
connecting to wcf service hosted on domain from a client that is not on the domain

I would like an example or explanation of how to connect a client to a wcf service when the client is not on the domain.

I imagine there is a way to specify domain credentials with the client and the wcf service could talk to the authority (dc) to see if the client is secure.

I followed the examples on the msdn and can connect to see the metadata (methods available) but when using wshttpbinding I get "An unsecured or incorrectly secured fault was received from the other party".

Thanks in advance!


By default, wsHttpBinding will use Windows credentials - this only works if both your service and your calling client are members of the same domain (or members of domains with a mutual trust relationship).

If you want to authenticate using username/password, there's a number of things you need to do:

  • the service needs a certificate to authenticate itself to the caller, and to provide an encryption mechanism for the exchange of username/passwords and messages. So you will need to create a security certificate and install it on the server machine, and configure it:

    <system.serviceModel>
      <behaviors>
         <serviceBehaviors>
            <behavior name="Internet">
                <serviceCredentials 
                     findValue="MyServiceCertificate"
                     storeLocation="LocalMachine"
                     storeName="My"
                     X509FindType="FindBySubjectName" />
            </behavior>
         </serviceBehaviors>
      </behaviors>
      <services>
          <service name="MyService" behaviorConfiguration="Internet">
             ......
         </service>
      </services>
    </system.serviceModel>
    
  • the client needs to set up a config that defines wsHttpBinding with message security, and username/password client credentials

    <system.serviceModel>
      <bindings>
         <wsHttpBinding>
            <binding name="UserNameWS">
                <security mode="Message">
                    <message clientCredentialType="UserName" />
                </security>
            </binding>
         </wsHttpBinding>
      </bindings>
      <client>
          <endpoint name="Default"
              address="........."
              binding="wsHttpBinding" bindingConfiguration="UserNameWS"
              contract="........." />
      </client>
    </system.serviceModel>
    
  • on the server side, you need to set up a mechanism to authenticate those username/passwords - typically, the easiest way is to use the ASP.NET membership system

    <system.serviceModel>
      <behaviors>
         <serviceBehaviors>
            <behavior name="Internet">
                <userNameAuthentication
                    userNamePasswordValidationMode="MembershipProvider" />
                <serviceCredentials 
    
       .....
    </system.serviceModel>
    
  • before each call from the client, you need to set the username/password on your client-side proxy (this is one of the few things you cannot do in config - works only in code).

    proxy.ClientCredentials.UserName.UserName = "YourUserName";
    proxy.ClientCredentials.UserName.Password = "Top$Secret";
    

Read all about WCF security at the WCF Security Guidance site on Codeplex.


The error message "An unsecured or incorrectly secured fault was received from the other party" is a rather misleading one. A common cause is a difference in the bindings configuration between the client and the server. Check the system.serviceModel section of the web.config at the service side, and modify your client settings to match.


The reason why you can access metadata and cannot call the service is that you are using WsHttpBinding, probably with the default configuration. It uses message security, which is involved only for service usage - not service metadata. It uses Windows credentials and Windows security to encrypt and sign the message. Because of Windows security it works only when both client and server are on the same domain.

Your client is not part of the domain - you can send Windows credentials either with message security or transport security. In case of message security you will have to use clientCredentialType="UserName", the default password validator, and you will have to configure an X509 certificate in the service behavior to support encryption and signing. In case of transport security you will either use HTTPS (X509 certificate configured in http.sys/IIS) or TransportCredentialOnly mode, which will send the Windows user name and password as plain text over HTTP (this is a bad solution). In case of transport security set clientCredentialType="Basic".
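The message-security setup described in the first answer (certificate on the service, UserName client credentials, matching wsHttpBinding on both sides) and in the answer above, written in code rather than config as an added example that is not from the original answers. It assumes a certificate with subject name "MyServiceCertificate" in the LocalMachine/My store that the client already trusts, the address http://localhost:8000/MyService, and a hypothetical DemoValidator standing in for the membership provider.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IMyService { [OperationContract] string Ping(string s); }

public class MyService : IMyService { public string Ping(string s) => "pong:" + s; }

// Hypothetical validator: replace the hard-coded comparison with a lookup against
// your membership store. WCF calls it on the service for every UserName token.
public class DemoValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (userName != "YourUserName" || password != "Top$Secret")
            throw new FaultException("Unknown username or incorrect password");
    }
}

class Program
{
    // The binding both sides must share; a mismatch here is what produces the
    // "unsecured or incorrectly secured fault" error from the question.
    static WSHttpBinding UserNameBinding()
    {
        var b = new WSHttpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return b;
    }

    static void Main()
    {
        var uri = new Uri("http://localhost:8000/MyService"); // assumed address
        var host = new ServiceHost(typeof(MyService), uri);
        host.AddServiceEndpoint(typeof(IMyService), UserNameBinding(), "");
        // Certificate that signs/encrypts the exchange (subject name assumed).
        host.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine,
            StoreName.My, X509FindType.FindBySubjectName, "MyServiceCertificate");
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new DemoValidator();
        host.Open();

        // Client: same binding; the DNS identity must equal the certificate's subject name.
        var address = new EndpointAddress(uri, EndpointIdentity.CreateDnsIdentity("MyServiceCertificate"));
        var factory = new ChannelFactory<IMyService>(UserNameBinding(), address);
        factory.Credentials.UserName.UserName = "YourUserName";
        factory.Credentials.UserName.Password = "Top$Secret";
        Console.WriteLine(factory.CreateChannel().Ping("hi"));
        host.Close();
    }
}
```

If the client does not trust the certificate's chain, the call fails at the client before any credentials are sent; install the issuing CA in the client's trusted root store rather than relaxing CertificateValidationMode.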

