I am at my wits' end on this one.
FYI, I work in infrastructure, not .net development, so I know very little about WCF and next to nothing about Visual Studio as an environment, but I don't think that's where the problem lies.
We have a WCF service running on a couple of IIS 7.5 servers on our internal network. This is exposed to the outside world via reverse proxy on Apache 2.2.15 on Fedora 11. The reverse proxy handles load balancing between the IIS servers, as well as SSL.
The WCF service is configured to use transport level security, and the IIS servers have self-signed SSL certificates. The reverse proxy does not authenticate the IIS servers, and the only reason we have SSL on the IIS servers in the first place is so the WSDL will present the correct location URL.
We thought we had it working perfectly, but there's one annoying and crucial exception: the WSDL can't be added as a service reference in Visual Studio on machines running Windows Vista or later. On an XP machine, it's fine, but anything later throws the following error:
There was an error downloading
'[URL]'. The operation has timed out
Metadata contains a reference that
cannot be resolved: '[URL]'. An error
occurred while making the HTTP request
to [URL]. This could be due to the
fact that the server certificate is
not configured properly with HTTP.SYS
in the HTTPS case. This could also be
caused by a mismatch of the security
binding between the client and the
server. The underlying connection was
closed: An unexpected error occurred
on a send. Received an unexpected EOF
or 0 bytes from the transport stream.
If the service is defined in the
current solution, try building the
solution and adding the service
reference again.
The WSDL is accessible through a browser, or through regular SOAP, on any machine and without any SSL complaints. It's just Visual Studio that has an issue.
Initial Googling revealed that it might be a problem with the cipher suite that VS used, suggesting that VS on Vista or later would by default attempt to use TLS1.0 in HTTPS connections, and if an intermediary device didn't support that protocol, it would just drop the request. This is definitely not the case, though. The reverse proxy explicitly prefers TLS1.0, and even when viewing the WSDL through a browser, it flags up as using TLS1.0 for the connection.
Having pointed the proxy at other functioning WCF services on different IIS servers, the same error occurs, leading me to assume it revolves around the reverse proxy configuration. The trouble is that it seems to be identically configured to another reverse proxy carrying out the same task elsewhere.
It's presumably some transport level issue around how VS establishes HTTPS connections on different operating systems, but I simply don't know enough about it to hazard a guess about what that might be. Anyone have any suggestions?
Well, that was embarrassing.
I'm sure there's some unwritten cosmic law that results in me finding the incredibly simple solution to a problem I've been grinding away at for days about ten minutes after posting it up on StackOverflow.
The ServerName directive in the virtual host config didn't match the URL. It did match the certificate (which has a Subject Alternative Name, so it didn't throw up any SSL warnings), but that wasn't the name I was accessing it with.
I'm assuming there's some extension of TLS1.0 that VS uses which enforces this, which isn't used by browsers or SOAP clients. This is probably useful information for anyone else trying this with a certificate that has Subject Alternative Names. It wouldn't have come up otherwise.
Related
I am writing a webdav server for embedded system. Everything goes normal until I tested it with windows client, the miniredir.
It became extremely slow when accessing the data with miniredir. I captured the network traffic and found that everytime I made a move, the miniredir tried to connect to the server via SMB first. (SYN package sent to 137,138,139,445) and the expolrer view would not show until the SMB request failed a few times, which takes more than 20s.
I also tried miniredir with Apache+mod_dav, same delay was observed (make sure the server machine disabled SMB service).
Is there anyone solved this problem? or if there's any work around solution for XP?
BTW: After a few days' debugging, now I believe MS Miniredir is not a qualified WebDAV client. A lot of bugs and shorting comings were reported, but MS didn't do much improvement. http://www.greenbytes.de/tech/webdav/webdav-redirector-list.html
Significant delays can be encountered when accessing WebDAV resources if Internet Explorer is configured to auto-detect proxy servers. Try following these instructions for disabling proxy auto-detection and see if that helps.
After a few days' debugging, now I believe MS Miniredir is not a qualified WebDAV client.
I think this is an overstatement. The only documented issue in XP/SP3 is a by-default lack of support for basic auth, and there is a workaround for this. "When you hear hoofbeats, look for horses, not zebras."
We have an existing certificate (global sign) that works fine when a Windows Mobile application (.NET 3.5) tried to consume the web service (also written in .NET 3.5) that is hosted on IIS.
However the when we make the re-issued certificate (global sign) live, the Windows Mobile application is failing to connect to the web service, the error we are getting is "Could not establish trust relationship with remote server". Ive tried searching for this on Google many times and have not found a suitable fix.
We have also tried to copy (and install) the ROOT and intermediate certificate in the chain to the device, but this still does not work.
When we test the new certificate with a PC web browser (IE, Firefox, Opera), a Desktop application that consumes the web service (.NET 3.5), and even Internet Explorer on the Windows Mobile device the .NET web service definitions/documentation page is show without problems (no warnings, or errors), it seems to only be an issue on the windows mobile device when using a compact framework (3.5) application is trying to consume the web service.
We have validated that the certificate is installed correctly on the SSL shopper site, and after our google searches we came across and implemented (as a test) a "trust all" ICertificatePolicy handler, this has resolved the problem, however i was hoping that this problem could be addressed by configuration/setup change rather than a code change and a re-deployment of over 150 windows mobile based devices.
