WCF UserName authentication

Hello MuZzy,

For your WCF username secured service, I've performed some test on my local
environment and comparing the standard username(custom validator) service
configuration with yours. I found that what you've missed here is
configuring the service identity(server certificate for your
ServiceCredentials behavior). You can see it when you use the declartive
means(through app.config)

==========app.config===========
<system.serviceModel>
<services>
<service name="ServerApp.CalculatorService"
behaviorConfiguration="CalculatorServiceBehavior" >
<host>
<baseAddresses>

<add baseAddress ="http://localhost:8888/ServerApp"/>
</baseAddresses>
</host>

<endpoint address=""
binding="wsHttpBinding"
bindingConfiguration="Binding1"
contract="ServerApp.ICalculator" />
</service>
</services>

<bindings>
<wsHttpBinding>

<binding name="Binding1">
<security mode="Message">
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="CalculatorServiceBehavior"
includeExceptionDetailInFaults="True">
<serviceCredentials>

<userNameAuthentication userNamePasswordValidationMode="Custom"
customUserNamePasswordValidatorType="ServerApp.Cus tomUserNameValidator,
ServerApp" />

<serviceCertificate findValue="localhost"
storeLocation="LocalMachine" storeName="My"
x509FindType="FindBySubjectName" />
</serviceCredentials>

<serviceMetadata
httpGetEnabled="true" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
====================================

Here is my test code which programmatically configure the service
application conforms to the above app.config file

===========code ===================
static void RunCode()
{
Uri baseuri = new Uri("http://localhost:8888/ServerApp");
ServiceHost host = new ServiceHost(typeof(CalculatorService),
baseuri);
//configure endpoint and binding
WSHttpBinding wsbd = new WSHttpBinding(SecurityMode.Message);
wsbd.Security.Message.ClientCredentialType =
MessageCredentialType.UserName;
//add endpoint for Icalculator
host.AddServiceEndpoint(typeof(ICalculator), wsbd, "");
// configure service behavior

ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
smb.HttpGetEnabled = true;
host.Description.Behaviors.Add(smb);

ServiceCredentials scb = new ServiceCredentials();
scb.UserNameAuthentication.UserNamePasswordValidat ionMode =
System.ServiceModel.Security.UserNamePasswordValid ationMode.Custom;
scb.UserNameAuthentication.CustomUserNamePasswordV alidator =
new CustomUserNameValidator();

scb.ServiceCertificate.SetCertificate(StoreLocatio n.LocalMachine,
StoreName.My, X509FindType.FindBySubjectName, "localhost");
host.Description.Behaviors.Add(scb);

try
{
host.Open();

Console.WriteLine("The service is ready.");
Console.WriteLine("The service is running in the following
account: {0}", WindowsIdentity.GetCurrent().Name);
Console.WriteLine("Press <ENTERto terminate service.");
Console.WriteLine();
Console.ReadLine();
}
catch (Exception ex)
{

}
finally
{
host.Close();
}
}
=======================================

Hope this helps.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Steven Cheng[MSFT] wrote:

Hello MuZzy,

For your WCF username secured service, I've performed some test on my local
environment and comparing the standard username(custom validator) service
configuration with yours. I found that what you've missed here is
configuring the service identity(server certificate for your
ServiceCredentials behavior). You can see it when you use the declartive
means(through app.config)

==========app.config===========
<system.serviceModel>
<services>
<service name="ServerApp.CalculatorService"
behaviorConfiguration="CalculatorServiceBehavior" >
<host>
<baseAddresses>

<add baseAddress ="http://localhost:8888/ServerApp"/>
</baseAddresses>
</host>

<endpoint address=""
binding="wsHttpBinding"
bindingConfiguration="Binding1"
contract="ServerApp.ICalculator" />
</service>
</services>

<bindings>
<wsHttpBinding>

<binding name="Binding1">
<security mode="Message">
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="CalculatorServiceBehavior"
includeExceptionDetailInFaults="True">
<serviceCredentials>

<userNameAuthentication userNamePasswordValidationMode="Custom"
customUserNamePasswordValidatorType="ServerApp.Cus tomUserNameValidator,
ServerApp" />

<serviceCertificate findValue="localhost"
storeLocation="LocalMachine" storeName="My"
x509FindType="FindBySubjectName" />
</serviceCredentials>

<serviceMetadata
httpGetEnabled="true" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
====================================

Here is my test code which programmatically configure the service
application conforms to the above app.config file

===========code ===================
static void RunCode()
{
Uri baseuri = new Uri("http://localhost:8888/ServerApp");
ServiceHost host = new ServiceHost(typeof(CalculatorService),
baseuri);
//configure endpoint and binding
WSHttpBinding wsbd = new WSHttpBinding(SecurityMode.Message);
wsbd.Security.Message.ClientCredentialType =
MessageCredentialType.UserName;
//add endpoint for Icalculator
host.AddServiceEndpoint(typeof(ICalculator), wsbd, "");
// configure service behavior

ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
smb.HttpGetEnabled = true;
host.Description.Behaviors.Add(smb);

ServiceCredentials scb = new ServiceCredentials();
scb.UserNameAuthentication.UserNamePasswordValidat ionMode =
System.ServiceModel.Security.UserNamePasswordValid ationMode.Custom;
scb.UserNameAuthentication.CustomUserNamePasswordV alidator =
new CustomUserNameValidator();

scb.ServiceCertificate.SetCertificate(StoreLocatio n.LocalMachine,
StoreName.My, X509FindType.FindBySubjectName, "localhost");
host.Description.Behaviors.Add(scb);

try
{
host.Open();

Console.WriteLine("The service is ready.");
Console.WriteLine("The service is running in the following
account: {0}", WindowsIdentity.GetCurrent().Name);
Console.WriteLine("Press <ENTERto terminate service.");
Console.WriteLine();
Console.ReadLine();
}
catch (Exception ex)
{

}
finally
{
host.Close();
}
}

But for that you have to have a SSL certificate installed on your
system, right?

Hi MuZZy,

Yes, when you use message security with the WSHttpBinding, it require the
service side to authenticate itself(to client) also. Therefore, you need to
provide a server certifricate for the service. At development time, you
can use a test service as the WCF username security sample does. At
production & deployment scenario, you need to purchase a server
certificate(such as SSL certificate) from some trust authority(like
verisign).

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.