Introduction
This topic demonstrates how to build and deploy a self-hosted WCF Service.
We will look at two ways to host a WCF Service without IIS: a Windows Service or a Console Application.
With a Windows Service, you get the advantage of letting the OS control the service lifetime. Moreover, it gives administrators an easier way to manage the settings in a production environment.
With a Console Application, you get the advantage of managing the service lifetime yourself.
In both cases, deploying a self-hosted WCF Service is easier than deploying an IIS-hosted WCF Service.
Background
The fundamental difference between deploying a WCF Service in an IIS environment and deploying it anywhere else is the WCF authentication.
As you probably know, by default, all web applications and services run under the IIS user.
In a self-hosted environment, this is obviously not the case. In a general Windows application (Console, Windows Service or GUI), listening on the port will be refused unless the application runs under an account with administrator privileges.
Running WCF Service anyway
If you still want to run an application that listens on an HTTP port, you will probably get the following error message.
Note: If Visual Studio has been run as Administrator, the following message won’t appear.
Register URL
In a production environment, the Console application or Windows Service should never be run as Administrator.
To register the WCF URL, open the terminal as Administrator and run the following command:
For a Console application:
netsh http add urlacl url=https://+:8000/ user=domain\username
For a Windows Service:
netsh http add urlacl url=http://+:8000/ sddl=D:(A;;GA;;;NS)
Note: The value of the user parameter cannot be a group.
In that case, we use the secured HTTP protocol. At this step, the WCF service should work using the basic HTTP protocol. The second step will secure the connection using a valid certificate.
Generate a certificate
To work over the HTTPS protocol, a valid certificate has to be generated. For this tutorial, we will create a self-signed certificate.
It would probably be better to use a CA-signed certificate in a production environment. CA-signed certificates are provided by a “Certificate Authority”. Those authorities validate the existence of the referred business and the ownership of the domain. One of the most famous “Certificate Authorities” is VeriSign.
Note: If your certificate is self-signed and you try to call your WCF service through a web browser, you will probably be informed that the connection is untrusted.
Open the Developer Command Prompt for Visual Studio as Administrator and type the following command to generate your self-signed certificate:
makecert -r -pe -sr LocalMachine -ss My -n CN=myComputerName -sky exchange
The CN parameter should match the name of your computer.
Check generated certificate
You can find the generated certificate by launching mmc.exe and selecting “File -> Add/Remove Snap-in”. Your certificate is listed under “Certificate -> Computer account -> Local computer”.
Get the thumbprint
Your certificate contains important fields that provide the port with a way to “trust” it. Basically, you need to find the “Thumbprint” at the end of the Details tab.
The “Thumbprint” is a hash value of 40 hexadecimal characters computed over the certificate, including all its fields. It’s a unique value worldwide for a given certificate. The “Thumbprint” is also known as the “Fingerprint” of the certificate.
Getting trusted
Finally, the port needs to be linked to the certificate in order to trust it. First of all, generate a UUID by typing the following command in the Developer Command Prompt:
uuidgen
Note: That command only generates a unique UUID.
In this case, the result was: c901f928-02ae-4b67-bba6-2824c3c7099c
Next, link the HTTP port to this UUID by running the following command:
netsh http add sslcert ipport=0.0.0.0:8000 certhash=45ace21524f027b1929115c0918130c868e3202c appid={c901f928-02ae-4b67-bba6-2824c3c7099c}
Note: If you use HTTPS, the security mode MUST be defined in code with the following line:
webHttpBinding.Security.Mode = WebHttpSecurityMode.Transport;
That’s it! The WCF Service is now working and accessible with a self-signed certificate.
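
The HTTPS procedure above, run as one elevated PowerShell session and followed by a verification step. This is an added example, not the article's own script: it swaps the deprecated makecert for the New-SelfSignedCertificate cmdlet, and the variable names, port and account placeholder are assumptions modelled on the article's values.

```powershell
#Requires -RunAsAdministrator
# Added example. Port and account are the article's placeholders; adjust them.
$port    = 8000
$account = 'domain\username'      # must be a user, not a group
$ipport  = "0.0.0.0:$port"

# 1. Self-signed certificate in LocalMachine\My (stands in for the makecert step).
#    The DNS name, like makecert's CN, is the computer name.
$cert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME `
            -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. The thumbprint is the SHA-1 hash of the DER-encoded certificate.
#    Recompute it and compare with the value the store reports.
$sha1 = [System.Security.Cryptography.SHA1]::Create()
$hash = [System.BitConverter]::ToString($sha1.ComputeHash($cert.RawData)) -replace '-', ''
if ($hash -ne $cert.Thumbprint) { throw 'Computed hash does not match the thumbprint' }

# 3. Reserve the HTTPS URL for the unprivileged account that will run the host.
netsh http add urlacl "url=https://+:$port/" "user=$account"
if ($LASTEXITCODE -ne 0) { throw 'URL reservation failed' }

# 4. Bind the certificate to the port. The appid is any GUID identifying the
#    owning application. Quote the argument: PowerShell would otherwise parse
#    the braces as a script block.
$appId = [guid]::NewGuid().ToString()
netsh http add sslcert "ipport=$ipport" "certhash=$hash" "appid={$appId}"
if ($LASTEXITCODE -ne 0) { throw 'Certificate binding failed' }

# 5. Verify: both commands should list the entries created above.
netsh http show urlacl "url=https://+:$port/"
netsh http show sslcert "ipport=$ipport"
```

For the Windows Service case, replace the user argument in step 3 with the article's 'sddl=D:(A;;GA;;;NS)' passed as one quoted string; GX in place of GA grants the right to listen on the URL without the right to delegate the reservation.
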
Summary
A brief summary of the commands you’ll need to run in each case:
HTTP
- Console application
  - netsh http add urlacl url=https://+:8000/ user=domain\username
- Windows Service
  - netsh http add urlacl url=http://+:8000/ sddl=D:(A;;GA;;;NS)
HTTPS
- Console application
  - netsh http add urlacl url=https://+:8000/ user=domain\username
  - makecert -r -pe -sr LocalMachine -ss My -n CN=myComputerName -sky exchange
  - netsh http add sslcert ipport=0.0.0.0:8000 certhash=45ace21524f027b1929115c0918130c868e3202c appid={c901f928-02ae-4b67-bba6-2824c3c7099c}
  - Define “webHttpBinding.Security.Mode”
- Windows Service
  - netsh http add urlacl url=http://+:8000/ sddl=D:(A;;GA;;;NS)
  - makecert -r -pe -sr LocalMachine -ss My -n CN=myComputerName -sky exchange
  - netsh http add sslcert ipport=0.0.0.0:8000 certhash=45ace21524f027b1929115c0918130c868e3202c appid={c901f928-02ae-4b67-bba6-2824c3c7099c}
  - Define “webHttpBinding.Security.Mode”