Archive for the ‘interoperability’ Category
Consuming a WCF Service with an unmanaged C++ client with credential passing
After much hassle I eventually got this working. This post explains how I got it to work and tries to pull together the several information sources I found during the investigation.
Service, Step 1 – Bindings and Security
To maximize the interoperability of the WCF service whilst maintaining credential flow, the service needs to be set up in a particular way. The most critical issue is choosing the correct binding and security settings; I spent ages trying to get a basicHttpBinding with security mode “TransportWithMessageCredential” to work. This turned out to be the wrong way to do it (in our scenario). The eventual security mode was “Transport” with the transport clientCredentialType set to “Windows”:
  <basicHttpBinding>
    <binding name="basic">
      <security mode="Transport">
        <transport clientCredentialType="Windows" />
      </security>
    </binding>
  </basicHttpBinding>
This says that security is provided by the transport layer (HTTPS, i.e. SSL underneath HTTP), with the Windows credentials also passed at the transport layer (in the HTTP headers, I think) rather than inside the SOAP message. The next problem is getting the service hosted in IIS.
Service, Step 2 – IIS setup
The authentication settings in IIS must match the service’s binding configuration. In this case this means disabling anonymous access and enabling (Integrated) Windows authentication on the site. Note that the service must be hosted on an SSL site (see the post further down this page on setting up a WCF service with SSL transport security for how to do this). Then try to build and view the service.
If you see an error message saying that the service requires anonymous access, this probably means there is something wrong with your bindings. In my case this was because the service had an automatically generated mex endpoint which did not use the same bindingConfiguration as the application endpoint, so it demanded anonymous access in IIS. It is important that all the endpoints of a service have compatible security settings.
If you see an error message saying that the service requires Windows authentication, this may be due to an IIS configuration problem. (See this blog entry for a possible resolution; note that in my case, due to a complex IIS setup, the instructions weren’t quite right. Basically, make sure that the <IISWebService> section that relates to your site includes the line NTAuthenticationProviders="Negotiate,NTLM".)
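The endpoint-compatibility check from the paragraph above, as an added example that is not part of the original post: a small Python script (standard library only) that reads a web.config, works out the effective security mode and transport clientCredentialType of every endpoint of every service, and lists the endpoints that disagree with the first endpoint of their service. The web.config fragment, the service name and the contract names are constructed for the illustration; it reproduces the mex-endpoint mistake described above and the fix of exposing metadata over the same binding configuration.

```python
"""Check that all endpoints of a WCF service agree on transport security.
Added example, not from the original post: the web.config fragment below is
constructed to reproduce the mex-endpoint mistake described in the text."""
import xml.etree.ElementTree as ET

# Constructed web.config: the application endpoint uses the "basic" binding
# (Transport + Windows) but the generated mex endpoint still uses
# mexHttpBinding, which needs plain HTTP and anonymous access in IIS.
SAMPLE_CONFIG = """<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="basic">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <service name="Demo.TestService">
        <endpoint address="" binding="basicHttpBinding"
                  bindingConfiguration="basic" contract="Demo.ITest" />
        <endpoint address="mex" binding="mexHttpBinding"
                  contract="IMetadataExchange" />
      </service>
    </services>
  </system.serviceModel>
</configuration>"""

# The fix: expose metadata over the same binding configuration as the service.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    'binding="mexHttpBinding"',
    'binding="basicHttpBinding" bindingConfiguration="basic"')

# The mex bindings have fixed security: plain HTTP/anonymous or HTTPS/anonymous.
MEX_SECURITY = {"mexHttpBinding": ("None", "None"),
                "mexHttpsBinding": ("Transport", "None")}


def endpoint_security(config_xml):
    """Map (service name, endpoint address) to the effective
    (security mode, transport clientCredentialType) of that endpoint."""
    root = ET.fromstring(config_xml)
    result = {}
    for svc in root.iter("service"):
        for ep in svc.findall("endpoint"):
            binding = ep.get("binding")
            if binding in MEX_SECURITY:
                sec = MEX_SECURITY[binding]
            else:
                cfg = ep.get("bindingConfiguration", "")
                node = root.find(f".//bindings/{binding}/binding[@name='{cfg}']")
                security = node.find("security") if node is not None else None
                transport = security.find("transport") if security is not None else None
                # WCF defaults when nothing is configured: mode None, no client credential.
                mode = security.get("mode", "None") if security is not None else "None"
                cred = (transport.get("clientCredentialType", "None")
                        if transport is not None else "None")
                sec = (mode, cred)
            result[(svc.get("name"), ep.get("address", ""))] = sec
    return result


def incompatible_endpoints(config_xml):
    """Return [(service, address, security)] for every endpoint whose security
    differs from the first endpoint listed for its service (normally the
    application endpoint).  Anything listed will make IIS demand a different
    authentication setting from the one the main endpoint needs."""
    by_service = {}
    for (svc, addr), sec in endpoint_security(config_xml).items():
        by_service.setdefault(svc, []).append((addr, sec))
    problems = []
    for svc, eps in by_service.items():
        reference = eps[0][1]
        problems += [(svc, addr, sec) for addr, sec in eps[1:] if sec != reference]
    return problems


if __name__ == "__main__":
    print("broken config:", incompatible_endpoints(SAMPLE_CONFIG))
    print("fixed config: ", incompatible_endpoints(FIXED_CONFIG))
```

Point it at a real web.config by replacing SAMPLE_CONFIG with the file contents; an empty list from incompatible_endpoints means IIS can be set to one authentication scheme for the whole application.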
By this point you should be able to view the service in your web browser and view the wsdl.
Service, Step 3 – Improving WSDL interoperability
The default behaviour of WCF allows for wsdl documents and xsd schemas to be imported into the overall wsdl (using the wsdl=wsdl0, xsd=xsd0 syntax). Some client side proxy generation tools are unable to handle these imports. Therefore to improve the interoperability you can do the following:
Use a WSDLExportExtension to include XSD inline
WCF behaviours allow services to override how WSDLs are generated. A custom behaviour can remove all imported xsds and place them inline. Details can be found at http://www.winterdom.com/weblog/2006/10/03/InlineXSDInWSDLWithWCF.aspx
Make all WSDLs appear inline
It may also be possible to use a custom behaviour to inline any imported wsdls; however, as far as I am aware, no-one has created one. On the plus side, as long as all contract types (data, fault, service) share the same XML namespace, no wsdls are imported anyway.
Client, Step 1 – Prepare the WSDL for consumption
Even with the improvements to WSDL interoperability, the C++ proxy generation tool (sproxy) will still fail on the WSDL because the security settings are included as WS-Policy sections (wsp:Policy blocks, plus the wsp:PolicyReference elements in the bindings that refer to them). To get around this, take a local copy of the wsdl by saving it from your web browser, then remove any mention of policy as detailed here.
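Removing the policy by hand is error-prone on a large WSDL, so here is an added example (not part of the original post, and not the procedure linked above) that does it with Python’s standard library: it deletes every top-level wsp:Policy block and every wsp:PolicyReference while leaving the rest of the document, including its namespace prefixes and xmlns declarations, intact. The WSDL below is a constructed, cut-down version of what WCF publishes for the binding in Service, Step 1; the file name in the usage comment is assumed.

```python
"""Strip the WS-Policy sections WCF embeds in its WSDL so that sproxy can parse it.
Added example, not from the original post; the WSDL below is a constructed,
cut-down version of what a WCF service with the "basic" binding publishes."""
import sys
from xml.dom import minidom

WS_POLICY_NS = {"http://schemas.xmlsoap.org/ws/2004/09/policy",   # used by WCF 3.0
                "http://www.w3.org/ns/ws-policy"}                  # W3C WS-Policy 1.5

SAMPLE_WSDL = """<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions name="TestService" targetNamespace="http://tempuri.org/"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:tns="http://tempuri.org/">
  <wsp:Policy wsu:Id="basic_policy">
    <wsp:ExactlyOne><wsp:All>
      <sp:TransportBinding><wsp:Policy><sp:TransportToken><wsp:Policy>
        <sp:HttpsToken RequireClientCertificate="false"/>
      </wsp:Policy></sp:TransportToken></wsp:Policy></sp:TransportBinding>
    </wsp:All></wsp:ExactlyOne>
  </wsp:Policy>
  <wsdl:portType name="ITest">
    <wsdl:operation name="MyOperation"/>
  </wsdl:portType>
  <wsdl:binding name="basic" type="tns:ITest">
    <wsp:PolicyReference URI="#basic_policy"/>
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="MyOperation">
      <soap:operation soapAction="http://tempuri.org/ITest/MyOperation" style="document"/>
    </wsdl:operation>
  </wsdl:binding>
  <wsdl:service name="TestService">
    <wsdl:port name="basic" binding="tns:basic">
      <soap:address location="https://localhost/TestService.svc"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>"""


def _inside_policy(el):
    """True if any ancestor element is itself a WS-Policy element."""
    p = el.parentNode
    while p is not None and p.nodeType == p.ELEMENT_NODE:
        if p.namespaceURI in WS_POLICY_NS:
            return True
        p = p.parentNode
    return False


def strip_policy(wsdl_text):
    """Remove every top-level WS-Policy element (the wsp:Policy blocks under
    wsdl:definitions and the wsp:PolicyReference elements inside bindings).
    Returns (cleaned xml, number of elements removed).  minidom is used rather
    than ElementTree because it keeps the original prefixes and xmlns
    declarations, which the WSDL's QName attributes (type="tns:ITest") need."""
    doc = minidom.parseString(wsdl_text)
    removed = 0
    for ns in WS_POLICY_NS:
        for el in doc.getElementsByTagNameNS(ns, "*"):
            if not _inside_policy(el):      # nested policy goes with its parent
                el.parentNode.removeChild(el)
                removed += 1
    return doc.toxml(), removed


if __name__ == "__main__":
    # usage: python strip_policy.py TestService.wsdl > TestService.nopolicy.wsdl
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_WSDL
    cleaned, n = strip_policy(text)
    sys.stderr.write(f"removed {n} policy element(s)\n")
    print(cleaned)
```

The unused xmlns:wsp and xmlns:sp declarations are left on the root element; they are harmless to sproxy, which only chokes on the policy elements themselves.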
Client, Step 2 – Generate a C++ proxy using sproxy
Open a Visual Studio command prompt (note: you should be able to do this from Visual Studio using “Add Web Reference”, however in practice there seem to be some differences). Navigate to the location where you stored your modified wsdl, and type the following command:
>sproxy /wsdl wsdlfileLocation.wsdl
Client, Step 3 – Include the proxy in your C++ project
Simply take the contents of the file generated in the previous step and paste into a standard C++ header file.
Client, Step 4 – Make the call to the web service
The standard sproxy-generated proxies use CSoapSocketClientT to make the web service calls. However, you can specify a different client type (as long as it conforms to the ATL SOAP Client Archetype), which means we can use CSoapWininetClient; this type goes through WinINet, which has built-in support for secured (HTTPS) communication and Windows authentication, so the client credentials are automatically included. As yet my client is a simple console app, and at the moment it crashes (I’m not a C++ expert!); it does, however, successfully call the service and receive a response.
#include <stdio.h>
#include <tchar.h>
#include <atlsoap.h>          // ATL Server SOAP client classes, including CSoapWininetClient
#include "TestInterface.h"    // the header pasted from the sproxy output (file name assumed)

int _tmain(int argc, _TCHAR* argv[])
{
    CoInitialize(NULL);
    {   // scope the proxy so it is destroyed before COM is uninitialized
        CTestInterfaceT<CSoapWininetClient> cli;   // WinINet supplies the Windows credentials
        int te = 0;
        HRESULT res = cli.MyOperation(&te);
        if (FAILED(res))
            _tprintf(_T("MyOperation failed: 0x%08X\n"), (unsigned)res);
        cli.Cleanup();
    }
    CoUninitialize();   // pairs with CoInitialize above
    return 0;
}
And there we have it ladies and gentlemen! An unmanaged C++ client calling a WCF service with transport level security and authentication.
How to make a visual studio web reference pass message credentials
As part of my investigation into the interoperability of our services I have spent some time trying to consume a sample web service without using “Add Service Reference” (part of .NET 3.0). The standard way of consuming a service in .NET is to add a “Web Reference”, which, behind the scenes, uses wsdl.exe to generate a proxy. The problem with this proxy is that it doesn’t support the WS-* standards, so we have to stop using wsHttpBinding and revert to basicHttpBinding. However, this means that we lose the security context passing (user credentials in the message).
To solve this initial problem you can specify TransportWithMessageCredential (see the previous post, below); this places the credentials in the message and makes sure that the transport is secured (using SSL). The next problem I encountered is that a web reference does not have the ability to pass message credentials. (There is a real gotcha here: the proxy class has a property called Credentials, but these are the credentials used for transport-level authentication, not message-level.)
The way around this is detailed at How to: Add Security Credentials to a SOAP Message
Basically this involves installing Web Services Enhancements (WSE; tested with 2.0 SP3). Version 2.0 of WSE is compatible with .NET 1.1 (a backwards-compatibility requirement). Once installed, take the following steps:
- Add references to your client project to Microsoft.Web.Services2 and System.Web.Services
- Modify a web reference’s Reference.cs file so that the class inherits from Microsoft.Web.Services2.WebServicesClientProtocol
- Where a service call is made to the proxy, first create a UsernameToken, specifying the required username and password and that the password is to be sent in plain text (SSL will protect it)
- Add the token to the client’s RequestSoapContext.Security.Tokens
- Call the web service
using Microsoft.Web.Services2;                  // WebServicesClientProtocol, SoapContext
using Microsoft.Web.Services2.Security.Tokens;  // UsernameToken, PasswordOption

// The proxy's Url must be https: SendPlainText relies on SSL to protect the password.
WebRef.Interface webClient = new WebRef.Interface();
UsernameToken user = new UsernameToken("username", "password", PasswordOption.SendPlainText);
webClient.RequestSoapContext.Security.Tokens.Add(user);
webClient.RequestSoapContext.Security.Timestamp.TtlInSeconds = 60;   // message expires after 60 s
string response = webClient.Operation("request");
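To see what those few lines actually put on the wire, and why SendPlainText is only acceptable together with TransportWithMessageCredential, here is an added Python example (not WSE code, and not from the original post) that builds the equivalent WS-Security header, refuses to send it to anything but an HTTPS URL, and reads the credentials back the way the server sees them. The header layout follows the WS-Security 1.0 UsernameToken Profile; the credentials, SOAP body, endpoint URL and fixed timestamp are constructed.

```python
"""Show what a WSE UsernameToken with PasswordOption.SendPlainText puts on the
wire, and why it must only travel over HTTPS.  Added example, not WSE code: the
header layout follows WS-Security 1.0 / UsernameToken Profile 1.0, and the SOAP
body, endpoint URL, credentials and timestamp are constructed."""
import base64
import os
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def security_header(username, password, ttl_seconds=60, now=None, nonce=None):
    """The <wsse:Security> header: a Timestamp with the requested TTL (the
    TtlInSeconds in the C# above) and a UsernameToken carrying the password
    in clear (Type=PasswordText)."""
    now = now or datetime.now(timezone.utc)
    created = now.strftime(TIME_FMT)
    expires = (now + timedelta(seconds=ttl_seconds)).strftime(TIME_FMT)
    nonce_b64 = base64.b64encode(nonce or os.urandom(16)).decode()
    return (
        f'<wsse:Security soap:mustUnderstand="1" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f'<wsu:Timestamp><wsu:Created>{created}</wsu:Created>'
        f'<wsu:Expires>{expires}</wsu:Expires></wsu:Timestamp>'
        f'<wsse:UsernameToken>'
        f'<wsse:Username>{escape(username)}</wsse:Username>'
        f'<wsse:Password Type="{PASSWORD_TEXT}">{escape(password)}</wsse:Password>'
        f'<wsse:Nonce>{nonce_b64}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
        f'</wsse:UsernameToken></wsse:Security>'
    )


def build_envelope(body_xml, username, password, **token_args):
    """Wrap a SOAP body with the security header (the soap prefix is declared here)."""
    return (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>'
            f'{security_header(username, password, **token_args)}'
            f'</soap:Header><soap:Body>{body_xml}</soap:Body></soap:Envelope>')


def require_https(url):
    """Client-side guard: a PasswordText token over plain HTTP leaks the
    password, which is exactly what TransportWithMessageCredential forbids."""
    if urlparse(url).scheme.lower() != "https":
        raise ValueError(f"refusing to send a plain-text UsernameToken to {url}")
    return url


def read_token(envelope_xml, now=None):
    """Server-side view: extract the credentials and check the timestamp."""
    now = now or datetime.now(timezone.utc)
    ns = {"soap": SOAP, "wsse": WSSE, "wsu": WSU}
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", ns)
    token = sec.find("wsse:UsernameToken", ns)
    expires = datetime.strptime(sec.find("wsu:Timestamp/wsu:Expires", ns).text,
                                TIME_FMT).replace(tzinfo=timezone.utc)
    password = token.find("wsse:Password", ns)
    return {"username": token.find("wsse:Username", ns).text,
            "password": password.text,
            "plaintext": password.get("Type") == PASSWORD_TEXT,
            "expired": now >= expires}


# Constructed request mirroring webClient.Operation("request") in the C# above,
# with a fixed clock so the output is reproducible.
NOW = datetime(2007, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(seconds=61)          # just past the 60 s TTL
ENDPOINT = "https://localhost/TestService.svc"
REQUEST = build_envelope(
    '<Operation xmlns="http://tempuri.org/"><request>request</request></Operation>',
    "alice", "s3cret", ttl_seconds=60, now=NOW, nonce=b"\x00" * 16)

if __name__ == "__main__":
    require_https(ENDPOINT)
    print(REQUEST)
    print(read_token(REQUEST, now=NOW))
```

The password is visible in REQUEST as plain text; the only thing keeping it from anyone on the path is the SSL session, which is why the service side insists on TransportWithMessageCredential rather than a plain basicHttpBinding.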
How to setup a WCF service using basic Http bindings with SSL transport level security
In the .NET 3.0 world you can use wsHttpBinding for your web services. Where your service has to be interoperable with other clients you can also expose a basicHttpBinding. This works fine, but you don’t automatically get things like security and passing of user credentials. To enhance the basic binding you can take advantage of different security settings, one of which is TransportWithMessageCredential: the transport of the messages is secured, so the message can include plain-text credentials without compromising security. This requires a secure transport, in this case HTTPS (SSL).
Setting up a Windows 2003 machine to use SSL (in IIS)
There are several ways of doing this, each with their own frustrations. The method below is the one which actually worked for me (after some methods that didn’t!).
- Control Panel | Add or Remove Programs | Add/Remove Windows Components
- Select Certificate Services
- Install it as a root CA
- Open IIS
- Right click on the default web site and select properties
- Directory Security | Server Certificate
- ‘Assign an existing Certificate’
- Choose the certificate with the name that matches your machine name
Make Visual Studio use an SSL enabled host for the WCF Service
It does not appear to be possible to convert an existing Visual Studio website to an SSL one (and allow it to be debugged with SSL). Therefore you should:
- “add existing website” to your solution.
- Choose Local IIS
- Create a new web application where desired
- check the box to enable SSL (Use Secure Sockets Layer)
- Right click the generated website project and select properties
- Add a reference to your implementation project
- Copy any existing web.config and *.svc files to your new website.
Now right click on the host project and select browse. (note: if the address does not include the filename you may need to manually add this in your browser) If you can see the service/wsdl and the address is https you have succeeded!
Modify your web.config to include a basic binding with transport level security
Use the following binding (play around with the different transport/message security modes if you like):
  <basicHttpBinding>
    <binding name="basicHttp">
      <security mode="TransportWithMessageCredential">
        <transport/>
        <message clientCredentialType="UserName"/>
      </security>
    </binding>
  </basicHttpBinding>
Now in your <service> reference the new binding configuration
When is interoperability not interoperable?
Having spent the past few days ‘proving our web service interoperability’, I have found that interoperability is all very well, but it can be a right royal pain. Our web services are WCF services using all the latest .NET bells and whistles and custom extensions. What I have found is that yes, our services are probably interoperable at a low level, so if you are happy playing about with SOAP messaging you can work with our web services, and in some cases you will be working with even lower-level abstractions. However, the tooling just doesn’t seem to exist for the majority of platforms to automatically generate client proxies for our kinds of services. Oh well, at least they’re interoperable at some level, I suppose.