0

I'm trying to write a client against a customer's SOAP webservice, using VS2013 and WCF. The webservice itself is behind their firewall, so they've established a proxy that I'm trying to contact. (The proxy seems to be implemented using MuleSoft's ESB, which may or may not be relevant.)

I've been given an https: url, and a username/password. When I load the url into a browser, I'm prompted for the username/password, and then I see the .wsdl. The .wsdl specifies an internal url that I can't access, but I figure that's for the actual site.

When I create a Service Reference in VS2013, using the proxy URL, I'm prompted for the username/password three times, then I get a proper client, settings in app.config, etc.

The generated bindings in the app.config are for a basicHttpBinding with security mode Transport, and an endpoint address pointing to that inaccessible internal url.

So, from the generated bindings, I:

  1. Replace the inaccessible internal url with the proxy url I've been given.

  2. Change the security mode to "TransportWithMessageCredentials"

    <bindings>
    <basicHttpBinding>
        <binding name="MyCustomersServiceSoapBinding">
            <security mode="TransportWithMessageCredential" >
                <message clientCredentialType="UserName" />
            </security>
        </binding>
        <binding name="MyCustomersServiceSoapBinding1" />
    </basicHttpBinding>
</bindings>

  3. Replace the ClientCredentials with username and password:

    using (var client = new MyCustomersServiceClient()) { var loginCredentials = new ClientCredentials(); loginCredentials.UserName.UserName = "ausername"; loginCredentials.UserName.Password = "apassword";

    var defaultCredentials = client.Endpoint.Behaviors.Find<ClientCredentials>();
client.Endpoint.Behaviors.Remove(defaultCredentials);
client.Endpoint.Behaviors.Add(loginCredentials);

var myData = new MyData
{
};


var result = client.receiveData(myData);

    }

When I run it, I get an exception:

Could not establish secure channel for SSL/TLS with authority 'xxxxx.com'.

Browsing around, most of what I find suggests problems with ssl certificates, but I'm not sure that makes sense. If that were the case, I'd expect to see issues when I view the .wsdl through the browser. And I thought that by removing the default client credentials, I'd be bypassing the certificate check. And I am seeing a few posts about more obscure problems that result in this same error message.

I've turned on SOAP message logging, but that's provided me with no information. It shows the failed outgoing message, but nothing of use.

So I've been looking at the traffic in Fiddler. I see two messages, an HTTP message to "Tunnel to" with Result 200, and an HTTPS message to the proxy url with Result 401.

At this point, I see two possibilities:

  1. I need to install an SSL certificate, the way the error message would suggest, or
  2. the problem is simply that I'm not providing the username/password to the service in a way that it understands, and it's rejecting my attempt to connect.

I'm leaning towards the latter. My problem? I know nothing about the system that's hosting the service. I'm passing username/password in what I thought was the usual mechanism for WCF, and it's not working.

So, finally, the questions:

  • Have I misled myself, and I do need to be messing about with SSL certificates?
  • If not, what do I do in WCF to pass a username/password to an HTTPS webservice, hosted by MuleSoft ESB? (Mule EE Core Extensions/3.5.1, if that helps).
Jeff Dege
  • 11,190
  • 22
  • 96
  • 165
  • Looks that the service certificate is not trusted. Check the url with the browser and see if is a trusted certificate – MiguelSlv Oct 01 '14 at 21:26
  • If it was a problem with the certificate, why do I not see issues when I view the .wsdl in the browser? – Jeff Dege Oct 01 '14 at 21:32
  • That's why i ask to check with the browser. IF the browser says the certificate it is ok, than the problem should be on the application side. Opening the ssl tunnel is done before authentication of the client, so you should focus on that to find the problem. – MiguelSlv Oct 01 '14 at 21:51
  • When I load the webservice into a browser, I see the .wsdl, and when I View Page Info, and look for the certificate, I see "This certificate is OK." So yes, it does look like the error message is misleading. – Jeff Dege Oct 01 '14 at 22:01
  • Just remember a common problem. Is there a proxy between? – MiguelSlv Oct 01 '14 at 22:01
  • Yes, as I said. I'm connecting to a proxy. – Jeff Dege Oct 01 '14 at 22:02
  • Somehow i manage to miss that. The problem is the proxy. Your browser deals with the proxy correctly, but the application don't. The url should point the service. When the application tries to go out, the proxy asks for the credentials. There are several ways to do that. Check this: http://stackoverflow.com/questions/1938990/c-sharp-connecting-through-proxy – MiguelSlv Oct 01 '14 at 22:05
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/62295/discussion-between-byteartisan-and-jeff-dege). – MiguelSlv Oct 01 '14 at 22:14
  • I tried the suggestions from http://stackoverflow.com/questions/1938990/c-sharp-connecting-through-proxy, and I got an error: "The ServicePointManager does not support proxies with the https scheme.". Browsing around for the error message, I think we've got a confusion over the multiple uses of the word "proxy". I don't have a proxy on my end, that outgoing traffic goes through, the customer has a proxy on his. I'm not sure that client-side proxy configuration is appropriate. – Jeff Dege Oct 02 '14 at 13:59
  • Yes, the proxy word was used for different concepts. The proxy server on the client network is not a problem. Since you don't have one server proxy on your enterprise network you don't need a proxy configuration. Your last error points to other kind of problem. What framework are you using? – MiguelSlv Oct 02 '14 at 16:23
  • I'm using VS2013, and WCF. The customer is using MuleSoft. I'm thinking this might be a problem at the server end. – Jeff Dege Oct 02 '14 at 18:10
  • did u solve this problem ? i got it too – TheMuyu Mar 12 '15 at 10:58

2 Answers2

0

Not sure if the issue I encountered shares the same cause as your issue, but just in case I can help someone with this, adding requireClientCertificate=true solved my problem:

<bindings>
  <customBinding>
    <binding name="bindingName">
      ...
      <httpsTransport requireClientCertificate="true"/>
    </binding>
  </customBinding>
</bindings>

I had the same error message, but the web service I'm consuming is over HTTPS and requires a SSL certificate as authentication.

DdW
  • 890
  • 1
  • 18
  • 30
0

Many endpoints have been disabling TLSV1.0 and TLSV1.1 recently

try:

CURL https://<<service host>> -v -TLSV1.0

and

CURL https://<<service host>> -v -TLSV1.2

For instance, https://www.comodo.com doesn't allow TLSV1.0 or TLSV1.1 but does allow TLSV1.2.

Mesh
  • 6,262
  • 5
  • 34
  • 53