Re: System.ServiceModel.Security.SecurityNegotiationException
- From: stcheng@xxxxxxxxxxxxxxxxxxxx (Steven Cheng [MSFT])
- Date: Thu, 05 Jun 2008 04:42:46 GMT
Hi Manj,

Thanks for your reply.

The error still seems to concern the certificate (which may not be validated as a trusted one).

Have you got the configuration setting in Windows service working (setting up the WCF service host without using code)? Also, as I suggested previously, you can use a console application for testing first so as to simplify the troubleshooting.

Here is the article which mentions most of the info about using certificate authentication with message layer security. You can check some of the configuration settings against yours:

#WCF security: How to configure message security with x509 authentication
http://developers.de/blogs/damir_dobric/archive/2006/09/24/931.aspx

If you still cannot find the cause, I can send you a test solution I used on my side for your reference. BTW, for the test certificates, how did you generate them? Are you using makecert.exe or Windows certificate service?

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

Delighting our customers is our #1 priority. We welcome your comments and suggestions about how we can improve the support we provide to you. Please feel free to let my manager know what you think of the level of service provided. You can send feedback directly to my manager at: msdnmg@xxxxxxxxxxxxxx

==================================================
Get notification to my posts through email? Please refer to http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: =?Utf-8?B?TWFuag==?= <garg@xxxxxxxxxxxxxxxx>
References: <592D36EB-36DF-40AF-9934-CCC00F2A5B53@xxxxxxxxxxxxx> <1B1ADF22-4501-4644-9F74-479B5B9F3CEB@xxxxxxxxxxxxx> <4F849E17-FCFE-4F53-9031-8480B051FC03@xxxxxxxxxxxxx> <JIS28EhxIHA.3644@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: System.ServiceModel.Security.SecurityNegotiationException
Date: Wed, 4 Jun 2008 07:51:01 -0700

Hi Steven,

Thanks for the reply. Now I am getting the following exception:

System.ServiceModel.FaultException: The request for security token could not
be satisfied because authentication failed.

Though I have added Authentication to PeerOrChainTrust as follows at the client:

<client>
    <endpoint address="http://localhost:8080/PreprocessingService"
              binding="wsHttpBinding"
              bindingConfiguration="WSHttpBinding_IPreprocess_IPreprocess"
              behaviorConfiguration="ServiceBehavior"
              contract="ServiceReference1.IPreprocess"
              name="WSHttpBinding_IPreprocess_IPreprocess">
        <identity>
            <certificate encodedValue="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" />
            <dns value="windowshost"/>
        </identity>
    </endpoint>
</client>
<behaviors>
    <endpointBehaviors>
        <behavior name="ServiceBehavior">
            <clientCredentials>
                <serviceCertificate>
                    <authentication certificateValidationMode="PeerOrChainTrust"/>
                </serviceCertificate>
            </clientCredentials>
        </behavior>
    </endpointBehaviors>
</behaviors>

Cheers,

Manj

"Steven Cheng [MSFT]" wrote:

