I am trying to grasp endpoint security, or actually more security/certiicates in general, at the moment i am trying to write a distributed service broker app, all the examples i have seen use certificates for the endpoint authentication.
Why must one create a certificate at each endpoint? Why can i not create a single certificate and let all endpoints use it ?
As you can imagine of this app gets distributed to hundreds of places creating a certificate at each one is a mission?
So can i use a single certificate for all endpoints authentication?
I have created an EndPoint in SQL Server 2005 as per the code below.
CREATE ENDPOINT OSTC_LMS_Endpoint
AUTHORIZATION LMSEndPointUsers
STATE = STARTED
AS HTTP(
PATH = '/ostc_sql_endpoint',
AUTHENTICATION = (BASIC),
PORTS = (SSL),
SITE = 'OSTC-DEV-001'
)
FOR SOAP (
WEBMETHOD 'ostc_SQLSoapTester'
(name='OSTC_LMS_06.dbo.ostc_SQLSoapTester',
FORMAT = ROWSETS_ONLY,
SCHEMA=STANDARD),
WSDL = DEFAULT,
LOGIN_TYPE = MIXED,
SCHEMA = STANDARD,
DATABASE = 'OSTC_LMS_06',
NAMESPACE = 'http://tempUri.org/'
)
GO
USE master
GRANT CONNECT ON ENDPOINT::OSTC_LMS_Endpoint
TO [LMSEndPointUsers]
GO
USE master
GRANT CONNECT ON ENDPOINT::OSTC_LMS_Endpoint
TO [ostc-dev-001endPointUsers]
GO
----------------------------------------------------------------------------------------------------------------- The SPROC being exposed as the webmethod: -
The computer in question is our dev server and is running as a workgroup machine with the following: - Win Server 2003 SQL Server 2005 .net Framework 2.0 No firewalls or Proxies are in the way.
The computer has to be as a workgroup machine to reflect our live server.
The user LMSEndPointUsers is a SQL Server Login The user ostc-dev-001endPointUsers is a machine login
We have employed the Security class as per the information given in the SQL Server documentation with the intention of using the WS-Security headers that apparently are to be used when trying to authenticate using a SQL Server login.
I am trying to get my query to pull all the occurances where someone called 411 assistance. It pulls anything that has 411 in it right now, and I just need it to find where the number is just either '411' or '1411' and thats it. Here is what I have so far:
SELECT sum(PaidBalCost), sum(BonusBalCost), sum(ceiling((Cast(DurationSeconds as Decimal)/60))) as Minutes FROM VoiceCallDetailRecord WHERE CallDate >= '02/19/2007' and calldate < '03/19/2007' and (Left(Endpoint,3) = '411' or Left(Endpoint,4) = ('1411')) UNION SELECT sum(PaidBalCost), sum(BonusBalCost), sum(ceiling((Cast(DurationSeconds as Decimal)/60))) as Minutes FROM ZeroChargeVCDRecord WHERE CallDate >= '02/19/2007' and calldate < '03/19/2007' and (Left(Endpoint,3) = '411' or Left(Endpoint,4) = ('1411'))
we've gotten this to work from sqlclr and understand the dependence wcf has on the framework but still feel compelled to ask if somehow t-sql can send a message to a wcf endpoint without getting sqlclr involved. I've moved this question over here from the t-sql forum.
I have created an Endpoint based on a stored procedure that has a parameter of datatype XML. I have added a reference to the endpoint in a web project, I have no problems accessing but I do have a question on how to pass XML or an entire XML file to the XML datatype? How is this done in VB.net? I have loaded the XML file into a vb string but this is not compatible with the sql server xml datatype? Any examples anywhere?
I have two servers both installed sql server.The name of the servers are A and B respectively. The admin of sql server in A is 'domainuserA', and admin of sql server B is 'domainuserB'.
My purpose is create a mirroring for a database in server A, but i can establish endpoint in server A(network address can not be reached or does not exist), i have grant the 'connect to endpoint' permission to each login .
i past my code:
step1
Code Snippet --Server A, principal create database db_test backup database db_test to disk='\sharefolderdb_test.bak' with init
create endpoint endpoint1 as tcp(listener_port=5002) for database_mirroring (role=partner)
alter endpoint endpoint1 state=started
create login [domainuserB] from windows grant connect on endpoint::endpoint1 to [domainuserB]
step2
Code Snippet --Server B, mirror restore database db_test from disk='\sharefolderdb_test2.bak' with norecovery
create endpoint endpoint1 as tcp(listener_port=5002) for database_mirroring (role=partner)
alter endpoint endpoint1 state=started
create login [domainuserA] from windows grant connect on endpoint::endpoint1 to [domainuserA]
alter database db_test set partner='TCP://A.corp.com:5002'
--step3
Code Snippet ----Server A, principal
alter database db_test set partner='TCP://B.corp.com:5002'
this step return a error message:
The server network address "TCP://B.corp.com:5002" can not be reached or does not exist. Check the network address name and that the ports for the local and remote endpoints are operational.
