WCF Breaking Change
In .NET 3.5 Service Pack 1
October 30, 2009
By Alvin Bruney
While the .NET 3.5 Service Pack 1 brings a lot of goodies (http://www.asp.net/downloads/3.5-sp1/Readme/), and more than 500 bug fixes, it also introduces a few breaking changes. Let's take a look at the implications of one of those breaking changes. There's also a lesson in there for the hotshot programmers who prefer to toss aside the manual and opt for the hands-on approach.
If you currently use authentication in your WCF service, applying Service Pack 1 will cause your WCF service to return 401 errors. It's a particularly nasty issue to diagnose because authentication/authorization issues are typically ugly in nature. There are specific scenarios where this can occur, so let's review those first:
The WCF service uses ClientCredentialType.Windows, which specifies the Negotiate authentication scheme. For instance, you have something like this in your configuration file:
The WCF service uses HTTP, HTTPS, or NET.TCP.
The WCF service runs under a domain user account (an account other than the default Network Service account in IIS 6).
The exact error message is displayed in Figure 1.
Figure 1: Authentication failure in WCF client call.
The table in Figure 2 shows the changes that occurred in the Service Pack from 3.5 to 3.5 SP1.
Based on this table, the runtime now requires the service principal name to be explicitly set. However, notice that it does not validate the parameter. It simply requires it. So, the fix is easy. You'll need to add the identity tag for authenticated calls going forward. I recommend making the change in the configuration file so you can avoid the development cycles to implement and test the fix. Here's the fix implemented in the client configuration file for the WCF service:
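As an added illustration (not the listing from the original article, which did not survive on this page), a client configuration that uses Windows credentials and carries the identity element could look like the following. The endpoint address, contract, binding, behavior and endpoint names and the SPN value are placeholder assumptions; use the SPN actually registered for the domain account the service runs under, because per Figure 2 a wrong value is accepted under the defaults but fails once NTLM is disallowed.

```xml
<!-- Added example: all names, the address and the SPN value are placeholders. -->
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="WindowsAuthBinding">
        <security mode="TransportCredentialOnly">
          <!-- ClientCredentialType.Windows selects the Negotiate scheme -->
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>

  <behaviors>
    <endpointBehaviors>
      <behavior name="KerberosOnly">
        <clientCredentials>
          <!-- Optional: the "allowNTLM=false" rows of Figure 2.
               With NTLM disallowed, a wrong SPN is rejected instead
               of being silently accepted. -->
          <windows allowNtlm="false" />
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>

  <client>
    <endpoint name="ExampleEndpoint"
              address="http://server.example.com/ExampleService.svc"
              binding="basicHttpBinding"
              bindingConfiguration="WindowsAuthBinding"
              behaviorConfiguration="KerberosOnly"
              contract="IExampleService">
      <!-- Required on 3.5 SP1: without an identity the call fails
           with 401 / "The target principal name is incorrect". -->
      <identity>
        <servicePrincipalName value="HTTP/server.example.com" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
```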
At the time of this writing, there are no KB articles on this. However, if you care to read the Service Pack Readme material (specifically section 2.3.2.2) that accompanied the Service Pack release (http://download.microsoft.com/download/A/2/8/A2807F78-C861-4B66-9B31-9205C3F22252/dotNet35SP1Readme.htm), the change is described in some detail.
Note that the actual error message can vary significantly from the Readme documentation, which is why I've posted some actual examples. As far as I'm aware, the breaking change does not affect ASP.NET Web services and is specific to WCF services only.
I'll venture a guess that most of us (including me) don't read those Service Pack Readme documents. But it's a good idea to start doing so in order to prevent application down time.
Options | 3.5 SP1 | 3.5 RTM |
---|---|---|
Default - specify NO identity | System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme Negotiate . The authentication header received from the server was Negotiate System.Net.WebException: The remote server returned an error: (401) Unauthorized. ComponentModel.Win32Exception: The target principal name is incorrect. | Accepted (no identity required). |
Default - specify bad identity | Accepted (identity not checked). | Accepted (identity not checked) |
allowNTLM=false - specify NO identity | System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme Negotiate . The authentication header received from the server was Negotiate System.Net.WebException: The remote server returned an error: (401) Unauthorized. System.ComponentModel.Win32Exception: The target principal name is incorrect. | Accepted (no identity required). |
allowNTLM=false - specify bad identity | Caught System.ServiceModel.CommunicationException: An error (The request was canceled) occurred while transmitting data over the HTTP channel. System.Net.WebException: The request was canceled - System.Net.ProtocolViolationException: The requirement for mutual authentication was not met by the remote server. | Caught System.ServiceModel.CommunicationException: An error (The request was canceled) occurred while transmitting data over the HTTP channel. ---> System.Net.WebException: The request was canceled ---> System.Net.ProtocolViolationException: The requirement for mutual authentication was not met by the remote server. |
Figure 2: Run-time changes implemented in Service Pack 1.
Alvin Bruney is a Technology Specialist working for Royal Bank of Canada in the .NET Centre of Excellence program. He is a Microsoft Press author and a long-time ASP.NET MVP.