Wcf – Problem in Hosting WCF Service using wsHttpBinding in IIS

wcfwcf-bindingwcf-security

I am trying to host my service using following configuration.

<system.serviceModel>
    <services>
        <service name="Test.MyService" behaviorConfiguration="MyServiceBehavior">
            <!--         Service Endpoints -->
            <endpoint address="MyTestService" binding="wsHttpBinding" bindingConfiguration="WebserviceHttpBinding" contract="Test.IMyService"/>
            <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
        </service>
    </services>
    <bindings>
        <wsHttpBinding>
            <binding name="WebserviceHttpBinding">
                <security mode="Message">
                    <message clientCredentialType="UserName" negotiateServiceCredential="false"/>
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>
    <behaviors>
        <serviceBehaviors>
            <behavior name="MyServiceBehavior">
                <serviceCredentials>
                    <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="Test.CredentialValidator, Test"/>
                    <serviceCertificate findValue="RPKey" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
                </serviceCredentials>
                <!--           To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
                <serviceMetadata httpGetEnabled="true"/>
                <!--           To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
                <serviceDebug includeExceptionDetailInFaults="true"/>
            </behavior>
        </serviceBehaviors>
    </behaviors>
</system.serviceModel>

When I debug this service, I am having no problem. I hosted this service in IIS using Website. When I browse this service from IIS I am getting following exception.

Server Error in '/MyTestService'
Application.

Keyset does not exist

Description: An unhandled exception
occurred during the execution of the
current web request. Please review the
stack trace for more information about
the error and where it originated in
the code.

Exception Details:
System.Security.Cryptography.CryptographicException:
Keyset does not exist

Source Error:

An unhandled exception was generated
during the execution of the current
web request. Information regarding the
origin and location of the exception
can be identified using the exception
stack trace below.

Stack Trace:

[CryptographicException: Keyset does not exist
]
System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) +369
System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) +151
System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() +85
System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize) +280
System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey() +468
System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate) +85

[ArgumentException: The certificate 'CN=RPKey' must have a private key that is capable of key exchange. The process must have access rights for the private key.]
System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate) +15832031
System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateServerX509TokenProvider() +45
System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement) +73
System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement requirement) +65
System.ServiceModel.Security.SessionRenewSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement requirement) +14
System.ServiceModel.Security.SymmetricSecurityProtocolFactory.OnOpen(TimeSpan timeout) +15334232
System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout) +23
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563
System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout) +101
System.ServiceModel.Channels.SecurityChannelListener1.OnOpen(TimeSpan timeout) +203 System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563 System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout) +87 System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563 System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout) +110 System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563 System.ServiceModel.Security.SecuritySessionSecurityTokenAuthenticator.OnOpen(TimeSpan timeout) +149 System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout) +23 System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563 System.ServiceModel.Security.SecurityUtils.OpenCommunicationObject(ICommunicationObject obj, TimeSpan timeout) +24 System.ServiceModel.Security.SecuritySessionServerSettings.OnOpen(TimeSpan timeout) +878 System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout) +23 System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563 System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout) +153 System.ServiceModel.Channels.SecurityChannelListener1.OnOpen(TimeSpan timeout) +203
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563
System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout) +87
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563
System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout) +110
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563
System.ServiceModel.HostingManager.ActivateService(String normalizedVirtualPath) +135
System.ServiceModel.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath) +654

[ServiceActivationException: The service '/AtlasServices/Service.svc' cannot be activated due to an exception during compilation. The exception message is: The certificate 'CN=RPKey' must have a private key that is capable of key exchange. The process must have access rights for the private key..]
System.ServiceModel.AsyncResult.End(IAsyncResult result) +15700960
System.ServiceModel.Activation.HostedHttpRequestAsyncResult.End(IAsyncResult result) +15623609
System.ServiceModel.Activation.HostedHttpRequestAsyncResult.ExecuteSynchronous(HttpApplication context, Boolean flowContext) +265
System.ServiceModel.Activation.HttpModule.ProcessRequest(Object sender, EventArgs e) +227
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171

Best Answer

This is propabely because on the IIS the account settings are different from the account that you are using to run a local server.

are you working with an X.509 certificate? If so, are you sure you gave read acces privileges to the account that is running the process (that is running IIS) for the file containing the private key?

