Windows Vista Forums
Vista Forums Home Join Vista Forums Windows 7 Forum Vista Tutorials Tags
Welcome to Windows Vista Forums. Our forum is dedicated to helping you find solutions with any problems, errors or issues you are experiencing with Windows Vista. The Vista forum also covers news and updates and has an extensive Windows Vista tutorial section that covers a wide range of tips and tricks.

Go Back   Vista Forums > Misc Newsgroups > Indigo

Vista - WCF / wsHttpBinding / Digital Signature Corruption (!!)

 
 
Old 09-28-2007   #1 (permalink)
Chris Mullins [MVP - C#]


 
 

WCF / wsHttpBinding / Digital Signature Corruption (!!)

I've got a WCF Service hosted in IIS running on a Win2k3 machine. The
service is built with Beta 2 of Orcas.

The service is configured for Message Security, using the UserNameToken
provider. Users are authenticated using the ASP.Net Membership provider, and
authorized using the ASP.NET role provider.
The server has a self-signed certificate installed and properly configured.
The Service is configured to find this cert, and all of that seems to be
working fine.

All appropiate permissions have been given to the private key file, the
client configs are configured to not do trust chain validation, and such.

This service, when hosted on Windows XP running IIS5 works great.

When a client hits the Service running on the Win2k3 machine, I get an
authentication error back. The client sees, "The caller was not
authenticated by the service.", with a callstack of:
System.ServiceModel.Security.SecurityNegotiationException: The caller was
not authenticated by the service.
---> System.ServiceModel.FaultException: The request for security token
could not be satisfied because authentication failed.

[Rest of callstack snipped]

When I turn on tracing in the Server to try to track this down, I see very
unexpected cause:

System.ComponentModel.Win32Exception: The message or signature supplied for
verification has been altered
at System.ServiceModel.Security.TlsSspiNegotiation.GetOutgoingBlob(Byte[]
incomingBlob)

This error cascades up, causes the authentication to fail (resulting in the
client error), and makes the Service completly unusable.

If I disable all security (<security mode="None">) and leave the endpoint as
wsHttpBinding, then things work better, but this isn't a usable
configuration.

I'm not really sure where to go next, in terms of debugging. The fact that
signature validation is failing is really throwing me for a loop. The fact
that it works on 2 seperate Windows XP machines is really confusing me...

Any suggestions?

The relevant configuration setions are shown below. I've changed some names
in pasting it in to protect the names of the innocent...:
[Server config]
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="MembershipBinding" messageEncoding="Mtom">
<security mode="Message">
<message clientCredentialType="UserName"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="Absolve.MyBehavior">
<!-- Allow metadata for this service to be pulled by clients -->
<serviceMetadata httpGetEnabled="true"/>
<serviceCredentials>
<userNameAuthentication
userNamePasswordValidationMode="MembershipProvider"
membershipProviderName="SqlMembershipProvider"/>
<!-- Configure the service certificate -->
<serviceCertificate storeLocation="LocalMachine"
storeName="My"
x509FindType="FindByThumbprint"
findValue="Actual Thumbprint" />
</serviceCredentials>
<!--<serviceAuthorization principalPermissionMode="UseAspNetRoles"
roleProviderName="SqlRoleProvider"/> -->
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="MyBehavior" name="MyServiceCheck">
<endpoint address="" binding="wsHttpBinding"
bindingConfiguration="MembershipBinding"
contract="MyInterfaces.IRealInterface"/>
<endpoint address="mex" binding="mexHttpBinding"
contract="IMetadataExchange"/>
</service>
</services>
</system.serviceModel>

--
Chris Mullins, MCSD.NET, MCPD:Enterprise, Microsoft C# MVP
http://www.coversant.com/blogs/cmullins



My System SpecsSystem Spec
 

Thread Tools


Similar Threads
Thread Forum
ATI Digital Signature Sound & Audio
Digital signature Vista mail
signature verification missing (digital Signature) on the Vista Vista security
No Digital Signature Vista hardware & devices
digital signature Vista installation & setup


Vista Forums is an independent web site and has not been authorized,
sponsored, or otherwise approved by Microsoft Corporation.
"Windows Vista", the Start Orb, and related materials are trademarks of Microsoft Corp.
© Designer Media Ltd

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46