Sunday, 4 September 2011

Web services and wildcard certificate

I’m fiddling with web services that use claims-based authentication, and spent a few hours banging my head against the wall with this scenario.

Imagine you have the following code


Code Snippet
    ' Federation binding with security at the message layer and no secure-conversation session
    Dim binding = New WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential)
    binding.Security.Message.EstablishSecurityContext = False
    binding.Security.Mode = WSFederationHttpSecurityMode.Message
    ' Factory built from the endpoint URL alone: WCF derives the expected DNS identity from the host name
    Dim factory As New ChannelFactory(Of wsClaimsCloudAPI.ClaimsCloudAPIChannel)(binding, "http://admin.wingu.dk/CloudAPI/ClaimsCloudAPI.svc")
    factory.ConfigureChannelFactory()   ' WIF extension method that enables federated client credentials
    factory.Credentials.SupportInteractive = False
    Dim channel = factory.CreateChannelWithIssuedToken(Token)   ' Token: the security token obtained from the STS
    Dim s = channel.getToken()
    MsgBox(s)
and get this error back:

Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'admin.wingu.dk' but the remote endpoint provided DNS claim 'wingu.dk'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'wingu.dk' as the Identity property of EndpointAddress when creating channel proxy.

I’m using a wildcard certificate on the web server, and I guess that’s what is confusing things. Some people claim you can fix this by setting the host identity on the web service binding on the server, but that didn’t seem to work for me. It doesn’t matter, though: the error itself explains what to do. Explicitly specify the identity, so the code becomes

Code Snippet
    Dim endpointUri As New Uri("http://admin.wingu.dk/CloudAPI/ClaimsCloudAPI.svc")
    ' Tell WCF which DNS name to expect from the service certificate; the wildcard cert identifies itself as wingu.dk
    Dim identity As EndpointIdentity = EndpointIdentity.CreateDnsIdentity("wingu.dk")
    Dim remoteAddress As New EndpointAddress(endpointUri, identity, New System.ServiceModel.Channels.AddressHeaderCollection())
    Dim factory As New ChannelFactory(Of wsClaimsCloudAPI.ClaimsCloudAPIChannel)(binding, remoteAddress)

And everything works like a charm.
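The same client-side fix can be expressed in App.config instead of code. The fragment below is an added example and not from the original post; the binding configuration name and the contract name (wsClaimsCloudAPI.ClaimsCloudAPI) are assumptions, while the endpoint URL, the binding settings and the DNS value are the ones used above.

```xml
<system.serviceModel>
  <bindings>
    <ws2007FederationHttpBinding>
      <!-- Mirrors the binding built in code: message security, no secure-conversation session -->
      <binding name="ClaimsBinding">
        <security mode="Message">
          <message establishSecurityContext="false" />
        </security>
      </binding>
    </ws2007FederationHttpBinding>
  </bindings>
  <client>
    <!-- Contract name is an assumption; the address is the one from the post -->
    <endpoint name="ClaimsCloudAPI"
              address="http://admin.wingu.dk/CloudAPI/ClaimsCloudAPI.svc"
              binding="ws2007FederationHttpBinding"
              bindingConfiguration="ClaimsBinding"
              contract="wsClaimsCloudAPI.ClaimsCloudAPI">
      <!-- Expected DNS identity of the service: must match the name the wildcard certificate presents -->
      <identity>
        <dns value="wingu.dk" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
```

With the endpoint defined in config, the factory is created from the endpoint name instead of a URL, and the identity check then expects 'wingu.dk' exactly as the second snippet does. The DNS identity check is what stops the client from accepting a certificate issued for a different host, so the right fix is to set the value to the name the certificate actually carries, not to turn the check off.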

Note that if you call CreateChannelWithIssuedToken() and supply nothing or an invalid token, you will get back:

The address of the security token issuer is not specified. An explicit issuer address must be specified in the binding for target 'http://admin.wingu.dk/CloudAPI/ClaimsCloudAPI.svc' or the local issuer address must be configured in the credentials.

So make sure the token you’re testing with is valid.
