In my WCF4.5 https web service I want to set authorization to specific users/groups, I.e. I only want certain domain users or groups to be allowed to call my service.
In my web.config I have added the following as a simple test to see if every user is disallowed:
<system.web>
<authentication mode="Windows" />
<authorization>
<deny users="*" />
</authorization>
</system.web>
In my bindings section I have a:
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
and a similar entry in my client.
However, when I run my client, it is allowed. So I'm figuring I'm missing something out?
I've read various websites and they either simply mention the above or go into a whole detail about all sorts without a meaningful answer or require hard coding of security in code.
thanks for any help
You need
<allow roles="DOMAIN\Group"/>
Otherwise you deny ALL the users by using <deny users="*" />
<system.web>
<authentication mode="Windows" />
<authorization>
<allow roles="DOMAIN\Group"/>
<deny users="*" />
</authorization>
</system.web>
Related
It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.
</service>
</services>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true"
multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
I understand this is a very common and ambiguous error, and that there's a ton of questions about it already, but none of them have solved my issue. So I'll try to be more thorough and specific:
It's a WCFService that I'm publishing to an external IIS server via FTP. I get this error when I try to view the site in my browser at https://www.domain.com/correctdirectory/JobsService.svc
This is my Web.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<configSections>
<section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=*token*" requirePermission="false" />
</configSections>
<appSettings>
<add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
</appSettings>
<system.web>
<compilation debug="true" targetFramework="4.5.1" />
<httpRuntime targetFramework="4.5.1" />
<customErrors mode="Off"></customErrors>
<httpModules>
</httpModules>
</system.web>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<protocolMapping>
<add binding="basicHttpsBinding" scheme="https" />
</protocolMapping>
<bindings>
<basicHttpBinding>
<binding name="basicHttpBindingConfiguration">
<security mode="Transport">
<transport clientCredentialType="None" proxyCredentialType="None"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service name="WcfServiceAPI.Services.Validation.ValidationService">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="basicHttpBindingConfiguration" contract="WcfServiceAPI.Services.Validation.IValidationService"/>
</service>
<service name="WcfServiceAPI.Services.Jobs.JobsService">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="basicHttpBindingConfiguration" contract="WcfServiceAPI.Services.Jobs.IJobsService"/>
</service>
</services>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
<remove name="ApplicationInsightsWebTracking" />
<add name="ApplicationInsightsWebTracking" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" preCondition="managedHandler" />
</modules>
<directoryBrowse enabled="true" />
<validation validateIntegratedModeConfiguration="false" />
</system.webServer>
<entityFramework>
<providers>
<provider invariantName="System.Data.SqlClient" type="System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer" />
</providers>
</entityFramework>
</configuration>
And here's the things I've made sure:
Project is cleaned in both Debug and Release mode.
Project is built in Debug mode.
The Web.config in the IIS root does not conflict with this Web.config. It basically just enforces https, and handles different filetype requests.
The service is hosted as an application on the IIS (not just a virtual directory)
It works fine when I publish it to a server on the internal network, that has no other websites or services.
I know there's a lot of other applications on the server I'm trying to publish to, but my application is at the root level, so that shouldn't matter, right?
If it matters, I also know that at least one of those applications is an ASMX web service. The owner of the server doesn't know the problem either.
I've also tried downgrading my project to .NET 4.0, since I know his ASMX service runs on that.
Any ideas?
I had already tried moving the directory to the root of the virtual directory, via an external FTP Client (Total Commander), without success, but when I used Visual Studio's built in publishing tool and made sure to have an empty Site Path, it finally started working.
I'm still not sure why that is, but I guess I'll do some research on it another time, when I get time. If anyone knows, comments would be very much appreciated!
This question already has answers here:
Can't access /elmah on production server with Elmah MVC?
(2 answers)
Closed 5 years ago.
I have included elmah.mvc into an Asp.Net MVC application for logging exceptions and custom error logs. It is working fully as intended and I can view the logs within my ELMAH_Error table using a SQL Server, and as well from the web interface through local host URL(http://localhost:20086/elmah).
My question is: How, if possible, can I view my logs through the web interface on a live site and not "http://localhost:20086/elmah". I want to be able to view the Logging information when necessary from any computer. I have implemented Roles and Authentication, so I should be able to go to the correct URL, login with the appropriate credentials, then view the logs.... right?
Is this possible??
No problem. You can use ASP.NET authentication to secure your logs. Basically you want something like this:
<location path="elmah.axd">
<system.web>
<httpHandlers>
<add verb="POST,GET,HEAD"
path="elmah.axd"
type="Elmah.ErrorLogPageFactory, Elmah" />
</httpHandlers>
<authorization>
<allow roles="admin" />
<deny users="*" />
</authorization>
</system.web>
<system.webServer>
<handlers>
<add name="ELMAH"
verb="POST,GET,HEAD"
path="elmah.axd"
type="Elmah.ErrorLogPageFactory, Elmah"
preCondition="integratedMode" />
</handlers>
</system.webServer>
</location>
There's some more details in this ELMAH Tutorial.
