Opening an internal http endpoint with WCF ServiceHost/BasicHttpBindings may cause System.Net.HttpListenerException/System.ServiceModel.AddressAccessDeniedException


When using a WCF endpoint in Windows Azure, you may receive the
following exception:

 

(bc8.9a0): CLR exception - code e0434352 (first chance)
CLR exception type: System.Net.HttpListenerException
    "Access is denied"

(bc8.9a0): CLR exception - code e0434352 (first chance)
CLR exception type: System.ServiceModel.AddressAccessDeniedException
    "HTTP could not register URL http://+:20001/WCFEp/. Your process does not have access rights to this namespace (see http://go.microsoft.com/fwlink/?LinkId=70353 for details)."

ModLoad: 000007fe`f4760000 000007fe`f484a000   D:\Windows\Microsoft.NET\Framework64\v4.0.30319\diasymreader.dll

Exception: System.ServiceModel.AddressAccessDeniedException: HTTP could not register URL http://+:20001/WCFEp/. Your process does not have access rights to this namespace (see http://go.microsoft.com/fwlink/?LinkId=70353 for details). ---> System.Net.HttpListenerException: Access is denied
   at System.Net.HttpListener.AddAllPrefixes()
   at System.Net.HttpListener.Start()
   at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen()
   --- End of inner exception stack trace ---
   at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen()
   at System.ServiceModel.Channels.TransportManager.Open(TransportChannelListener channelListener)
   at System.ServiceModel.Channels.TransportManagerContainer.Open(SelectTransportManagersCallback selectTransportManagerCallback)
   at System.ServiceModel.Channels.HttpChannelListener.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at XSWorker.WorkerRole.Run() in C:\Azure\WCFWorkerApp\WorkerRole.cs:line 31

 

 


The problem occurs because Windows Azure is very specific when
granting listening rights on a port. If you run the following command in a
Windows Azure VM:


> netsh http show urlacl


You will see the following:

    Reserved URL            : http://<Azure_VM_IP_ADDRESS>:20001/
        User: CIS\abb03d2d-12c6-2342-a23b-ae45f1233a21
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;S-<GUID>)


In WCF, opening the HttpListener for a ServiceHost specifies the wildcard URL
http://+:20001/<YourService>/,
which exceeds what is granted by Windows Azure, so you receive
an exception.


Solution:

When you create the WCF binding, set HostNameComparisonMode =
HostNameComparisonMode.Exact.
This way you let WCF specify the complete URL, and not the wildcard,
when starting the listener. Works
for


There is a catch in this solution: it applies to internal
endpoints only, because the IP address is visible only for internal endpoints. A
WCF connection request from an external endpoint comes through the
load balancer, and this request does not know the internal endpoint IP address,
so the request headers will not match the service’s IP address and port exactly,
and this causes WCF to reject connections for external endpoints.
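
The fix described above, as an added example that is not code from the original post: a worker role opens its ServiceHost on an internal endpoint with HostNameComparisonMode.Exact. The endpoint name WCFEp and the IEchoService/EchoService types are assumptions made for the example.

```csharp
using System;
using System.Diagnostics;
using System.Net;
using System.ServiceModel;
using Microsoft.WindowsAzure.ServiceRuntime;

// Hypothetical contract and service, used only for this example.
[ServiceContract]
public interface IEchoService { [OperationContract] string Echo(string text); }
public class EchoService : IEchoService { public string Echo(string text) { return text; } }

public class WorkerRole : RoleEntryPoint
{
    private ServiceHost host;

    public override bool OnStart()
    {
        // "WCFEp" is an assumed internal endpoint name declared in ServiceDefinition.csdef.
        IPEndPoint ep = RoleEnvironment.CurrentRoleInstance
            .InstanceEndpoints["WCFEp"].IPEndpoint;
        var address = new Uri(string.Format("http://{0}:{1}/WCFEp/", ep.Address, ep.Port));

        // Exact makes WCF register http://<ip>:<port>/WCFEp/ with HTTP.SYS instead of
        // the wildcard http://+:<port>/WCFEp/, so the registration falls under the
        // narrow URL reservation shown by "netsh http show urlacl".
        var binding = new BasicHttpBinding
        {
            HostNameComparisonMode = HostNameComparisonMode.Exact
        };

        host = new ServiceHost(typeof(EchoService));
        host.AddServiceEndpoint(typeof(IEchoService), binding, address);
        try
        {
            host.Open();
        }
        catch (AddressAccessDeniedException ex)
        {
            // Still denied: the address is not covered by any existing reservation.
            Trace.TraceError("URL ACL mismatch for {0}: {1}", address, ex.Message);
            host.Abort();
            throw;
        }
        return base.OnStart();
    }
}
```

Building the address from the instance endpoint at run time keeps the registered prefix equal to the reserved one, so the role account needs no broader URL ACL than the one Azure already granted.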





 
