Rory Primrose

Learn from my mistakes, you don't have time to make them yourself

View project on GitHub

ASMX interoperability with WCF

If you have an ASMX client, you can get it to call a WCF endpoint with some restrictions. You have to use the basicHttpBinding on the WCF service and the service implementation (or contract) needs to be decorated with the XmlSerializerFormat attribute.

I have encountered a problem under SSL though. I am wanting to use username/basic authentication with the service over SSL. This article makes the following reference:

The easiest straightforward way for a successful interoperability scenario is to leverage on transport-layer security. This also means that a properly configured WCF implementation can interoperate with a Basic Profile 1.0 compliant ASP.NET Web Service (ASMX) that is currently deployed via SSL / HTTPS as well as with a WSE 2.0 service or client and likewise.

WCF has a standard binding called “<basicHttpBinding>” which derives its name from the Basic Profile specifications. There is a security mode within this binding called “TransportWithMessageCredential”. You can choose either a transport or a message credentials in this security mode. Setting it to <message clientCredentialType=”UserName”/> uses Transport-Level Security (SSL / HTTPS) with SOAP-Level Username token security credentials. This is in accordance with the WSS SOAP Message Security Username Token Profile 1.0 and it implements WSS SOAP Message Security 1.0 specification for username/password (for client authentication) over HTTPS (for privacy).

My WCF client consumes the endpoint correctly as the authenticated user. However, when using an ASMX web reference, I end up with the following error:

System.Web.Services.Protocols.SoapHeaderException: An error occurred when verifying security for the message.

So far, I haven’t got a solution.

Update:

Still no solution, but I have read in more places that indicate this should be fine. The following articles refer to the same kind of setup I am running. The only difference I that my client is an asmx client, but with a basicHttpBinding, this should be fine.

MSDN Library - Bindings and Security:

BasicHttp

In code, use BasicHttpBinding; in configuration, use the basicHttpBinding Element. This binding is designed to be used with a range of existing technologies, such as the following:

  • ASMX (version 1) Web services.
  • Web Service Enhancements (WSE) applications.
  • Basic Profile as defined in the WS-I specification (http://www.ws-i.org).
  • _Basic security profile as defined in WS-I. By default, this binding is not secure. It is designed to interoperate with ASMX services. When security is enabled, the binding is designed for seamless interoperation with IIS security mechanisms, such as Basic authentication, Digest, and Integrated Windows security. For more information, see Transport Security Overview. This binding supports the following:
    • HTTPS transport security.
    • HTTP Basic authentication.
    • WS-Security.

William Tay - Enterprise .NET Community: Securing your WCF ServiceMichele Leroux Bustamante - Fundamentals of WCF Security

Written on April 20, 2007