Monday, March 2, 2015

challenges in getting a UserNamePasswordValidator implementation working for a WCF web service

I was seeing the following error when I tried to push code beyond my local environment for the UserNamePasswordValidator stuff I had written.

Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindBySubjectName', FindValue 'localhost'.

This stems from the following line of Web.config, which was put there for me (lucky me) when I added the WCF web service to a Visual Studio project in my local environment:

<serviceCertificate findValue="localhost" storeLocation="LocalMachine"
      storeName="My" x509FindType="FindBySubjectName" />

Alas, the certificate that this references did not exist in other environments, and hence this line of the Web.config had to be removed outright. The removal caused this error to appear instead:

The service certificate is not provided. Specify a service certificate in ServiceCredentials.

That meant that the following blob of Web.config would also have to be replaced:

<wsHttpBinding>
   <binding name="Binding">
      <security mode="Message">
         <message clientCredentialType="UserName" />
      </security>
   </binding>
</wsHttpBinding>

This substitute would allow for the error to go away when one hit the .svc endpoint in a browser...

<wsHttpBinding>
   <binding name="Binding">
      <security mode="None" />
   </binding>
</wsHttpBinding>

...but would not allow for the UserNamePasswordValidator sanity check to occur, because with mode="None" the binding carries no credentials and applies no security at all. The real fix looked like so:

<wsHttpBinding>
   <binding name="Binding">
      <security mode="TransportWithMessageCredential">
         <transport clientCredentialType="None" />
         <message clientCredentialType="UserName" />
      </security>
   </binding>
</wsHttpBinding>

...and it now requires the endpoint to be hosted at an https:// address! Once a certificate was set up at the host, I tried to consume the .svc endpoint from a dummy ASP.NET application I had, and hit an error proclaiming:

The security certificate was issued by a company you have not chosen to trust.

To trust a certificate in Internet Explorer on Windows 2012 R2, first go to "Internet Options" under the "Tools" menu and navigate to the "Security" tab, where you should add the site to "Trusted sites" to begin with. Next, type "mmc" in the search field on the charm bar to bring up "Console1 - [Console Root]", then add the "Certificates" snap-in, picking "Computer account" when faced with a choice between:

  1. My user account
  2. Service account
  3. Computer account

Finally, import a certificate. That should be all. If you see this error:

An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.

...or this error:

An error occurred when verifying security for the message.

...it just means that you are trying to authenticate with credentials that won't work. I had a user that was jacked up when I saw this. I just made a new user to sidestep the problem.
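
For reference, a fuller system.serviceModel section showing how the TransportWithMessageCredential binding above ties to a custom validator. This is an added example, not the author's Web.config; the Example.Services namespace and the validator, service and contract names are placeholders. In this mode the certificate comes from the https:// binding at the host, so no serviceCertificate element appears.

```xml
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="Binding">
        <!-- HTTPS protects the channel; the username/password travel in the
             SOAP message security header and are handed to the validator. -->
        <security mode="TransportWithMessageCredential">
          <transport clientCredentialType="None" />
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>

  <behaviors>
    <serviceBehaviors>
      <behavior name="ValidatorBehavior">
        <!-- Metadata is served over HTTPS only. -->
        <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
        <!-- Keep exception detail out of faults returned to callers. -->
        <serviceDebug includeExceptionDetailInFaults="false" />
        <serviceCredentials>
          <!-- No <serviceCertificate> here: the certificate is the one bound
               to the HTTPS site at the host. -->
          <!-- Placeholder type: a class deriving from UserNamePasswordValidator,
               given as "Namespace.Class, AssemblyName". -->
          <userNameAuthentication
              userNamePasswordValidationMode="Custom"
              customUserNamePasswordValidatorType="Example.Services.ExampleValidator, Example.Services" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>

  <services>
    <!-- Placeholder service and contract names. -->
    <service name="Example.Services.ExampleService"
             behaviorConfiguration="ValidatorBehavior">
      <!-- bindingConfiguration must match the binding name above, otherwise
           the endpoint falls back to default wsHttpBinding security. -->
      <endpoint address="" binding="wsHttpBinding"
                bindingConfiguration="Binding"
                contract="Example.Services.IExampleService" />
    </service>
  </services>
</system.serviceModel>
```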
