
WCF MaxClockSkew for TransportWithMessageCredential security element

I'm trying to increase the MaxClockSkew for our WCF bindings through code in
my service host and client.

From various forums etc, I have got this far:

public static void InitializeEndpoint(ServiceEndpoint endpoint)
{
    // Wrap the configured binding so its binding elements become editable
    CustomBinding customBinding = new CustomBinding(endpoint.Binding);
    SecurityBindingElement securityBinding =
        customBinding.Elements.Find<SecurityBindingElement>();
    securityBinding.LocalServiceSettings.MaxClockSkew = TimeSpan.FromHours(1);
    securityBinding.LocalClientSettings.MaxClockSkew = TimeSpan.FromHours(1);
    endpoint.Binding = customBinding;
}

However, this does not seem to do the trick. Running a client with a clock
out by 10 minutes still results in an error logged on the service and the
message states that the max skew is still the default 5 mins.

Looking at some other forums I can find information about having to set the
skew on a bootstrapper element as well, but that only seems to be for
SymmetricSecurityBindingElements, whereas we are using
TransportWithMessageCredential resulting in a TransportSecurityBindingElement.

The configuration on my client is:

<system.serviceModel>
  <client>
    <endpoint
      address="https://localhost/Diligent.Boardbooks.SiteService/SiteService.svc/SiteUN"
      binding="wsHttpBinding" bindingConfiguration="WSUsernameMtomBinding"
      contract="Diligent.Boardbooks.Services.SiteService.Proxy.ISiteServiceContract"
      name="SiteServiceUN" />
  </client>
  <behaviors />
  <bindings>
    <wsHttpBinding>
      <binding name="WSUsernameBinding" sendTimeout="00:05:00"
               maxReceivedMessageSize="1048576">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName"
                   establishSecurityContext="false" />
        </security>
      </binding>
      <binding name="WSUsernameMtomBinding" sendTimeout="00:05:00"
               maxReceivedMessageSize="67108864" messageEncoding="Mtom">
        <readerQuotas maxDepth="512" maxStringContentLength="67108864"
                      maxArrayLength="67108864" maxBytesPerRead="67108864"
                      maxNameTableCharCount="65536" />
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName"
                   establishSecurityContext="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services />
</system.serviceModel>

And on my service is:

<system.serviceModel>
  <client>
  </client>
  <bindings>
    <wsHttpBinding>
      <binding name="WSMtomBinding" sendTimeout="00:05:00"
               maxReceivedMessageSize="67108864"
               messageEncoding="Mtom">
        <readerQuotas maxDepth="512"
                      maxStringContentLength="67108864"
                      maxArrayLength="67108864"
                      maxBytesPerRead="67108864" maxNameTableCharCount="65536" />
        <reliableSession enabled="false" />
        <security mode="TransportWithMessageCredential">
          <message establishSecurityContext="false" />
        </security>
      </binding>
      <binding name="WSUsernameMtomBinding" sendTimeout="00:05:00"
               maxReceivedMessageSize="67108864"
               messageEncoding="Mtom">
        <readerQuotas maxDepth="512"
                      maxStringContentLength="67108864"
                      maxArrayLength="67108864"
                      maxBytesPerRead="67108864" maxNameTableCharCount="65536" />
        <reliableSession enabled="false" />
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName"
                   establishSecurityContext="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="SiteService">
        <serviceDebug includeExceptionDetailInFaults="true" />
        <serviceMetadata httpGetEnabled="true"
                         httpsGetEnabled="true" />
        <serviceCredentials>
          <serviceCertificate
            findValue="Diligent.Boardbooks.Services" x509FindType="FindBySubjectName" />
          <issuedTokenAuthentication>
            <knownCertificates>
              <add
                findValue="Diligent.Boardbooks.SecurityTokenService"
                storeLocation="LocalMachine"
                storeName="My"
                x509FindType="FindBySubjectName" />
            </knownCertificates>
          </issuedTokenAuthentication>
        </serviceCredentials>
        <serviceThrottling maxConcurrentCalls="100"
                           maxConcurrentSessions="100" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service behaviorConfiguration="SiteService"
             name="Diligent.Boardbooks.Services.SiteService.Implementation.SiteService">
      <endpoint address="Site" binding="wsHttpBinding"
                bindingConfiguration="WSMtomBinding"
                name="SiteService"
                contract="Diligent.Boardbooks.Services.SiteService.ServiceContracts.ISiteServiceContract" />
      <endpoint address="SiteUN" binding="wsHttpBinding"
                bindingConfiguration="WSUsernameMtomBinding"
                name="SiteServiceUN"
                contract="Diligent.Boardbooks.Services.SiteService.ServiceContracts.ISiteServiceContract" />
      <endpoint address="InternalSite" binding="wsHttpBinding"
                bindingConfiguration="WSMtomBinding"
                name="InternalSiteService"
                contract="Diligent.Boardbooks.Services.SiteService.ServiceContracts.IInternalSiteServiceContract" />
      <endpoint address="InternalSiteUN" binding="wsHttpBinding"
                bindingConfiguration="WSUsernameMtomBinding"
                name="InternalSiteServiceUN"
                contract="Diligent.Boardbooks.Services.SiteService.ServiceContracts.IInternalSiteServiceContract" />
      <endpoint address="Test" binding="wsHttpBinding"
                bindingConfiguration="WSUsernameMtomBinding"
                name="TestService"
                contract="Diligent.Boardbooks.Services.SiteService.ServiceContracts.ISiteServiceTestContract" />
    </service>
  </services>
</system.serviceModel>

Is there anything else I need to set on the binding or endpoint to get the
skew adjusted properly?

Many thanks,
Greg Jackman
Apr 8 '08 #1
Thanks for the quick reply.

My initial testing did include creating the same binding on the client as
well. And we were still seeing the problem.

As you can see from the dump of the xml:
<localClientSettings cacheCookies="true"
                     detectReplays="false"
                     replayCacheSize="900000" maxClockSkew="01:00:00"
                     maxCookieCachingTime="Infinite"
                     replayWindow="00:05:00"
                     sessionKeyRenewalInterval="10:00:00"
                     sessionKeyRolloverInterval="00:05:00"
                     reconnectTransportOnFailure="false"
                     timestampValidityDuration="00:05:00"
                     cookieRenewalThresholdPercentage="60" />
<localServiceSettings detectReplays="false"
                      issuedCookieLifetime="10:00:00"
                      maxStatefulNegotiations="128"
                      replayCacheSize="900000" maxClockSkew="01:00:00"
                      negotiationTimeout="00:01:00"
                      replayWindow="00:05:00" inactivityTimeout="00:02:00"
                      sessionKeyRenewalInterval="15:00:00"
                      sessionKeyRolloverInterval="00:05:00"
                      reconnectTransportOnFailure="false"
                      maxPendingSessions="128"
                      maxCachedCookies="1000"
                      timestampValidityDuration="00:05:00" />

the code I have is setting both the client and service settings
MaxClockSkew, and I was running the same method on the client and service
bindings.

Hope that helps.

Cheers,
Greg
Apr 10 '08 #2
Hi Tiago.

Thanks for your help on this one. I've used the code you supplied and the
problem is now solved. I've actually taken out the part about Symmetric
bindings as we never get those (as we use TransportWithMessageCredential
security mode).

I'm not sure how it's different from my original code. I'm thinking I may
have done a bad job of testing it first time round. Apologies for wasting
your time if that's the case.

Anyway, thanks for your help with it.

Cheers,
Greg
"ti********@gmail.com" wrote:
It is a bit strange you get those results. I did a bit of testing
and it worked for me. Anyhow, let me give you the steps I did.

The testing was done with wsHttpBinding, securityMode="Message",
clientCredentialType="Windows". The establishSecurityContext="..." can
be set "true" or "false" as needed. The code below that sets
maxClockSkew takes care of both scenarios.

I've also enabled failure auditing with:
<serviceSecurityAudit
    auditLogLocation="Application"
    messageAuthenticationAuditLevel="Failure"
    serviceAuthorizationAuditLevel="Failure"
    suppressAuditFailure="false" />

This auditing setting helps to look into the EventLog and find the
current maxClockSkew setting on the service side when an error
happens.

Both the client and server share the same code snippet when adjusting
the maxClockSkew as below:
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Security.Tokens;

// Shared by client and service; static so CustomServiceHost below can call it.
static Binding AdjustClockSkew(Binding binding)
{
    CustomBinding customBinding = new CustomBinding(binding);
    SecurityBindingElement bindingElement =
        customBinding.Elements.Find<SecurityBindingElement>();
    bindingElement.LocalServiceSettings.MaxClockSkew = TimeSpan.FromHours(2);
    bindingElement.LocalClientSettings.MaxClockSkew = TimeSpan.FromHours(2);

    //
    // Check if secure conversation is enabled. Only a SymmetricSecurityBindingElement
    // (message security) carries a protection token; a TransportSecurityBindingElement
    // is skipped rather than cast, since a direct cast would throw InvalidCastException.
    //
    SymmetricSecurityBindingElement symmetric =
        bindingElement as SymmetricSecurityBindingElement;
    if (symmetric != null)
    {
        SecurityTokenParameters tokenParameters = symmetric.ProtectionTokenParameters;
        SecureConversationSecurityTokenParameters sct =
            tokenParameters as SecureConversationSecurityTokenParameters;
        if (sct != null)
        {
            // The bootstrap binding issues the security context token, so its
            // skew has to be raised as well or the bootstrap exchange still fails.
            bindingElement = sct.BootstrapSecurityBindingElement;
            bindingElement.LocalServiceSettings.MaxClockSkew = TimeSpan.FromHours(2);
            bindingElement.LocalClientSettings.MaxClockSkew = TimeSpan.FromHours(2);
        }
    }

    return customBinding;
}

Obviously, the LocalServiceSettings is only needed in the service code
and LocalClientSettings is only needed in the client code, but for
simplification purposes I've decided to change both settings in both
the service code and the client code.

The client code:
// Swap the configured binding for the adjusted copy before the first call
CalcClient channel = new CalcClient();
channel.Endpoint.Binding = AdjustClockSkew(channel.Endpoint.Binding);
channel.Hello();
channel.Close();

The service code:
[ServiceBehavior]
public class Calc : ICalc
{
    string ICalc.Hello()
    {
        return "Hello";
    }
}

[ServiceContract]
interface ICalc
{
    [OperationContract]
    string Hello();
}

class CustomServiceHost : ServiceHost
{
    public CustomServiceHost(object singletonInstance, params Uri[] baseAddresses)
        : base(singletonInstance, baseAddresses)
    { }

    public CustomServiceHost(Type serviceType, params Uri[] baseAddresses)
        : base(serviceType, baseAddresses)
    { }

    protected override void ApplyConfiguration()
    {
        base.ApplyConfiguration();

        // Endpoints from config are populated now; replace each binding with
        // the adjusted copy before the host opens its listeners
        foreach (ServiceEndpoint endpoint in Description.Endpoints)
        {
            endpoint.Binding = AdjustClockSkew(endpoint.Binding);
        }
    }
}

class Program
{
    static void Main(string[] args)
    {
        CustomServiceHost host = new CustomServiceHost(typeof(Calc));
        host.Open();
        Console.WriteLine("Listening ...");
        Console.ReadLine();
    }
}
Tiago Halm
Jun 27 '08 #3
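The thread covers two binding-element shapes: Tiago's message-security case, where the secure conversation token hangs off the SymmetricSecurityBindingElement's protection token, and Greg's TransportWithMessageCredential case, which yields a TransportSecurityBindingElement. The helper below is an added example, not code from either poster, that handles both and follows the bootstrap binding recursively; the assumption that WCF places the transport-mode secure conversation token under EndpointSupportingTokenParameters.Endorsing is mine, and the read-back method is there so the change can be checked without waiting for an audit event.

```csharp
using System;
using System.ServiceModel.Channels;
using System.ServiceModel.Security.Tokens;

static class ClockSkewHelper
{
    // Applies one MaxClockSkew to every SecurityBindingElement reachable from the
    // binding, including the bootstrap binding that issues a secure conversation
    // token (message-security and TransportWithMessageCredential cases in the thread).
    public static Binding AdjustClockSkew(Binding binding, TimeSpan skew)
    {
        CustomBinding custom = new CustomBinding(binding);
        SecurityBindingElement sbe = custom.Elements.Find<SecurityBindingElement>();
        if (sbe == null)
            throw new InvalidOperationException("Binding has no security binding element.");
        ApplySkew(sbe, skew);
        return custom;
    }

    static void ApplySkew(SecurityBindingElement sbe, TimeSpan skew)
    {
        // The service validates incoming timestamps with LocalServiceSettings and
        // the client with LocalClientSettings; set both so one helper serves both.
        sbe.LocalServiceSettings.MaxClockSkew = skew;
        sbe.LocalClientSettings.MaxClockSkew = skew;

        // Message security: the secure conversation token is the protection token.
        SymmetricSecurityBindingElement sym = sbe as SymmetricSecurityBindingElement;
        if (sym != null)
            FollowBootstrap(sym.ProtectionTokenParameters, skew);

        // TransportWithMessageCredential with establishSecurityContext="true":
        // the secure conversation token is an endorsing supporting token
        // (assumption about where WCF places it; with "false" the loop is empty).
        foreach (SecurityTokenParameters p in sbe.EndpointSupportingTokenParameters.Endorsing)
            FollowBootstrap(p, skew);
    }

    static void FollowBootstrap(SecurityTokenParameters p, TimeSpan skew)
    {
        SecureConversationSecurityTokenParameters sct =
            p as SecureConversationSecurityTokenParameters;
        if (sct != null && sct.BootstrapSecurityBindingElement != null)
            ApplySkew(sct.BootstrapSecurityBindingElement, skew); // recurse into bootstrap
    }

    // Reads the skew back from a binding so the change can be checked in a unit
    // test before relying on the service audit log.
    public static TimeSpan EffectiveServiceSkew(Binding binding)
    {
        SecurityBindingElement sbe =
            new CustomBinding(binding).Elements.Find<SecurityBindingElement>();
        return sbe == null ? TimeSpan.Zero : sbe.LocalServiceSettings.MaxClockSkew;
    }
}
```

Apply it per endpoint from ApplyConfiguration as in Tiago's CustomServiceHost, and keep in mind that a wider skew also widens the window in which a replayed message's timestamp is still accepted, so fix clock synchronisation where you can and leave replay detection on.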
