Monday, January 18, 2010

Moving from basicHttpBinding to customBinding

We’ve been having a few issues with some users who cannot authenticate to Genexus Server. After logging on the server side, thanks to SvcConfigEditor, I found that the problems had nothing to do with the user credentials themselves but with some WCF configuration that prevents packages “from the future” from reaching the server.

How did that happen and, more importantly, how do I change it? It happened because of daylight saving (global warming is everywhere). WCF has an under-the-hood feature that prevents your server from being reached by packages whose timestamp is more than 5 minutes (default value) away from the server’s time (taken to UTC). Apparently, not everybody has their computer set up with the correct date/time setting, so when one of them changed (the client or the server) the server would not validate the client.

So, how do you change that with your existing basicHttpBinding? You can’t! :( What you have to do is create a customBinding and modify the maxClockSkew attribute of the security tag. And how do you do that? Well, luckily for us there’s a tool that does that for us. It’s called WcfBindingBox (hopefully it will stay there for a while): you simply paste your current binding configuration, and when you click ‘Convert to CustomBinding!’ well… it does just that!

After using that new config on my dev server I had the following error while authenticating:

“A supporting token that satisfies parameters 'System.ServiceModel.Security.Tokens.UserNameSecurityTokenParameters:
InclusionMode: AlwaysToRecipient
ReferenceStyle: Internal
RequireDerivedKeys: False' and attachment mode 'SignedEncrypted' was not provided.”

And the problem was exactly what the message says (unbelievable). All I did to fix it was create an instance of the UserNameSecurityTokenParameters class, configure the properties mentioned in the message and add it to my TransportSecurityBindingElement.
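The fix described above, written out in code. This is an added example, not the original configuration from this post: the class and method names are hypothetical, the 10-minute skew is a constructed sample value, and it assumes the original basicHttpBinding ran over HTTPS with SOAP 1.1.

```csharp
using System;
using System.ServiceModel.Channels;
using System.ServiceModel.Security.Tokens;
using System.Text;

public static class SkewTolerantBinding   // hypothetical helper, not from the post
{
    public static CustomBinding Create(TimeSpan maxClockSkew)
    {
        // Security element used for username credentials sent over a secure transport.
        var security = new TransportSecurityBindingElement { IncludeTimestamp = true };

        // The setting basicHttpBinding does not expose: how far a message
        // timestamp may differ from the local clock (WCF default: 5 minutes).
        // Both settings objects are set because the same binding code may be
        // used to build the service endpoint or the client channel.
        security.LocalServiceSettings.MaxClockSkew = maxClockSkew;
        security.LocalClientSettings.MaxClockSkew = maxClockSkew;

        // The supporting token the error message asks for, with exactly the
        // properties it lists, attached in 'SignedEncrypted' mode.
        var userName = new UserNameSecurityTokenParameters
        {
            InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient,
            ReferenceStyle = SecurityTokenReferenceStyle.Internal,
            RequireDerivedKeys = false
        };
        security.EndpointSupportingTokenParameters.SignedEncrypted.Add(userName);

        // Element order matters: security, then encoding, then transport last.
        return new CustomBinding(
            security,
            new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8),
            new HttpsTransportBindingElement());
    }

    public static void Main()
    {
        // Constructed sample value: tolerate clocks that are up to 10 minutes apart.
        CustomBinding binding = Create(TimeSpan.FromMinutes(10));
        var sec = binding.Elements.Find<TransportSecurityBindingElement>();
        Console.WriteLine("Service skew: " + sec.LocalServiceSettings.MaxClockSkew);
        Console.WriteLine("SignedEncrypted tokens: " +
            sec.EndpointSupportingTokenParameters.SignedEncrypted.Count);
    }
}
```

Keep the skew as small as your clients allow: a larger value lengthens the period during which a message carrying an old timestamp is still accepted, so fixing clock synchronization on the affected machines is the better long-term answer.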

I lost a whole with this so I hope it will be useful to someone else.
