WCF Service Binding using allowInsecureTransport=true causes Update Service Reference in Client to fail

Oliver Weichhold · Sep 18, 2010 · Viewed 7.8k times

This is my service configuration in web.config:

<binding name="statefulSessionWithUsernameOverTransport">
  <security authenticationMode="SecureConversation"
    requireSecurityContextCancellation="False" allowInsecureTransport="True">
    <secureConversationBootstrap authenticationMode="UserNameOverTransport"/>
  </security>
  <binaryMessageEncoding />
  <httpTransport />
</binding>

<service name="com.example.FooService"
  behaviorConfiguration="usernamePasswordAuthBehavior">
  <endpoint contract="com.example.FooService.IFooService"
    address="custom" binding="customBinding"
    bindingConfiguration="statefulSessionWithUsernameOverTransport" />
</service>

I am setting allowInsecureTransport=True because in Production the Service will be running behind an SSL Terminating Load Balancer. Calling the Service from my .Net 4.0 Client works without any problems but trying to update the service reference in VS2010 always results in an error:

System.ServiceModel.Channels.TransportSecurityBindingElement Error: Security Policy Export failed. The Binding contains a TransportSecurityBindingElement but no transport security binding element that implements ITransportTokenAssertionProvider. Policy export for such a policy export is not supported.

I understand what it is trying to tell me - which is basically that I've disabled transport security on a binding that requires it to avoid compromising the credentials travelling over the wire. But - that is the whole point of allowInsecureTransport. Could it be that the proxy generator is simply not aware of this attribute?

Update:

It looks like the wsdl generator is indeed unable to deal with the attribute. I had to go back to Message Level Security and a Self-Signed Certificate for development. Using Message Security had the advantage of being able to stick to Cassini for Development instead of going full blown IIS.

<wsHttpBinding>
    <binding name="wshttpDevelopmentBinding">
      <security mode="Message">
        <message clientCredentialType="UserName" />
      </security>
    </binding>
</wsHttpBinding>

Answer

Shawn Hubbard · Oct 13, 2010

I ran into this same issue. The problem seems to be the http transport because it doesn't implement the ITransportTokenAssertionProvider interface, but https does. I was able to get around this in two ways: switch my custom binding to use https transport, which implements the interface, and add enableUnsecuredResponse="true" to the security element in the config, or write a custom binding deriving from HttpTransportBindingElement but implementing the necessary interface.
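The first approach from the answer above, applied to the questioner's binding, as an added example that is not part of the question or the answer. It assumes the service endpoint itself is reachable over HTTPS (the only hop the httpsTransport element can describe), and it keeps the questioner's binding, service and contract names. The answer's second approach (a subclass of HttpTransportBindingElement that implements ITransportTokenAssertionProvider) is not shown.

```xml
<!-- Added example, not the original poster's configuration. Service-side web.config,
     <system.serviceModel> section. Assumption: the endpoint is hosted at an https://
     address; binding and service names are taken from the question. -->
<bindings>
  <customBinding>
    <binding name="statefulSessionWithUsernameOverTransport">
      <security authenticationMode="SecureConversation"
        requireSecurityContextCancellation="False"
        allowInsecureTransport="True"
        enableUnsecuredResponse="True">
        <!-- allowInsecureTransport: the security binding no longer insists on a
             secured transport for the username token (the question's reason for
             the setting). enableUnsecuredResponse: the service may reply without
             message-level security even when the request carried it (the extra
             setting the answer needed). Both widen what the binding accepts, so
             they belong only on a binding whose unsecured hop is inside a trusted
             network segment, e.g. between the TLS-terminating load balancer and
             the service. -->
        <secureConversationBootstrap authenticationMode="UserNameOverTransport" />
      </security>
      <binaryMessageEncoding />
      <!-- httpsTransport implements ITransportTokenAssertionProvider, so WSDL
           policy export succeeds and Update Service Reference works; the
           original httpTransport element does not implement it and triggers
           the "Security Policy Export failed" error quoted in the question. -->
      <httpsTransport />
    </binding>
  </customBinding>
</bindings>

<services>
  <service name="com.example.FooService"
    behaviorConfiguration="usernamePasswordAuthBehavior">
    <endpoint contract="com.example.FooService.IFooService"
      address="custom" binding="customBinding"
      bindingConfiguration="statefulSessionWithUsernameOverTransport" />
  </service>
</services>
```

A quick check after the change: the service's ?wsdl page should now contain a transport token assertion for the endpoint instead of failing, and Update Service Reference in the client should regenerate the proxy. If the generated client binding is then compared against the service binding, both allowInsecureTransport and enableUnsecuredResponse must match on the client side as well, otherwise the client will reject the unsecured response.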