WCF/WS: SSL Mutual Client Cert Authentication 403.16 or 403.7

Problem: When attempting to use a client certificate to authenticate to an IIS website or a self-hosted WCF service over an SSL/TLS channel, we receive a 403.16 error code. Troubleshooting: We can collect server-side System.Net traces or WCF activity traces (see the System.Net Tracing collection Steps and WCF Tracing posts). Observation from System.Net traces: You might observe the GetClientCertificate API…


WCF Tracing

WCF Tracing can be configured at three different levels. 1. WCF Verbose Traces: Recommended for DEV issues (captures activities and messages). INCLUDE THIS SECTION INSIDE THE CONFIGURATION FILE OF THE WCF SERVICE / CLIENT APPLICATION. IF A SIMILAR SECTION IS ALREADY PRESENT, DELETE THE EXISTING SECTION FIRST. SET THE VALUE OF 'initializeData' UNDER '<sharedListeners>' TO POINT AT…


System.Net Tracing collection Steps

Ask: System.Net tracing is very helpful for reviewing SSL/TLS and socket-level connection/communication failures. To enable tracing, add the following to the application's configuration file:

  <?xml version="1.0" encoding="utf-8" ?>
  <configuration>
    <system.diagnostics>
      <trace autoflush="true" />
      <sources>
        <source name="System.Net">
          <listeners>
            <add name="System.Net"/>
          </listeners>
        </source>
        <source name="System.Net.HttpListener">
          <listeners>
            <add name="System.Net"/>
          </listeners>
        </source>
        <source name="System.Net.Sockets">
          <listeners>
            <add name="System.Net"/>
          </listeners>
        </source>
        <source name="System.Net.Cache">
          <listeners>
            <add name="System.Net"/>
          </listeners>
        </source>…


ASMX/WS/WCF Web Service: System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host

Issue: An intermittent socket exception is seen on a client application trying to fetch data from MS web services. Troubleshooting: I recommend collecting application-level traces to capture the stack trace information. In addition, we can collect System.Net traces or memory dumps on the specific exception. Detailed stack from the dump: 0:000> !dumpstack OS Thread Id: 0x1708 (0) Current…


WCF/WS/TLS: Get .Net Framework 4.0 application use TLS 1.2 as default protocol

Issue: By default, a .NET application built on Framework 4.0 uses SSL 3.0 or TLS 1.0 as its default protocol. Ask: If we need to force it to use TLS 1.2, review the workarounds below. Workaround 1: Use the line below just before the HTTPS call is attempted (3072 is the numeric value of SecurityProtocolType.Tls12, which the 4.0 enum does not define by name). ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072; Workaround 2: Migrate the existing application to the supported Framework 4.6.2….


WIF: WIF10201: No valid key mapping found for securityToken:

Issue: WIF10201: No valid key mapping found for securityToken: This exception is observed on a federated application (web app / MVC / ASMX / WCF) using the WIF pipeline to authenticate the user. Stack: [SecurityTokenValidationException: WIF10201: No valid key mapping found for securityToken: 'System.IdentityModel.Tokens.X509SecurityToken' and issuer: 'LocalSTS'.] System.IdentityModel.Tokens.SamlSecurityTokenHandler.ValidateToken(SecurityToken token) +987 System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token) +73 System.IdentityModel.Services.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken,…


WCF: Federating WCF with WIF

Ask: Federate a WCF service via WIF. Traditional approach: For a normal web app or MVC app, we follow the FedAuth cookie concept:
  Client -> Federated Application: gets redirected to the STS
  Client -> STS: gets claims
  Client -> Federated Application: validates the claims and issues a FedAuth cookie
  Client -> This time the call is made with…


WCF: Message Security limitation with TLS 1.2 protocol

Issue: WCF Message Security breaks when it uses, or is forced to use, the TLS 1.1 or TLS 1.2 protocol. Repro code: https://1drv.ms/f/s!ArgnWb8iHXB6gqcg43hmT5jjbKJ-IA If we disable SSL 3.0 and TLS 1.0 in the server-side registry key, we get the failure stack below. Failure Stack:
  29 clr!IL_Throw+0x184
  2a System_IdentityModel_ni!System.IdentityModel.SspiWrapper.AcquireCredentialsHandle(System.String, System.IdentityModel.CredentialUse, System.IdentityModel.SecureCredential)+0xd71ca
  2b System_ServiceModel_ni!System.ServiceModel.Security.TlsSspiNegotiation.AcquireDummyCredentials()+0x73
  2c System_ServiceModel_ni!System.ServiceModel.Security.TlsSspiNegotiation..ctor(System.String, Boolean, System.IdentityModel.SchProtocols, System.Security.Cryptography.X509Certificates.X509Certificate2,…


SSL/TLS – Decrypt the encrypted network traces

Ask: As we know, SSL/TLS traffic is encrypted using symmetric keys created during the SSL/TLS handshake. We often need to decrypt this traffic to observe the request/response packets or the client certificates being sent. Tools needed to decrypt the traffic:
  1. Network Monitor 3.4 – https://www.microsoft.com/en-in/download/details.aspx?id=4865
  2. NMDecrypt 2.3.4 – https://nmdecrypt.codeplex.com/
  3. Server Certificate…


SSL/TLS – Introduction To CAPI2 Traces

Introduction: CAPI2 traces are part of the Windows OS and can be enabled from Event Viewer. They are very useful when we deal with SSL/TLS connectivity or client certificate validation issues. To enable:
  1. Open Event Viewer
  2. Navigate to Applications and Services Logs -> Microsoft -> Windows -> CAPI2
  3. Now, remember that this utility captures all…
