WCF Breaking Change

In .NET 3.5 Service Pack 1

Alvin Bruney

October 30, 2009

4 Min Read
ITPro Today logo in a gray background | ITPro Today

asp:feature

 

WCF Breaking Change

In .NET 3.5 Service Pack 1

 

By Alvin Bruney

 

While the .NET 3.5 Service Pack 1 brings a lot of goodies(http://www.asp.net/downloads/3.5-sp1/Readme/),and more than 500 bug fixes, it also introduces a few breaking changes. Let stake a look at the implications of one of those breaking changes. There s alsoa lesson in there for the hotshot programmers who prefer to toss aside themanual and opt for the hands-on approach.

 

If you currently use authentication in your WCF service,applying Service Pack 1 will cause your WCF service to return 401 errors. It sa particularly nasty issue to diagnose because authentication/authorizationissues are typically ugly in nature. There are specific scenarios where thiscan occur, so let s review those first:

  • The WCF service usesClientCredentialType.Windows, which specifies the Negotiate authenticationscheme. For instance, you have something like this in your configuration file:

  • The WCF service uses HTTP, HTTPS, or NET.TCP.

  • The WCF service runs under a domain user account(an account other than the default Network Service account in IIS 6).

 

The exact error message is displayed in Figure 1.

 


Figure 1: Authentication failure inWCF client call.

 

The table in Figure 2 shows the changes that occurred inthe Service Pack from 3.5 to 3.5 SP1.

 

Based on this table, the runtime now requires the serviceprincipal name to be explicitly set. However, notice that it does not validatethe parameter. It simply requires it. So, the fix is easy. You ll need to addthe identity tag for authenticated calls going forward. I recommend making thechange in the configuration file so you can avoid the development cycles toimplement and test the fix. Here s the fix implemented in the clientconfiguration file for the WCF service:

 

     

        

           

              

           

         

    

 

 

At the time of this writing, there are no KB articles onthis. However, if you care to read the Service Pack Readme material(specifically section 2.3.2.2) that accompanied the Service Pack release (http://download.microsoft.com/download/A/2/8/A2807F78-C861-4B66-9B31-9205C3F22252/dotNet35SP1Readme.htm),the change is described in some detail.

 

Note that the actual error message can vary significantlyfrom the Readme documentation, which is why I ve posted some actual examples. Asfar as I m aware, the breaking change does not affect ASP.NET Web services andis specific to WCF services only.

 

I ll venture a guess that most of us (including me) don tread those Service Pack Readme documents. But it s a good idea to start doingso in order to prevent application down time.

 

Options

3.5 SP1

3.5 RTM

Default - specify NO identity

System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme Negotiate . The authentication header received from the server was Negotiate System.Net.WebException: The remote server returned an error: (401) Unauthorized. ComponentModel.Win32Exception: The target principal name is incorrect.

Accepted (no identity required).

Default - specify bad identity

Accepted (identity not checked).

Accepted (identity not checked)

allowNTLM=false - specify NO identity

System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme Negotiate . The authentication header received from the server was Negotiate System.Net.WebException: The remote server returned an error: (401) Unauthorized. System.ComponentModel.Win32Exception: The target principal name is incorrect.

Accepted (no identity required).

allowNTLM=false - specify bad identity

Caught System.ServiceModel.CommunicationException: An error (The request was canceled) occurred while transmitting data over the HTTP channel. System.Net.WebException: The request was canceled - System.Net.ProtocolViolationException: The requirement for mutual authentication was not met by the remote server.

Caught System.ServiceModel.CommunicationException: An error (The request was canceled) occurred while transmitting data over the HTTP channel. ---> System.Net.WebException: The request was canceled ---> System.Net.ProtocolViolationException: The requirement for mutual authentication was not met by the remote server.

Figure 2: Run-timechanges implemented in Service Pack 1.

 

Alvin Bruney is aTechnology Specialist working for Royal Bank of Canada in the .NET Centre ofExcellence program. He is a Microsoft Press author and a long-time ASP.NET MVP.

 

 

 

 

Read more about:

Microsoft
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like