
Both security mode with WSHttpBinding?


Dave Gustafson

Mar 2, 2009, 3:59:33 PM
Is there any way to create a WCF client that can accomplish the effect of
the "Both" security mode with WSHttpBinding ?
We need to create a client that will connect to a service that requires SSL
transport, signing, and message encryption.
The service is built on Java using the Spring framework, and we have been
unable to configure a WCF client that can interoperate.
It appears that NetMsmqSecurityMode is the only enum that offers the "Both"
transfer mode...
Any help on how we can configure our client would be appreciated.


Steven Cheng

Mar 2, 2009, 10:29:35 PM
Hi Dave,

Nice to hear from you again.

Regarding the issue you described, my understanding is that you want to
establish a binding which will support both transport security via HTTPS/SSL
and message layer security (like the default ones supported by
wsHttpBinding), correct?

Based on my understanding, for the built-in predefined bindings (such as
basicHttp or wsHttp), it is not quite easy to change the binding
stack (for the security related elements). My first thought is to define a custom
binding which manually adopts the https transport channel and the message layer
security binding elements. Here is what I've tried in my service:

========customBinding which uses both message and transport security========

<customBinding>
  <binding name="sslWSBinding">
    <security authenticationMode="UserNameForCertificate">
      <localClientSettings maxClockSkew="00:30:00"/>
      <localServiceSettings maxClockSkew="00:30:00"/>
    </security>
    <textMessageEncoding messageVersion="Soap11"/>
    <httpsTransport requireClientCertificate="false"
                    authenticationScheme="Anonymous"/>
  </binding>
</customBinding>
==============================================

As you can see, I added "httpsTransport" to enable https at the transport
layer, and "UserNameForCertificate" to enable username + certificate
authentication security at the message layer. However, at runtime, when I view
the WSDL metadata page, it reports the following error:


========Exception from wcf security policy generation=========

An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true,
whose value is:
System.InvalidOperationException: An exception was thrown in a call to a
policy export extension.
Extension: System.ServiceModel.Channels.SymmetricSecurityBindingElement
Error: Security policy export failed. The binding contains both a
SymmetricSecurityBindingElement and a secure transport binding element.
Policy export for such a binding is not supported. ---->
System.InvalidOperationException: Security policy export failed. The
binding contains both a SymmetricSecurityBindingElement and a secure
transport binding element. Policy export for such a binding is not
supported.
......................

=====================

I think this probably means that a binding with security at both layers is not
supported by the current WCF bindings. Meanwhile, I'll try performing
some further research to see whether there is anything else we can try.
I'll update you if I get any new info.


Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msd...@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

Note: MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 2 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions. Issues of this
nature are best handled working with a dedicated Microsoft Support Engineer
by contacting Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: "Dave Gustafson" <msne...@nospam.nospam>
Subject: Both security mode with WSHttpBinding?
Date: Mon, 2 Mar 2009 13:59:33 -0700

Dave Gustafson

Mar 3, 2009, 10:08:11 AM
Thanks Steven,

I've been scouring the WCF Security Guide.

p.89 says: "The following security modes are available across the standard
bindings."

but then p. 99 says about "Both security": "Note that this is not a common
scenario, and only bindings that support the Microsoft Message Queuing
(MSMQ) protocol support this security mode."

p. 126 says: "In WCF, you have two primary choices for providing security:
either you provide the transfer security on the transport level, or on the
message level"
p. 127 table claims: "... This is far more than is needed in most
scenarios."

Unfortunately we are not creating the server, we must act as a client to
interoperate with the system created by the USDOL. Even though this may be
far more than is needed in most scenarios, we can't make that decision.
So-far we are the only state that is at the point of implementation testing
that is using a Microsoft platform. All of the states that are implementing
on various Java platforms are not running into this problem.

In our initial development we were not able to configure WCF to encrypt only
the content of an element inside the payload. We were able to have them
change to encrypting the entire content of the body, but when they moved
their development URL to an HTTPS transport, we can't get the message to
encrypt at all.

At this point any option that will work would be welcome.

Thanks!
Dave

"Steven Cheng" <stc...@online.microsoft.com> wrote in message
news:1oT8MB7m...@TK2MSFTNGHUB02.phx.gbl...

Steven Cheng

Mar 5, 2009, 12:40:09 AM
Hi Dave,

After some further investigation, I've made some progress on this. Actually,
the error I encountered last time is reported by the WSDL/metadata
generation behavior, which doesn't quite support generating the service policy
for such a binding (using both transport and message layer security).

However, I tried directly calling the service (manually defining the app.config
at the client) without using "Add Service Reference" to generate the proxy, and
it works. My test scenario is using "UserNameForCertificate" authentication
at the message layer (and also signing the message) and using HttpsTransportBindingElement
for the transport. I have built a solution to demonstrate this;
if you feel it necessary, I can send you my test solution package. You can
reach me at the following address:

"stcheng" + @ + "microsoft.com"

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


--------------------
From: "Dave Gustafson" <msne...@nospam.nospam>

References: <eXhVKn3m...@TK2MSFTNGP05.phx.gbl>
<1oT8MB7m...@TK2MSFTNGHUB02.phx.gbl>
Subject: Re: Both security mode with WSHttpBinding?
Date: Tue, 3 Mar 2009 08:08:11 -0700
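An added example, not part of the thread and not Steven's test solution: the same binding stack (HTTPS transport underneath UserNameForCertificate message security, SOAP 1.1 text encoding) built in code instead of app.config, with the proxy opened through ChannelFactory<T> so that nothing depends on metadata export, which this binding cannot produce. The contract IReportService, the service URL, the certificate DNS name and the thumbprint are placeholders; the MessageProtectionOrder and algorithm-suite settings are assumptions about what a Java WS-Security stack expects, not values taken from the thread.

```csharp
// Added example: transport (HTTPS) plus message (UserNameForCertificate) security
// on an HTTP endpoint, built as a CustomBinding in code. Contract, address,
// certificate DNS name and thumbprint are hypothetical placeholders.
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;

// Hand-written contract: "Add Service Reference" / svcutil cannot be used because
// WCF refuses to export policy for a binding that carries both a
// SymmetricSecurityBindingElement and a secure transport element.
[ServiceContract(Namespace = "urn:example:reports")]
public interface IReportService
{
    [OperationContract]
    string Submit(string payload);
}

public static class BothModeClient
{
    // Transport security (SSL) plus message security (username token protected by
    // the service certificate, body signed and encrypted). WSHttpBinding cannot express
    // this combination; CustomBinding can, and a hand-configured client works at runtime.
    public static CustomBinding CreateBinding()
    {
        SymmetricSecurityBindingElement security =
            SecurityBindingElement.CreateUserNameForCertificateBindingElement();
        security.MessageSecurityVersion =
            MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
        security.IncludeTimestamp = true;
        // Assumption: sign first, then encrypt, which is what most Java stacks expect.
        security.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
        security.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
        // Mirrors the 30-minute skew tolerance from the thread's config sample.
        security.LocalClientSettings.MaxClockSkew = TimeSpan.FromMinutes(30);

        var encoding = new TextMessageEncodingBindingElement
        {
            MessageVersion = MessageVersion.Soap11
        };

        var transport = new HttpsTransportBindingElement
        {
            RequireClientCertificate = false,
            AuthenticationScheme = AuthenticationSchemes.Anonymous
        };

        // Element order matters: security above the encoder, transport last.
        return new CustomBinding(security, encoding, transport);
    }

    public static ChannelFactory<IReportService> CreateFactory(
        string serviceUrl, string serviceCertDnsName, string serviceCertThumbprint,
        string userName, string password)
    {
        // The DNS identity must match the message-security certificate's subject,
        // which is not necessarily the same certificate that terminates SSL.
        var address = new EndpointAddress(
            new Uri(serviceUrl), EndpointIdentity.CreateDnsIdentity(serviceCertDnsName));

        var factory = new ChannelFactory<IReportService>(CreateBinding(), address);

        factory.Credentials.UserName.UserName = userName;
        factory.Credentials.UserName.Password = password;

        // Pin the service certificate used for message encryption by thumbprint
        // rather than trusting whatever the SSL channel presents.
        factory.Credentials.ServiceCertificate.SetDefaultCertificate(
            StoreLocation.LocalMachine, StoreName.TrustedPeople,
            X509FindType.FindByThumbprint, serviceCertThumbprint);
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;

        return factory;
    }

    public static void Main()
    {
        // Placeholder values; replace with the real endpoint and certificate.
        ChannelFactory<IReportService> factory = CreateFactory(
            "https://reports.example.gov/service", "reports.example.gov",
            "0000000000000000000000000000000000000000", "stateuser", "secret");
        IReportService proxy = factory.CreateChannel();
        try
        {
            Console.WriteLine(proxy.Submit("<report/>"));
            ((ICommunicationObject)proxy).Close();
        }
        catch (CommunicationException ex)
        {
            Console.Error.WriteLine(ex.Message);
            ((ICommunicationObject)proxy).Abort();
        }
        finally
        {
            factory.Close();
        }
    }
}
```

Two checks worth doing before blaming the binding: capture the outbound SOAP with WCF message logging and confirm a wsse:Security header with an EncryptedKey, Signature and EncryptedData element is present, which proves the message layer is active independently of SSL; and verify the DNS identity and thumbprint against the certificate the remote side actually uses for message encryption, since a mismatch there surfaces as a MessageSecurityException rather than an SSL error. Swapping the security element for SecurityBindingElement.CreateMutualCertificateBindingElement() and setting RequireClientCertificate = true gives the client-certificate-at-both-layers variant; whether that combination interoperates with a given Java service is not established anywhere in this thread.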

Dave Gustafson

Apr 5, 2009, 10:45:05 AM
We have finally achieved some success with our Java and WCF interoperability
issue. It took some adjustments at both ends of the conversation, but we
were able to finally get it to work with both transport and message
encryption.

Along the way, the information on interoperability being developed by the
Australian government was very helpful. If anyone is running into
interoperability issues, I would suggest reviewing the documentation on
secure messaging found at:

http://203.110.153.105/index.php?option=com_docman&task=cat_view&gid=129&Itemid=139
"NEHTA is working to define national standards and shared infrastructure to
ensure that the electronic exchange of clinical information between
healthcare providers is reliable and secure.

NEHTA has recommended that a broad set of interoperability standards be
adopted. A key feature of the work is to develop strategies to support the
transition of existing messaging approaches towards a more interoperable
future. "

Thanks for all your help!

Dave Gustafson


Steven Cheng

Apr 6, 2009, 12:14:59 AM
Thanks for your followup Dave,

I'm really glad to hear the good news on your progress. Also, I think this
is really valuable info for other guys who are also working on
WCF/webservice interop between different platforms. If possible, I'd
recommend you publish this case study in a blog entry so that more
community members can benefit from it.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



--------------------
From: "Dave Gustafson" <msne...@nospam.nospam>
References: <eXhVKn3m...@TK2MSFTNGP05.phx.gbl>

Subject: Re: Both security mode with WSHttpBinding?

Date: Sun, 5 Apr 2009 08:45:05 -0600

dhirend...@gmail.com

Apr 28, 2014, 2:52:14 PM
On Monday, April 6, 2009 9:44:59 AM UTC+5:30, "Steven Cheng" wrote:
> Thanks for your followup Dave,
>
> I'm really glad to hear the good news on your progress. Also, I think this
> is really valuable info for other guys who are also working on
> WCF/webservice interop between different platforms. If possible, I'd
> recommend you publish this case study in a blog entry so that more
> community members can benefit from it.
>
> Sincerely,
>
> Steven Cheng
>
> Microsoft MSDN Online Support Lead
>
Hi Steven,

I tried the custom binding sample above; however, it did not work for the scenario where we wanted to support two levels of authentication:

1. X509 client certificate at IIS level (mutual authentication): https + client certificate
2. X509 certificate for message level security (server certificate + client certificate)

I only see that the netmsmq binding supports authentication at the transport level and the message level.
Do you have any sample to support authentication at both the transport level and the message level?