Hi,
I have run into a total showstopper on using forms authentication over SSL with Silverlight on WCF.

The problem is that when using https then it seems the authentication cookie is either lost or never sent after the inital log in (after a successful logon then subsequent service calls which are configured to require authentication will fail due to the user not being authenticated - and this same configuration works well for regular http).

Another strange thing as well - I am not able to use Add Service Reference from Silverlight on https.

Specifically, when I check https://www.gamersworldmap.com/GWMServer/Game.svc
then it says that meta information is available at
svcutil.exe https://eweb702.dotnetplayground.com/GWMServer/Game.svc?wsdl

i.e., it seems that https://www.gamersworldmap.com is somehow an alias to https://eweb702.dotnetplayground.com - and that could I guess explain the problems with not sending the authentication ticket on requests after log in.

I asked discountASP.net support about this but just said this had to do with my application configuration. However - I have been trawling the net for some time now and I see no trace of any others having a similar problem - my configuration is also quite "plain" and by the book.

Thus - have any of you used forms authentication with SSL and Silverlight (I have the free Rapid certificate from discountASP.net) and made it work?

Thanks in advance!

Best regards
--Egil

Wow, this is a tough one for sure.
Most of us do use all three of those technologies, at least to help others here.
As you noted using them all together can be tough.

I think the first thing that will get recommended is your own Machine Key.
Have you done that yet?

And the best place to get a ton of really sharp help may be here: http://stackoverflow.com/

You'll find most of the Devs there very knowledgeable.

Sorry I can't nail this for you.
All the best,
Mark

..have any of you used forms authentication with SSL and Silverlight (I have the free Rapid certificate from discountASP.net) and made it work?
Here's a sample application I developed a while back.
http://www.jjssoftware.co.uk/securedwcf.aspx
It:

Is a Silverlight application
Introduces client side forms authentication / application services
Is hosted on the DASP web server over SSL (RapidSSL) and you can execute the application to see it working
Demonstrates how to restrict access to a WCF service to only authenticated users
Includes full downloadable source code

If you run this hosted sample and login, you'll see the login session is maintained across postbacks / page refreshes so there's no lost cookie problem / logon session here. I'm not sure what problem you've run into but this sample app does seem to meet all of the requirements you mentioned ;-)

...Ooooo spiffy. ;-)

Hi, and thanks for your replies - and a great sample application CrystalCMS.

I finally managed to fix the problem. That is, there were two different issues.
The alias issue was solved by migrating to .Net 4 and using the then supported config setting "multipleSiteBindingsEnabled='true'"; i.e.,

<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" >

which then made it possible to get meta-info in Add Service Reference in Silverlight. This was not a showstopper, but useful.

However, the showstopper was due to a bug in WCF (and it seems it has not been fixed by MS), but - eventually - I found what others have proposed as a solution, namely to add

<serviceAuthorization principalPermissionMode="None" />

The reason is that when using principalPermission declaratively for the services (which I find very pleasent and clean), then despite setting

Thread.CurrentPrincipal = HttpContext.Current.User;

in the constructor, the Thread.CurrentPrincipal is for some unknown and WCF bug reason set to null before the principalPermission check is made leading to a service not found error.

All in all - I simply do not have the time to get into every detail on WCF configuration for https, or WCF in general, but to me it seems like something of a nightmare...... The forms authentication framework is so easy and pleasent to use so I really cannot understand why MS cannot come up with some easy alternative configurations for "plain" applications like my own - I am really not trying to do anything fancy :-)

Anyway - thanks again!

Best regards
--Egil