It looks like you're using the Elmah.MVC package. With this package you have another option:
<add key="elmah.mvc.requiresAuthentication" value="true" />
<add key="elmah.mvc.allowedRoles" value="admin" />
Ok, I really need help getting this setup. Currently i have an ssl cert installed. I have a wcf service installed in iis as an application. I have set it to require ssl and i am able to connect to the service. Issue is i want windows authentication. and i want to disable anonymous security. Soon as i disable anonymous and keep windows auth. i get an error:
"the authentication schemes configured on the host ('IntegratedWindowsAuthentication') do not allow those configured on the binding 'BasicHttpBinding' ('Anonymous'). Please ensure that the SecurityMode is set to Transport or TransportCredentialOnly.etc etc...."
When i turn anonymous back on with windows auth. Yes i can access the service but it doesn't use the windows auth.. its weird because other files such as test.html for example still require username/password. i don't know how to properly restrict a webservice for windows auth using ssl... can anyone help me?? please
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" strict="false" explicit="true" targetFramework="4.0" />
<customErrors mode="Off"/>
</system.web>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="TransportSecurity">
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
<readerQuotas maxDepth="2147483647"
maxStringContentLength="2147483647"
maxArrayLength="2147483647"
maxBytesPerRead="2147483647"
maxNameTableCharCount="2147483647" />
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="WcfConcur.ConcurService">
<endpoint address=""
binding="wsHttpBinding"
bindingConfiguration="TransportSecurity"
contract="WcfConcur.IConcurService"/>
<endpoint address="mex"
binding="mexHttpsBinding"
contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior>
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpsGetEnabled="true"/>
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>
on the client side, i add a reference to the wcf. and it downloads this automatically. thing is my intial wcf address that is hosted is https://address/whatever.svc and when it downloads it shows http://internal address i don't know if thats the issue
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0,Profile=Client" />
</startup>
<system.serviceModel>
<client>
<endpoint address="http://internal address/wcfConcurService/ConcurService.svc"
binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IConcurService"
contract="wcfConcurRef.IConcurService" name="BasicHttpBinding_IConcurService" />
</client>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_IConcurService" />
</basicHttpBinding>
</bindings>
</system.serviceModel>
</configuration>
The error message thrown, when anonymous access is disabled, seems to indicate an issue with the client configuration.
The client configuration appears to be using the basicHttpBinding which is different from the server configuration which is using wsHttpBinding. To resolve the binding issue, you should copy the server binding configuration to the client configuration file and then update the client endpoint to use the new binding configuration.
Your client configuration should look something like:
<system.serviceModel>
<client>
<endpoint address="https://enter-external-address-here/wcfConcurService/ConcurService.svc"
binding="wsHttpBinding" bindingConfiguration="TransportSecurity"
contract="wcfConcurRef.IConcurService" name="BasicHttpBinding_IConcurService" />
</client>
<bindings>
<wsHttpBinding>
<binding name="TransportSecurity">
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
</wsHttpBinding>
</bindings>
</system.serviceModel>
I've tried several solutions posted around the net, but none of them appear to work.
The response I get to the web service method is:
404: File or directory not found.
When I visit the http version of the AddressService.svc file, I get a service description. When I visit the method (AddressService.svc/ValidateAddress) I get "GET method not allowed", which is expected because it's a POST method only. When I try the https version of the AddressService.svc page I also get the service description. However, when I try to visit the method (AddressService.svc/ValidateAddress), I get the 404/not found result.
Here is what I've got in my web.config currently:
Binding:
<bindings>
<basicHttpBinding>
<binding name="WebServiceSoap">
<security mode="Transport" />
</binding>
</basicHttpBinding>
</bindings>
Service:
<service name="DefiningVoiceWeb.AddressService" behaviorConfiguration="serviceBehavior">
<endpoint address="" binding="webHttpBinding" contract="DefiningVoiceWeb.IAddressService" behaviorConfiguration="web" />
<host>
<baseAddresses>
<add baseAddress="https://www.definingvoice.com/AdminOnly/AddressService.svc" />
</baseAddresses>
</host>
</service>
Service Behavior:
<serviceBehaviors>
<behavior name="serviceBehavior">
<!-- To avoid disclosing metadata information, set the values below to false before deployment -->
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
And I've also added this for CORS:
<httpProtocol>
<customHeaders>
<clear />
<add name="X-Powered-By" value="ASP.NET" />
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Methods" value="GET, POST" />
</customHeaders>
</httpProtocol>
Here's my IAddressService declaration:
[ServiceContract]
public interface IAddressService
{
[OperationContract]
[WebInvoke(Method = "POST",
UriTemplate = "/ValidateAddress",
RequestFormat = WebMessageFormat.Json,
ResponseFormat = WebMessageFormat.Json)]
Address ValidateAddress(Address address);
}
And the AddressService.svc:
<%# ServiceHost Language="C#" Debug="true" Service="DefiningVoiceWeb.AddressService" CodeBehind="AddressService.svc.cs" %>
I've tried solutions from these pages, but none of them appear to work for me:
How to convert wcf http web service to https
SVC WebService works over HTTP, fails over HTTPS
WCF Bindings Needed For HTTPS
I'm happy to try one of the solutions above if it's possible I did something wrong. Let me know if I need to supply more details.
