Re: Both security mode with WSHttpBinding?



Thanks Steven,

I've been scouring the WCF Security Guide.

p.89 says: "The following security modes are available across the standard
bindings."

but then p. 99 says about "Both security": "Note that this is not a common
scenario, and only bindings that support the Microsoft Message Queuing
(MSMQ) protocol support this security mode."

p. 126 says: "In WCF, you have two primary choices for providing security:
either you provide the transfer security on the transport level, or on the
message level"
p. 127 table claims: "... This is far more than is needed in most
scenarios."

Unfortunately we are not creating the server, we must act as a client to
interoperate with the system created by the USDOL. Even though this may be
far more than is needed in most scenarios, we can't make that decision.
So far we are the only state that is at the point of implementation testing
that is using a Microsoft platform. All of the states that are implementing
on various Java platforms are not running into this problem.

In our initial development we were not able to configure WCF to encrypt only
the content of an element inside the payload. We were able to have them
change to encrypting the entire content of the body, but when they moved
their development URL to an HTTPS transport, we can't get the message to
encrypt at all.

At this point any option that will work would be welcome.

Thanks!
Dave

"Steven Cheng" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:1oT8MB7mJHA.3864@xxxxxxxxxxxxxxxxxxxxxxxxx
Hi Dave,

Nice to hear from you again.

Regarding the issue you described, my understanding is that you want to
establish a binding which will support both transport security via HTTPS/SSL
and message layer security (like those default ones supported by
wsHttpBinding), correct?

Based on my understanding, for those built-in predefined bindings (such as
basicHttp or wsHttp...), it is not quite easy to change the binding
stack (for security related ones). My first thought is to define a custom
Binding which manually adopts the https transport channel and message layer
security binding elements. Here is what I've tried in my service:

========customBinding which uses both message and transport
security========

<customBinding>
  <binding name="sslWSBinding">
    <!-- message-layer security: username token secured with the service certificate -->
    <security authenticationMode="UserNameForCertificate">
      <localClientSettings maxClockSkew="00:30:00"/>
      <localServiceSettings maxClockSkew="00:30:00"/>
    </security>
    <!-- text encoding; the closing '>' of this start tag was missing in the post -->
    <textMessageEncoding messageVersion="Soap11">
    </textMessageEncoding>
    <!-- transport-layer security: HTTPS with anonymous HTTP authentication -->
    <httpsTransport requireClientCertificate="false"
                    authenticationScheme="Anonymous" />
  </binding>
</customBinding>
==============================================

As you can see, I added "httpsTransport" to enable https at the transport
layer, and "UserNameForCertificate" to enable username+certificate
authentication security at the message layer. However, at runtime, when I view
the WSDL metadata page, it reports the following error:


========Exception from wcf security policy generation=========

An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true,
whose value is:
System.InvalidOperationException: An exception was thrown in a call to a
policy export extension.
Extension: System.ServiceModel.Channels.SymmetricSecurityBindingElement
Error: Security policy export failed. The binding contains both a
SymmetricSecurityBindingElement and a secure transport binding element.
Policy export for such a binding is not supported. ---->
System.InvalidOperationException: Security policy export failed. The
binding contains both a SymmetricSecurityBindingElement and a secure
transport binding element. Policy export for such a binding is not
supported.
......................

=====================

I think this probably means a binding with security at both layers is not
supported with the current WCF bindings. Meanwhile, I'll try performing
some further research to see whether there is anything else we can try;
I'll update you if I get any new info.


Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@xxxxxxxxxxxxxx

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

Note: MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 2 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions. Issues of this
nature are best handled working with a dedicated Microsoft Support
Engineer
by contacting Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.

--------------------
From: "Dave Gustafson" <msnews08@xxxxxxxxxxxxx>
Subject: Both security mode with WSHttpBinding?
Date: Mon, 2 Mar 2009 13:59:33 -0700

Is there any way to create a WCF client that can accomplish the effect of
the "Both" security mode with WSHttpBinding?
We need to create a client that will connect to a service that requires SSL
transport, signing, and message encryption.
The service is built on Java using the Spring framework, and we have been
unable to configure a WCF client that can interoperate.
It appears that NetMsmqSecurityMode is the only enum that offers the "Both"
transfer mode...
Any help on how we can configure our client would be appreciated.
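The following is an added example, not code from either poster. It builds in C# the same binding stack that Steven's posted <customBinding name="sslWSBinding"> describes (message-layer UserNameForCertificate security, SOAP 1.1 text encoding, HTTPS transport), and adds a small check that inspects a binding's element stack for the pairing the quoted exception rejects: a message-layer SecurityBindingElement together with a secure (HTTPS) transport. The class name BothModeCheck and the helper names are assumptions of this example; the WCF types and methods used (CustomBinding, SecurityBindingElement.CreateUserNameForCertificateBindingElement, HttpsTransportBindingElement, BindingElementCollection.Find) are standard System.ServiceModel APIs.

```csharp
// Added example (not code from this thread). Builds the posted sslWSBinding
// stack in code and checks it for the message-security + HTTPS-transport
// combination that WCF's security policy export reports as unsupported.
// Requires a reference to System.ServiceModel.dll (.NET Framework).
using System;
using System.Net;
using System.ServiceModel.Channels;

public static class BothModeCheck   // hypothetical class name
{
    // Same stack as the posted config, element for element:
    // message security (UserNameForCertificate), SOAP 1.1 text encoding,
    // HTTPS transport with anonymous HTTP authentication.
    public static CustomBinding BuildSslWsBinding()
    {
        SymmetricSecurityBindingElement security =
            SecurityBindingElement.CreateUserNameForCertificateBindingElement();
        security.LocalClientSettings.MaxClockSkew = TimeSpan.FromMinutes(30);
        security.LocalServiceSettings.MaxClockSkew = TimeSpan.FromMinutes(30);

        var encoding = new TextMessageEncodingBindingElement
        {
            MessageVersion = MessageVersion.Soap11
        };

        var transport = new HttpsTransportBindingElement
        {
            RequireClientCertificate = false,
            AuthenticationScheme = AuthenticationSchemes.Anonymous
        };

        // Element order matters in a CustomBinding: security, encoding, transport.
        return new CustomBinding(security, encoding, transport) { Name = "sslWSBinding" };
    }

    // Returns an explanation if the binding pairs a message-layer
    // SecurityBindingElement with an HTTPS transport (the pairing named in the
    // quoted "Security policy export failed" error), otherwise null.
    // Hypothetical helper; run it before publishing metadata for a custom stack.
    public static string FindUnsupportedCombination(Binding binding)
    {
        BindingElementCollection elements = binding.CreateBindingElements();
        SecurityBindingElement messageSecurity = elements.Find<SecurityBindingElement>();
        TransportBindingElement transport = elements.Find<TransportBindingElement>();

        if (messageSecurity != null && transport is HttpsTransportBindingElement)
        {
            return string.Format(
                "Binding '{0}' combines {1} with {2}; WCF cannot export security policy for this stack.",
                binding.Name, messageSecurity.GetType().Name, transport.GetType().Name);
        }
        return null;
    }

    public static void Main()
    {
        CustomBinding binding = BuildSslWsBinding();
        string problem = FindUnsupportedCombination(binding);
        Console.WriteLine(problem ?? "No unsupported security combination found.");
    }
}
```

The check mirrors what WCF itself reports at metadata export time, but catches it in code before the service or client is deployed; it does not make the combination work, which is the conclusion the thread reaches.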