I have the need to have a client application connect to a remote database server for retrieval of large datasets (~13000 rows at time) and am trying to leverage existing technologies to build my solution.
To test the difference in retrieval times I created 2 test apps - testA and testB. I created an HTTP endpoint in SQL Server (2005) that exposes one web method corresponding to a sproc that executes one select query and configured testA to execute query and bind the results to a data grid. I exposed my SQL Server so that I could connect directly to the SQL Server using a connection string and configured testB to execute the same SQL statement in an ad-hoc fashion, binding the results to a data grid.
On average, the HTTP endpoint would take ~ 34 seconds to return the 13,000 row data set whereas the direct connection returned that same result set in 4 seconds or less.
I have a bunch of questions: * Why would I be seeing such a dramatic difference in the retrieval times? * How is SQL Server communicating when there is a direct connection? * What are the immediate disadvantages to connecting directly to the remote SQL Server? * If I were to consider allowing my client application to communicate directly with the SQL Server, is there any way to secure the communication without VPN? * In addition, is it even possible to create a SQL login that has all of these requirements? ** select and update only ** cannot view schema (cannot connect to the SQL Server using SQL Server Management Studio) ** cannot view any system tables ** cannot retrieve any information about the schema of the database whatsoever
I guess I'm wondering if there is a way to overcome the obvious serialization overhead that comes with the HTTP endpoint to get the speed of the direct connection while being secure at the same time. Is that being greedy? :P
Anyhow, what are your opinions? I'm very interested to hear experiences and/or advice.
Problem: Connections to SOAP endpoints never close even if app initiating call was shutdown several days earlier. Create Endpoint statement included at bottom
Questions: 1 Why? 2. Is there a configuration option I need to set?
[1] Client side: Multiple clients from XMLSpy running on XP Pro to WebSphere Process Server running on AIX
[2] Server side:
What is the MS SQL version? SQL Server 2005 SP2
What is the SKU of MS SQL? Enterprise
What is the SQL Server Protocol enabled? Shared Memory | and TCPIP
Does the server start successfully? YES If SQL Server is a named instance, is the SQL browser enabled? YES
What is the account that the SQL Server is running under? Domain Account Do you make firewall exception for your SQL server TCP port if you want connect remotely through TCP provider? NO
Do you make firewall exception for SQL Browser UDP port 1434? In SQL2000, you still need to make firewall exception for UDP port 1434 in order to support named instance. NO [2a] Tool Used to Connect: Multiple clients from XMLSpy running on XP Pro to WebSphere Process Server running on AIX
[3] Platform:
What is the OS version?Windows 2003 SP2 Do you have third party antivirus, anti-spareware software installed? McAfee. Exceptions have been set in accordance with MS SQL Server documentation
ENDPOINT:
CREATE ENDPOINT [TestEndpoint]
AUTHORIZATION [AuthID]
STATE=STARTED
AS HTTP (PATH=N'/SqlSSL/testEndpoint', PORTS = (SSL), AUTHENTICATION = (BASIC),
I'd like to know how can I setup the SSL so I can secure my HTTP Endpoint.
I saw in the documentation that some settings such as SSL_PORT and PORTS should be set to SSL port number and SSL but I did not find out anywhere where they explain how to enable SSL.
Do we enable SSL the same way we enable it or SQL Server 2005 or does that have to be done through the MMC - Certificates.
I don't have any IIS server running on this server, so I was wondering if IIS is a requirement to generate and import the certificate.
I am unable to create endpoint in the Windows 2003 server using SQL 2005. I also tried reserving the namespace before CREATE but i still end up with this error
Msg 7806, Level 16, State 1, Line 1 The URL specified by endpoint 'zzzzzz' is already registered to receive requests or is reserved for use by another service.
Msg 7807, Level 16, State 1, Line 1 An error ('0x800700b7') occurred while attempting to register the endpoint zzzzzz.
My code looks loke this:
IF EXISTS ( SELECT name from sys.http_endpoints WHERE name = 'zzzzzz' ) DROP ENDPOINT zzzzzz GO
CREATE ENDPOINT zzzzzz
STATE = STARTED AS HTTP ( site='servername', path='/sql/zzzzzz', AUTHENTICATION=(INTEGRATED), PORTS = (CLEAR) ) FOR SOAP( WEBMETHOD 'http://servername/' . 'sp1' (NAME = 'dbName.dbo.sp1'), WEBMETHOD 'http://servername/' . 'sp2' (NAME = 'dbName.dbo.sp2'), WSDL = DEFAULT, BATCHES=ENABLED) GO -- End of Script --
The script that I use is correct and it works fine on my local machine (Windows XP). The user that I used to crete an endpoint on the server has 'sysadmin' level. The IIS was already turned off. Also I run the script by using the RemoteDesktop to connect to the server (Windows 2003) that has SQL Server 2005. If anyone has an idea about my problem, please help me !!! Thank You Zee.
can rs get xml data from a netTcp, wsHttp, or netPipe binding? I assume it can get it from basicHttp bindings since theyre are ws1.1.
