WCF client credentials are not used for proxy authentication #3551
Comments
After some further digging it seems that the "The HTTP request was forbidden with client authentication scheme 'Anonymous'" exception is actually caused by the final endpoint returning "403 Ip forbidden". Which makes sense, as it is protected by an IP whitelist. So the custom binding may actually be working, which I will know once I am added to the whitelist. But I would still have expected the BasicHttpBinding to have worked, or to have some way of specifying proxy credentials, since you can specify an actual proxy but apparently have no way to authenticate against it. A separate problem seems to be that the "403 Ip forbidden" error results in a "The HTTP request was forbidden with client authentication scheme 'Anonymous'" exception. This definitely led me astray; the exception is quite misleading and provides no way of seeing the actual "403 Ip forbidden" error.
Any updates on this issue?
This was the code I got working to work around this issue
The pitfall is that the proxy settings on BasicHttpBinding don't seem to be properly implemented, as there is no way to get it to use the proper credentials, which is why a CustomBinding has to be used.
It looks like there's a line of code missing in HttpTransportSecurity.ConfigureAuthentication where we copy the value from HttpTransportSecurity.ProxyCredentialType.
There's a fix in code review now.
It's now possible to set the e.g., This assumes the proxy uses basic credentials. The endpoint should in theory still use whatever client credentials you set, though I've only tested with an endpoint using basic.

```csharp
// Start from a BasicHttpBinding that uses transport (HTTPS) security.
var binding = new BasicHttpBinding();
binding.Security.Mode = BasicHttpSecurityMode.Transport;
// Wrap it in a CustomBinding so the HTTP transport element can be changed.
var customBinding = new CustomBinding(binding);
var httpElement = customBinding.Elements.Find<HttpTransportBindingElement>();
// Route requests through the default proxy.
httpElement.Proxy = HttpClient.DefaultProxy;
// Omitted, constructing client
client.Endpoint.Binding = customBinding;
```
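The scenario this issue describes (certificate authentication to the endpoint through a proxy that wants a username and password) can be put together from the pattern in the comment above. This is an added example, not code from the thread or from the WCF project; `IExampleService`, `ProxyClientFactory` and the environment variable names are hypothetical, and it assumes a System.ServiceModel.Http version that exposes the `Proxy` property used above.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Hypothetical contract standing in for the real service (assumption).
[ServiceContract]
public interface IExampleService
{
    [OperationContract]
    string Ping();
}

public static class ProxyClientFactory
{
    public static ChannelFactory<IExampleService> Create(
        Uri endpoint, Uri proxyUri, X509Certificate2 clientCertificate)
    {
        // HTTPS transport with a client certificate for the final endpoint.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

        // Same pattern as the comment above: wrap, then edit the transport element.
        var customBinding = new CustomBinding(binding);
        var httpElement = customBinding.Elements.Find<HttpTransportBindingElement>();

        // Proxy credentials come from the environment rather than source code.
        // The variable names are assumptions made for this example.
        var user = Environment.GetEnvironmentVariable("WCF_PROXY_USER");
        var password = Environment.GetEnvironmentVariable("WCF_PROXY_PASSWORD");
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password))
            throw new InvalidOperationException("Proxy credentials are not configured.");

        // Explicit proxy carrying its own credentials, separate from the
        // client certificate that authenticates to the endpoint.
        httpElement.Proxy = new WebProxy(proxyUri)
        {
            Credentials = new NetworkCredential(user, password)
        };

        var factory = new ChannelFactory<IExampleService>(
            customBinding, new EndpointAddress(endpoint));
        factory.Credentials.ClientCertificate.Certificate = clientCertificate;
        return factory;
    }
}
```

Keeping the proxy credential on the `WebProxy` object and the certificate on `ClientCredentials` makes it clear which secret is sent to which hop.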
When passing a WCF client request through a proxy requiring username/password authentication, the client's ClientCredentials are not used and it results in a "(407) Proxy Authentication Required" error. There does not appear to be any way in dotnet core to set whether to use default credentials or not for the proxy.
A workaround exists to get the proxy credentials working by creating a CustomBinding
This results in the SendMessage request throwing a "The HTTP request was forbidden with client authentication scheme 'Anonymous'" exception. There does not seem to be a way to configure the CustomBinding to use certificate authentication for the final endpoint.
This makes it seemingly impossible to interact with a WCF service that requires certificate authentication through a proxy requiring username/password authentication.