> Hi Manjree,
>
> From the description, the problem occurs when you try using x509
> certificate based message security in a Windows service hosted WCF service.
>
> The error message does indicate that the "identity" of the endpoint hasn't
> been specified. I think the endpoint identity should be the service
> endpoint's identity setting (at service side). In the code you provided, you
> programmatically create the ServiceHost and add the endpoint; however, you
> didn't add an endpoint identity for it.
>
> I've also replied to you in another WCF Windows service hosted thread. In that
> thread you mentioned that you can not get WCF configuration (in app.config)
> to work with a Windows service, correct? I've tested and verified that a Windows
> service can correctly load WCF configuration settings just like other
> applications (console or winform or asp.net...) without problem. Have you
> made sure the app.config is correctly copied with the Windows service exe
> (as windowsservice.exe.config file)?
>
> Also, generally for such a scenario, I suggest you first create a normal
> console application and copy the WCF code (change it to
> configuration/declarative style) into the console application to test. This
> can simplify the troubleshooting and also detect whether the problem is
> specific to Windows service.
>
> BTW, here is the test configuration setting (for server and client) I used:
>
> ==============server====================
> <system.serviceModel>
>     <services>
>         <service name="WcfService1.Service1"
>                  behaviorConfiguration="WcfService1.Service1Behavior">
>             <endpoint address="" binding="wsHttpBinding"
>                       bindingConfiguration="certBinding"
>                       contract="WcfService1.IService1">
>                 <identity>
>                     <certificateReference storeName="My"
>                                           storeLocation="LocalMachine"
>                                           x509FindType="FindByThumbprint"
>                                           findValue="b0d98888fc2fec907661ef11aa430f29e6ae8a91" />
>                 </identity>
>             </endpoint>
>             <endpoint address="mex" binding="mexHttpBinding"
>                       contract="IMetadataExchange"/>
>         </service>
>     </services>
>
> ======client =============
>
> <client>
>     <endpoint address="http://localhost:33382/Service1.svc"
>               binding="wsHttpBinding"
>               bindingConfiguration="WSHttpBinding_IService1"
>               contract="WCFCert.IService1"
>               name="WSHttpBinding_IService1">
>         <identity>
>             <certificateReference storeLocation="LocalMachine"
>                                   storeName="My"
>                                   x509FindType="FindByThumbprint"
>                                   findValue="b0d98888fc2fec907661ef11aa430f29e6ae8a91"/>
>         </identity>
>     </endpoint>
> </client>
> ==================
>
> Anyway, you need to make sure the one you specified at the service side also
> matches the client side's.
>
> If there is anything else unclear, please feel free to post here.
>
> Sincerely,
>
> Steven Cheng
>
> Microsoft MSDN Online Support Lead
>
> Delighting our customers is our #1 priority. We welcome your comments and
> suggestions about how we can improve the support we provide to you. Please
> feel free to let my manager know what you think of the level of service
> provided. You can send feedback directly to my manager at:
> msdnmg@xxxxxxxxxxxxxx
>
> ==================================================
> Get notification to my posts through email? Please refer to
> http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.
>
> ==================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> --------------------
> From: =?Utf-8?B?TWFuanJlZSBHYXJn?= <garg@xxxxxxxxxxxxxxxx>
> References: <592D36EB-36DF-40AF-9934-CCC00F2A5B53@xxxxxxxxxxxxx>
> <1B1ADF22-4501-4644-9F74-479B5B9F3CEB@xxxxxxxxxxxxx>
> Subject: Re: System.ServiceModel.Security.SecurityNegotiationException
> Date: Fri, 23 May 2008 02:12:00 -0700
>
> Thanks Morten. But it is still throwing the same exception. :(
>
> Manjree.
>
> "Morten Abrahamsen" wrote:
>
> > Try changing
> > <identity>
> >     <servicePrincipalName value="host/Avacta-n31m-1" />
> > </identity>
> >
> > to the common name of your service certificate?
> >
> > Morty
> >
> > "Manjree Garg" <garg@xxxxxxxxxxxxxxxx> wrote in message
> > news:592D36EB-36DF-40AF-9934-CCC00F2A5B53@xxxxxxxxxxxxxxxx
> > > Hi,
> > >
> > > I created a web service and hosted it in Windows Services. It is working
> > > fine. Now I am trying to implement the X509 certificates for message layer
> > > security. But it is throwing the following exception:
> > >
> > > An unhandled exception of type
> > > 'System.ServiceModel.Security.SecurityNegotiationException' occurred in
> > > mscorlib.dll
> > >
> > > Additional information: Secure channel cannot be opened because security
> > > negotiation with the remote endpoint has failed. This may be due to absent
> > > or incorrectly specified EndpointIdentity in the EndpointAddress used to
> > > create the channel. Please verify the EndpointIdentity specified or implied by
> > > the EndpointAddress correctly identifies the remote endpoint.
> > >
> > > The WinSvcHost file is:
> > >
> > > using System;
> > > using System.Diagnostics;
> > > using System.IO;
> > > using System.Security.Cryptography.X509Certificates;
> > > using System.ServiceModel;
> > > using System.ServiceModel.Description;
> > > using System.ServiceModel.Security;
> > > using System.ServiceProcess;
> > >
> > > namespace PreprocessingWinSvcHost
> > > {
> > >     public partial class PreprocessingWinSvc : ServiceBase
> > >     {
> > >         private ServiceHost myHost;
> > >
> > >         public PreprocessingWinSvc()
> > >         {
> > >             InitializeComponent();
> > >         }
> > >
> > >         protected override void OnStart(string[] args)
