My company is developing a WCF Service that will run in a web-farm environment. We are using Microsoft’s Web Farm Framework (WFF) for the farm. So far we have been unable to get it to work as we would like.
Our service is using a WSHttp binding and message security. If we disable the security, then the service works fine, and we can see the calls properly distributed across the farm nodes. However, once security is enabled, the calls fail with the following exception:
“Secure channel cannot be opened because security negotiation with the remote endpoint has failed. This may be due to absent or incorrectly specified EndpointIdentity in the EndpointAddress used to create the channel. Please verify the EndpointIdentity specified or implied by the EndpointAddress correctly identifies the remote endpoint.”
Here is the setup:
• WSHttpBinding
• Message Security
• Three servers: one is the web-farm controller, and the other two are web-farm nodes
• OS: Windows Server 2008 R2
• IIS v7.5
• WFF v2.2
• ARR v2.5
I have read the WCF Load Balancing guidelines (here: http://msdn.microsoft.com/en-us/library/ms730128.aspx). It indicates that the WSHttp binding can be used in a load-balanced environment. It also says to set the EstablishSecurityContext property to false and to not use reliable sessions. We are following both of these recommendations.
Also of note: We find that if we set up server affinity on the web farm to use ‘hostname’ affinity, then everything will work. However, we would prefer not to pin client systems to a particular node in the farm. Our service is designed to be stateless, and we would like the service to be load-balanced on a per-call basis. We would prefer to use ‘client’ affinity, or no affinity at all, but we get the above error trying either of those options.
If I turn off hostname affinity, and remove all nodes from the farm down to a single node, then everything works OK even with message security enabled. This (coupled with the fact that hostname affinity works) leads me to believe that there may be something in the security negotiation at the beginning of a call that is hitting different servers in the farm, and that this is causing the issue. However, I would expect client affinity to prevent this, but that does not seem to have any effect.
Viewing the network, it seems that it is indeed breaking down in the security negotiation. The client POSTs a security token request. The server ends up returning a 500 error, “The request for security token has invalid or malformed elements.”
Other possible factors to consider: For now, this server is set up in a test lab environment. Because of this we are using a self-signed certificate for security. Also, the web-farm servers are not connected to a Windows domain. Instead of using a domain user for the AppPool identity, each server has a local user with the exact same username and password that we use for the identity.
So I guess the question is: Is it even possible to use a WCF Service with WSHttpBinding and Message security using WFF? And if so, any insight on what I am missing to get this to work?
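As an added example (not part of the original question or of the poster's configuration), the following web.config fragment applies the two load-balancing recommendations the question cites for a WSHttpBinding with message security: EstablishSecurityContext off and reliable sessions off. The binding, behavior, service and contract names, the `Certificate` client credential type and the certificate subject name are assumptions for illustration. It additionally sets negotiateServiceCredential to false so the client does not run the multi-message service-credential negotiation (RST/RSTR exchange) before a call; that setting requires the client to be given the service certificate out of band, and the same service certificate with its private key must be installed in the machine store on every farm node.

```xml
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Assumed binding name for illustration -->
      <binding name="FarmSafeMessageSecurity">
        <!-- Reliable sessions keep per-client state on one node; keep them off in a farm -->
        <reliableSession enabled="false" />
        <security mode="Message">
          <!-- establishSecurityContext="false": no session token is cached on the node that
               handled the first call, so every call carries its own credentials.
               negotiateServiceCredential="false": skip the multi-leg credential negotiation;
               the client must already know the service certificate. -->
          <message clientCredentialType="Certificate"
                   establishSecurityContext="false"
                   negotiateServiceCredential="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <!-- Assumed behavior name for illustration -->
      <behavior name="FarmServiceBehavior">
        <serviceCredentials>
          <!-- The same certificate and private key must exist in this store on every node.
               The subject name is a placeholder. -->
          <serviceCertificate findValue="CN=farm-service.example"
                              storeLocation="LocalMachine"
                              storeName="My"
                              x509FindType="FindBySubjectDistinguishedName" />
          <clientCertificate>
            <!-- How the service validates the certificate each client presents -->
            <authentication certificateValidationMode="ChainTrust" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <!-- Assumed service and contract type names -->
    <service name="Example.FarmService" behaviorConfiguration="FarmServiceBehavior">
      <endpoint address=""
                binding="wsHttpBinding"
                bindingConfiguration="FarmSafeMessageSecurity"
                contract="Example.IFarmService" />
    </service>
  </services>
</system.serviceModel>
```

On the client side the matching binding uses the same `<message>` settings, and because negotiation is disabled the service certificate is supplied through the endpoint behavior (`<clientCredentials><serviceCertificate><defaultCertificate .../>`) rather than discovered at call time. A quick check before testing across the farm is to confirm on each node that the certificate found by the `serviceCertificate` element has a private key readable by the AppPool identity; if one node differs, only the calls routed to that node fail.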