
WCF MaxClockSkew for TransportWithMessageCredential security eleme

I'm trying to increase the MaxClockSkew for our WCF bindings through code in
my service host and client.

From various forums etc, I have got this far:

public static void InitializeEndpoint(ServiceEndpoint endpoint)
{
    CustomBinding customBinding = new CustomBinding(endpoint.Binding);
    SecurityBindingElement securityBinding =
        customBinding.Elements.Find<SecurityBindingElement>();
    securityBinding.LocalServiceSettings.MaxClockSkew =
        TimeSpan.FromHours(1);
    securityBinding.LocalClientSettings.MaxClockSkew =
        TimeSpan.FromHours(1);
    endpoint.Binding = customBinding;
}

However, this does not seem to do the trick. Running a client with a clock
out by 10 minutes still results in an error logged on the service and the
message states that the max skew is still the default 5 mins.

Looking at some other forums I can find information about having to set the
skew on a bootstrapper element as well, but that only seems to be for
SymmetricSecurityBindingElements, whereas we are using
TransportWithMessageCredential, resulting in a TransportSecurityBindingElement.

The configuration on my client is:

<system.serviceModel>
  <client>
    <endpoint
      address="https://localhost/Diligent.Boardbooks.SiteService/SiteService.svc/SiteUN"
      binding="wsHttpBinding" bindingConfiguration="WSUsernameMtomBinding"
      contract="Diligent.Boardbooks.Services.SiteService.Proxy.ISiteServiceContract"
      name="SiteServiceUN" />
  </client>
  <behaviors />
  <bindings>
    <wsHttpBinding>
      <binding name="WSUsernameBinding" sendTimeout="00:05:00"
               maxReceivedMessageSize="1048576">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName"
                   establishSecurityContext="false" />
        </security>
      </binding>
      <binding name="WSUsernameMtomBinding" sendTimeout="00:05:00"
               maxReceivedMessageSize="67108864" messageEncoding="Mtom">
        <readerQuotas maxDepth="512" maxStringContentLength="67108864"
                      maxArrayLength="67108864" maxBytesPerRead="67108864"
                      maxNameTableCharCount="65536" />
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName"
                   establishSecurityContext="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services />
</system.serviceModel>

And on my service is:

<system.serviceModel>
  <client>
  </client>
  <bindings>
    <wsHttpBinding>
      <binding name="WSMtomBinding" sendTimeout="00:05:00"
               maxReceivedMessageSize="67108864"
               messageEncoding="Mtom">
        <readerQuotas maxDepth="512"
                      maxStringContentLength="67108864"
                      maxArrayLength="67108864"
                      maxBytesPerRead="67108864" maxNameTableCharCount="65536" />
        <reliableSession enabled="false" />
        <security mode="TransportWithMessageCredential">
          <message establishSecurityContext="false" />
        </security>
      </binding>
      <binding name="WSUsernameMtomBinding" sendTimeout="00:05:00"
               maxReceivedMessageSize="67108864"
               messageEncoding="Mtom">
        <readerQuotas maxDepth="512"
                      maxStringContentLength="67108864"
                      maxArrayLength="67108864"
                      maxBytesPerRead="67108864" maxNameTableCharCount="65536" />
        <reliableSession enabled="false" />
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName"
                   establishSecurityContext="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="SiteService">
        <serviceDebug includeExceptionDetailInFaults="true" />
        <serviceMetadata httpGetEnabled="true"
                         httpsGetEnabled="true" />
        <serviceCredentials>
          <serviceCertificate
            findValue="Diligent.Boardbooks.Services" x509FindType="FindBySubjectName" />
          <issuedTokenAuthentication>
            <knownCertificates>
              <add
                findValue="Diligent.Boardbooks.SecurityTokenService"
                storeLocation="LocalMachine"
                storeName="My"
                x509FindType="FindBySubjectName" />
            </knownCertificates>
          </issuedTokenAuthentication>
        </serviceCredentials>
        <serviceThrottling maxConcurrentCalls="100"
                           maxConcurrentSessions="100" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service behaviorConfiguration="SiteService"
             name="Diligent.Boardbooks.Services.SiteService.Implementation.SiteService">
      <endpoint address="Site" binding="wsHttpBinding"
                bindingConfiguration="WSMtomBinding"
                name="SiteService"
                contract="Diligent.Boardbooks.Services.SiteService.ServiceContracts.ISiteServiceContract" />
      <endpoint address="SiteUN" binding="wsHttpBinding"
                bindingConfiguration="WSUsernameMtomBinding"
                name="SiteServiceUN"
                contract="Diligent.Boardbooks.Services.SiteService.ServiceContracts.ISiteServiceContract" />
      <endpoint address="InternalSite" binding="wsHttpBinding"
                bindingConfiguration="WSMtomBinding"
                name="InternalSiteService"
                contract="Diligent.Boardbooks.Services.SiteService.ServiceContracts.IInternalSiteServiceContract" />
      <endpoint address="InternalSiteUN" binding="wsHttpBinding"
                bindingConfiguration="WSUsernameMtomBinding"
                name="InternalSiteServiceUN"
                contract="Diligent.Boardbooks.Services.SiteService.ServiceContracts.IInternalSiteServiceContract" />
      <endpoint address="Test" binding="wsHttpBinding"
                bindingConfiguration="WSUsernameMtomBinding"
                name="TestService"
                contract="Diligent.Boardbooks.Services.SiteService.ServiceContracts.ISiteServiceTestContract" />
    </service>
  </services>
</system.serviceModel>

Is there anything else I need to set on the binding or endpoint to get the
skew adjusted properly?

Many thanks,
Greg Jackman
Apr 8 '08 #1
Thanks for the quick reply.

My initial testing did include creating the same binding on the client as
well. And we were still seeing the problem.

As you can see from the dump of the xml:
<localClientSettings cacheCookies="true"
                     detectReplays="false"
                     replayCacheSize="900000" maxClockSkew="01:00:00"
                     maxCookieCachingTime="Infinite"
                     replayWindow="00:05:00"
                     sessionKeyRenewalInterval="10:00:00"
                     sessionKeyRolloverInterval="00:05:00"
                     reconnectTransportOnFailure="false"
                     timestampValidityDuration="00:05:00"
                     cookieRenewalThresholdPercentage="60" />
<localServiceSettings detectReplays="false"
                      issuedCookieLifetime="10:00:00"
                      maxStatefulNegotiations="128"
                      replayCacheSize="900000" maxClockSkew="01:00:00"
                      negotiationTimeout="00:01:00"
                      replayWindow="00:05:00" inactivityTimeout="00:02:00"
                      sessionKeyRenewalInterval="15:00:00"
                      sessionKeyRolloverInterval="00:05:00"
                      reconnectTransportOnFailure="false"
                      maxPendingSessions="128"
                      maxCachedCookies="1000"
                      timestampValidityDuration="00:05:00" />

the code I have is setting both the client and service settings
MaxClockSkew, and I was running the same method on the client and service
bindings.

Hope that helps.

Cheers,
Greg
Apr 10 '08 #2
Hi Tiago.

Thanks for your help on this one. I've used the code you supplied and the
problem is now solved. I've actually taken out the part about Symmetric
bindings as we never get those (as we use the TransportWithMessageCredential
security mode).

I'm not sure how it's different from my original code. I'm thinking I may
have done a bad job of testing it first time round. Apologies for wasting
your time if that's the case.

Anyway, thanks for your help with it.

Cheers,
Greg
"ti********@gmail.com" wrote:
It is a bit strange you get those results. I did a bit of testing
and it worked for me. Anyhow, let me give you the steps I did.

The testing was done with wsHttpBinding, securityMode="Message",
clientCredentialType="Windows". The establishSecurityContext="..." can
be set "true" or "false" as needed. The code below that sets
maxClockSkew takes care of both scenarios.

I've also enabled failure auditing with:
<serviceSecurityAudit
    auditLogLocation="Application"
    messageAuthenticationAuditLevel="Failure"
    serviceAuthorizationAuditLevel="Failure"
    suppressAuditFailure="false" />

This auditing setting helps to look into the EventLog and find the
current maxClockSkew setting on the service side when an error
happens.

Both the client and server share the same code snippet when adjusting
the maxClockSkew as below:
Binding AdjustClockSkew(Binding binding)
{
    CustomBinding customBinding = new CustomBinding(binding);
    SecurityBindingElement bindingElement =
        customBinding.Elements.Find<SecurityBindingElement>();
    bindingElement.LocalServiceSettings.MaxClockSkew =
        TimeSpan.FromHours(2);
    bindingElement.LocalClientSettings.MaxClockSkew =
        TimeSpan.FromHours(2);

    //
    // Check if secure conversation is enabled. Only a
    // SymmetricSecurityBindingElement carries the secure-conversation
    // token as its protection token, so the cast is guarded: with
    // TransportWithMessageCredential the element is a
    // TransportSecurityBindingElement and this block is skipped
    // instead of throwing an InvalidCastException.
    //
    SymmetricSecurityBindingElement symmetricElement =
        bindingElement as SymmetricSecurityBindingElement;
    if (symmetricElement != null)
    {
        SecurityTokenParameters tokenParameters =
            symmetricElement.ProtectionTokenParameters;
        SecureConversationSecurityTokenParameters sct =
            tokenParameters as SecureConversationSecurityTokenParameters;
        if (sct != null)
        {
            // The bootstrap element authenticates the initial exchange
            // and validates its own timestamp, so it needs the skew too.
            bindingElement = sct.BootstrapSecurityBindingElement;
            bindingElement.LocalServiceSettings.MaxClockSkew =
                TimeSpan.FromHours(2);
            bindingElement.LocalClientSettings.MaxClockSkew =
                TimeSpan.FromHours(2);
        }
    }

    return customBinding;
}

Obviously, the LocalServiceSettings is only needed in the service code
and LocalClientSettings is only needed in the client code, but for
simplification purposes I've decided to change both settings in both
the service code and the client code.

The client code:
CalcClient channel = new CalcClient();
channel.Endpoint.Binding =
    AdjustClockSkew(channel.Endpoint.Binding);
channel.Hello();
channel.Close();

The service code:
[ServiceBehavior]
public class Calc : ICalc
{
    string ICalc.Hello()
    {
        return "Hello";
    }
}

[ServiceContract]
interface ICalc
{
    [OperationContract]
    string Hello();
}

class CustomServiceHost : ServiceHost
{
    public CustomServiceHost(object singletonInstance, params Uri[] baseAddresses)
        : base(singletonInstance, baseAddresses)
    { }

    public CustomServiceHost(Type serviceType, params Uri[] baseAddresses)
        : base(serviceType, baseAddresses)
    { }

    protected override void ApplyConfiguration()
    {
        base.ApplyConfiguration();

        foreach (ServiceEndpoint endpoint in Description.Endpoints)
        {
            endpoint.Binding = AdjustClockSkew(endpoint.Binding);
        }
    }
}

class Program
{
    static void Main(string[] args)
    {
        CustomServiceHost host = new CustomServiceHost(typeof(Calc));
        host.Open();
        Console.WriteLine("Listening ...");
        Console.ReadLine();
    }
}
Tiago Halm
Jun 27 '08 #3
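As an added example (not code from this thread), the helper below generalises Tiago's AdjustClockSkew so it covers both the TransportWithMessageCredential case from the question and the Message-security case from the reply without the unconditional cast, and it reports the effective value per element so the change can be verified before testing with a mis-set clock; ClockSkew and its method names are assumed names. Keep the skew as small as the clocks allow, since the same window bounds how long a captured message's timestamp remains acceptable, and fix the clock source (NTP) where that is the real problem.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel.Channels;
using System.ServiceModel.Security.Tokens;
// Added example, not code from this thread; ClockSkew is a hypothetical helper name.
static class ClockSkew
{
    // Rebuilds the binding as a CustomBinding and applies one MaxClockSkew to every
    // security element, including a secure-conversation bootstrap if one exists.
    public static Binding Apply(Binding binding, TimeSpan skew)
    {
        CustomBinding custom = new CustomBinding(binding);
        SecurityBindingElement root = custom.Elements.Find<SecurityBindingElement>();
        if (root == null)
            throw new InvalidOperationException("No SecurityBindingElement in " + binding.Name);
        foreach (SecurityBindingElement e in Walk(root))
        {
            e.LocalServiceSettings.MaxClockSkew = skew;   // checked on the service side
            e.LocalClientSettings.MaxClockSkew = skew;    // checked on the client side
        }
        return custom;
    }
    // Yields the element and, recursively, the bootstrap behind any secure-conversation
    // token it carries. A symmetric element (security mode="Message") holds that token as
    // its protection token; a transport element (TransportWithMessageCredential) lists it
    // under the endorsing supporting tokens, so both places are inspected.
    public static IEnumerable<SecurityBindingElement> Walk(SecurityBindingElement sbe)
    {
        yield return sbe;
        List<SecurityTokenParameters> candidates =
            new List<SecurityTokenParameters>(sbe.EndpointSupportingTokenParameters.Endorsing);
        SymmetricSecurityBindingElement sym = sbe as SymmetricSecurityBindingElement;
        if (sym != null && sym.ProtectionTokenParameters != null)
            candidates.Add(sym.ProtectionTokenParameters);
        foreach (SecurityTokenParameters tp in candidates)
        {
            SecureConversationSecurityTokenParameters sct = tp as SecureConversationSecurityTokenParameters;
            if (sct == null || sct.BootstrapSecurityBindingElement == null) continue;
            foreach (SecurityBindingElement inner in Walk(sct.BootstrapSecurityBindingElement))
                yield return inner;
        }
    }
    // Reports the effective skew per element so a change can be confirmed before testing.
    public static string Report(Binding binding)
    {
        List<string> lines = new List<string>();
        foreach (SecurityBindingElement e in Walk(new CustomBinding(binding).Elements.Find<SecurityBindingElement>()))
            lines.Add(e.GetType().Name + " service=" + e.LocalServiceSettings.MaxClockSkew + " client=" + e.LocalClientSettings.MaxClockSkew);
        return string.Join(Environment.NewLine, lines.ToArray());
    }
}
```

Call Apply on each service endpoint (for example inside ApplyConfiguration, as in the reply) and on the client proxy's Endpoint.Binding, then pass the binding Apply returned to Report; passing the original wsHttpBinding would rebuild it from configuration and show the 5-minute defaults again.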
