
I've got some sample code I've written trying to get a WCF client talking to a WCF server. I can't seem to get it to work; I have tried different ideas. Is this even possible with netTcpBinding? All the examples I have seen are wshttpbinding. I have created certificates for both client and server and placed them in each other's Trusted Root stores. The WCFClient is set to Client Authentication and the WCFServer is set to Server Auth.

Client config file

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <client>
      <endpoint kind="discoveryEndpoint" address="net.tcp://localhost:8005/Probe" binding="netTcpBinding" bindingConfiguration="RequestReplyNetTcpBinding">
      </endpoint>
      <endpoint binding="netTcpBinding" bindingConfiguration="RequestReplyNetTcpBinding" contract="Test2ServLib.IService1" behaviorConfiguration="LargeEndpointBehavior">
        <identity>  
          <dns value="WCFServer" />  
        </identity>  
      <!--The behaviorConfiguration is required to enable WCF deserialization of large data sets -->
      </endpoint>
    </client>
    <behaviors>
      <serviceBehaviors>
        <behavior name="announcementBehavior">
          <!--The following behavior attribute is required to enable WCF serialization of large data sets -->
          <dataContractSerializer maxItemsInObjectGraph="2147483647" />
          <serviceDiscovery>
            <announcementEndpoints>
              <endpoint kind="announcementEndpoint" address="net.tcp://localhost:8005/Announcement" binding="netTcpBinding" bindingConfiguration="RequestReplyNetTcpBinding" />
            </announcementEndpoints>
          </serviceDiscovery>
          <serviceThrottling maxConcurrentCalls="1500" maxConcurrentSessions="1500" maxConcurrentInstances="1500" />
          <clientCredentials>
            <clientCertificate findValue="WCFClient"
                               storeLocation="LocalMachine"
                               storeName="TrustedPeople"
                               x509FindType="FindBySubjectName" />
            <serviceCertificate>
              <authentication certificateValidationMode="PeerTrust" revocationMode="NoCheck"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
        <behavior name="LargeEndpointBehavior">
          <!--The behavior is required to enable WCF deserialization of large data sets -->
          <dataContractSerializer maxItemsInObjectGraph="2147483647" />
          <clientCredentials>
            <clientCertificate findValue="WCFClient"
                               storeLocation="LocalMachine"
                               storeName="TrustedPeople"
                               x509FindType="FindBySubjectName" />
            <serviceCertificate>
              <authentication certificateValidationMode="PeerTrust" revocationMode="NoCheck"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </serviceBehaviors>
      <endpointBehaviors>
        <behavior name="disableEndpointDiscovery">
          <endpointDiscovery enabled="false" />
          <!--The behavior is required to enable WCF deserialization of large data sets -->
          <dataContractSerializer maxItemsInObjectGraph="2147483647" />
          <clientCredentials>
            <clientCertificate findValue="WCFClient"
                               storeLocation="LocalMachine"
                               storeName="TrustedPeople"
                               x509FindType="FindBySubjectName" />
            <serviceCertificate>
              <authentication certificateValidationMode="PeerTrust" revocationMode="NoCheck"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
        <behavior name="LargeEndpointBehavior">
          <!--The behavior is required to enable WCF deserialization of large data sets -->
          <dataContractSerializer maxItemsInObjectGraph="2147483647" />
          <clientCredentials>
            <clientCertificate findValue="WCFClient"
                               storeLocation="LocalMachine"
                               storeName="TrustedPeople"
                               x509FindType="FindBySubjectName" />
            <serviceCertificate>
              <authentication certificateValidationMode="PeerTrust" revocationMode="NoCheck"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <bindings>
      <netTcpBinding>
        <binding name="RequestReplyNetTcpBinding" receiveTimeout="05:00:00" openTimeout="00:00:59" closeTimeout="00:00:59" maxBufferPoolSize="524288" maxBufferSize="25000000" maxConnections="50" maxReceivedMessageSize="25000000" sendTimeout="00:05:00" listenBacklog="1500">
          <reliableSession ordered="false" inactivityTimeout="00:01:00" enabled="true" />
          <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
          <security>
            <message clientCredentialType="Certificate"/>
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
  </system.serviceModel>
</configuration>

Service Config

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
<behaviors>
  <serviceBehaviors>
    <behavior name="announcementBehavior">
      <!--The following behavior attribute is required to enable WCF serialization of large data sets -->
      <dataContractSerializer maxItemsInObjectGraph="2147483647"/>
      <serviceDiscovery>
        <announcementEndpoints>
          <endpoint kind="announcementEndpoint"
        address="net.tcp://localhost:8005/Announcement"
        binding="netTcpBinding"
        bindingConfiguration="RequestReplyNetTcpBinding"/>
        </announcementEndpoints>
      </serviceDiscovery>
      <serviceThrottling
              maxConcurrentCalls="1500"
              maxConcurrentSessions="1500"
              maxConcurrentInstances="1500"/>
      <serviceCredentials>
        <serviceCertificate findValue="WCFServer"
                            storeLocation="LocalMachine"
                            storeName="TrustedPeople"
                            x509FindType="FindBySubjectName" />
        <clientCertificate>
          <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="LocalMachine" revocationMode="NoCheck" mapClientCertificateToWindowsAccount="false" />
        </clientCertificate>
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
  <endpointBehaviors>
    <behavior name="disableEndpointDiscovery">
      <endpointDiscovery enabled="false"/>
      <!--The behavior is required to enable WCF deserialization of large data sets -->
      <dataContractSerializer maxItemsInObjectGraph="2147483647"/>
      <serviceCredentials>
        <serviceCertificate findValue="WCFServer"
                            storeLocation="LocalMachine"
                            storeName="TrustedPeople"
                            x509FindType="FindBySubjectName" />
        <clientCertificate>
          <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="LocalMachine" revocationMode="NoCheck" mapClientCertificateToWindowsAccount="false" />
        </clientCertificate>
      </serviceCredentials>
    </behavior>
    <behavior name="LargeEndpointBehavior">
      <!--The behavior is required to enable WCF deserialization of large data sets -->
      <dataContractSerializer maxItemsInObjectGraph="2147483647"/>
      <serviceCredentials>
        <serviceCertificate findValue="WCFServer"
                            storeLocation="LocalMachine"
                            storeName="TrustedPeople"
                            x509FindType="FindBySubjectName" />
        <clientCertificate>
          <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="LocalMachine" revocationMode="NoCheck" mapClientCertificateToWindowsAccount="false" />
        </clientCertificate>
      </serviceCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
<services>
  <service name="Test2ServLib.IService1"
           behaviorConfiguration="announcementBehavior">
    <host>
      <baseAddresses>
        <add baseAddress="net.tcp://localhost:8006/Service1"/>
      </baseAddresses>
    </host>
    <endpoint binding="netTcpBinding"
              bindingConfiguration="RequestReplyNetTcpBinding"
              contract="Test2ServLib.IService1"
              behaviorConfiguration="LargeEndpointBehavior" />
  </service>
</services>
<bindings>
  <netTcpBinding>
    <binding name="RequestReplyNetTcpBinding">
      <security>
        <message clientCredentialType="Certificate" />
      </security>
    </binding>
  </netTcpBinding>
</bindings>

  </system.serviceModel>
</configuration>
user173092
  • `Nettcpbinding` supports authenticating the client with a certificate. There is no difference with the below settings. https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/message-security-with-a-certificate-client What are the error details that the client-side received after sending a call to the service? – Abraham Qian Jan 16 '20 at 09:50
  • 403 errors. But sometimes there are no errors but the service doesn't work – user173092 Jan 16 '20 at 21:28
  • This does not help. I think that there is something wrong with the trust relationship and the issued certificates. Could you complete the above-linked sample of message security mode with authenticating the client with a certificate? This virtually is the same as your code snippets except for the service discovery behavior. – Abraham Qian Jan 17 '20 at 06:33
  • I don't understand, I'm new to using wcf – user173092 Jan 17 '20 at 14:54
  • I have this error, The communication object, System.ServiceModel.Channels.ServiceChannel, cannot be used for communication because it is in the Faulted state. – user173092 Jan 17 '20 at 20:54
  • Authenticating the client with a certificate is an advanced topic. The above link (official sample) is a good start to complete this task. As I said, it should be something wrong with the certificates. Given that “the faulted state” error occurred, please try re-adding the service reference and call the service again. – Abraham Qian Jan 20 '20 at 05:55
  • I got it working in debug mode, but once I move to production mode I get a Bad Gateway error – user173092 Jan 20 '20 at 14:36
  • In debug mode, WCF is hosted by IIS Express, which doesn’t allow the request from another machine. Are you calling the service on the same machine? Please post the error detail. I will try my best to reproduce your issue. If indeed, we had better install the service/client certificate in the LocalCA (Trusted Root Certification Authorities). – Abraham Qian Jan 21 '20 at 03:20
  • Yes, I'm calling the service on the same machine. I was able to get past the Bad Gateway by increasing the timeout times. However, when I call the service nothing happens; no errors are shown but the service isn't working. – user173092 Jan 21 '20 at 16:56
  • I'm using self-signed certificates, is that an issue? I have two certificates, a WCFClient and a WCFServer; is there anything else I would need? Is there something I need to do in my hoster app? – user173092 Jan 21 '20 at 17:20
  • I'm getting an Unhandled Exception: System.Runtime.CallbackException: Async Callback threw an exception. ---> System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied. – user173092 Jan 23 '20 at 00:19
  • Since you use nettcpbinding, have you enabled Nettcpbinding support in IIS, such as a certain Windows feature? Please refer to the discussions below. https://stackoverflow.com/questions/3188618/enabling-net-tcp-in-iis7 https://www.c-sharpcorner.com/article/enable-other-protocols-tcp-pipe-msmq-etc-in-iis/ – Abraham Qian Jan 23 '20 at 09:45
  • I'm still getting an Unhandled Exception: System.Runtime.CallbackException: Async Callback threw an exception. ---> System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied. – user173092 Jan 23 '20 at 23:35
  • I have no idea, I advise you to complete the official sample first in order to verify the availability of the certificates. – Abraham Qian Jan 24 '20 at 08:58
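
Added example (not part of the question, the comments, or Microsoft's linked sample): a minimal single-process loopback configuration for netTcpBinding with message security and certificate client credentials. It shows the security mode set explicitly, one binding shared by both endpoints, and each credentials element under the behavior type it belongs to. Assumptions: the binding and behavior names, the implementation class `Test2ServLib.Service1`, and the `My` store for each side's own certificate are illustrative; with `PeerTrust`, each side's peer certificate is expected in the TrustedPeople store.

```xml
<configuration>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <!-- Default mode is Transport; <message> is only used with mode="Message" -->
        <binding name="CertMessageSecurity">
          <security mode="Message">
            <message clientCredentialType="Certificate" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="serviceCert">
          <serviceCredentials>
            <!-- storeName="My" is an assumption: own certificate, with private key -->
            <serviceCertificate findValue="WCFServer" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
            <clientCertificate>
              <!-- PeerTrust: the client certificate must be in TrustedPeople -->
              <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="LocalMachine" revocationMode="NoCheck" />
            </clientCertificate>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
      <endpointBehaviors>
        <behavior name="clientCert">
          <clientCredentials>
            <clientCertificate findValue="WCFClient" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
            <serviceCertificate>
              <authentication certificateValidationMode="PeerTrust" revocationMode="NoCheck" />
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <services>
      <!-- Test2ServLib.Service1 is a hypothetical implementation class name -->
      <service name="Test2ServLib.Service1" behaviorConfiguration="serviceCert">
        <endpoint address="net.tcp://localhost:8006/Service1" binding="netTcpBinding" bindingConfiguration="CertMessageSecurity" contract="Test2ServLib.IService1" />
      </service>
    </services>
    <client>
      <endpoint address="net.tcp://localhost:8006/Service1" binding="netTcpBinding" bindingConfiguration="CertMessageSecurity" contract="Test2ServLib.IService1" behaviorConfiguration="clientCert">
        <identity><dns value="WCFServer" /></identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
```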

0 Answers