
In short: I cannot get my console client connected to an HTTPS endpoint of the WCF service, which is hosted on another PC in the same network. It pops up an error at debug time at `Object loginObject = client.Login(password, username);` and says: "Unable to automatically step into this server machine domain. Connecting to the server machine failed. Logon failure: unknown user name or bad password."

I am not hosting this on IIS; I just host the service from Visual Studio.

-----for more details check below-----

I have a WCF service hosted in a console application on one computer. The config file (showing only the binding, endpoint and behaviour) looks like this:

<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding
          name="HighQuotaWSHttpBinding"
          receiveTimeout="00:10:00"
          sendTimeout="00:10:00"
          bypassProxyOnLocal="true"
          maxBufferPoolSize="2147483647"
          useDefaultWebProxy="false"
          maxReceivedMessageSize="2147483647">
          <security mode="Transport">
            <transport clientCredentialType="Certificate" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>

    <services>
      <!-- WebDataService -->
      <service
        behaviorConfiguration="WebDataServiceBehaviour"
        name="ANameSpace">
        <endpoint
          address="WebDataService"
          binding="wsHttpBinding" bindingConfiguration="HighQuotaWSHttpBinding"
          contract="AContract"
          name="WebDataServiceHttpBinding">
          <!--<identity>
            <dns value="" />
          </identity>-->
        </endpoint>
        <endpoint
          address="mex"
          binding="mexHttpsBinding"
          contract="IMetadataExchange"
          name="mexManagement" />
        <host>
          <baseAddresses>
            <add baseAddress="http://mylocalip:9650/" />
            <add baseAddress="https://mylocalip:9651/" />
          </baseAddresses>
        </host>
      </service>
    </services>

    <!-- Definition of WebDataService behaviour -->
    <behaviors>
      <serviceBehaviors>
        <!-- Behavior for WebserviceData interface -->
        <behavior name="WebDataServiceBehaviour">
          <!-- Set throttling of (concurrent) calls -->
          <serviceThrottling
            maxConcurrentCalls="100"
            maxConcurrentSessions="100"
            maxConcurrentInstances="100"/>
          <!-- To avoid disclosing metadata information,
               set the value below to false and remove the metadata endpoint above before deployment -->
          <serviceMetadata httpsGetEnabled="True"/>
          <serviceCredentials>
            <!-- certificate storage path in the server -->
            <serviceCertificate findValue="localhost" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
            <issuedTokenAuthentication allowUntrustedRsaIssuers="true"/>
            <!-- certificate storage path in the client -->
            <clientCertificate>
              <certificate findValue="localhost" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
            </clientCertificate>
            <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"/>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>

      <endpointBehaviors>
        <behavior name="WebDataServiceBehaviour">
          <clientCredentials>
            <!-- certificate storage path in the client -->
            <clientCertificate findValue="localhost" storeLocation="LocalMachine" x509FindType="FindBySubjectName" storeName="My"/>
            <serviceCertificate>
              <authentication certificateValidationMode="PeerOrChainTrust"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>

I made my own root and server certificates like this:

Root: makecert.exe -sv SignRoot.pvk -cy authority -r signroot.cer -a sha1 -n "CN=AuthorityName" -ss my -sr localmachine

Server: makecert.exe -iv SignRoot.pvk -ic signroot.cer -cy end -pe -n CN="localhost" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

Then, with a program called httpconfig.exe, I bound this certificate to port 9651.

Now, on another PC in the same network, I try to make a simple C# console client. The Program.cs is as follows:

using System;

class Program
{
    static void Main(string[] args)
    {
        // Accepts every server certificate, whatever the chain or host name says.
        System.Net.ServicePointManager.ServerCertificateValidationCallback += (se, cert, chain, sslerror) =>
        {
            return true;
        };

        // Proxy generated from the service's metadata endpoint.
        wcf1.WebDataServiceClient client = new wcf1.WebDataServiceClient();

        string username = "A";
        string password = "A";
        Object loginObject = client.Login(password, username);
        Console.WriteLine("bla");
        Console.ReadLine();
        client.Close();
    }
}

and the generated client config is as follows:

<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="WebDataServiceHttpBinding" closeTimeout="00:01:00"
          openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
          bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
          maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
          messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
          allowCookies="false">
        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        <reliableSession ordered="true" inactivityTimeout="00:10:00"
            enabled="false" />
        <security mode="Transport">
          <transport clientCredentialType="Certificate" proxyCredentialType="None"
              realm="" />
          <message clientCredentialType="Windows" negotiateServiceCredential="true" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <endpoint address="https://Theipfromthepc:9651/WebDataService" binding="wsHttpBinding"
        bindingConfiguration="WebDataServiceHttpBinding" contract="wcf1.IWebDataService"
        name="WebDataServiceHttpBinding">
      <!--<identity>
        <dns value="" />
      </identity>-->
    </endpoint>
  </client>
</system.serviceModel>
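The `return true` validation callback in the client above makes the HTTPS connection accept any certificate, so the TLS layer no longer proves who the server is. The following is an added example, not code from the question or the answer, of a client that instead trusts exactly the private root produced by the `makecert` root command (signroot.cer) and nothing else. It assumes that signroot.cer has been copied next to the client executable, that the generated proxy is still named `wcf1.WebDataServiceClient`, and that the client config's transport `clientCredentialType` has been changed to `None` (the server certificate above is issued to `CN=localhost`, so connecting by IP address will fail the name check; the fix is to re-issue the server certificate for the host name the client actually uses, not to ignore the mismatch).

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

namespace ClientExample
{
    // Validates the server's TLS certificate against one pinned private root
    // (the signroot.cer created with makecert) instead of "return true".
    static class PinnedRootValidator
    {
        // Assumption: the exported root certificate sits next to the client .exe.
        private static readonly X509Certificate2 TrustedRoot =
            new X509Certificate2("signroot.cer");

        public static bool Validate(object sender, X509Certificate certificate,
                                    X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            // A missing certificate or a host name that does not match the URL
            // is never acceptable, whatever the chain looks like.
            if (certificate == null ||
                (sslPolicyErrors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0 ||
                (sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            {
                return false;
            }

            var server = new X509Certificate2(certificate);
            var verify = new X509Chain();
            // The private root publishes no CRL, so revocation cannot be checked.
            verify.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            // Let the chain build up to our root even though it is not in the
            // machine's Trusted Root store.
            verify.ChainPolicy.ExtraStore.Add(TrustedRoot);
            verify.ChainPolicy.VerificationFlags =
                X509VerificationFlags.AllowUnknownCertificateAuthority;

            if (!verify.Build(server))
            {
                return false; // expired, not yet valid, bad signature, wrong EKU, ...
            }

            // Tolerate only "root not in the trusted store"; any other status fails.
            foreach (X509ChainStatus status in verify.ChainStatus)
            {
                if (status.Status != X509ChainStatusFlags.NoError &&
                    status.Status != X509ChainStatusFlags.UntrustedRoot)
                {
                    return false;
                }
            }

            // The chain must end in exactly our root, not in some other self-signed cert.
            X509Certificate2 root =
                verify.ChainElements[verify.ChainElements.Count - 1].Certificate;
            return string.Equals(root.Thumbprint, TrustedRoot.Thumbprint,
                                 StringComparison.OrdinalIgnoreCase);
        }
    }

    class Program
    {
        static void Main(string[] args)
        {
            // Process-wide hook; applies to every HTTPS connection the client opens.
            ServicePointManager.ServerCertificateValidationCallback +=
                PinnedRootValidator.Validate;

            // Same generated proxy as in the question (assumed name).
            var client = new wcf1.WebDataServiceClient();
            try
            {
                object loginObject = client.Login("A", "A");
                Console.WriteLine("Login returned: {0}", loginObject);
                client.Close();
            }
            catch
            {
                client.Abort(); // a faulted channel must be aborted, not closed
                throw;
            }
        }
    }
}
```

Pinning the root thumbprint rather than installing it into the machine's Trusted Root store keeps the private CA from being trusted by every other application on the client PC; if the root is installed there instead, the standard validation (no callback at all) already does the chain check, and only the host-name issue remains.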

1 Answer

`clientCredentialType="Certificate"` means that the client will authenticate itself using a client certificate, but you have not provided a client certificate. You have only created a server certificate. Depending on how you have configured your server, chances are you want either:

clientCredentialType = "None"

or

clientCredentialType = "Windows"

Tung
  • I am not hosting this on IIS, I just host the service from Visual Studio – user1350954 Apr 24 '12 at 11:56
  • Same idea applies. You're telling your client that it should authenticate with a client cert, but you're not providing one – Tung Apr 24 '12 at 11:57
  • If I do None, then it gives an error and says that I need to remove the firewall or something else from the remote PC. I did that; now it says logon failure: unknown username or bad password – user1350954 Apr 24 '12 at 12:01
  • Did you also set the clientCredentialType to `None` on both server and client web.config? – Tung Apr 24 '12 at 12:21
  • It says: Unable to automatically step into this server machine domain. Connecting to the server machine failed. Logon failure: unknown user name or bad password. – user1350954 Apr 24 '12 at 12:43
  • Try removing the credentials that you are passing in your code, and get rid of ``. At least we're now past the certificate exception. Could you paste your hosting code? – Tung Apr 24 '12 at 12:50
  • I think it works, but I cannot debug it because the WCF service is on another PC... Oh yes, do I need to have the certificate on my client also??? Because I need to have an SSL-secured connection.. – user1350954 Apr 24 '12 at 12:54
  • You **are** using ssl, but it's at the transport layer. See the difference between [Transport vs Message](http://msdn.microsoft.com/en-us/library/ff647370.aspx). Your client just needs the CA cert so that it trusts the server's self-signed certificate. Anyway, glad I was able to help. Good luck on your project – Tung Apr 24 '12 at 12:56
  • Tung, how can I use the certificate on the client so it trusts the server?? – user1350954 Apr 24 '12 at 13:00
  • [link](http://www.cs.virginia.edu/~gsw2c/GridToolsDir/Documentation/ImportTrustedCertificates.htm). I am linking this one because it at least has a screenshot for those who have never seen the MMC. Some more screenshots [here](http://stackoverflow.com/questions/9982865/sslstream-example-how-do-i-get-certificates-that-work/10053894#10053894). I have to head to bed because I have work in a few hours, but I'll check back later. If you do have further questions, post it as a new question instead of abusing the comments section :-p – Tung Apr 24 '12 at 13:10