WCF / wsHttpBinding / Digital Signature Corruption (!!)

Discussion in 'ASP .Net Web Services' started by Chris Mullins [MVP - C#], Sep 28, 2007.

    I've got a WCF Service hosted in IIS running on a Win2k3 machine. The
    service is built with Beta 2 of Orcas.

    The service is configured for Message Security, using the UserNameToken
    provider. Users are authenticated using the ASP.Net Membership provider, and
    authorized using the ASP.NET role provider.
    The server has a self-signed certificate installed and properly configured.
    The Service is configured to find this cert, and all of that seems to be
    working fine.

    All appropriate permissions have been given to the private key file, the
    client configs are configured to not do trust chain validation, and such.

    This service, when hosted on Windows XP running IIS5 works great.

    When a client hits the Service running on the Win2k3 machine, I get an
    authentication error back. The client sees, "The caller was not
    authenticated by the service.", with a callstack of:
    System.ServiceModel.Security.SecurityNegotiationException: The caller was
    not authenticated by the service.
    ---> System.ServiceModel.FaultException: The request for security token
    could not be satisfied because authentication failed.

    [Rest of callstack snipped]

    When I turn on tracing in the Server to try to track this down, I see a very
    unexpected cause:

    System.ComponentModel.Win32Exception: The message or signature supplied for
    verification has been altered
    at System.ServiceModel.Security.TlsSspiNegotiation.GetOutgoingBlob(Byte[]
    incomingBlob)

    This error cascades up, causes the authentication to fail (resulting in the
    client error), and makes the Service completely unusable.

    If I disable all security (<security mode="None">) and leave the endpoint as
    wsHttpBinding, then things work better, but this isn't a usable
    configuration.

    I'm not really sure where to go next, in terms of debugging. The fact that
    signature validation is failing is really throwing me for a loop. The fact
    that it works on 2 separate Windows XP machines is really confusing me...

    Any suggestions?

    The relevant configuration sections are shown below. I've changed some names
    in pasting it in to protect the names of the innocent...:
    [Server config]
    <system.serviceModel>
      <bindings>
        <wsHttpBinding>
          <binding name="MembershipBinding" messageEncoding="Mtom">
            <security mode="Message">
              <message clientCredentialType="UserName"/>
            </security>
          </binding>
        </wsHttpBinding>
      </bindings>
      <behaviors>
        <serviceBehaviors>
          <!-- The behavior name must match the behaviorConfiguration attribute
               on the <service> element below -->
          <behavior name="MyBehavior">
            <!-- Allow metadata for this service to be pulled by clients -->
            <serviceMetadata httpGetEnabled="true"/>
            <serviceCredentials>
              <userNameAuthentication
                  userNamePasswordValidationMode="MembershipProvider"
                  membershipProviderName="SqlMembershipProvider"/>
              <!-- Configure the service certificate -->
              <serviceCertificate storeLocation="LocalMachine"
                                  storeName="My"
                                  x509FindType="FindByThumbprint"
                                  findValue="Actual Thumbprint"/>
            </serviceCredentials>
            <!--<serviceAuthorization principalPermissionMode="UseAspNetRoles"
                                      roleProviderName="SqlRoleProvider"/> -->
            <serviceDebug includeExceptionDetailInFaults="true"/>
          </behavior>
        </serviceBehaviors>
      </behaviors>
      <services>
        <service behaviorConfiguration="MyBehavior" name="MyServiceCheck">
          <endpoint address=""
                    binding="wsHttpBinding"
                    bindingConfiguration="MembershipBinding"
                    contract="MyInterfaces.IRealInterface"/>
          <endpoint address="mex"
                    binding="mexHttpBinding"
                    contract="IMetadataExchange"/>
        </service>
      </services>
    </system.serviceModel>

    --
    Chris Mullins, MCSD.NET, MCPD:Enterprise, Microsoft C# MVP
    http://www.coversant.com/blogs/cmullins
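The post's service relies on WCF finding the certificate in LocalMachine\My by thumbprint and then using its private key under the IIS worker-process identity. The console program below is an added diagnostic written for this page, not code from the original post or from WCF; it assumes the thumbprint is passed on the command line and that the certificate holds an RSA key in a CSP container (the usual case for a self-signed IIS certificate on Win2k3). It performs the checks a practitioner would want before digging into the SSPI trace: the certificate is found the same way the `<serviceCertificate>` element finds it, the private key can actually be opened by the identity running the program, the key container is an exchange key (message security with UserName credentials uses the service certificate to protect the negotiated session key, so a signature-only key is not usable), and a sign/verify round-trip proves the public and private halves belong together. Run it under the same account the application pool uses so that a missing ACL on the key container shows up here rather than inside the service.

```csharp
// Added diagnostic for the page's scenario; not from the original post.
// Targets .NET Framework 3.x APIs (System.Security.Cryptography.X509Certificates).
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

class ServiceCertCheck
{
    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: ServiceCertCheck <thumbprint>");
            return 2;
        }
        // Thumbprints copied from the certificates MMC snap-in carry spaces;
        // WCF's FindByThumbprint expects the bare hex string.
        string thumbprint = args[0].Replace(" ", "").ToUpperInvariant();

        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection found;
        try
        {
            // validOnly:false, so an untrusted self-signed cert is still found,
            // which matches how the <serviceCertificate> element locates it.
            found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
        }
        finally
        {
            store.Close();
        }
        if (found.Count == 0)
        {
            Console.WriteLine("FAIL: no certificate with thumbprint {0} in LocalMachine\\My", thumbprint);
            return 1;
        }
        X509Certificate2 cert = found[0];
        Console.WriteLine("Found: {0} (valid {1} to {2})", cert.Subject, cert.NotBefore, cert.NotAfter);

        if (!cert.HasPrivateKey)
        {
            Console.WriteLine("FAIL: certificate has no private key attached");
            return 1;
        }

        RSACryptoServiceProvider priv;
        try
        {
            // Opening the key is where a missing ACL on the key container surfaces
            // for the current identity, typically as "Keyset does not exist".
            priv = cert.PrivateKey as RSACryptoServiceProvider;
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("FAIL: cannot open private key as {0}\\{1}: {2}",
                Environment.UserDomainName, Environment.UserName, ex.Message);
            return 1;
        }
        if (priv == null)
        {
            Console.WriteLine("FAIL: private key is not an RSA CSP key");
            return 1;
        }

        // Message security needs a key-exchange key, not a signature-only key.
        CspKeyContainerInfo info = priv.CspKeyContainerInfo;
        Console.WriteLine("Key container: {0}, provider: {1}, key type: {2}",
            info.KeyContainerName, info.ProviderName, info.KeyNumber);
        if (info.KeyNumber != KeyNumber.Exchange)
        {
            Console.WriteLine("FAIL: key is a signature-only key; WCF needs an AT_KEYEXCHANGE key");
            return 1;
        }

        // Constructed sample message: sign with the private key and verify with
        // the certificate's public key to prove the two halves belong together.
        byte[] data = Encoding.UTF8.GetBytes("wsHttpBinding message-security self test");
        byte[] sig = priv.SignData(data, "SHA1");
        RSACryptoServiceProvider pub = (RSACryptoServiceProvider)cert.PublicKey.Key;
        bool ok = pub.VerifyData(data, "SHA1", sig);
        Console.WriteLine(ok
            ? "OK: key pair is consistent and usable by this identity"
            : "FAIL: private-key signature does not verify with the certificate's public key");
        return ok ? 0 : 1;
    }
}
```

Because the program exercises the same store lookup and the same key container the service uses, a FAIL here under the application-pool account (NETWORK SERVICE by default on Win2k3) isolates a certificate or ACL problem from the SSPI negotiation itself; an OK means the next place to look is the negotiation path. One caveat on the client side mentioned in the post: disabling trust-chain validation (`certificateValidationMode="None"`) is acceptable while debugging a self-signed certificate, but it also disables the check that the client is talking to the intended service, so it should be replaced with PeerTrust or ChainTrust before the configuration is used outside a test environment.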