WCF username and password authenticated service

Discussion in 'ASP.NET WebServices' started by snge, Jun 1, 2010.

  1. Hi,

    I'm creating a WCF service hosted on Discountasp.net. I'm a little new to WCF. I have been playing around with WCF for a while now. I have a couple of questions:

    1) To host a username and password authenticated WCF on discountasp, do I need to have/do certificates, because all WCF authentication seems to require certificates?

    2) Do I have to have SSL certificate (I need to buy) to do authenticated WCF on discountasp?

    3) If I need some kind of certificate, do I have to buy one (expensive) or can I use a self-generated(?) certificate? I don't need to use a certificate for the authentication for now.

    4) Do I need to follow the instruction on running WCF on discountasp.net like the "factory" stuff instruction posted on a different forum thread?

    I'm basically creating a WCF username and password authenticated service (from the database table) and the user runs the application by logging in. The thing that really confuses me is the whole "certificate" thing that keeps popping up on the internet. I don't need to do any certificate if possible on the service for now.

    Any help is appreciated.
     
  2. You don't need to go the certificate route for WCF security and there are a few different ways to implement security in WCF that I know of.

    Here's one:
    Implement WCF services in asp.net compatibility mode combined with forms authentication. In most cases (at least for public networks) an ssl certificate is required to securely implement forms authentication, otherwise there will be a security hole in the application.

    Once this is working, implement a custom WCF ServiceAuthorizationManager class to check access in there, and then you can be sure that only authenticated users get access to the service layer.

    If you like the sound of this, let me know and I'll post some sample code.
     
  3. I need help too.

    OK I need help too. Here is what I did:

    1) I took a look at this WCF video tutorial, 2 minutes long. Very simple, very nice: http://wcfsecurity.codeplex.com/wik...from Windows Forms&referringTitle=Video Index (two-minute video on basicHttpBinding and using SSL certificates) [“Video: How To - Use basicHttpBinding with Certificate Authentication from Windows Forms. In this video, you will see how to use basicHttpBinding with certificate authentication in WCF, when calling WCF Service from a Windows Forms client.”]

    2) I took a look at this blog post, which seems to be an extension of 1), in that he also uses a custom "Validation Class", see here:

    http://blogs.infosupport.com/blogs/...me-and-password-authentication-mechanism.aspx

    (it seems to me that the only difference between 2) and 1) is that in 1) every message to and from your web method is encrypted, while for 2) you first need to 'log on' with a password, then every message to and from your web service is encrypted. Please correct me if I'm wrong).

    3) I bought an SSL certificate from DiscountASP.net just now for about $60. I need to complete some steps, according to an email I just got. But once I complete these steps how do I use this certificate? Where do I put it? In my root directory? Below is some info.

    Background: I have programmed in ASP.NET using localhost, but for the most part I program now in Silverlight, using web services and web methods (WCF SOAP) that I upload onto DiscountASP.net (DASP). I have had no problems with these web services/methods, but I understand they are public methods. I'd like to make them private. Hence the SSL solution I just bought. Now, having gone through the video at 1), it seems very simple to do--just change a few attributes in your .config file(s) after you copy an SSL file (certificate) onto your root directory, right? But now with more information from DASP I'm starting to get confused--maybe it's not so simple? For example (one of many questions reeling through my head at the moment): what's this talk about a subdomain? Are https type URLs somehow part of a subdirectory to your root? Should I store all files/folders dealing with web services that are SSL secure in this/these subdomain/subdirectory/subfolders? What's this all about?


    Any help appreciated. I will check this post in about two days time...

    Even a word of encouragement such as 'you are on the right track' is welcome.

    PJ

    Message from DASP after I bought my SSL certificate (and I need to verify I'm an actual person, which I will do):

    What you must do now:

    1. Log in to the Control Panel SSL Manager and submit your Organization Information.

    2. Using the Organization information, we will generate a CSR* and send it to you, along with web server information. You will need the CSR and web server information to apply for an SSL certificate.

    IMPORTANT NOTE: To ensure the widest possible browser compatibility, we strongly recommend that you purchase a "single root" certificate. Please see our list of recommended certificate providers for more information.

    3. When the SSL application is approved, you will receive your SSL certificate from the provider. Go to the Control Panel SSL Manager and submit the SSL Certificate.

    Your Unique IP/Unlimited Subdomain add-on has been processed.

    Your new IP address is 9x.3x.4x.xxx

    <subdomain>.yourdomain.com will now resolve to the above IP address.

    To learn how to programmatically redirect subdomains to different subdirectories, please review this Knowledge Base article.

    See the billing summary in the control panel for billing details.

    Note: If you ordered the personal SSL add-on, this Unique IP/Unlimited Subdomain bundle is a required part of that service. [WHY?]

    Thank you for hosting with DiscountASP.NET.

    DiscountASP.
     
  4. Does anybody have a web.config file that was successful?

    I'm now looking for a web.config and/or app.config file(s) for any basicHttpBinding (since this kind of binding is used in Silverlight) that shows the "<security mode>" attribute or "<serviceCredentials>".

    Anybody have one? Any code that does WCF Configuration in a secure way (using SSL) is appreciated. Please refer to the short 2:30 minute video I referenced in my previous post for more details (it appears at the 1 minute mark in the video).

    For example, I assume somebody at DASP (as per the video at 1:22') will do the makecert.exe command?
     
  5. Reward offered

    I'm upping the ante! Anybody who can give me examples of successful client config files (app.config, web.config, etc.) where WCF basicHttpBinding worked using SSL certificates, I will mention them in a referral when getting a second DASP domain name (since I'm planning to get one for my Visual Studio 2010 development, as I'm presently using VS 2008 and they don't play well together on the same domain).
     
  6. @CrystalCMS

    CrystalCMS, where are you? :) Can you provide me with some config files showing basicHttpBinding and SSL? Also confirm that somebody at DASP will do a makecert and/or make the certificate 'work' on your site, once I sign up for it...
     
  7. I'm sorry but I don't have Silverlight+WCF sample code working in the DASP environment with the setup you describe (SSL & basicHttpBinding). I do have a Silverlight+WCF application running over SSL using wsHttpBinding on local IIS7 servers, but just not on DASP. I suppose I need to run some tests in the DASP environment myself but unfortunately I don't have the time at the moment.

    I'm happy to post the contents of my <system.serviceModel> sections from my web.config and ServiceReferences.ClientConfig files from my local application into this thread but I can't say this type of setup will definitely work on the DASP servers without some further tweaks. So long as you're happy with this disclaimer, just let me know if you still want it ;-)
     
  8. Joe, please do upload code!

    Yes, please, do upload your code. If I have any problems I always like to look at similar or analogous code, and IIS is probably close enough to DASP's servers (if not identical) so the code would be useful.

    I'll check this thread in a few days...

    Thank you!
     
  9. Thanks Joe ;-)

    PJ...There have been multiple Microsoft articles about this over the past week.
    Want me to post some links or will Joe's example do it?
    All the best,
    Mark
     
  10. Ok here goes.
    This is from the web application root web.config:
    Code:
    <system.serviceModel>
    	<behaviors>
    		<serviceBehaviors>
    			<behavior name="ASPNETHostedSilverlightBehaviour">
    				<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>
    				<serviceDebug includeExceptionDetailInFaults="true"/>
    				<serviceAuthorization serviceAuthorizationManagerType="EPLC.Framework.Common.Application.HttpContextUserAuthorizationManager, EPLC.Framework.Common.Application, Version=1.0.0.0, Culture=neutral, PublicKeyToken=9562d862bc31f1fe"/>
    			</behavior>
    		</serviceBehaviors>
    	</behaviors>
    	<bindings>
    		<wsHttpBinding>
    			<binding name="SilverlightWSHttpBinding" bypassProxyOnLocal="true" allowCookies="true">
    				<security mode="Transport">
    					<transport clientCredentialType="None"/>
    					<message clientCredentialType="None"/>
    				</security>
    			</binding>
    		</wsHttpBinding>
    	</bindings>
    	<serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
    	<services>
    		<service behaviorConfiguration="ASPNETHostedSilverlightBehaviour" name="EPLC.PlanningManagement.Services.UtilsPlanningManagementService">
    			<endpoint address="" behaviorConfiguration="" binding="wsHttpBinding" bindingConfiguration="SilverlightWSHttpBinding" contract="EPLC.PlanningManagement.Services.IPlanningManagementService"/>
    		</service>
    	</services>
    </system.serviceModel>
    This is from the SL application's ServiceReferences.ClientConfig:
    Code:
    <system.serviceModel>
    	<bindings>
    		<customBinding>
    			<binding name="WSHttpBinding_IPlanningManagementService">
    				<textMessageEncoding messageVersion="Default" writeEncoding="utf-8"/>
    				<httpsTransport maxReceivedMessageSize="2147483647" maxBufferSize="2147483647">
    					<extendedProtectionPolicy policyEnforcement="Never"/>
    				</httpsTransport>
    			</binding>
    		</customBinding>
    	</bindings>
    	<client>
    		<endpoint address="https://a_censored_domain/UtilsPlanningManagementService.svc" binding="customBinding" bindingConfiguration="WSHttpBinding_IPlanningManagementService" contract="PlanningManagementService.IPlanningManagementService" name="WSHttpBinding_IPlanningManagementService"/>
    	</client>
    </system.serviceModel>
    
    As you can see I'm not doing anything with client credential passing in the message (clientCredentialType="None" in this example) because this application relies on forms authentication and the fact that the web application <serviceHostingEnvironment> is configured to run in ASP.NET compatibility mode. This means that I can enforce the rule that only authenticated users can call WCF service methods through the implementation of a custom WCF serviceAuthorizationManagerType class.

    If you're interested to see how the HttpContextUserAuthorizationManager serviceAuthorizationManagerType class is implemented, I can post that too.

    This might not be exactly what you're looking for, but I hope it makes sense.
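    The HttpContextUserAuthorizationManager class named in the web.config above is not posted in the thread. The following is an added illustration, not Joe's code and not from the EPLC assembly his config refers to, of what a ServiceAuthorizationManager of that kind looks like when it trusts the forms-authentication ticket that ASP.NET compatibility mode exposes to WCF; it also covers the approach sketched in post #2. The namespace, the assembly name in the comment and the one-operation contract are assumptions made for the example.

```csharp
using System;
using System.Diagnostics;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.Web;

// Hypothetical namespace; register the class in web.config as
//   <serviceAuthorization serviceAuthorizationManagerType="Example.Security.HttpContextUserAuthorizationManager, ExampleAssembly"/>
// It only works together with <serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>,
// because that is what makes HttpContext.Current (and so the forms-authentication ticket) visible inside WCF.
namespace Example.Security
{
    public class HttpContextUserAuthorizationManager : ServiceAuthorizationManager
    {
        protected override bool CheckAccessCore(OperationContext operationContext)
        {
            // Keep whatever the base class enforces (declarative authorization policies, if any).
            if (!base.CheckAccessCore(operationContext))
            {
                return false;
            }

            HttpContext http = HttpContext.Current;
            string action = operationContext.IncomingMessageHeaders.Action;

            // No HttpContext means compatibility mode is off or misconfigured. Fail closed:
            // returning false makes WCF answer with an access-denied fault instead of running the operation.
            if (http == null || http.User == null || http.User.Identity == null)
            {
                Trace.TraceWarning("No HttpContext for action {0}; denying.", action);
                return false;
            }

            if (!http.User.Identity.IsAuthenticated)
            {
                // Rejected anonymous calls are worth logging: a burst of them against one
                // action is the kind of probing a defender wants to notice.
                Trace.TraceWarning("Anonymous call to {0} from {1} denied.", action, http.Request.UserHostAddress);
                return false;
            }

            return true;
        }
    }

    [ServiceContract]
    public interface IPlanningManagementService
    {
        [OperationContract]
        string WhoAmI();
    }

    // The service class must opt in to compatibility mode as well; with aspNetCompatibilityEnabled="true"
    // in web.config a service without this attribute fails to activate.
    [AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
    public class PlanningManagementService : IPlanningManagementService
    {
        public string WhoAmI()
        {
            // The authorization manager has already checked the forms ticket by the time this runs,
            // so the name comes from the server-side ticket, not from anything the client put in the message.
            return HttpContext.Current.User.Identity.Name;
        }
    }
}
```

    Because the check happens in the authorization manager, every operation on every endpoint of the service is covered without per-method code; the trade-off is that the forms-authentication cookie itself is the credential, which is why the thread's advice to keep the endpoint on HTTPS (security mode="Transport") applies to this design too.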
     
  11. Yes, help, thank you!

    Hi CrystalCMS.

    I'm at wit's end with trying to get https to work using this example from Alex van Beek's blog: http://tinyurl.com/22ue3wm . I have successfully done many SOAP web service programs using Visual Studio 2008 and Silverlight, where I publish the service on DASP, see here: http://community.discountasp.net/showthread.php?t=7719

    I almost made Alex van Beek's example work, but I have a problem that I think you or somebody here can help me with.

    First, I get a warning "I" (see note 1 below), and I think I figured out why: somehow my two files, the 'clientaccesspolicy.xml' file and the 'crossdomain.xml' file (see note 2 below), are not in my virtual https directory, called "MYNAMEprogramming.com".

    About three weeks ago, I bought an https certificate (SSL secure certificate) from DASP by a company called RapidSSL. DASP set up some sort of virtual directory -- MYNAMEprogramming.com -- that mirrors my 'regular' DASP directory, which is http://MYCOMPANY.web707.discountasp.net/

    But did they copy these two vital .xml files from note 2 below? Or do I do that? And how? One clue: when I add a Service Reference from Visual Studio 2008 in my client app, that attempts to reference the server-side web service (in this case found in my directory:/WebSiteHelloSecureB2/WcfService1.svc) I get the warning: "An error occurred while trying to make a request to URI 'https://web707.dotnetplayground.com/WebSiteHelloSecureB2/WcfService1.svc'. This could be due to attempting to access a service in a cross-domain way without a proper cross-domain policy in place, or a policy that is unsuitable for SOAP services. You may need to contact the owner of the service to publish a cross-domain policy file and to ensure it allows SOAP-related HTTP headers to be sent. This error may also be caused by using internal types in the web service proxy without using the InternalsVisibleToAttribute attribute. Please see the inner exception for more details."

    This is a clue that perhaps these two files are not present.

    A further clue is found in the ServiceReferences.clientconfig file, note 3 below, which is automatically generated by the VS wizard when I "update service reference", and it references an obscure website name: "https://web707.dotnetplayground.com"

    What is this? Do I need to somehow add .xml policy files to this website? Apparently this dotnetplayground.com is somehow related to https.

    I tried various variations, and nothing works.

    Below are my two files, ServiceReferences.ClientConfig and Web.config, from one version (I have six different versions, various tweaks)--see Note 4 below.

    Keep in mind I am running the client locally using Visual Studio 2008 'localhost', yet my SOAP web service is at DASP. Should I be doing something else?

    I will, after posting this, try one more thing: adding a section from van Beek's blog:
    <host>
    	<baseAddresses>
    		<add baseAddress="https://localhost"/>
    	</baseAddresses>
    </host>

    But I doubt this works. My hunch: something needs to be done at the DiscountASP.net end--perhaps when they set up this virtual Https directory they did not add the vital .xml cross-domain policy file?

    Any help appreciated. I've about given up hope on this, and thinking of trying this secure web services stuff at the Azure site (virtually) rather than struggling here...

    PJ


    Notes:
    Warning "I": Warning 1 Could not locate cross-domain policy at 'web707.dotnetplayground.com': Web services might not be accessible at runtime by your Silverlight application. For more details please contact the web server administrator or press F1 after selecting this warning


    Note 2: the 'clientaccesspolicy.xml' file:
    <?xml version="1.0" encoding="utf-8" ?>
    <access-policy>
    	<cross-domain-access>
    		<policy>
    			<allow-from http-request-headers="*">
    				<domain uri="*" />
    			</allow-from>
    			<grant-to>
    				<resource path="/" include-subpaths="true" />
    			</grant-to>
    		</policy>
    	</cross-domain-access>
    </access-policy>

    the 'crossdomain.xml' file:
    <?xml version="1.0" encoding="utf-8" ?>
    <access-policy>
    	<cross-domain-access>
    		<policy>
    			<allow-from http-request-headers="*">
    				<domain uri="*" />
    			</allow-from>
    			<grant-to>
    				<resource path="/" include-subpaths="true" />
    			</grant-to>
    		</policy>
    	</cross-domain-access>
    </access-policy>

    Note 3: ServiceReferences.ClientConfig file (generated by VS 2008 Wizard)

    <configuration>
    	<system.serviceModel>
    		<bindings>
    			<basicHttpBinding>
    				<binding name="BasicHttpBinding_IService1" maxBufferSize="2147483647"
    					maxReceivedMessageSize="2147483647">
    					<security mode="TransportWithMessageCredential" />
    				</binding>
    			</basicHttpBinding>
    		</bindings>
    		<client>
    			<endpoint address="https://web707.dotnetplayground.com/WebSiteHelloSecureB5/WcfService1.svc"
    				binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IService1"
    				contract="ServiceReference1.IService1" name="BasicHttpBinding_IService1" />
    		</client>
    	</system.serviceModel>
    </configuration>

    *NOTE 4*

    for .ClientConfig file of the client, see above

    for Web.config file of the server-side web service (relevant portions only):

    <?xml version="1.0"?>
    <!--stuff deleted that's not important -->
    <configuration>
    	<system.serviceModel>
    		<services>
    			<service name="WcfService1.Service1" behaviorConfiguration="WcfService1.Service1Behavior">
    				<!-- Service Endpoints -->
    				<endpoint address="" binding="basicHttpBinding" bindingConfiguration="test" contract="WcfService1.IService1">
    					<!--
    					Upon deployment, the following identity element should be removed or replaced to reflect the
    					identity under which the deployed service runs. If removed, WCF will infer an appropriate identity
    					automatically.
    					-->
    				</endpoint>
    				<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
    			</service>
    		</services>

    		<serviceHostingEnvironment>
    			<baseAddressPrefixFilters>
    				<add prefix="http://MYNAMEprogramming.com"/>
    			</baseAddressPrefixFilters>
    		</serviceHostingEnvironment>

    		<bindings>
    			<basicHttpBinding>
    				<binding name="test">
    					<security mode="TransportWithMessageCredential">
    						<message clientCredentialType="UserName"/>
    					</security>
    				</binding>
    			</basicHttpBinding>
    		</bindings>

    		<behaviors>
    			<serviceBehaviors>
    				<behavior name="WcfService1.Service1Behavior">
    					<serviceMetadata/>
    					<serviceDebug includeExceptionDetailInFaults="false"/>
    					<serviceCredentials>
    						<userNameAuthentication userNamePasswordValidationMode="Custom"
    							customUserNamePasswordValidatorType="WcfService1.MyValidator, WcfService1"/>
    					</serviceCredentials>
    				</behavior>
    			</serviceBehaviors>
    		</behaviors>
    	</system.serviceModel>
    </configuration>
     
  12. help! about out of gas with this project...

    Sure enough, it did not work (or even run--I got a runtime error). One reason I cannot do localhost is that I don't have IIS configured with Administrator privileges. Instead, I simply publish the web services onto DASP, then get a ServiceReference from there for my local client, running under the Visual Studio built-in server. Once everything works, then I publish the client on DASP. In the past, this has worked fine for SOAP, but since I'm trying to experiment with https (SSL) and web services, following Alex van Beek's blog, I cannot get this to work.

    Really, all I'm trying to do is make running the backend WCF service of a Silverlight app secure, so that the web methods cannot be accessed except by authorized users. I hear perhaps Visual Studio 2010 and Silverlight might have some business methods that do that "automatically". And I understand, reading between the lines, there are several other ways of doing this in Visual Studio 2008 besides the van Beek blog way.

    Does anybody have any pointers?

    PJ
     
  13. clientaccesspolicy.xml / crossdomain.xml files will not be uploaded to your web space unless you upload them; it's not something DASP does for you, because these are application files that configure service access rules and are therefore the account owner's responsibility.

    I won't attempt to fault find your application because there are too many variables. As I implied in post #7 in this thread, if I had the time to develop a proof of concept to publish the code to the community I'd do it, but sorry, I can't at the moment.
     
  14. Workaround: use ASP.NET membership?!

    Thanks Joe, but it's not the .xml files at fault--they were uploaded. Though here's a question that will save me time: if I disable basic authentication on my 'original' website I got from DASP (http://MYFIRSTNAME.web707.discountasp.net), using the IIS7.0 application tool (that you download from Microsoft), then I get assigned (I buy) another website, "MYNAMEHERE.COM", do I have to disable basic authentication again? I think they are aliases, so no need to do this twice? I ask because I forget how I did this the first time (but I did it), it was on another machine, and I don't have the IIS7 tool on this machine (but I'm planning to, if I have to do it again). UPDATE: just checked it out, using this Knowledge Base link: https://support.discountasp.net/KB/a400/how-to-connect-to-windows-2008iis-7-using-microsoft.aspx and I'm OK with disabled basic authentication, but my 'Forms Authentication' is also disabled--should I enable this? Probably so...I will Google this...seems that you need to enable Forms Authentication to use Membership as discussed below, so I have.

    As for the original question workaround, I found a workaround--I think. I'm going to try using "Membership" with ASP.NET forms authentication with Silverlight in view of this article: http://blogs.msdn.com/b/brada/archi...-profile-and-role-service-in-silverlight.aspx

    There's one tiny (big?) problem however with this workaround: the tutorial article assumes you have control over your website and can run the WAP (WebSite Administration Tool, which is built into Visual Studio) (I think it's part of the IIS: from the web: "As discussed in Part 1 of this article series, the ASP.NET Website Administration Tool (AWAT) will happily create a SQL Server 2005 Express Edition database named ASPNETDB.MDF for you in your application's App_Data folder that has the tables, views, and stored procedures needed to implement all of the membership-related services."). But we users at DASP have no such control over this and/or the IIS, nor, to my knowledge, do we get a "free" SQL Server 2005 Express database--you have to pay for every database instantiation (I've paid for one for example).

    So, how do you set up ASP.NET forms authentication membership if you are a DASP customer with access to only one database (as myself)? One solution: just have a login page and code that encrypts password and login name to and from DASP (e.g. using AES or triple DES encryption) and stores these strings in the database that you have already paid DASP for, as a table. Do you agree? This is not easy or elegant but I'm not looking for elegant or easy, just something that works.

    So how to do the 'faster', 'cheaper' 'more elegant' way of Forms authentication aka membership? To answer this...I did some searching of this forum, and found this link: http://community.discountasp.net/showthread.php?t=7957 and from there, Wisemx's webcast at: http://iis7test.com/MembershipProvider/Default.aspx (going through it now...looks easy, but I have to install SQL Management Studio which this pc does not have, and it seems this webcast was for ASP 2.0, but I suppose it's still good for 3.5?)

    Also good: http://support.discountasp.net/KB/a...rshiproles-provider-to.aspx?KBSearchID=214913

    Do you have any general thoughts? Are other people having any problems with ASP.NET membership, or is this something very common at DASP? Which forum answers this? I will try and follow Wisemx / Mark's video...but any support or comments appreciated.

    PJ
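    The web.config in post #11 points WCF at a custom validator, WcfService1.MyValidator, that is never shown, and post #14 asks how to keep the credentials in the one database table you already pay for. The class below is an added example written for this thread (not PJ's code, and not taken from Alex van Beek's post) of a UserNamePasswordValidator backed by such a table: the table holds only a random salt and a PBKDF2 hash per user, so nothing in it decrypts back to the password. The in-memory dictionary is a constructed stand-in for the database rows, the sample user and password are made up, and the class is what the customUserNamePasswordValidatorType attribute would load. It still depends on the binding staying on TransportWithMessageCredential, since the UserName token travels inside the SOAP message and only HTTPS protects it on the wire.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;

namespace WcfService1
{
    // Loaded through customUserNamePasswordValidatorType="WcfService1.MyValidator, WcfService1".
    // WCF calls Validate() for every message carrying a UserName token; throwing rejects the call.
    public class MyValidator : UserNamePasswordValidator
    {
        private const int SaltLength = 16;      // bytes
        private const int HashLength = 32;      // bytes
        private const int Iterations = 10000;   // PBKDF2 work factor; raise as the server allows

        // One row of the credentials table: salt and hash columns, never the password itself.
        public sealed class UserRecord
        {
            public byte[] Salt;
            public byte[] Hash;
        }

        // Constructed in-memory stand-in for the database table so the class runs without one.
        private static readonly Dictionary<string, UserRecord> Users = BuildSampleStore();

        // Record hashed against when the user does not exist, so a miss costs the same time as a
        // wrong password and response timing does not reveal which usernames are valid.
        private static readonly UserRecord Decoy = CreateRecord("decoy-password-never-accepted");

        private static Dictionary<string, UserRecord> BuildSampleStore()
        {
            var store = new Dictionary<string, UserRecord>(StringComparer.Ordinal);
            store["alice"] = CreateRecord("correct horse battery staple");  // constructed sample user
            return store;
        }

        // What a sign-up or password-change page would run: fresh random salt, then PBKDF2(password, salt).
        public static UserRecord CreateRecord(string password)
        {
            byte[] salt = new byte[SaltLength];
            new RNGCryptoServiceProvider().GetBytes(salt);
            return new UserRecord { Salt = salt, Hash = Derive(password, salt) };
        }

        private static byte[] Derive(string password, byte[] salt)
        {
            Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, Iterations);
            return kdf.GetBytes(HashLength);
        }

        // Compare every byte regardless of where the first mismatch is.
        private static bool FixedTimeEquals(byte[] a, byte[] b)
        {
            if (a.Length != b.Length)
            {
                return false;
            }
            int diff = 0;
            for (int i = 0; i < a.Length; i++)
            {
                diff |= a[i] ^ b[i];
            }
            return diff == 0;
        }

        public override void Validate(string userName, string password)
        {
            if (userName == null || password == null)
            {
                throw new ArgumentNullException();
            }

            UserRecord record;
            bool known = Users.TryGetValue(userName, out record);
            UserRecord candidate = known ? record : Decoy;

            byte[] computed = Derive(password, candidate.Salt);
            bool match = FixedTimeEquals(computed, candidate.Hash);

            if (!known || !match)
            {
                // One generic message for both failure modes; WCF turns it into a security fault.
                throw new SecurityTokenException("Unknown username or incorrect password.");
            }
        }
    }
}
```

    With a real database, BuildSampleStore() becomes a lookup of the two columns by username; the rest of the class does not change. Failed validations surface on the client as a MessageSecurityException, which is also the signal to count server-side if you want to spot password guessing against the endpoint.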
     
  15. ...I wish I could help, honest, but I'd have to drop everything for a few weeks just to mess with this.

    I do need to re-visit the membership stuff on Win7 and ASP.NET v4.
    Should all still work but I have not tried.
    If I don't get with the SSRS Reporting webcasts Bruce will kick me. ;-)
     
  16. I use forms authentication and membership on DASP without any issues so you'll be fine with that.

    It looks like you're leaning towards the same solution I currently use for securing my publicly exposed WCF services (not on DASP but elsewhere). Remember #10 in this thread just after the config sample I pasted for you?:

    "..this application relies on forms authentication and the fact that the web application <serviceHostingEnvironment> is configured to run in ASP.NET compatibility mode...only authenticated users can call WCF service methods through the implementation of a custom WCF serviceAuthorizationManagerType class."
     
  17. If you're "Mark" I like your smooth delivery...just reviewed this webcast: http://iis7test.com/MembershipProvider/Default.aspx

    Good stuff here...as good as those guys at Channel 9!

    I've switched tacks, slightly: if you read this and have a pointer to how to *access* your SSL certificate (it's already set up at DASP; that is, how to configure the app.config file for 'serviceCredentials', and how to find the 'thumbprint' of your certificate), since I'm attempting to do these (related) tutorials (but not using localhost, rather using WPF (rather than Silverlight) with WCF, with the web method residing on DASP, not localhost): http://wcfsecurity.codeplex.com/wikipage?title=Video Index&ProjectName=wcfsecurity (see Video: How To - Use basicHttpBinding with Certificate Authentication from Windows Forms, and, Video: How To - Use WsHttpBinding with Certificate Authentication with Message Security. In this video, you will see how to create a WCF service using wsHttpBinding, with message security, and authenticated using a certificate.).

    and http://msdn.microsoft.com/en-us/library/ff648360.aspx

    Is there a FAQ on SSL certificates at DASP? For example, if you are the Administrator or User on localhost you can follow this procedure here to view the 'thumbprint' of your certificate: http://msdn.microsoft.com/en-us/library/ms788967.aspx , but, what if your SSL certificate is remote, like at DASP? Is the thumbprint something you can find out yourself remotely? Stuff like that...if it's in the Knowledge Base.

    Thanks and keep up the good work! This is a great site. I'm also doing Azure (cloud computing) stuff...which has its own special needs, but I like the control you get from running your own server, though as you know the devil is in the details and it can get quite frustrating at times.

    Yes, quite right. Same question to you that I posed to wisemx...if you have a FAQ on how to configure/access/read your SSL certificate, please point me to it. Otherwise I'll keep surfing the net. Problem with most net tutorials is that they assume you are the server administrator and that your database resides at 'localhost' and you are using IIS there (I think). Few people are doing what I am doing with DASP, which is a sort of poor man's Cloud Computing attempt I think. BTW I notice all business apps use a stand alone app to access a database, not the browser via Silverlight, so I've given up on Silverlight and switched to WPF as the front end, which is built for (expressly) secure communications. But I have to get the protocol for accessing your SSL certificate first.
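    On the thumbprint question raised above: the thumbprint is just the SHA-1 hash of the certificate the server presents, so it can be read from the outside by completing a TLS handshake with the site. The console program below is an added example for this thread (not PJ's code and not a DASP tool) that does exactly that and prints the subject, issuer, validity window and thumbprint; the host name is a placeholder to be replaced with your own. The value it prints is what a serviceCredentials/serviceCertificate element with x509FindType="FindByThumbprint" expects in findValue.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Usage: ShowServerCertificate.exe your.hostname.example [port]
class ShowServerCertificate
{
    static int Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "www.example.com";   // placeholder host
        int port = args.Length > 1 ? int.Parse(args[1]) : 443;

        try
        {
            using (TcpClient tcp = new TcpClient(host, port))
            using (SslStream ssl = new SslStream(tcp.GetStream(), false, ReportAndValidate))
            {
                // Runs the handshake against the given host name; ReportAndValidate is called
                // with the server's certificate and chain before this returns.
                ssl.AuthenticateAsClient(host);
                Console.WriteLine("Handshake succeeded; chain validated against this machine's trust store.");
            }
            return 0;
        }
        catch (AuthenticationException ex)
        {
            // The callback has already printed the certificate, so the thumbprint is available
            // even when the chain does not validate (self-signed, not yet installed, wrong name).
            Console.WriteLine("Handshake rejected: {0}", ex.Message);
            return 1;
        }
    }

    static bool ReportAndValidate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
    {
        X509Certificate2 cert = new X509Certificate2(certificate);
        Console.WriteLine("Subject:    {0}", cert.Subject);
        Console.WriteLine("Issuer:     {0}", cert.Issuer);
        Console.WriteLine("Not before: {0:u}", cert.NotBefore);
        Console.WriteLine("Not after:  {0:u}", cert.NotAfter);
        Console.WriteLine("Thumbprint: {0}", cert.Thumbprint);   // SHA-1 hex, the FindByThumbprint value
        if (errors != SslPolicyErrors.None)
        {
            Console.WriteLine("Policy errors: {0}", errors);
        }
        // Report only; a failing chain still fails the connection.
        return errors == SslPolicyErrors.None;
    }
}
```

    Run it against the https host name DASP gave you once the certificate has been installed through the SSL Manager; if the printed subject or issuer is not the one you bought, the hosting side has not finished installing it, which is worth knowing before spending time on the WCF configuration.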
     
  18. Very cool...goes into my library.

    Amazing, thanks!! I will add this to my library, very cool. I wasn't even thinking of ASP.NET with Ajax, but ASP + Silverlight. Haven't looked at the code...for some reason VS2010 Express needs to be reinstalled on my machine (I must be past the 30 days trial period, and the key is failing). It will be amazing if your solution is a true protected WCF service (in that the web service method is protected) rather than a routine, protected .aspx login page, which are a dime-a-dozen and common on the net. I'll be very pleased if it's the former, but in any case thanks again!

    CrystalCMS/ Joe can I ask you a favor? Please go here to this thread, here: http://community.discountasp.net/showthread.php?p=42927#post42927
    related to this thread...and tell me whether in your opinion I should open a help ticket on this... or do the people at the Help Desk not really understand this type of problem? (then I'm really stuck I guess!) I'm trying to access the private key on my SSL certificate I just bought, and this moderator at the MS WCF Forum suggests somebody at DASP should fiddle at the server side to do this (see the thread above).

    PJ
     