used for the
original XP install.
Both client and server are using the same certificate to secure their
endpoints.
Thanks for helping!
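An added example, written for this page and not code from either poster: it shows the shape the thread converges on, one binding factory used by both the host and the sender so the two ends of each channel are configured identically, and a strict server-certificate validator beside the permissive one posted above. The posted callback returns true on RemoteCertificateNameMismatch, which switches hostname checking off for every HTTPS connection in the process; the version below accepts only a clean chain and, because the thread says both ends use the same certificate, additionally pins the peer to an expected thumbprint. The class name, ExpectedPeerThumbprint and its placeholder value are hypothetical.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Added example, not the original poster's code. Assumes the same setup the
// thread describes: BasicHttpBinding over HTTPS with a client certificate.
public static class SecureChannel
{
    // Hypothetical: thumbprint of the certificate the peer is expected to present
    // (the thread states both ends use the same certificate, so this is known up front).
    public static string ExpectedPeerThumbprint = "0000000000000000000000000000000000000000";

    // One binding factory for the receiving ServiceHost and the sending channel, so the
    // host that acts as a client cannot end up with a different security mode than its peer.
    public static BasicHttpBinding MakeTransportBinding(int maxMessageBytes)
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
        binding.MaxReceivedMessageSize = maxMessageBytes;
        binding.MaxBufferSize = maxMessageBytes;
        binding.ReaderQuotas.MaxStringContentLength = maxMessageBytes;
        return binding;
    }

    // Strict validator: any policy error (chain, name mismatch, missing certificate)
    // rejects the connection, and a clean chain is still checked against the pin.
    public static bool ValidatePeer(object sender, X509Certificate cert,
                                    X509Chain chain, SslPolicyErrors errors)
    {
        if (errors != SslPolicyErrors.None || cert == null)
        {
            Console.Error.WriteLine("TLS policy error: " + errors);
            return false;
        }
        var presented = new X509Certificate2(cert);
        bool pinned = string.Equals(presented.Thumbprint, ExpectedPeerThumbprint,
                                    StringComparison.OrdinalIgnoreCase);
        if (!pinned)
            Console.Error.WriteLine("Unexpected peer certificate " + presented.Thumbprint);
        return pinned;
    }

    // Install once at startup. The callback is process-global, so it is assigned rather
    // than added with +=: with += every MakeSender call stacks another delegate, and only
    // the last one's return value decides the outcome.
    public static void InstallValidator()
    {
        ServicePointManager.ServerCertificateValidationCallback = ValidatePeer;
    }

    // Sender side: the client certificate is looked up by thumbprint, as in the thread.
    public static ChannelFactory<TContract> MakeSenderFactory<TContract>(
        string httpsEndpoint, string clientCertThumbprint, int maxMessageBytes)
    {
        var factory = new ChannelFactory<TContract>(MakeTransportBinding(maxMessageBytes),
                                                    new EndpointAddress(httpsEndpoint));
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindByThumbprint, clientCertThumbprint);
        return factory;
    }
}
```

The binding alone does not make the receiving end request a client certificate: that is decided by the HTTP listener. Under IIS it is the SSL setting "Require client certificates" on the site; for a self-hosted ServiceHost (the posted code calls new ServiceHost directly) the certificate is bound to the port with netsh http add sslcert, and the binding needs clientcertnegotiation=enable or the listener will not ask for one, which is consistent with the "forbidden with client authentication scheme 'Anonymous'" failure appearing only on the client-side host.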