> > >         {
> > >             try
> > >             {
> > >                 // Create the host.
> > >                 Uri address = new Uri("http://localhost:8080/PreprocessingService");
> > >                 WSHttpBinding binding = new WSHttpBinding();
> > >                 Type contract = typeof(IPreprocess);
> > >
> > >                 binding.MaxBufferPoolSize = 200000000;
> > >                 binding.MaxReceivedMessageSize = 200000000;
> > >                 binding.Name = "WSHttpBinding_IPreprocess";
> > >
> > >                 binding.Security.Mode = SecurityMode.Message;
> > >                 binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
> > >
> > >                 myHost = new ServiceHost(typeof(PreprocessingService));
> > >                 myHost.AddServiceEndpoint(contract, binding, address);
> > >
> > >                 myHost.Credentials.ServiceCertificate.SetCertificate(
> > >                     StoreLocation.LocalMachine, StoreName.My,
> > >                     X509FindType.FindBySubjectName, "windowshost");
> > >
> > >                 ClientCredentials creds = new ClientCredentials();
> > >                 // Configure peer trust.
> > >                 creds.ServiceCertificate.Authentication.CertificateValidationMode =
> > >                     X509CertificateValidationMode.PeerOrChainTrust;
> > >
> > >                 // Creates an output file.
> > >                 Stream MyOutputFile = File.Create("c:\\checklog\\Logfile1.txt");
> > >                 TextWriterTraceListener TextListener1 = new TextWriterTraceListener(MyOutputFile);
> > >                 Trace.Listeners.Add(TextListener1); // Add a listener to the Trace.
> > >
> > >                 // Writes output message to the output file and to a console screen.
> > >                 Trace.WriteLine(DateTime.Now.ToLongTimeString() + " - Service starting...");
> > >
> > >                 myHost.Open();
> > >
> > >                 Trace.WriteLine("state = " + myHost.State);
> > >
> > >                 // Flush and close the output file.
> > >                 Trace.Flush();
> > >                 TextListener1.Flush();
> > >                 TextListener1.Close();
> > >             }
> > >             catch (Exception e)
> > >             {
> > >                 Console.WriteLine("Message: {0}", e.Message);
> > >             }
> > >         }
> > >     }
> > > }
> > >
> > > and the Client is:
> > >
> > > using System;
> > > using System.Security.Cryptography.X509Certificates;
> > > using System.ServiceModel;
> > >
> > > namespace PreprocessingClient
> > > {
> > >     class Program
> > >     {
> > >         static void Main(string[] args)
> > >         {
> > >             Console.WriteLine("**** Preprocessing Client ****");
> > >             EndpointAddress address = new EndpointAddress("http://localhost:8080/PreprocessingService");
> > >             WSHttpBinding binding = new WSHttpBinding();
> > >             binding.MaxBufferPoolSize = 200000000;
> > >             binding.MaxReceivedMessageSize = 200000000;
> > >             ChannelFactory<IPreprocess> cf = new ChannelFactory<IPreprocess>(binding, address);
> > >             cf.Credentials.ClientCertificate.SetCertificate(
> > >                 StoreLocation.LocalMachine, StoreName.My,
> > >                 X509FindType.FindBySubjectName, "WCFUser");
> > >             cf.Credentials.ServiceCertificate.SetDefaultCertificate(
> > >                 StoreLocation.LocalMachine, StoreName.My,
> > >                 X509FindType.FindBySubjectName, "windowshost");
> > >             IPreprocess proxy = cf.CreateChannel();
> > >             // PreprocessClient proxy = new PreprocessClient();
> > >             // proxy.Open(); // open the client's proxy
> > >
> > >             proxy.EnableMatGui(false);
> > >         }
> > >     }
> > > }
> > >
> > > The app.config for the client is:
> > >
> > > <?xml version="1.0" encoding="utf-8" ?>
> > > <configuration>
> > >     <system.serviceModel>
> > >         <bindings>
> > >             <wsHttpBinding>
> > >                 <binding name="WSHttpBinding_IPreprocess"
> > >                          closeTimeout="00:01:00"
> > >                          openTimeout="00:01:00" receiveTimeout="00:10:00"
> > >                          sendTimeout="00:40:00"
> > >                          bypassProxyOnLocal="false" transactionFlow="false"
> > >                          hostNameComparisonMode="StrongWildcard"
> > >                          maxBufferPoolSize="200000000"
> > >                          maxReceivedMessageSize="20000000"
> > >                          messageEncoding="Text" textEncoding="utf-8"
> > >                          useDefaultWebProxy="true"
> > >                          allowCookies="false">
> > >                     <readerQuotas maxDepth="32"
> > >                                   maxStringContentLength="8192" maxArrayLength="16384"
> > >                                   maxBytesPerRead="4096"
> > >                                   maxNameTableCharCount="16384" />
> > >                     <reliableSession ordered="true"
> > >                                      inactivityTimeout="00:10:00"
> > >                                      enabled="false" />
> > >                     <security mode="Message">
> > >                         <transport clientCredentialType="Windows"
> > >                                    proxyCredentialType="None"
> > >                                    realm="" />
> > >                         <message clientCredentialType="Certificate"
> > >                                  negotiateServiceCredential="true"
> > >                                  algorithmSuite="Default"
> > >                                  establishSecurityContext="true" />
> > >                     </security>
> > >                 </binding>
> > >             </wsHttpBinding>
> > >         </bindings>
> > >         <client>
> > >             <endpoint address="http://localhost:8080/PreprocessingService"