Thanks!
oh also, if your return type for an operation contract is System.Data.DataSet, do you need to create a datacontract for DataSet and how? or is it automatically serialized into soap like the .net 2.0 webservices do?
I met some problems when I walk through a example for Native Http SOAP in SQL Server 2005 for Developers. after I create the HTTP EndPoint in the Management Studio using following code:
USE AdventureWorks GO
CREATE PROCEDURE EmployeePhoneList AS SELECT C.LastName, C.FirstName, C.Phone FROM Person.Contact AS C INNER JOIN HumanResources.Employee AS E ON C.ContactID = E.ContactID ORDER BY C.LastName, C.FirstName GO
DROP ENDPOINT HRService; GO
CREATE ENDPOINT HRService STATE = STARTED AS HTTP ( PATH='/HumanResources', AUTHENTICATION=(INTEGRATED), PORTS=(CLEAR) ) FOR SOAP ( WEBMETHOD 'EmployeePhoneList'(name='AdventureWorks.dbo.EmployeePhoneList'), DATABASE='AdventureWorks', WSDL=DEFAULT )
then I can see the web service is indeed created by using following cmnd,
SELECT * FROM sys.endpoints
SELECT * FROM sys.soap_endpoints;
SELECT * FROM sys.endpoint_webmethods;
but when I want to use the web service in the VS2005, I can't find it and add the web reference. Any help will be greatly appreciated. and could you please tell me how to check web services in the local computer? Thanks.
When i type http://localhost/sql/provideinfo?wsdl into internet explorer, i just get a 404 page cannot be found error.
When i type http://server/sql/provideinfo?wsdl in to the browser i get a Page cannot be displayd error.
I get the same when i type http://myServerName/sql/provideinfo?wsdl
I get the same when i type http://sitename/sql/provideinfo?wsdl
Sql server is running under an account with admin access to the box and sa access to the sql server. what am i doing wrong here that i cannot view my wsdl. oh, the OS is vista.
Could it be a configuration issue that im not seeing?
I just want to be 100% sure about something. Certificates generated for use with service broker endpoints must be generated in the maste database, correct?
What are the implecations of the master key is changed for the master database ?
The problem here is that although the script executes successfully, the site is not created within IIS and thus the endpoint is not deployed. Im using windows vista, and have IIS installed. does anyone know what im doing wrong?
I am trying to use a SQL Endpoint I created in SQL Server 2005 that returns XML in a Reporting Services report. I've posted the error message at the bottom of this post. Has anyone attempted this before? I don't really know why its getting an error. I went through the tutorial Microsoft provides about connecting to the Reporting Services ASMX and was able to actually get data.
Any help would be appreciated!
Graham
TITLE: Microsoft Report Designer ------------------------------
An error occurred while executing the query. Failed to execute web request for the specified URL.
I created my SOAP endpoint in SQL 2005 sp 2, I worte an ASP.NET 2.0 app to consume the exposed webmethod but how do you add the soap headers in the asp.net app? Basically I want to expose the application name property to set it to determine the actual caller in SQL Profiler. Can it be done without modifying the generated proxy code in ASP.net or is there a workaround ?
How can I access my endpoint output set of values/xml using internet explorer? I am able to access the wsdl file now I need to access the actual value returned from sql server 2005. Now i need to display it on my Internet Explorer. All the examples of microsoft leads to access using CLR. Please let me know also the difference between Get/Post with respect to EndPoints.
Hello. I have set up an SQL Endpoint using NTLM authentication. When I try to retrieve the WSDL file I am prompted for credentials. I put in username/password (this user has Connect access to the Endpoint) but its not accepted. The dialog reappears. The SQL error log shows an HTTP authentication failed error. I've triple checked that the username/password is correct.
Now here's the strange part: the same endpoint (exact same code for setting up endpoint, permissions, user, etc.) works just fine on another box (username/password is accepted and WSDL is shown). This leads me to believe that the problem isn't with SQL or the endpoint, but someplace else. I really don't know how to debug this one.
I appologise that incarnations of this topic have been posted several times on this forum, however I cannot find a scenario that is the same as my own so I've resorted to starting a new thread.
I can successfully create and connect remotely to an HTTP EndPoint on my Windows 2003 machine using Integrated security, the administrator username and password via my static IP address.
