 

StockTrader, Self hosted Order Processor via wsHttpBinding : The request for security token could not be satisfied because authentication failed.

Hi, we're configuring our stocktrade application, as we want to deploy the order processor service via wsHttpBinding.

We thought we had finished the configuration following the instructions. But on the SOA status map, we found the status of "Order Processor Async-Http w/Message Security" still failed (with red alarm).

Below is the error message from the Order Processor Self Host Console.
/////
Request for SOA Node Map receieved
-----> Getting SOA Node Map.

Failed Online Status check for endpoint: http://stocktrader:8000/orders. Please examine the failure message following, likely,
(1) A firewall issue blocking communication on a port -- inbound or outbound on this node or remote node(s);
(2) You forgot to include a <client> definition for your service within your *HOSTS* .config file
(each host must define clients in the .config file to its own services for intra-node checking of endpoints);
(3) a binding configuration issue--check the servicemodel client definition in .config to ensure the binding configuration name exists
and this binding config is appropriate for the service (transport, security, etc.); or
(4) The host is not running, is in the process of shutting down, or network connectivity has been lost...
The service connection check exception is: The caller was not authenticated by the service.

Inner Exception is: The request for security token could not be satisfied because authentication failed.
////////////////
From it, we can see the exception is caused by the authentication failure.

We tried to browse the url 'http://localhost:8000/Orders', and we could see the content 'svcutil.exe net.tcp://stocktrader:8001/orders/mex' (stocktrader is the name of the server).
We used the command generating the .cs file and the .config file, created a simple client and used the former files to access the web service. We used the following code to access the endpoints:

OrderProcessorServiceClient client = new OrderProcessorServiceClient();
client.Open();

There's no problem accessing the endpoints with the net.tcp and msmq protocols with the client code, but we caught an exception when accessing the endpoint with the http protocol:

|| The client certificate is not provided. Specify a client certificate in ClientCredentials.

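So we added the certificate part like below:

// Requires: using System.Security.Cryptography.X509Certificates;
OrderProcessorServiceClient client = new OrderProcessorServiceClient();
// Present the client certificate found by subject name in LocalMachine\TrustedPeople.
client.ClientCredentials.ClientCertificate.SetCertificate(
    StoreLocation.LocalMachine, StoreName.TrustedPeople,
    X509FindType.FindBySubjectName, "BSL.Com");
client.Open();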

Then we got the current exception:

|| The caller was not authenticated by the service.

We thought maybe it's a problem related to the authentication behaviour part in the Trade.OrderProcessorServiceHost.exe.config file:

<behavior name="OPS_M_Security_Behavior">
  <serviceDebug httpHelpPageEnabled="true" includeExceptionDetailInFaults="true" />
  <serviceThrottling maxConcurrentInstances="400" maxConcurrentCalls="400" maxConcurrentSessions="100"/>
  <serviceCredentials>
    <serviceCertificate
        findValue="OPS.Com"
        x509FindType="FindBySubjectName"
        storeLocation="LocalMachine"
        storeName="TrustedPeople" />
    <clientCertificate>
      <authentication
          certificateValidationMode="Custom"
          customCertificateValidatorType="Trade.OrderProcessorImplementation.CustomCertValidator, Trade.OrderProcessorImplementation"
          revocationMode="Online"
          trustedStoreLocation="LocalMachine" />
    </clientCertificate>
  </serviceCredentials>
</behavior>


We are using Windows Server 2003, IIS 6.0 and StockTrader 2.04. Does anyone have any ideas?

Thanks



Jin Ming, ThoughtWorks
  • Edited by Jin Ming Monday, May 18, 2009 10:37 AM
This works for me, I just checked it again. Make sure you have installed the OPS cert (.pfx file) in the Trusted People, local computer cert directory using MMC (per the tutorial for reconfiguring stocktrader). The OPS service, when pulling the SOA map, uses the following client definition:

<endpoint address="http://configserver"
          binding="wsHttpBinding"
          bindingConfiguration="Client_WsHttpBinding_M_Security_OPS"
          contract="Trade.OrderProcessorContract.IOrderProcessor"
          behaviorConfiguration="OPS_ClientCertificateBehavior"
          name="Client_WsHttpBinding_M_Security_OPS">
  <identity>
    <certificate encodedValue="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" />
  </identity>
</endpoint>

which then references the endpoint behavior that tells it where to find the cert to use. That behavior is:

<behavior name="OPS_ClientCertificateBehavior">
  <clientCredentials>
    <clientCertificate
        findValue="OPS.Com"
        x509FindType="FindBySubjectName"
        storeLocation="LocalMachine"
        storeName="TrustedPeople">
    </clientCertificate>
  </clientCredentials>
</behavior>



The endpoint identity is important. Also, the custom cert validator, provided as an example, validates the incoming certificate based on its thumbprint. It only accepts either the OPSHost cert or the BSLClient cert.

-Greg


Greg Leake, Microsoft
Gregory Leake
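
Added example (not part of the thread, and not the StockTrader CustomCertValidator source): a thumbprint allow-list validator of the kind the reply above describes, written against WCF's X509CertificateValidator base class and wired in through customCertificateValidatorType as in the service behavior quoted in the question. The class name and both thumbprint values are placeholders chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Hypothetical class name; WCF creates it through a parameterless constructor.
public sealed class ThumbprintAllowListValidator : X509CertificateValidator
{
    // Placeholder thumbprints (constructed values). Replace with the SHA-1
    // thumbprints of the OPS host certificate and the BSL client certificate.
    private static readonly HashSet<string> Allowed = new HashSet<string>
    {
        Normalize("00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01"),
        Normalize("0000000000000000000000000000000000000002"),
    };

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");

        // With certificateValidationMode="Custom" this method is the only
        // check applied to the certificate, so expiry is verified here too.
        DateTime now = DateTime.Now;
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new SecurityTokenValidationException(
                "Certificate is outside its validity period.");

        // Compare by thumbprint, not subject name: two certificates can
        // share a subject, but not a thumbprint.
        if (!Allowed.Contains(Normalize(certificate.Thumbprint)))
            throw new SecurityTokenValidationException(
                "Certificate '" + certificate.Subject + "' (" +
                certificate.Thumbprint + ") is not on the allow list.");
    }

    // Thumbprints copied from the MMC certificate dialog contain spaces and
    // sometimes an invisible leading character; keep hex digits only.
    private static string Normalize(string thumbprint)
    {
        char[] hex = (thumbprint ?? string.Empty)
            .Where(c => Uri.IsHexDigit(c)).ToArray();
        return new string(hex).ToUpperInvariant();
    }
}
```

When a validator like this rejects a certificate, the client does not see the validator's message; it gets only a generic authentication failure. The thumbprint of the certificate the client actually presented is therefore the first thing to compare against the allow list.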
