WCF Breaking Change

In .NET 3.5 Service Pack 1


By Alvin Bruney

 

While the .NET 3.5 Service Pack 1 brings a lot of goodies (http://www.asp.net/downloads/3.5-sp1/Readme/), and more than 500 bug fixes, it also introduces a few breaking changes. Let's take a look at the implications of one of those breaking changes. There's also a lesson in there for the hotshot programmers who prefer to toss aside the manual and opt for the hands-on approach.

 

If your WCF service currently uses Windows authentication, applying Service Pack 1 can cause calls to that service to fail with 401 errors. It's a particularly nasty issue to diagnose, because authentication/authorization failures rarely say what is actually wrong. The problem occurs only in specific scenarios, so let's review those first:

  • The WCF service uses ClientCredentialType.Windows, which selects the Negotiate authentication scheme (Kerberos, with a fallback to NTLM). In the configuration file this is the binding's transport security set to clientCredentialType="Windows", for instance:




  • The WCF service uses HTTP, HTTPS, or NET.TCP.
  • The WCF service runs under a domain user account (an account other than the default Network Service account in IIS 6).

 

The exact error message is displayed in Figure 1.

 


Figure 1: Authentication failure in WCF client call.

 

The table in Figure 2 shows how the client-side behaviour changed from 3.5 RTM to 3.5 SP1 for each combination of identity setting and NTLM fallback.

 

Based on this table, the SP1 runtime now requires the client to state the service's principal name explicitly. The reason is a Kerberos one: to use Kerberos, the client must request a ticket for the service's principal name (SPN). A service running as the built-in Network Service account is covered by the machine account's default host SPN, but a service running under a domain user account has an SPN registered to that account, which the client cannot guess. Notice, however, that the runtime does not validate the parameter; it simply requires it. With the default allowNtlm=true, a wrong identity is still accepted, because Negotiate falls back to NTLM, which never proves to the client who the server is. Only with allowNtlm=false does a wrong identity fail, with the "requirement for mutual authentication was not met" error in the last row of Figure 2. So the fix is easy: add the identity tag for authenticated calls going forward, and if you want the identity actually enforced rather than merely present, disable the NTLM fallback as well. I recommend making the change in the configuration file rather than in code, so you avoid the development cycles needed to rebuild, test and redeploy the client. Here's the fix implemented in the client configuration file for the WCF service:

 

     

        

           

              

           

         

    

 

 
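As an added example, not the article's own listing, here is a complete client configuration file of the kind the fix describes. The host name svc01.corp.example, the SPN HTTP/svc01.corp.example, the service account svc_orders@corp.example, the contract Contoso.Orders.IOrderService and the endpoint, binding and behavior names are assumptions. The file combines the identity element that SP1 requires with the allowNtlm="false" endpoint behavior used in the Figure 2 rows, so that a wrong identity is rejected instead of being accepted over NTLM:

```xml
<?xml version="1.0" encoding="utf-8" ?>
<!-- Added example, not the article's listing. Host names, the SPN, the service
     account and the contract name are placeholders for a real deployment. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="WindowsAuthBinding">
          <!-- ClientCredentialType.Windows over HTTPS: the scenario the
               article describes. Negotiate is used for the transport. -->
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>

    <behaviors>
      <endpointBehaviors>
        <behavior name="KerberosOnly">
          <clientCredentials>
            <!-- Disable the NTLM fallback. With the default (allowNtlm="true")
                 a wrong identity is silently accepted over NTLM; with it off,
                 a wrong identity fails with the mutual-authentication error
                 shown in Figure 2, which is what you want. -->
            <windows allowNtlm="false" />
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>

    <client>
      <endpoint name="OrdersEndpoint"
                address="https://svc01.corp.example/Orders/Service.svc"
                binding="wsHttpBinding"
                bindingConfiguration="WindowsAuthBinding"
                behaviorConfiguration="KerberosOnly"
                contract="Contoso.Orders.IOrderService">
        <!-- The identity element that 3.5 SP1 now requires. Because the service
             runs under a domain account rather than Network Service, name the
             SPN registered to that account (or its UPN, see the comment). -->
        <identity>
          <servicePrincipalName value="HTTP/svc01.corp.example" />
          <!-- Alternative when the domain account has no SPN registered:
               <userPrincipalName value="svc_orders@corp.example" />
          -->
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
```

The identity element only tells the client which principal to request a Kerberos ticket for; it does not create the SPN. The SPN still has to be registered on the service's domain account in Active Directory (a domain administrator runs something like setspn -A HTTP/svc01.corp.example CORP\svc_orders, with the names above being assumptions), and the same SPN must not also be registered on the machine account, otherwise the ticket is issued under the wrong key and the service cannot decrypt it. If no SPN is registered, the userPrincipalName form works instead, because Windows can locate the account and build the ticket from its UPN.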

At the time of this writing, there are no KB articles on this. However, if you care to read the Service Pack Readme material (specifically section 2.3.2.2) that accompanied the Service Pack release (http://download.microsoft.com/download/A/2/8/A2807F78-C861-4B66-9B31-9205C3F22252/dotNet35SP1Readme.htm), the change is described in some detail.

 

Note that the actual error message can vary significantly from the Readme documentation, which is why I've posted some actual examples. As far as I'm aware, the breaking change does not affect ASP.NET (ASMX) Web services and is specific to WCF services only.

 

I'll venture a guess that most of us (including me) don't read those Service Pack Readme documents. But it's a good idea to start doing so in order to prevent application downtime.

 

Options, with the client behaviour under 3.5 SP1 and under 3.5 RTM:

Default (allowNTLM=true) - specify NO identity
   3.5 SP1: System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate'. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized. ---> System.ComponentModel.Win32Exception: The target principal name is incorrect.
   3.5 RTM: Accepted (no identity required).

Default (allowNTLM=true) - specify bad identity
   3.5 SP1: Accepted (identity not checked).
   3.5 RTM: Accepted (identity not checked).

allowNTLM=false - specify NO identity
   3.5 SP1: System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate'. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized. ---> System.ComponentModel.Win32Exception: The target principal name is incorrect.
   3.5 RTM: Accepted (no identity required).

allowNTLM=false - specify bad identity
   3.5 SP1: Caught System.ServiceModel.CommunicationException: An error (The request was canceled) occurred while transmitting data over the HTTP channel. ---> System.Net.WebException: The request was canceled ---> System.Net.ProtocolViolationException: The requirement for mutual authentication was not met by the remote server.
   3.5 RTM: Caught System.ServiceModel.CommunicationException: An error (The request was canceled) occurred while transmitting data over the HTTP channel. ---> System.Net.WebException: The request was canceled ---> System.Net.ProtocolViolationException: The requirement for mutual authentication was not met by the remote server.

Figure 2: Run-time changes implemented in Service Pack 1.

 

Alvin Bruney is a Technology Specialist working for Royal Bank of Canada in the .NET Centre of Excellence program. He is a Microsoft Press author and a long-time ASP.NET MVP.

 

 

 

 
