I have a WPF client app that uses WCF web services. We are attempting to install into our Data Center but want to use SSL for the web services. I have found articles on how to install this configuration. My understanding is that you are required, as one of the steps, to execute makecert.exe and certmgr.exe (as per this article: http://msdn.microsoft.com/en-us/library/ms751516.aspx).

Currently when I execute my code and config file, I get the following error. This appears to be telling me that my code is correct, but that the server and client don't yet share the same certificate. Is there anything I may be missing here?

{"An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail."}
    [System.ServiceModel.Security.MessageSecurityException]: {"An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail."}
    Data: {System.Collections.ListDictionaryInternal}
    HelpLink: null
    InnerException: {"An error occurred when verifying security for the message."}
    Message: "An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail."
    Source: "mscorlib"
    StackTrace: "\r\nServer stack trace: \r\n   at System.Runtime.AsyncResult.End[TAsyncResult](IAsyncResult result)\r\n   at System.ServiceModel.Channels.ServiceChannel.SendAsyncResult.End(SendAsyncResult result)\r\n   at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result)\r\n   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeEndService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)\r\n   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)\r\n\r\nException rethrown at [0]: \r\n   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)\r\n   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)\r\n   at Agilysys.BI.Client.Core.Security.ISecurity.EndLogin(IAsyncResult result)\r\n   at Agilysys.BI.Client.Core.Security.SecurityClient.EndLogin(IAsyncResult result) in Z:\\Projects\\BI\\Infrastructure\\Main\\Client\\Core\\Service References\\Security\\Reference.cs:line 2586\r\n   at Agilysys.BI.Client.Core.Security.SecurityClient.OnEndLogin(IAsyncResult result) in Z:\\Projects\\BI\\Infrastructure\\Main\\Client\\Core\\Service References\\Security\\Reference.cs:line 2594\r\n   at System.ServiceModel.ClientBase`1.OnAsyncCallCompleted(IAsyncResult result)"
    TargetSite: {Void HandleReturnMessage(System.Runtime.Remoting.Messaging.IMessage, System.Runtime.Remoting.Messaging.IMessage)}
Updated 16-May-12 20:49pm

What Microsoft does not make clear is that you cannot use private certificates for authentication on an SSL connection. As I recall (my memory is foggy) there are two steps to the deployment. The first is defining to IIS and for that you can use a private certificate (using makecert). For authentication outside of a testing environment you must use a public certificate acquired from a certificate authority. You cannot be your own authority when deploying to a production environment.

There are also a few other gotchas you'll encounter. The articles make it sound easy but SSL on WCF is one of the hardest deployments possible.
 
 
I had spoken with a coworker and they mentioned that I would not want client certificate for this implementation. So, I reverted my code. The error I am getting is:
[System.ServiceModel.EndpointNotFoundException]: {"There was no endpoint listening at https://[domain.com]/WebServices/Core/Security.svc/Username that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details."}
Data: {System.Collections.ListDictionaryInternal}
HelpLink: null
InnerException: {"The remote server returned an error: (404) Not Found."}
Message: "There was no endpoint listening at https://[domain.com]/WebServices/Core/Security.svc/Username that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details."
Source: "mscorlib"


When I try to execute the svcutil.exe on the wsdl, I get the same error above.
When I look at the https://[domain.com]/WebServices/Core/Security.svc?wsdl in a browser, instead of the WSDL content, I get instructions to execute the svcutil.exe but the link that appears is http://[domain.com]/WebServices/Core/Security.svc?wsdl, not SSL protocol. It appears there is a redirection to port 80.
 
 
You cannot have an HTTPS address for your WCF service without a client certificate. Without the certificate you are bound to http as your protocol.

An alternative approach is to devise a scheme where the client computes a token and embeds the token in the header of the message. Then you write handlers that intercept the message in the WCF stack and accept or deny the message based on the presence of a valid token. This immediately kills all messages sent to you without a token in the header.
 
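A sketch of the token-in-header scheme described in the answer above, written with WCF message inspectors; it is an added example, not code from the thread. The class name, header name and namespace, the HMAC-SHA256 token format and the 300-second freshness window are assumptions, as is a shared secret provisioned to both sides out of band.

```csharp
using System;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Dispatcher;
using System.Text;
// Hypothetical names throughout (class, header name, namespace).
public class TokenInspector : IClientMessageInspector, IDispatchMessageInspector
{
    const string Name = "AuthToken", Ns = "urn:example:auth";
    readonly byte[] key;   // shared secret, provisioned out of band (assumption)
    public TokenInspector(byte[] key) { this.key = key; }
    static long Now() { return (long)(DateTime.UtcNow - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds; }
    // Token = "<unix seconds>.<base64 HMAC-SHA256 over 'seconds|action'>"; the body is not covered.
    public string Compute(long seconds, string action)
    {
        using (var hmac = new HMACSHA256(key))
            return seconds + "." + Convert.ToBase64String(
                hmac.ComputeHash(Encoding.UTF8.GetBytes(seconds + "|" + action)));
    }
    public bool IsValid(string token, string action)
    {
        long ts;
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2 || !long.TryParse(parts[0], out ts)) return false;
        if (Math.Abs(Now() - ts) > 300) return false;   // stale or future-dated
        string expected = Compute(ts, action);
        int diff = expected.Length ^ token.Length;      // compare without early exit
        for (int i = 0; i < expected.Length && i < token.Length; i++) diff |= expected[i] ^ token[i];
        return diff == 0;
    }
    // Client side: compute the token and embed it in a SOAP header.
    public object BeforeSendRequest(ref Message request, IClientChannel channel)
    {
        string token = Compute(Now(), request.Headers.Action);
        request.Headers.Add(MessageHeader.CreateHeader(Name, Ns, token));
        return null;
    }
    // Service side: reject the message before any operation runs.
    public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext ctx)
    {
        int i = request.Headers.FindHeader(Name, Ns);
        if (i < 0 || !IsValid(request.Headers.GetHeader<string>(i), request.Headers.Action))
            throw new FaultException("Missing or invalid token.");
        return null;
    }
    public void AfterReceiveReply(ref Message reply, object correlationState) { }
    public void BeforeSendReply(ref Message reply, object correlationState) { }
}
```

The inspector is attached through an `IEndpointBehavior`: add it to `clientRuntime.MessageInspectors` in `ApplyClientBehavior` and to `endpointDispatcher.DispatchRuntime.MessageInspectors` in `ApplyDispatchBehavior`. A token of this shape can be replayed inside the freshness window and does nothing to hide the message contents, so it authenticates the sender only.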
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


