Support security mode TransportWithMessageCredential

[iamjasonp]

Message level security is not currently supported.
Attempting to use it will throw PlatformNotSupportedException

[fdsprod]

Currently cannot move our Windows 8.1 store application to Windows 10 because this is not implemented.

[oscar55]

Is there any progress related with this topic, Please i need it to work in it.

[ctolkien]

Just got burned by this one too.

[bc3tech]

getting burned by lack of wsHttpBinding here now as well.

[zhenlan]

This is currently still blocked by the lack of message security feature.

[havheg]

I need this too!

[ctolkien]

This has become more pressing for us with the announcement to ASP.NET Core 2 will not target NetStandard2. We need this in to move forward!

They are still going to target NetStandard2, this is however what is holding us to full framework.

[Oosterbosch]

Any news wether this is on the short term roadmap?

[uwbadgerdev]

Any update on the status of fixing this?

[nickcoad]

This has been an issue now for 2 and a half years, why is this basic functionality still not supported?

[kevin-osborne]

I ended up sidestepping WCF altogether to solve this: https://stackoverflow.com/a/48818293

[AliNazar1991]

WSHttpBinding and BasicHttpBinding support for TransportWithMessageCredential with Username and Certificate credentials now merged to master. Next up, support for NetTcpBinding. We have some problems with publishing development packages right now so if you want to test, you will need to build the code yourself until that's resolved.
I would appreciate everyone testing as soon as possible as this area of functionality has many knobs and I only implemented the ones necessary for specific scenarios. If your scenario isn't supported yet, mentioning it early will increase the chance of it being fixed before 3.0 release.

@mconnew In which release of .net core 3.0 will these changes that you have made be available? I have tried with .net core 3 preview 5 but i still get:
The value 'TransportWithMessageCredential' is not supported in this context for the binding security property 'securityMode'.

[mconnew]

@AliNazar1991, I have a PR open right now with changes to implement it for NetTcp. We have a deadlock somewhere in the new codebase that is only showing up on our test infrastructure that I need to resolve before I can merge. But if you want to clone that PR locally and build it, it should work. The deadlock is only related to using a non-default synchronization context, and specifically xunit won't complete the test unless all operations going through the sync context that are started are also completed. If that doesn't mean anything to you, don't worry. It's an edge case that needs to be fixed before RTM but won't affect 99.999% of people. If you are just looking for timing, I would expect it to be in the next preview release.

[cristicatalan]

I can see secure wsHttpBinding with TransportWithMessageCredential is on the way to .Net Core 3.0. Will there also be support for consuming WCF services having wsHttpContextBinding in .Net Core 3.0?

If service Web.config has endpoint such as:

<endpoint address="" binding="wsHttpContextBinding" bindingConfiguration="MyService_Secured" contract="IMyService" />

With binding:

   <bindings>      
      <wsHttpContextBinding>
        <binding name="MyService_Secured" ...>
          <readerQuotas ... />
          <security mode="TransportWithMessageCredential">
            <transport clientCredentialType="None" />
            <message clientCredentialType="UserName" establishSecurityContext="false" />
          </security>
        </binding>
      </wsHttpContextBinding>
   </binding>

[mconnew]

WSHttpContextBinding won't be in .NET Core 3.0. The context feature is a whole other set of classes that would need to be ported in addition to WSHttpBinding. The context feature was designed to be used with Workflow to enable connecting to a Workflow service host and picking up where you were previously for long running workflows. Are you using this outside of Workflow? If so, could you describe your scenario briefly? To be honest with you, this is the first time I've even heard of someone actually using the feature.

[cristicatalan]

@mconnew I don't use Workflow. Thanks for this clarification. The project is part of some legacy code and I suspect WSHttpContextBinding was used unintentionally instead of WSHttpBinding.
I changed the WCF service configuration to use WSHttpBinding, downloaded this repo code, compiled it locally and referenced it in my .NET Core project and it works fine.

[mconnew]

NetTcp, BasicHttp and WSHttpBinding now support TransportWithMessageCredential checked in to master. I would appreciate if anyone needing this feature could try it out for their scenario as it would be best to know what sub-features people need that aren't there sooner rather than later.

[sutaro]

@mconnew Will TransportWithMessageCredential be available in .net core 2?

[mconnew]

We are not moving our dependencies forward to require .NET Core 3.0 as there are no new api's that we need. If you want to stay on .NET Core 2, because of changes to HttpClient, I would recommend using .NET Core 2.2. We still only require netstandard 2.0 so we should still work back to .NET Core 2.0 but there's some behavior differences with HTTP client certificate authentication which might cause you problems if you are using client certs. In earlier releases we have a best effort mitigation because of lack of Continue-100 support in earlier versions of .NET Core which we've now removed. It's only a possible, so you might be fine. If you aren't using client certs, it just becomes a performance issue.

[CumpsD]

@mconnew Any feedback on @crodeheaver question about supporting WS2007FederationHttpBinding?

[mconnew]

@CumpsD, we're in the process of adding support for WS-Federation. We're waiting on another team to provide an implementation of a WS-Trust client which can get the federation token to then communicate with the server. That's then used by WSHttpBinding to communicate with the server. I took a look at WS2007FederationHttpBinding to see how it's different than WSFederationHttpBinding and the difference is that it uses WS2007HttpBinding which we don't have as a specific binding. I checked the protocols used by WS2007HttpBinding and it looks like we probably have most if not all the implementation required to implement it. Can you open an issue specifically for WS2007FederationHttpBinding?

[CumpsD]

Thanks for the quick follow up @mconnew! I've gone ahead and opened a new issue to track it. I'll let it up to you to properly label it according to the repo's standards.

[nmarun]

Hi,

I'm trying to connect to a WCF service which has the below settings:

<binding name="Binding" hostNameComparisonMode="StrongWildcard"> <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"/> <security mode="TransportCredentialOnly"> <transport clientCredentialType="Ntlm" proxyCredentialType="None" realm="" /> <message clientCredentialType="UserName" algorithmSuite="Default" /> </security>

My API is in .net core 2.2. I'm not seeing Default as the algorithm suite. Is this not supported? If so, is there a workaround?

Thanks,
Arun

[OpenSpacesAndPlaces]

@nmarun

I'm not 100% sure on your specific use case, but for some potential workarounds, see some of the hidden comments on this thread. There are options for code configuration/massaging of the raw requests.

[nmarun]

I was able to get this working. I added
AppContext.SetSwitch("System.Net.Http.UseSocketsHttpHandler", false);
to the constructor of my service proxy.
Thanks @OpenSpacesAndPlaces.

[OpenSpacesAndPlaces]

@nmarun

Whenever it's time for you to migrate - it looks like your problem may be fixed in 3.0?
https://github.com/dotnet/corefx/issues/32328
dotnet/corefx#33426
https://github.com/dotnet/corefx/issues/32328#issuecomment-438301134
(also in-case this helps anybody else)

[flacidsnake]

Please, see #1257
Hope this can help