Opening an internal HTTP endpoint with WCF ServiceHost/BasicHttpBinding may cause System.Net.HttpListenerException/System.ServiceModel.AddressAccessDeniedException

When opening a WCF endpoint from a Windows Azure worker role, you may
receive the following exception (debugger output and stack trace shown below):

(bc8.9a0): CLR exception - code e0434352 (first chance)
CLR exception type: System.Net.HttpListenerException
    "Access is denied"
(bc8.9a0): CLR exception - code e0434352 (first chance)
CLR exception type: System.ServiceModel.AddressAccessDeniedException
    "HTTP could not register URL https://+:20001/WCFEp/. Your process does not have access rights to this namespace (see https://go.microsoft.com/fwlink/?LinkId=70353 for details)."
ModLoad: 000007fe'f4760000 000007fe'f484a000   D:\Windows\Microsoft.NET\Framework64\v4.0.30319\diasymreader.dll
Exception: System.ServiceModel.AddressAccessDeniedException: HTTP could not register URL https://+:20001/WCFEp/. Your process does not have access rights to this namespace (see https://go.microsoft.com/fwlink/?LinkId=70353 for details). ---> System.Net.HttpListenerException: Access is denied
   at System.Net.HttpListener.AddAllPrefixes()
   at System.Net.HttpListener.Start()
   at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen()
   --- End of inner exception stack trace ---
   at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen()
   at System.ServiceModel.Channels.TransportManager.Open(TransportChannelListener channelListener)
   at System.ServiceModel.Channels.TransportManagerContainer.Open(SelectTransportManagersCallback selectTransportManagerCallback)
   at System.ServiceModel.Channels.HttpChannelListener.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at XSWorker.WorkerRole.Run() in C:\Azure\WCFWorkerApp\WorkerRole.cs:line 31

The problem happens because Windows Azure grants the listen right for a
port only to a very specific URL namespace (the role instance's own IP address,
not a wildcard). If you run the following command inside the Windows Azure VM:

> netsh http show urlacl

you will see the following:

    Reserved URL            : https://<Azure_VM_IP_ADDRESS>:20001/
        User: CIS\abb03d2d-12c6-2342-a23b-ae45f1233a21
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;S-<GUID>)

When WCF opens the HttpListener for a ServiceHost, it registers the wildcard
prefix https://+:20001/<YourService>/ with HTTP.SYS (this is the behaviour of the
default HostNameComparisonMode.StrongWildcard). That prefix covers every host name
on port 20001, which is broader than the namespace Windows Azure reserved for the
process (a single IP address), so HTTP.SYS refuses the registration and you
receive the exception above.

Solution:

When you create the WCF binding, set HostNameComparisonMode =
HostNameComparisonMode.Exact. With this option WCF registers the complete URL
(scheme, host or IP address, port and path) with HTTP.SYS instead of the wildcard
prefix, so the registration falls inside the namespace Windows Azure reserved for
the role instance and the listener starts. Works
for
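The following is an added example (not code from the original post) of a worker role that opens a BasicHttpBinding endpoint this way. It assumes an internal HTTP endpoint named "WCFEp" declared in the role's ServiceDefinition.csdef, and a hypothetical contract IMyService with implementation MyService; the base address is built from the IP and port Azure assigned to that internal endpoint, which is the same IP:port that appears in the netsh http show urlacl reservation.

```csharp
// Added example, not from the original post. Assumes an internal HTTP endpoint
// named "WCFEp" in ServiceDefinition.csdef and the hypothetical IMyService/MyService.
using System;
using System.Diagnostics;
using System.ServiceModel;
using System.ServiceModel.Channels;
using Microsoft.WindowsAzure.ServiceRuntime;

[ServiceContract]
public interface IMyService
{
    [OperationContract]
    string Ping(string text);
}

public class MyService : IMyService
{
    public string Ping(string text) { return "pong: " + text; }
}

public class WorkerRole : RoleEntryPoint
{
    private ServiceHost _host;

    public override bool OnStart()
    {
        // The internal endpoint's IP:port is exactly what Azure reserved in the URL ACL
        // (the "Reserved URL : http(s)://<ip>:<port>/" line of netsh http show urlacl).
        var ep = RoleEnvironment.CurrentRoleInstance.InstanceEndpoints["WCFEp"].IPEndpoint;
        var baseAddress = new Uri(string.Format("http://{0}:{1}/WCFEp/", ep.Address, ep.Port));

        var binding = new BasicHttpBinding();
        // Default is StrongWildcard, which makes WCF register http://+:<port>/WCFEp/ and
        // trips HTTP.SYS's ACL check. Exact registers the full http://<ip>:<port>/WCFEp/ URL.
        binding.HostNameComparisonMode = HostNameComparisonMode.Exact;

        _host = new ServiceHost(typeof(MyService), baseAddress);
        _host.AddServiceEndpoint(typeof(IMyService), binding, string.Empty);

        try
        {
            _host.Open();
        }
        catch (AddressAccessDeniedException ex)
        {
            // Still refused: compare baseAddress with the reservation shown by
            // "netsh http show urlacl" on the instance before touching ACLs.
            Trace.TraceError("HTTP.SYS refused registration of {0}: {1}", baseAddress, ex.Message);
            throw;
        }

        Trace.TraceInformation("WCF internal endpoint listening at {0}", baseAddress);
        return base.OnStart();
    }

    public override void OnStop()
    {
        if (_host != null && _host.State == CommunicationState.Opened)
        {
            _host.Close();
        }
        base.OnStop();
    }
}
```

Because the host name in the registered URL is the instance IP, clients inside the deployment must address the service by that IP (for example, by looking it up through RoleEnvironment.Roles[...].Instances[...].InstanceEndpoints["WCFEp"]) rather than by a DNS name; a request whose Host header names anything else will not be matched by an Exact registration.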

There is a catch: this solution applies to internal endpoints only, because
only for an internal endpoint is the instance IP address visible to the caller. A
WCF request to an external (input) endpoint arrives through the load balancer, so the
client never knows the internal IP address and its Host header will not match the
service's IP address and port exactly. With Exact matching that request is
rejected, so external endpoints cannot be fixed this way.

References:

https://social.msdn.microsoft.com/Forums/en/windowsazure/thread/c7d913b0-8485-4acb-b66e-c072877083e0

https://social.msdn.microsoft.com/Forums/en/windowsazure/thread/7a767e63-aca7-4ad2-a5c1-afee8cbe041f