So if IIS is running under the account Saghar, does Saghar have read privilesges for the key file ?

@update

ArgumentException: The certificate 'CN=RPKey' must have a private key that is capable of key exchange. The process must have access rights for the private key.

this tells me that your IIS account doesn't have permissions to your private key

Related Solutions

.net – Named pipe not found when using WCF netNamedPipeBinding

The stack trace shows that the client-side WCF channel stack failed when trying to derive from the service URL the actual name of the named pipe being used by the service. The service publishes the pipe name (which is a GUID which changes each time the service restarts) by placing a small structure in a named shared memory section which contains the GUID as one of its fields. The name used for the shared memory section is derived from the service URL by applying an algorithm which is compiled into both the server-side and client-side WCF code for the NetNamedPipeBinding.

The exception reported in the question really means that having applied the algorithm to the service URL to come up with a name, the client side code could not open a handle to a shared memory section of that name. This may mean, as the exception message states, that there is no service listening on the service URL used to derive the name. But it can instead mean that the memory section is there, and so is the service, but the client-side code is not running in a security context which allows it to access the shared memory.

On Windows platforms prior to Vista it is fairly unlikely that a WCF client would ever lack the security permissions to open the shared memory, read the pipe name GUID from it, and then successfully connect to the service's pipe. But on Vista and later platforms there are new security mechanisms which make this a much more common failure scenario.

Vista introduced a concept of different namespaces for named kernel objects: there is a Global (machine-wide) namespace, and a Private namespace for each logon session. The NetNamedPipeBinding client code will try both namespaces when looking for the shared memory section which advertises the pipe name. If the server has created the shared memory using a Global name, or if the service and the client are running in the same logon session, then the client will find what it is looking for. If, though, the service cannot create an object in the Global namespace (it always tries to do this first) then it will fall back to creating it the private session namespace, and then only clients running in the same session will be able to see it. Creating Global namespace kernel objects requires a special privilege in Vista and later platforms, which typically only Windows Service processes and applications running "As Administrator" will have. A common pitfall is to try to create a client in a Windows Service attempting to connect to a WCF NetNamedPipe service hosted in an application running in the interactive user session.

The Vista Mandatory Integrity Mechanism can also prevent a putative client connecting to a WCF NetNamedPipeBinding service, if the client code is running in a lower integrity context (e.g. a browser plug-in) than the code hosting the service.

I would imagine that the symptoms reported in the question, with test clients working but real clients not working, are almost certainly caused by the security context of the real clients being inconsistent with that of the service host, for one or other of these reasons.

WCF service could not be activated

That configuration won't be sufficient for logging those error messages.

What you need is two-fold - first the part inside <system.serviceModel> that you already have, to instruct WCF to do logging.

But you also need a second part - inside <system.diagnostics> - to define where to log that information to! Something like this:

<system.diagnostics>
    <sources>
        <source name="System.ServiceModel.MessageLogging" switchValue="Information, ActivityTracing">
           <listeners>
             <add name="messages"
             type="System.Diagnostics.XmlWriterTraceListener"
             initializeData="c:\logs\messages.svclog" />
          </listeners>
        </source>
    </sources>
    <trace autoflush="true" />
</system.diagnostics>

There are a few different log listeners defined in the System.Diagnostics namespace - this one here will be logging the information to a XML-based *.svclog file, which you can then view and analyze using the Service Trace Viewer Tool.

Read more about Configure Message Logging on MSDN.

Best Answer

@update

Related Solutions

.net – Named pipe not found when using WCF netNamedPipeBinding

WCF service could not be activated

Related Topic