WCF through ARR: Disappearing cookie


After deploying a WCF service library to a new web farm using ARR and IIS on Windows 2012, I've run into a bit of an issue.

Trying to call a method using WcfTestClient, I get "The security context token is expired or is not valid. The message was not processed."

I have enabled cookies in the config file. Looking at the flow of traffic in Wireshark, this is what I see:

-> POST, SOAP
<- