A fairly common practice with WCF services that are meant purely for internal consumption within the firewall is to use a URL such as http://machineName/serviceName and not bother with creating special DNS entries for the service. And because the hosting servers often have multiple web applications running on them, using different port numbers for each web application or service is also a fairly common practice and you get URLs like http://machineName:nnnn/serviceName (where nnnn equals some port number).
When accessing these services from BizTalk, there’s usually no problem when security is not enabled on the service. However, this simple addition of a port number to the Address can be a bit problematic when configuring the Send Port to access a secure service.
In our scenario, we are calling a WCF service that uses message-based security with Windows authentication. Configuring the send port for this is a pretty straightforward activity. Selecting the Security tab in the Transport Properties allows you to configure the WCF-WSHttp port security to be message-based and use Windows authentication like this:
Note there’s nothing special or crazy here, just a simple selection of “Message” and “Windows Authentication”. We took the defaults for everything else. For a description of all these values and their meanings, see http://msdn.microsoft.com/en-us/library/bb226397(v=bts.80).aspx.
Now, we are sort of set up to access the service securely, using the credentials of our BizTalk Host process. But we don’t get very far with this. Sending a message through the port generates this in a suspended message:
A message sent to adapter "WCF-WSHttp" on send port SEND_PORT_NAME with URI http://SERVER_NAME/SERVICE_NAME.svc is suspended.
Error details: System.ServiceModel.Security.SecurityNegotiationException: SOAP security negotiation with http://SERVER_NAME/SERVICE_NAME.svc for target http://SERVER_NAME/SERVICE_NAME.svc failed. See inner exception for more details. ---> System.ComponentModel.Win32Exception: Security Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with identity host/SERVER_NAME. If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server.
Note the part of the message where we see host/SERVER_NAME. When Identity is not configured on the Send Port, BizTalk derives this default service principal name from our address. Notice, however, that it DOES NOT include the port number in its representation. Unfortunately, the negotiation cannot succeed against our service with the port number missing. To solve the issue, you have to explicitly set the identity like so:
Note that our DNS value includes the port number. This allows BizTalk to use the correct host/SERVER_NAME:portNumber notation when negotiating the security context with the WCF service. Once this is done, the send port can successfully connect and send messages to the service.
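For readers calling the same kind of service from plain WCF code rather than a BizTalk Send Port, here is the equivalent of the two configurations described above: the default endpoint address, whose inferred identity drops the port, and an address with an explicit DNS identity that keeps it. This is an added example, not code from the original post; the port 8080, the contract name IInternalService and the SERVER_NAME placeholder are assumptions.

```csharp
using System;
using System.ServiceModel;

// Placeholder contract standing in for whatever the real service exposes.
[ServiceContract]
public interface IInternalService
{
    [OperationContract]
    string Ping(string text);
}

public static class SecureEndpointFactory
{
    // The same choices the post makes on the Send Port Security tab:
    // WS-Http, message-level security, Windows credentials, all else default.
    public static WSHttpBinding CreateBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        return binding;
    }

    // The failing configuration: no identity supplied, so WCF derives the
    // target SPN from the URI host alone (host/SERVER_NAME) and the port is lost,
    // which is the SecurityNegotiationException shown in the post.
    public static EndpointAddress WithoutIdentity(Uri serviceUri)
    {
        return new EndpointAddress(serviceUri);
    }

    // The working configuration: a DNS identity that carries the port, which
    // WCF turns into host/SERVER_NAME:8080 during the SSPI negotiation.
    // In a client app.config the same identity is written as
    //   <identity><dns value="SERVER_NAME:8080" /></identity>
    // inside the <endpoint> element.
    public static EndpointAddress WithPortInIdentity(Uri serviceUri)
    {
        string dnsWithPort = serviceUri.Host + ":" + serviceUri.Port;
        EndpointIdentity identity = EndpointIdentity.CreateDnsIdentity(dnsWithPort);
        return new EndpointAddress(serviceUri, identity);
    }
}

public static class Program
{
    public static void Main()
    {
        // Assumed internal address with a non-default port, as in the post.
        var serviceUri = new Uri("http://SERVER_NAME:8080/SERVICE_NAME.svc");

        var address = SecureEndpointFactory.WithPortInIdentity(serviceUri);
        var factory = new ChannelFactory<IInternalService>(
            SecureEndpointFactory.CreateBinding(), address);

        // The channel authenticates as the calling process account, the same
        // way the BizTalk host instance account is used by the Send Port.
        IInternalService client = factory.CreateChannel();
        Console.WriteLine(client.Ping("hello"));
        ((IClientChannel)client).Close();
        factory.Close();
    }
}
```

Swapping `WithPortInIdentity` for `WithoutIdentity` reproduces the "SSPI authentication failed" error from the post against a service whose account is registered under the port-qualified SPN, which is a quick way to confirm that the identity, not the credentials, is the problem.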
Thanks to all the folks who attended my session on “Getting Started with WCF 4.5” at TechFuse 2013! And also thanks to Benchmark Learning for putting on such a great, and well-attended event. It was much fun and an honor to be able to teach in this venue. If you’d like you can download the presentation slides here or the slides and demo code from my SkyDrive.
I’ve been honored with the opportunity to present a session at TechFuse 2013. I’ll be presenting “Getting Started with WCF 4.5”.
Here’s the abstract:
With the newly released Windows Communication Foundation (WCF) 4.5, Microsoft has done much to simplify the creation of services. In this session, we’ll show you how to create a service using WCF 4.5 and Microsoft Visual Studio 2012. Some of the topics we’ll discuss are service-oriented architecture (SOA) considerations, creating service and data contracts, hosting the service, consuming WCF services, and an overview of some of the new features of WCF 4.5.
Thanks to Benchmark Learning for hosting such a great event. If you’re in the Twin Cities and have the time, I hope to see you at the Minneapolis Convention Center on March 21!
We talked primarily about the simplification features of version 4.5, as that was the primary focus for this release. For fun, we included a bit about what’s next in BizTalk as well.
Check it out here: What’s New in WCF 4.5.
Please note when looking at the slides that we “borrowed” openly and freely from a number of presentations I saw at TechEd 2012 and elsewhere. Please take special notice of the articles and presentations listed in the reference section at the end of the slide deck. Those guys (Daniel Roth, Bala Sriram, Javed Sikander, Rajesh Ramamirtham, and of course MSDN) deserve most of the credit!
Saturday (Oct 6) I got to present Getting Started with WCF 4.5 to a great group of coders at the Twin Cities Code Camp. For those who attended the session, thank you so much for taking time out of your weekend to see our WCF presentation. I hope it was valuable for you.
You can find the PowerPoint slides, code, and a backup of the SQL Server 2012 database here. Please feel free to leave questions or comments.