The ICertificatePolicy hander did show up the error that was being returned when trying to validate the certificate: the problem parameter was set to: -2146762481 (0x800B010F in HEX), which i believe is the "CN No MATCH" error, however Ive searched for this in both its numeric, hex and name form and have yet to find a resolution other than the "Trust all" code change.
I thought I would post the answer here in case anyone else runs in to this problem. I've not found a 100% rock solid explanation, but we have managed to make it work and this has made me come up with a hypothesis as to the problem:
It appears that the compact framework seems to be taking the first Common Name (CN) off the "Subject Name Alternative" field of the SSL certificate and only evaluating the certificate against that whilst the full framework, IE and IE on the mobile device seemed to be using both. My reasoning for believing this is below:
The PDA application was accessing the url:
https://AMobileWebService.com/Webservice.asmx
Our old SSL certificate that worked had the following in the "Subject Alternative Name":
DNS Name=AMobileWebService.com
DNS Name=www.AMobileWebService.com
And the new certificate that did not work was contained the following in the same field:
DNS Name=www.AMobileWebService.com
DNS Name=AMobileWebService.com
When we changed the application to use https://www.AMobileSebService.com/Webservice.asmx, the old certificate (that was previously working) failed to establish a trusted relationship, and the new certificate worked (but previously did not).
As I mentioned earlier this leads me to believe that the .NET CF is only retrieving the first name in the SSL certificate and then evaluating the url host name against that, rather than doing it against both as in the full .NET Framework.
We came to this conclusion by implementing a "trust all certificates" work around that we found on stackoverflow:
https://stackoverflow.com/questions/6552598/system-net-webexception-thrown-when-consuming-a-web-service-over-https
The problem parameter on the workaround was returning the value -2146762481. Searching on hex representation of the value (0x800B010F) pointed me to the following information: https://blogs.technet.microsoft.com/rrasblog/2007/09/26/how-to-debug-sstp-specific-connection-failures/
The error turned out to be the constant : CERT_E_CN_NO_MATCH
As part of a ClickOnce deployment I'm running mage.exe
mage.exe -Sign "manifest file" -CertFile Cert.pfx -Password yepit5right -TimeStampUri http://timestamp.verisign.com/scripts/timstamp.dll
the certificate comes from Verisign in the first place so using their timestamping service.
This works fine on some machines but not others, and they come back with the very readable error code of -2147012865 which translates to error 12031 - ERROR_INTERNET_CONNECTION_RESET.
I can connect out through IE on that machine to sites such as stackoverflow.com and so the proxy settings which it needs appear to be correct.
Does mage.exe support authenticating proxies? This used to work, over a year ago now, before we had a major outbound proxy change which I think included changing from non-authenticating to using integrated authentication at the proxy layer.
Thanks
Not a great answer but it turns out that mage.exe cannot authenticate through to a proxy when making the request out to the timestamping service.
To get around this restriction I have added the source machine and the target URL to our outbound proxy's "whitelist" of requests that are allowed out without requiring proxy authentication. As you could imaging doing this within a corporate environment where the security team own that list was not a simple task, I much prefer cracking the technical nut.
As soon as this was added mage.exe started behaving as expected, and as it behaves in our test environments which have a non-authenticating proxy.
I'm using the AJAX Test Server in Rational Application Developer. I'm posting a form to another host for authentication. That host takes a URL to redirect to after authentication. However, it insists on using HTTPS whenever it sends the 302 response. The low hanging fruit would be to just use HTTPS locally.
Looking at the launch configuration, the AJAX Test Server appears to be a custom Apache HttpCore server. I haven't spotted anything in the configuration guide.
Is there a way to access this test server via HTTPS?
This is for demo and local development purposes; not production.
Speaking from working with WAS (WebSphere Application Server) in RAD, I'm pretty sure the answer would be yes. The server (at least with WAS) has both secure and "unsecure" ports.
What I have noticed is that when the server is built with the install (at least with the newer versions of the products 7.5+), the ports used are different per install. This is to help with not conflicting with other applications that may use those ports.
So https is probably fine. You just may have to use it over port 302 or some other port.
If there is no admin console for viewing your ports, you could always try the Window | Preferences option under your menu items. Sometimes IBM hides server config stuff in there.
I am a beginner to webservice concepts. Now I know how to deploy webservice in IIS. I checked the webservice URL
There I can see SOAP protocol contents and WSDL (after url type ?WSDL).
My questions are:
Can I run the webservice by replacing localhost with my IP
address any where outside systems
Do I need to study SOAP and WSDL seperately at any time though both
are generated by visual studio
itself
1: broadly yes, but it depends on your IIS configuration and network topology. Typically, most of the internet won't be able to address your IIS unless you have configured the firewall etc. And DNS would be more typical for public servers. In complex scenarios you may have host-headers, multiple NICs/IPs, or other complications meaning that the IP (by itself) does little.
2: Entirely up to you; it depends largely on the project. If you are only serving your own projects, you can probably ignore the WSDL and rely on VS to do the right thing. If interop/portability is a major concern (to other frameworks/languages), then perhaps write the WSDL first.