
dotnet web services : ... forbidden with client authentication scheme Anonymous

mzarlenga@gmail.com
3/28/2008 8:51:48 PM
I have a client / server written in C#/VS2005 that uses WCF. Each
component exposes a secure (https:) endpoint with WCF. httpcfg was
used to secure the ports with certificates. (Both systems use the same
certificate for their endpoints, in case that matters.)

The client and server are on different physical systems.

The applications communicate like so:
Request:  Client -----> Server's endpoint ( https://172.16.26.30:8283/MyServer )
Response: Server -----> Client's endpoint ( https://172.16.26.31:40201/MyClient )

The client works on every system I've tried it ... but one. On that
one system, when the Server tries to respond, the error the server
gets is: The HTTP request was forbidden with client authentication
scheme 'Anonymous'

This appears to be some kind of IIS setup issue on that one client
system.

I believe I've made sure that Anonymous access is enabled: Control
Panel > Administrative Tools > Internet Information Services > Web
Services > right click > Properties > Directory Security >
Authentication and Access Control > Enable Anonymous Access is
checked.

What else could be wrong? What am I missing?

Tiago Halm
3/29/2008 8:13:08 PM
Let us know more details, in particular the binding (basicHttpBinding,
wsHttpBinding, netTcpBinding, etc...) and its attributes. We need to know
where the security check takes place (transport or message) and how the
server/client authenticate.

And you say "the error the server gets (...)". Isn't it the other way
around?

note: avoid posting to multiple newsgroups please ...

Tiago Halm


mzarlenga
3/30/2008 10:21:02 AM

I'm using .Transport security.

Both the client and server use the same classes for WCF.

A secure Host/Receiver is created as follows:
------------------------------------------------------------------

private static int MAX_RECEIVED_MESSAGE_SIZE = 128 * 1024; // 128KB

public static ServiceHost MakeServiceHost(IPost creator, string endpoint)
{
    receiver = new ServiceHost(...);
    ... .PostObj = creator; // the creator contains PostMessage()
    Uri serviceUri = new Uri(endpoint);

    BasicHttpBinding httpBinding = new BasicHttpBinding();

    // Cap string, buffer and message sizes at 128KB so one request cannot
    // consume unbounded memory on the receiver
    XmlDictionaryReaderQuotas quota = new XmlDictionaryReaderQuotas();
    quota.MaxStringContentLength = MAX_RECEIVED_MESSAGE_SIZE;
    httpBinding.ReaderQuotas = quota;
    httpBinding.MaxBufferSize = MAX_RECEIVED_MESSAGE_SIZE;
    httpBinding.MaxReceivedMessageSize = MAX_RECEIVED_MESSAGE_SIZE;

    if (endpoint.Contains("https://"))
    {
        // Transport (SSL) security; every caller must present a client
        // certificate, a caller without one is refused
        httpBinding.Security.Mode = BasicHttpSecurityMode.Transport;
        httpBinding.Security.Transport.ClientCredentialType =
            HttpClientCredentialType.Certificate;
        receiver.AddServiceEndpoint(...);
        return receiver;
    }
    .... // non-secure endpoint code not shown
}


A secure Sender is created as follows:
--------------------------------------------------------

public static ... MakeSender(string endpoint, string SSLCertThumbprint)
{
    if (endpoint.Contains("https://"))
    {
        BasicHttpBinding secureBinding = new BasicHttpBinding();
        secureBinding.Security.Mode = BasicHttpSecurityMode.Transport;
        secureBinding.Security.Transport.ClientCredentialType =
            HttpClientCredentialType.Certificate;
        EndpointAddress secureEndpointAddress = new EndpointAddress(endpoint);

        sender = new ... (secureBinding, secureEndpointAddress);

        // Client certificate looked up by thumbprint in the machine store;
        // the process needs read access to its private key
        sender.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine,
            StoreName.My, X509FindType.FindByThumbprint, SSLCertThumbprint);

        // Process-wide hook used to validate the remote (server) certificate;
        // note that '+=' adds a further handler on every call
        ServicePointManager.ServerCertificateValidationCallback +=
            new System.Net.Security.RemoteCertificateValidationCallback(customXertificateValidation);
        return sender;
    }
    .... // non-secure endpoint code not shown
}

We also have a custom validation method:
-------------------------------------------------------------

private static bool customXertificateValidation(object sender,
    X509Certificate cert, X509Chain chain, System.Net.Security.SslPolicyErrors error)
{
    // Accept a trusted chain even when the certificate name does not match
    // the host in the URL (the endpoints are addressed by IP); because the
    // comparison is '==' on a flags value, any combination of errors is rejected
    if ((error == System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch) ||
        (error == System.Net.Security.SslPolicyErrors.None))
        return true;

    // Logger is a thread-safe log-to-file method
    Logger.Write("ERROR: " + error.ToString());
    return false;
}



The architecture uses dual-channel communications.

On a request, the client posts to the server's endpoint. This works
for the server's secured and non-secured endpoints.

On a response, the server posts to the client's endpoint. This works
only for a non-secured client endpoint. When the client is using a
secured endpoint, and the server tries to respond to that endpoint,
the server gets the "forbidden with client authentication scheme
'Anonymous'" error.

Here are some other items which may or may not be important:

The server is running on Windows Server 2003 Standard Edition Service
Pack 2, the client is on Windows XP Professional Version 2002 Service
Pack 2.

When the client system was initially set up, IIS was not installed.
Once the problem with secure endpoints was discovered, I installed IIS
from an XP SP2 CD. It was not the same CD that was used for the
original XP install.

Both client and server are using the same certificate to secure their
endpoints.
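
An added example, not code from the thread, showing how the two validation points in the setup above can be tightened by pinning the one shared certificate's thumbprint: the receiving ServiceHost checks the presented client certificate with a custom X509CertificateValidator instead of relying on default chain trust, and the sender checks the remote certificate in the ServicePointManager callback by thumbprint instead of waiving RemoteCertificateNameMismatch outright (on an IP-addressed URL that waiver alone lets any certificate from a trusted CA through). The IPost contract shape, the method names and the thumbprint argument are assumptions; the syntax stays C# 2 so it fits a VS2005 project.

```csharp
// Added example (not from the original thread). Pins the shared endpoint
// certificate by thumbprint on both sides of the dual-channel setup.
// Assumed placeholders: IPost is a [ServiceContract] with PostMessage(string);
// 'thumbprint' is the hex thumbprint of the certificate both hosts use.
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IPost
{
    [OperationContract]
    void PostMessage(string message);
}

// Receiver side: rejects any client certificate other than the pinned one.
// Throwing SecurityTokenValidationException makes WCF refuse the request.
public sealed class ThumbprintValidator : X509CertificateValidator
{
    private readonly string expected;

    public ThumbprintValidator(string expectedThumbprint)
    {
        expected = expectedThumbprint;
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null ||
            !string.Equals(certificate.Thumbprint, expected, StringComparison.OrdinalIgnoreCase))
        {
            throw new SecurityTokenValidationException(
                "client certificate is not the pinned endpoint certificate");
        }
    }
}

public static class PinnedTransportSecurity
{
    private static BasicHttpBinding MakeBinding()
    {
        BasicHttpBinding binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
        return binding;
    }

    // Receiver: same binding as the thread's MakeServiceHost, plus the validator.
    public static ServiceHost MakePinnedHost(object singleton, Uri httpsAddress, string thumbprint)
    {
        ServiceHost host = new ServiceHost(singleton, httpsAddress);
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.Custom;
        host.Credentials.ClientCertificate.Authentication.CustomCertificateValidator =
            new ThumbprintValidator(thumbprint);
        host.AddServiceEndpoint(typeof(IPost), MakeBinding(), "");
        return host;
    }

    // Sender side check. Name mismatch is tolerated on purpose (the URLs carry
    // IP addresses), but only because the thumbprint comparison identifies the
    // peer instead; chain errors or a missing certificate are still fatal.
    public static bool IsPinnedServerCertificate(X509Certificate cert, SslPolicyErrors errors,
                                                 string thumbprint)
    {
        if (cert == null)
        {
            return false;
        }
        SslPolicyErrors tolerated = SslPolicyErrors.RemoteCertificateNameMismatch;
        if ((errors & ~tolerated) != SslPolicyErrors.None)
        {
            return false;
        }
        return string.Equals(cert.GetCertHashString(), thumbprint, StringComparison.OrdinalIgnoreCase);
    }

    // Sender: same binding and client certificate as the thread's MakeSender.
    public static ChannelFactory<IPost> MakePinnedSender(Uri httpsEndpoint, string thumbprint)
    {
        ChannelFactory<IPost> factory =
            new ChannelFactory<IPost>(MakeBinding(), new EndpointAddress(httpsEndpoint));
        // The process must be able to read this certificate's private key.
        factory.Credentials.ClientCredentials.ClientCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, thumbprint);

        // Assign rather than '+=': the callback is process-global, and adding a
        // handler on every MakeSender call stacks delegates.
        ServicePointManager.ServerCertificateValidationCallback =
            delegate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
            {
                return IsPinnedServerCertificate(cert, errors, thumbprint);
            };
        return factory;
    }
}
```

The custom validator only runs once HTTP.sys has negotiated a client certificate and handed the request to WCF, so the per-port SSL binding that httpcfg set is still the first thing to confirm on a host that misbehaves: on Windows XP/2003, `httpcfg query ssl` lists each bound port with its certificate hash and store (the equivalent on Vista and later is `netsh http show sslcert`).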


mzarlenga
3/30/2008 1:41:44 PM

Remember, the client works as-is on every other system in our lab,
even other XP systems. This problem is isolated to *one* *system*.

I'm 99% certain this is a Windows / IIS *setup* issue on the one PC
where it doesn't work ... but I've checked everything in IIS that I
can find and don't know where to look next.

For some reason, which I'm unable to pinpoint, Anonymous connections
Tiago Halm
3/30/2008 9:13:15 PM
I may be wrong here, but you say "dual-channel communications", and MSDN
states that duplex service contracts (WSDualHttpBinding) must use SOAP
security, whereas you're using transport security and the standard
basicHttpBinding.

From what I can tell (I may be wrong) you're setting a dual channel manually
where both the client and server are both services. It would be useful to
gather more info on what WCF offers for true dual communication scenarios.
http://msdn2.microsoft.com/en-us/library/system.servicemodel.wsdualhttpbinding.aspx

Finally, if you want to maintain the architecture you have, you need both
services to be set up on IIS with a secure channel (HTTPS), and it seems that
the service that is acting as the client is not set up as such.

let me know if this helps

Tiago Halm
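
An added example, not code from the thread or from the MSDN page linked above, of what the same request/reply pattern looks like as a WCF duplex contract over WSDualHttpBinding. The server replies through the callback channel to the client's ClientBaseAddress, so the client no longer hosts a separately secured HTTPS endpoint, and the binding uses message (SOAP) security, the only secure mode that binding offers (WSDualHttpSecurityMode has no Transport value). Contract, class and address names are assumed placeholders; with the default Windows message credential the two machines need a common domain or matching accounts, and the server must be able to reach the client's base address.

```csharp
// Added example (not from the thread). Duplex contract over WSDualHttpBinding
// with message security; IPostDuplex, IPostCallback, PostService, ReplyReceiver
// and the addresses in the comment at the bottom are assumed placeholders.
using System;
using System.ServiceModel;

[ServiceContract(CallbackContract = typeof(IPostCallback))]
public interface IPostDuplex
{
    [OperationContract(IsOneWay = true)]
    void PostMessage(string message);
}

public interface IPostCallback
{
    [OperationContract(IsOneWay = true)]
    void PostReply(string reply);
}

// Server side: one instance per duplex session, so the callback channel
// obtained inside PostMessage belongs to the caller of that session.
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerSession)]
public class PostService : IPostDuplex
{
    public void PostMessage(string message)
    {
        IPostCallback callback = OperationContext.Current.GetCallbackChannel<IPostCallback>();
        callback.PostReply("received " + message.Length + " characters");
    }
}

// Client side: WCF hosts the callback listener itself at the ClientBaseAddress
// given to the binding, with the same message security as the forward channel.
public class ReplyReceiver : IPostCallback
{
    public void PostReply(string reply)
    {
        Console.WriteLine("reply: " + reply);
    }
}

public static class DuplexSetup
{
    private static WSDualHttpBinding MakeBinding(Uri clientBaseAddress)
    {
        WSDualHttpBinding binding = new WSDualHttpBinding();
        // Message security is the binding's default; stated explicitly because
        // it is the point of the design. The default credential is Windows;
        // certificate credentials are possible but need both sides' certificates
        // configured in ServiceCredentials / ClientCredentials.
        binding.Security.Mode = WSDualHttpSecurityMode.Message;
        if (clientBaseAddress != null)
        {
            binding.ClientBaseAddress = clientBaseAddress;
        }
        return binding;
    }

    public static ServiceHost StartServer(Uri serverAddress)
    {
        ServiceHost host = new ServiceHost(typeof(PostService), serverAddress);
        host.AddServiceEndpoint(typeof(IPostDuplex), MakeBinding(null), "");
        host.Open();
        return host;
    }

    public static IPostDuplex Connect(Uri serverAddress, Uri clientBaseAddress)
    {
        InstanceContext context = new InstanceContext(new ReplyReceiver());
        DuplexChannelFactory<IPostDuplex> factory = new DuplexChannelFactory<IPostDuplex>(
            context, MakeBinding(clientBaseAddress), new EndpointAddress(serverAddress));
        return factory.CreateChannel();
    }

    // Illustrative wiring for the two hosts in the thread (addresses assumed,
    // note plain http:// since protection is at the message layer):
    //   server: StartServer(new Uri("http://172.16.26.30:8283/MyServer"));
    //   client: IPostDuplex proxy = Connect(new Uri("http://172.16.26.30:8283/MyServer"),
    //                                       new Uri("http://172.16.26.31:40201/MyClient"));
    //           proxy.PostMessage("hello");   // reply arrives in ReplyReceiver.PostReply
}
```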


mzarlenga
3/31/2008 1:50:50 PM

Update: I uninstalled IIS, renamed C:\Inetpub then reinstalled IIS.

And it's working fine now. I have no idea what was wrong with the
previous installation of IIS. Everything looked just fine.

Anyway, problem solved, thanks for your feedback, Tiago.

