Notification Service Authentication to WCF web service

Discussions related to installation and setup of SoftPro products.
JDavis
Posts: 97
Joined: Mon Sep 22, 2008 5:10 pm

Notification Service Authentication to WCF web service

Post by JDavis »

We are using the notification service and it works fine when we point it to a server name such as http://myserver/myservice.svc

If we point it to the same server using a DNS record, we then get the following error in the event log on the Select Server: Failed to send SOAP notification '7536'. The caller was not authenticated by the service.

Any idea on how to fix this? We are using an internal ISA/Proxy server in our network and when making calls via DNS to internal web services we usually have to add the following to our config file to bypass the proxy:

<system.net>
	<defaultProxy>
		<bypasslist>
			<add address=".+" />
		</bypasslist>
	</defaultProxy>
</system.net>

Or, if binding to WCF we simply change the property to bypass proxy in the endpoint.

I've tried adding the above to the Select Server config file, but it didn't help at all. Any ideas? We need to use DNS as we will be running the event notification listener service on a web farm.

Thanks
JDavis
Posts: 97
Joined: Mon Sep 22, 2008 5:10 pm

Re: Notification Service Authentication to WCF web service

Post by JDavis »

I hope someone can reply to this soon.

I have got the service to work with the custom DNS name, but had to resort to using basicHttpBinding for my WCF Event Notification service.

<basicHttpBinding>
	<binding name="basicHttpBinding_EventListener" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00"
			 sendTimeout="00:01:00" allowCookies="false" bypassProxyOnLocal="true"
			 hostNameComparisonMode="StrongWildcard" maxBufferSize="65536" maxBufferPoolSize="524288"
			 maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="false">
		<security mode="None" />
	</binding>
</basicHttpBinding>

When using wsHttpBinding and the DNS record, the Select Server will throw an error about the Identity for the endpoint.

<endpoint address=""
		  binding="wsHttpBinding"
		  bindingConfiguration="WSHttpBinding_EventListener"
		  contract="TG.SoftPro.OrderEventListener.IEventNotificationListener">
	<identity>
		<dns value="localhost" />
	</identity>
</endpoint>

<binding name="WSHttpBinding_EventListener" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00"
		 sendTimeout="00:01:00" bypassProxyOnLocal="true" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
		 maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8"
		 useDefaultWebProxy="false" allowCookies="false">
	<security mode="None">
		<message clientCredentialType="None" negotiateServiceCredential="false" establishSecurityContext="false"/>
		<transport clientCredentialType="None"/>
	</security>
</binding>

We are running our Application Pool for the WCF as a custom domain account. This could be an SPN problem. We will try to do setspn on the account for the DNS to see if that helps with authentication.

If you have any ideas please let me know.
Jon Hussey

Re: Notification Service Authentication to WCF web service

Post by Jon Hussey »

You can try setting the dns identity of the server to the DNS name using the following WCF configuration.

<endpoint address="" binding="wsHttpBinding" contract="IService">
	<identity>
		<dns value="localhost"/>
	</identity>
</endpoint>
JDavis
Posts: 97
Joined: Mon Sep 22, 2008 5:10 pm

Re: Notification Service Authentication to WCF web service

Post by JDavis »

We've tried that and get the error:

Failed to send SOAP notification '7963'. Secure channel cannot be opened because security negotiation with the remote endpoint has failed. This may be due to absent or incorrectly specified EndpointIdentity in the EndpointAddress used to create the channel. Please verify the EndpointIdentity specified or implied by the EndpointAddress correctly identifies the remote endpoint.

When the server is sending the notifications via WCF, what is being used for the client credential security type? If I was creating my own client to access our event listener WCF service, I'd be able to set the Security mode=None in the configuration. I'm assuming that Select Server is programmatically building the client in code so we can't change this setting ourselves? Also, is the call from Select Server using the credentials of the service account it is running under?

Again, this works fine when going directly to the server name, but once we switch the event subscription to use the DNS name it fails.
JDavis
Posts: 97
Joined: Mon Sep 22, 2008 5:10 pm

Re: Notification Service Authentication to WCF web service

Post by JDavis »

Also, setting the DNS node value is for setting the name of the domain that matches the certificate. We are not using a certificate with this service, and would expect message security = NONE to bypass this, but Select Server must be setting the security mode in its client to Message or Transport. Can you confirm this?

This is probably the problem, because when using the machine name as the endpoint address, it can validate the security because the machine name probably has a cert by default.
Mark McKenna

Re: Notification Service Authentication to WCF web service

Post by Mark McKenna »

For SOAP 1.2 we use WSHttpBinding with all default settings (e.g. Message security, use default web proxy, etc.).
JDavis
Posts: 97
Joined: Mon Sep 22, 2008 5:10 pm

Re: Notification Service Authentication to WCF web service

Post by JDavis »

Thanks for the confirmation. We will simply fall back to basicHttpBinding. It would be nice in the future to have more control for the settings for WSHttpBinding in Select.
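
The binding mismatch this thread ends on, shown as an added example that is not from any poster or from SoftPro: the reply above says the Select Server client uses WSHttpBinding defaults (Message security), while the listener binding posted earlier sets security mode="None". The fragment below is a listener-side configuration that matches those defaults and publishes an SPN identity for the DNS alias. The alias events.example.internal, the service type name and the SPN registration on the application-pool account are assumptions, and the thread does not confirm that this resolves the error.

```xml
<!-- Added example: listener-side web.config fragment, not SoftPro's or any poster's own. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- WSHttpBinding defaults written out explicitly, matching what the client
           is said to use: Message security, Windows credentials, SPNEGO negotiation. -->
      <binding name="WSHttpBinding_EventListener"
               bypassProxyOnLocal="true" useDefaultWebProxy="false">
        <security mode="Message">
          <message clientCredentialType="Windows"
                   negotiateServiceCredential="true"
                   establishSecurityContext="true" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <!-- Service type name is a placeholder; use the listener's implementing class. -->
    <service name="PLACEHOLDER.ServiceTypeName">
      <endpoint address=""
                binding="wsHttpBinding"
                bindingConfiguration="WSHttpBinding_EventListener"
                contract="TG.SoftPro.OrderEventListener.IEventNotificationListener">
        <identity>
          <!-- Assumed alias. A WCF client given no explicit identity expects
               host/<hostname taken from the URL> when Windows credentials are used,
               so this SPN must be registered on the domain account that runs the
               application pool (the setspn step mentioned in the thread). -->
          <servicePrincipalName value="host/events.example.internal" />
        </identity>
      </endpoint>
    </service>
  </services>
</system.serviceModel>
```

By contrast, the basicHttpBinding fallback with security mode="None" carries each notification without authentication or encryption, so network access to that listener is the only control left.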