Thanks in advance.
After reading through the link provided by #pepo I found the problem. Here are the sections I edited with the final working configuration:
Service:
<service name="DefiningVoiceWeb.AddressService" behaviorConfiguration="serviceBehavior">
<endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpTransportSecurity" contract="DefiningVoiceWeb.IAddressService" behaviorConfiguration="webHttpBehavior" />
<host>
<baseAddresses>
<add baseAddress="https://www.definingvoice.com/AdminOnly/" />
</baseAddresses>
</host>
</service>
Binding:
<bindings>
<webHttpBinding>
<binding name="webHttpTransportSecurity">
<security mode="Transport">
</security>
</binding>
</webHttpBinding>
</bindings>
Well, why do you edit basicHttp binding configuration when you are using weHttpBinding?
This SO answer might help you (I didn't test it though). There is a nice article referenced explaining how to set up https with webHttpBinding.
I have 2 WCF service working together. One is Class Library and another one in webservice.
Its working fine until now. But if i try to send large amount of data it throw me 413 error...
An exception was thrown: The remote server returned an error: (413) Request Entity Too Large.
Below is web.config file-
For Class Library-
<add key="SMTP" value ="dummy"/>
<add key="BookingEmailFrom" value ="dummy"/>
<add key="BookingEmailToWBD" value ="dummy"/>
</appSettings>
<connectionStrings/>
<system.web>
<compilation debug="true" targetFramework="4.0"/>
<!--
The <authentication> section enables configuration
of the security authentication mode used by
ASP.NET to identify an incoming user.
-->
<authentication mode="Windows"/>
<!--
The <customErrors> section enables configuration
of what to do if/when an unhandled error occurs
during the execution of a request. Specifically,
it enables developers to configure html error pages
to be displayed in place of a error stack trace.
<customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
<error statusCode="403" redirect="NoAccess.htm" />
<error statusCode="404" redirect="FileNotFound.htm" />
</customErrors>
-->
<pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID"/>
</system.web>
<!--
The system.webServer section is required for running ASP.NET AJAX under Internet
Information Services 7.0. It is not necessary for previous version of IIS.
-->
<system.serviceModel>
<services>
<service name="JSONWebService.Service1" behaviorConfiguration="JSONWebService.Service1Behavior">
<endpoint address="../Service1.svc" binding="webHttpBinding" contract="JSONWebService.IService1"
behaviorConfiguration="webBehaviour"/>
For web service client-
<?xml version="1.0"?>
<configuration>
<!--
Note: As an alternative to hand editing this file you can use the
web admin tool to configure settings for your application. Use
the Website->Asp.Net Configuration option in Visual Studio.
A full list of settings and comments can be found in
machine.config.comments usually located in
\Windows\Microsoft.Net\Framework\vx.x\Config
-->
<configSections>
</configSections>
<appSettings>
<add key="ConnectionString" value="Server=dummy;uid=sa;pwd=dummy;database=dummy"/>
---------------------- -->
section enables configuration
of the security authentication mode used by
ASP.NET to identify an incoming user.
-->
section enables configuration
of what to do if/when an unhandled error occurs
during the execution of a request. Specifically,
it enables developers to configure html error pages
to be displayed in place of a error stack trace.
<customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
<error statusCode="403" redirect="NoAccess.htm" />
<error statusCode="404" redirect="FileNotFound.htm" />
</customErrors>
-->
<pages>
<controls>
<add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral,
PublicKeyToken=31BF3856AD364E35"/>
<!--
Upon deployment, the following identity element should be removed or replaced to reflect the
identity under which the deployed service runs. If removed, WCF will infer an appropriate identity
automatically.
-->
<identity>
<dns value="localhost"/>
</identity>
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
<endpoint address="basic" binding="webHttpBinding" contract="JSONWebService.IService1"
behaviorConfiguration="webBehaviour"/>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior" >
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before
deployment -->
</bindings>
</system.serviceModel>
</configuration>
Any help would be really appreciated.
Thanks
You are encountering a WCF default limit on the message size. To raise the limit, use the maxReceivedMessageSize attribute in your web.config file (server side).
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding maxReceivedMessageSize="10000000">
</basicHttpBinding>
</bindings>
</system.serviceModel>
This is probably really late, but for anyone else that is also stuck.
The initial problem is solved by what BilalAlam described (increase the maxRecievedMessageSize) but your issue is the bindings need to be tied to the endpoint via the bindingConfiguration in the endpoint and the name in the binding.
Example
<bindings>
<webHttpBinding>
<binding maxReceivedMessageSize="2147483647" name="NAMETOTIEENDPOINT">
<readerQuotas maxStringContentLength="2000000"/>
</binding>
</webHttpBinding>
</bindings>
<services>
<service>
<endpoint address="basic" bindingConfiguration="NAMETOTIEENDPOINT" binding="webHttpBinding" contract="JSONWebService.IService1" />
</service>
</services>