Laurin St

Hi together,
I set up a little try-out solution, all works well, until I try to register a Custom Username Password Validator. I get the following error message (not very helpful): Error: The ChannelDispatcher at 'net.tcp://localhost:8080/service1' with contract(s) '"IServiceContract"' is unable to open its IChannelListener.
Any ideas
My App.config looks like this:

< xml version="1.0" encoding="utf-8" >





<behavior name="Metadata">

<serviceMetadata />


<userNameAuthentication userNamePasswordValidationMode="Custom"

customUserNamePasswordValidatorType="WCFHost.CustomUsernamePasswordValidator, WCFHost" />







<binding name="security">

<security mode="Message">

<message clientCredentialType="UserName"/>






<service behaviorConfiguration="Metadata" name="WCFSample.WCFSampleImplementation">

<endpoint address="net.tcp://localhost:8080/service1" behaviorConfiguration=""

binding="netTcpBinding" bindingConfiguration="security" name="TCPExpose"

contract="WCFSample.IServiceContract" />

<endpoint address="net.tcp://localhost:8080/service1/Metadata"

binding="mexTcpBinding" bindingConfiguration="" name="MetaData"

contract="IMetadataExchange" />





If i delete the line

<message clientCredentialType="UserName"/>

all works well, however without UserName and Password validation..... can anybody help me

thanks in advance

kind regards

Re: Windows Communication Foundation (Indigo) Strange Problem with Custom UsernamePasswordValidator

Christian Weyer

Hm, I have done this several times without seeing this exception. When does it exactly occur

And did you try enbaling tracing in the service with Verbose mode to see what is really going on Can you debug your service and see the point where it breaks

Re: Windows Communication Foundation (Indigo) Strange Problem with Custom UsernamePasswordValidator

Laurin St

Because this is a sample project I host the Service in a Console Application, with the standard MS Hosting source code. This error is thrown immediately when i start the console host, there doesn't happen anything before.
I try to debug and enabeling tracing this evening and will report what i found out.
But isn't it very strange that this error only occurs when I activate this line
<message clientCredentialType="UserName"/>, otherwise the service works very well

Re: Windows Communication Foundation (Indigo) Strange Problem with Custom UsernamePasswordValidator

Matthew Hess

I am having the same problem. And it happens when I configure the service to use the ASP.NET membership provider as well as a custom validator. I also attempted to host this service in IIS and I got a little more from the stack trace there than when hosting via a console app. It seems to indicate that the problem has something to do with the service not specifying a certificate:

[InvalidOperationException: The service certificate is not provided. Specify a service certificate in ServiceCredentials. ]
  System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateServerX509TokenProvider() +124
  System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement) +92
  System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement requirement) +118
  System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateTlsnegoServerX509TokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement) +159
  System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, Boolean requireClientCertificate, SecurityTokenResolver& sctResolver) +887
  System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, SecurityTokenResolver& outOfBandTokenResolver) +1284
  System.ServiceModel.Security.SessionRenewSecurityTokenManager.CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, SecurityTokenResolver& outOfBandTokenResolver) +142
  System.ServiceModel.Security.SymmetricSecurityProtocolFactory.OnOpen(TimeSpan timeout) +251
  System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout) +44
  System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +494
  System.ServiceModel.Security.SecurityProtocolFactory.Open(Boolean actAsInitiator, TimeSpan timeout) +51
  System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout) +112
  System.ServiceModel.Channels.SecurityChannelListener`1.OnOpen(TimeSpan timeout) +275
  System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +494
  System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout) +90

[InvalidOperationException: The ChannelDispatcher at 'http://localhost:8002/DogService' with contract(s) '"IssueAndRenewSession"' is unable to open its IChannelListener.]

I believe this is because, in order to encypt the messages (security mode="message"), the server and client need to share a certificate. Sure enough, when I installed a certificate, the service started. Here's what I did:

Run the following two commands from the VS command line utility (this makes a certificate and copies to the client's CurrentUser store)

makecert.exe -sr LocalMachine -ss MY -a sha1 -n CN=localhost -sky exchange -pe

certmgr.exe -add -r LocalMachine -s My -c -n LocalHost -r CurrentUser -s TrustedPeople

Then add the following to the <serviceCredentials/> node in your config:

<serviceCertificate storeLocation ="LocalMachine"

storeName ="My"

x509FindType ="FindBySubjectName"

findValue ="localhost" />

This was all pretty much cribbed from the "Membership and Role Provider" WCF sample. It appears to go into more detail as to how you would configure this certificate to work accross machines. But it all raises some interesting questions:

Is it really necessary to specify a certificate in the <serviceCredentials/> node in order for any kind of UserName authentication to work

If so, how would one deploy this on the internet where you've got no control over the client machine Is there a preferred mechanism for distributing the public key of the X509 certificate to any client that may happen to connect.

Re: Windows Communication Foundation (Indigo) Strange Problem with Custom UsernamePasswordValidator

Laurin St

Wow! That solves my problem!
Thanks a lot.
But your question is quite interessting and needs a good answer. Perhaps any other guru can say something beloging this problem!

Re: Windows Communication Foundation (Indigo) Strange Problem with Custom UsernamePasswordValidator

Laurin St

Okey... now i run into another problem. Of corse he says that this isn't a valid certificate and cannot be verified at a CA. How did you solve this... in asmx webservices i could overwrite the certificate check policy.... any ideas

Re: Windows Communication Foundation (Indigo) Strange Problem with Custom UsernamePasswordValidator

Matthew Hess

I'm definitely not an expert on certificates (by "not an expert", I mean, I know next to nothing). But I also ran into a problem where the client code was having trouble verifying the validity of the certificate. Here's what I did to fix that (again, cribbing from the WCF sample)

Working in your Client config file:

1. Add a behavior that specifies the "certificatValidationMode" of "PeerOrChainTrust":



<behavior name="ClientBehavior">



<authentication certificateValidationMode="PeerOrChainTrust" />






2. On each endpoint that uses userName authentication, specify this behavior, for example:

<endpoint address="net.tcp://localhost:8001/MyService"






For me, this was enough in my test environment for the client to validate that it was OK to use the certificate. Maybe this will work for you, too.

Note that since your client config file is machine generated (in part) when you import or update the service reference, some of this is going to get zapped every time you update. In particular, I think you'll need to re-do the behaviorConfiguration on each endpoint.

Again, I have many, many questions about how one would best do this in a production environment. Perhaps our friendly moderator MVP will chime in with some advice (he said hopefully)!

Re: Windows Communication Foundation (Indigo) Strange Problem with Custom UsernamePasswordValidator

Laurin St

Thanks that works fine Smile