I have read that Windows XP SP2 supports HTTP EndPoints, and it would be much more convenient for me to be able to create EndPoints in XP, and connect remotely.
I have created the endpoint like so...
CREATE ENDPOINT sql_tvr10 STATE = STARTED AS HTTP( PATH = '/sql/tvr10', AUTHENTICATION = (INTEGRATED), PORTS = (CLEAR))
In visual studio I can retrive a list of services running at http://localhost/sql/tvr10?WSDL absolutely fine. However, in Visual Studio on the remote machine, I cannot connect to http://194.106.11.11/sql/tvr10?WSDL - it prompts me for a username and password, however I cannot select the username - it is set to "Athlon64Guest" (Athlon64 is my server computer name). I have no passwords on any of my windows accounts (except administrator), and I have no database passwords set.
Could someone please tell me how I should go about accessing the HTTP EndPoint?
Just so it is clear, I am running a small LAN with no domain, just a workgroup. I need the client application to be able to connect via http regardless of which network it is on. I am using VS2005 and SQL Server 2005 Dev Ed.
I am ending conversations properly for a dialog, the end conversation at the target properly marks the conversation as closed in sys.conversation_endpoints and sends the EndDialog message to the initiator.
The initiator get the EndDialog message from the target and ends the conversation and it clears out of sys.conversation_endpoints.
I know that to avoid reply attacks that the conversation at the target will only clear out in 30 minutes.
However it has been a day now and the conversation is still sitting in sys.conversation_endpoints as CLOSED at the target.
How do i troubleshoot this ? Why is the conversation not clearing?
I am testing using Web Services from SQL Server 2005 and am having problems with IE Authentication when I try to retreive the WSDL.
The basic scenario is:
I create the Web Service and initially can view the WSDL using Http:ServernamePath?wsdl and also can consume the Web Service in a DotNet app. However after a period of 2 hours or more the the WSDl starts asking for authentication but I cannot determine what authentication or rights are required
In an earlier post http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1175161&SiteID=1 Jimmy Wu mentions "IE prompted me for my user credentials and after entering the information I was able to retrieve the WSDL doc".
What are the user credentials required and how do you set permissions to avoid these. This forum post is the only place I have seen where any mention is made of some additional credentials being needed.
I posted this in the Sharepoint Designer forum, but did'nt get an answer...so trying here...Below is my soap endpoint in sql2005...works fine for InfoPath to consume the service...but when SharePoint Designer attempts to retieve data I get
"The server returned a non-specific error when trying to get data from the data source."
In SPD I can connect to the service and see the methods and parameters...but never get any data returned...wondering if it's in my endpoint setup. BTW-using Windows security by default in SQL2005...I've tried different types of logins without success...
I try to consume a SSL Endpoint that is locate in localhost, but i get the follow error msg:
The underlying connection was closed: An unexpected error occurred on a receive.
m_safeCertContext is an invalid handle.
I do not know what gone wrong with my VS2005, i tried in IE with https://localhost/test?wsdl, and it was okay and display the wsdl document successfully. Beside i also tried with CLEAR port, everything is ok and i managed to consume the web service too.
I need to enable digest authorization on an HTTP endpoint, because the integration tools for some java code that needs to connect to it does not support NTLM or kerberos - only digest and basic. I setup a test endpoint in order to test only digest authorization (as opposed to the final endpoint which needs both digest and integrated), but I can't even get that to work - when I point my browser to it to see the wsdl it pops up with the login box, but the login always fails.
I have the feeling I'm missing some very minor piece that will just make the whole thing work. Below are some log entries as well as the script to create the test endpoint I'm hitting. Any ideas are very welcome, I've banged my head on this one for far too long.
SQL Server error logs shows a "Error: 26026, Severity: 14, State: 1" entry followed by a "HTTP authentication failed" entry.
Event Log Security entry on the server:
Logon Failure:
Reason: An error occurred during logon
User Name: MyUserName
Domain: mydomain
Logon Type: 3
Logon Process: WDIGEST
Authentication Package: WDigest
Workstation Name: -
Status code: 0xC000006D
Substatus code: 0xC00000FE
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
Test endpoint script:
CREATE ENDPOINT [DigestTest]
STATE=STARTED
AS HTTP (PATH=N'/DigestTest', PORTS = (CLEAR), AUTHENTICATION = (DIGEST), SITE=N'SRV001',
Each webmethod will be accessed thru a multiview on the page.
It would seem to me that I can describe the webmethods using a fully qualified stored proc name and that wouldn't cause a big problem. But, my question is what does that DATABASE=N'fadb' clause do?
Does anybody see a problem with using a single endpoint to access multiple databases?
Any advice would be greatly appreciated as this is my first web app using this data access method.
