
I have a .NET 4.0 WCF service hosted in IIS on Windows Server 2008 which is running just fine over HTTP. The WCF service is being consumed by a third party, who is using Appian Process Modeler to configure the WCF client (not that it's relevant, but I thought I'd mention it).

EDIT: So the fact they're using Appian Process Modeler may actually be relevant. It's a Java-based client, so that means we're trying to get a Java client to consume a .NET WCF service using WS-Policy over SSL.

EDIT #2: Since I now know that Java is consuming a .NET service, is this a fix I can do on my end to allow Java to consume my service over SSL, or is there a fix my client can put in place to allow their Java code to consume a .NET service using WS-Policy?

After moving from test to our production environment, when our client updates their service reference to point to the new production URL, they get the following error:

The endpoint BasicHttpBinding_IInterface contains references to a WS-Policy subject, which is not yet supported. That endpoint is not available for selection. (APNX-2-4041-003)

In comparing the two WSDL documents (non-SSL/test, SSL/production) I found the following two differences, both related to WS-Policy (these are the ONLY two differences, except for URLs, in the WSDL document):

  <wsp:Policy wsu:Id="BasicHttpBinding_IInterface_policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:TransportToken>
              <wsp:Policy>
                <sp:HttpsToken RequireClientCertificate="false"/>
              </wsp:Policy>
            </sp:TransportToken>
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:Basic256/>
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy>
                <sp:Strict/>
              </wsp:Policy>
            </sp:Layout>
          </wsp:Policy>
        </sp:TransportBinding>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>

And

<wsp:PolicyReference URI="#BasicHttpBinding_IInterface_policy"/>

I attempted to create a static WSDL document in production with those two sections removed, but I can't generate a secure connection to the WCF service if I do that.

So my question is, how do I configure WCF to respond over SSL without the WS-Policy requirements?

Here is the configuration we're using on the server:

  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="basicHttps">
          <security mode="Transport">
            <transport clientCredentialType="None" />
            <message />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <client />
    <services>
      <service name="Namespace.API.IInterface_Implementation">
        <endpoint address=""
                  binding="basicHttpBinding"
                  bindingConfiguration="basicHttps"
                  contract="Namespace.API.Interfaces.IInterface"/>
        <endpoint address="mex"
                  binding="mexHttpsBinding"
                  contract="IMetadataExchange"/>

      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="false"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
  </system.serviceModel>
Katie Hurley
Scott
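What the policy quoted in the question actually requires of a client can be read out of the WSDL mechanically. The following is an added example, not code from the original post: `summarize_policies` is a hypothetical helper, the WSDL wrapper is constructed around the quoted policy, and the `wsp`/`wsu` namespace URIs are assumed to be the ones WCF normally emits.

```python
import xml.etree.ElementTree as ET

# The sp namespace is the one quoted in the question; wsp/wsu are the URIs WCF
# normally emits (an assumption here, the page does not show them).
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
TRANSPORT = {"TransportBinding", "TransportToken", "HttpsToken",
             "AlgorithmSuite", "Layout"}

# Constructed sample: the policy from the question inside a minimal wrapper.
SAMPLE_WSDL = f"""<definitions xmlns:wsp="{WSP}" xmlns:wsu="{WSU}" xmlns:sp="{SP}">
 <wsp:Policy wsu:Id="BasicHttpBinding_IInterface_policy"><wsp:ExactlyOne><wsp:All>
  <sp:TransportBinding><wsp:Policy>
   <sp:TransportToken><wsp:Policy>
    <sp:HttpsToken RequireClientCertificate="false"/></wsp:Policy></sp:TransportToken>
   <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
   <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
  </wsp:Policy></sp:TransportBinding>
 </wsp:All></wsp:ExactlyOne></wsp:Policy>
 <binding><wsp:PolicyReference URI="#BasicHttpBinding_IInterface_policy"/></binding>
</definitions>"""

def _choice(policy, name):
    """Local name of the option nested under sp:<name>/wsp:Policy, or None."""
    node = policy.find(f".//{{{SP}}}{name}/{{{WSP}}}Policy/*")
    return None if node is None else node.tag.rsplit("}", 1)[-1]

def summarize_policies(wsdl_text):
    """Map each named wsp:Policy to what it demands of a client."""
    root = ET.fromstring(wsdl_text)
    refs = [r.get("URI") for r in root.iter(f"{{{WSP}}}PolicyReference")]
    out = {}
    for pol in root.iter(f"{{{WSP}}}Policy"):
        pid = pol.get(f"{{{WSU}}}Id")
        if pid is None:  # nested policy container, not a named policy
            continue
        sp_names = {e.tag.rsplit("}", 1)[-1] for e in pol.iter()
                    if e.tag.startswith(f"{{{SP}}}")}
        https = pol.find(f".//{{{SP}}}HttpsToken")
        cert = https is not None and https.get("RequireClientCertificate") in ("true", "1")
        suite, layout = _choice(pol, "AlgorithmSuite"), _choice(pol, "Layout")
        extra = sorted(sp_names - TRANSPORT - {suite, layout})  # message-level assertions
        out[pid] = {"https": https is not None, "client_cert": cert,
                    "algorithm_suite": suite, "layout": layout,
                    "message_level": extra, "references": refs.count("#" + pid),
                    "tls_only": https is not None and not cert and not extra}
    return out
```

A non-empty `message_level` list means the policy also expects WS-Security content inside the SOAP message, which a client that only speaks HTTPS cannot supply.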

1 Answer


According to Microsoft, this does not appear to be possible.

See here and here.

The authentication modes and corresponding prefixes and namespaces are discussed in MSDN. This may give you some additional ideas.

competent_tech
  • Thanks for the reply and the links. I think my question has become more of a "how do I get a Java client to consume my .NET WCF service over SSL", rather than "how can I turn off WS-Policy". I upvoted your answer though for the links which did provide some insight into my original question. – Scott Dec 15 '11 at 17:42
  • @Scott: Here is a really good article on that very subject: http://honga.super6.cz/2011/07/aspnet-forms-authentication-and-java.html – competent_tech Dec 15 '11 at 17:45
  • Thanks, that's helpful. I think this is something that needs to happen on the Java side to get it to work. This article does help though. I'm going to leave the question open for a bit though to see if anyone else has specific suggestions. Thanks again. – Scott Dec 15 '11 at 19:37
  • The URL above is not working any more. It has been moved to: hoonzis.blogspot.com/2011/07/aspnet-forms-authentication-and-java.html On the other hand, I have to say that your issue seems too particular and you won't be able to find the solution there. – hoonzis May 19 '12 at 13:42
  • You can implement this. It is not that hard. You just have to know what you have to send :) – Alex Feb 14 '13 at 08:30