I have a WCF service that creates its own secondary IP (using netsh) upon startup and listens on that IP. Sometimes it just so happens that when the server starts listening, clients from the same machine can't connect (client credentials are rejected). From other machines, however, there are no such connection problems.

When starting the service on the original IP, connection problems don't seem to occur, but the non-deterministic behavior of the previous scenario prevents me from drawing any conclusions.

This is what is used for credentials and protection level:

```csharp
TcpClientCredentialType clientCredentialType = TcpClientCredentialType.Windows;
ProtectionLevel protectionLevel = ProtectionLevel.EncryptAndSign;
```

I would like to know what is happening here. Any suggestions/insights are welcome.

sstefan
  • You need to enable network tracing for those clients to determine if the network stack is rejecting those calls, and on the WCF server side enable tracing to capture where in the call flow they get rejected, if at all. – rene Sep 03 '19 at 07:35
  • Which transport security mode do you use on the server side? Do you manually provide a credential on the client side for the authentication? It seems that you are using NetTcpBinding to create the service. Have you enabled the Windows feature for NetTcpBinding? – Abraham Qian Sep 03 '19 at 09:42
  • Sorry for the late response. @rene AcceptSecurityContext is returning `SEC_E_LOGON_DENIED`. I have never encountered the problem when using the main IP address. – sstefan Sep 04 '19 at 05:49
  • @AbrahamQian it's `EncryptAndSign`. I don't think credentials are manually provided. It's actually a custom TcpBinding with, if I'm not wrong, the same security settings as NetTcpBinding. – sstefan Sep 04 '19 at 06:02
  • Under what credential is that WCF Service running? I can only imagine your service doesn't have access to the (correct) SAM database. – rene Sep 04 '19 at 07:29
  • @rene I'm not specifying any credentials. The user is admin on that machine. The main thing that bugs me is that sometimes it is successful, more often than not, and I can't understand the reason... – sstefan Sep 04 '19 at 07:38
  • Every process, and with that every service, runs under some credentials. That you didn't specify one makes it more likely it could be related. Is that service hosted in IIS? – rene Sep 04 '19 at 07:46
  • @rene It is just a standalone exe. In fact it is needed that the server initializes a few client connections, so those clients should have the same credentials, right? I'm still not convinced as to why it works without specifying credentials with the main IP... – sstefan Sep 04 '19 at 08:11
  • Maybe the firewall or virus scanner is lazy? – rene Sep 04 '19 at 08:13
  • @rene https://stackoverflow.com/questions/13720556/acceptsecuritycontext-random-sec-e-logon-denied this is kind of a similar problem (only not hosted on IIS) but I'm not sure how I can see the content of the context? – sstefan Sep 04 '19 at 12:32

0 Answers