Well, I think I tried all the different combinations of using
Message, Transport and TransportWithMessageCredential security.
Above I explained the situation of the latter, and Transport doesn't
fulfill my objective. Using just the Message security could be a
solution, but it requires a certificate to be specified in the
web.config. I tried that, and it is working on my local machine, as
I know the certificate store and location.
If you could supply me with the information of where the
certificate I created in AppHarbor for my WCF service, I think
Message security will be sufficient. The only problem I can see is
that the service will still be available using HTTP, which will
bypass the overridden Validate() method, and no authentication will
be done. I am not sure of this as I have been unable to test it in
the AppHarbor environment.
I really need a solution for this either using Message or
TransportWithMessageCredential. Am I the only one with this issue?
I mean how do other people secure their WCF services in
Support Staff6 Posted by rune on 19 Jul, 2011 12:09 PM
I'm not sure what information about the certificate you're
requesting (seems like the sentence wasn't completed :-))?
However I think the article you referred to yourself describes
the same setup as the one we have (SSL offloaded by a load
balancer). You could always restrict regular http-traffic in your
application, for instance by redirecting to https. You can use the
"HTTP_X_FORWARDED_PROTO" header to determine whether the request
was sent over HTTP or HTTPS (it will be equal to either "https" or
"http"). You can retrieve the value of this header with
Now I'm not an expert in WCF, but in ASP.NET MVC I would enforce
the use of HTTPS by using a custom RequireHttpsAttribute as
I'm leaving the discussion open in case someone else wants to
I will try to further explain the problems I am having with WCF
Basically I have two options for using Username / Password
Message Security and TransportWithMessageCredential.
Message Security almost works on AppHarbor, though the problem
is with the certificate as described before. I get the following
"Cannot find the X.509 certificate using the following search
criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType
'FindBySubjectName', FindValue 'xxxxxx'."
The reason for the error message is that Microsoft doesn't allow
passing username and password in clear text, and therefore enforces the
use of a certificate. Basically, unless I can specify where the
certificate is located, I cannot use the simple Message security. If
I can get this to work, then I can use the method you describe to
Second, using TransportWithMessageCredential gives the
"Could not find a base address that matches scheme https for the
endpoint with binding WSHttpBinding. Registered base address
schemes are [http]." The reason is explained in the first post.
Hope it makes more sense now.
I am curious whether I am the only one with this issue, and how
your other users have gotten around this.
Support Staff8 Posted by friism on 19 Jul, 2011 10:23 PM
Note that we don't install the certificate you specify for your
application on the servers that host your service (it's only placed
on the load balancer because the certificate is only used for SSL
in most scenarios).
For WCF to use the certificate for Message Security, you will
likely need to push the certificate along with your code and read
it from the filesystem. I haven't actually tried to do this, but it
seems possible.
At the moment I don't have the time. We are really busy getting our
Furthermore there is not too much magic to it. Basically I
overrode the .NET message inspector, and created a custom
endpoint behavior including a custom endpoint configuration element.
There are many resources on the web regarding this.
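
An added sketch (not code from any poster or from AppHarbor) of the approach the thread arrives at: a WCF message inspector that rejects requests the load balancer did not receive over HTTPS, wired in through an endpoint behavior and a configuration element. The class names are hypothetical, and it assumes the "HTTP_X_FORWARDED_PROTO" server variable mentioned above corresponds to the `X-Forwarded-Proto` request header and that the load balancer always sets it.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Configuration;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

// Hypothetical class names; only the WCF interfaces and base class are real.
public class RequireForwardedHttpsInspector : IDispatchMessageInspector
{
    public object AfterReceiveRequest(ref Message request, IClientChannel channel,
                                      InstanceContext instanceContext)
    {
        object prop;
        string proto = null;
        // The HTTP transport attaches the request headers as a message property.
        if (request.Properties.TryGetValue(HttpRequestMessageProperty.Name, out prop))
            proto = ((HttpRequestMessageProperty)prop).Headers["X-Forwarded-Proto"];

        // Fail closed: a missing header is treated the same as plain HTTP.
        if (!string.Equals(proto, "https", StringComparison.OrdinalIgnoreCase))
            throw new FaultException("HTTPS is required.");
        return null; // no correlation state needed
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }
}

public class RequireForwardedHttpsBehavior : IEndpointBehavior
{
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher dispatcher)
    {
        // Runs the inspector for every message dispatched to this endpoint.
        dispatcher.DispatchRuntime.MessageInspectors.Add(new RequireForwardedHttpsInspector());
    }
    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection p) { }
    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime runtime) { }
    public void Validate(ServiceEndpoint endpoint) { }
}

// Lets the behavior be registered under <behaviorExtensions> in web.config.
public class RequireForwardedHttpsElement : BehaviorExtensionElement
{
    public override Type BehaviorType { get { return typeof(RequireForwardedHttpsBehavior); } }
    protected override object CreateBehavior() { return new RequireForwardedHttpsBehavior(); }
}
```

The header can be trusted only when the service is reachable solely through the load balancer; a client that can reach the application server directly can send any value it likes.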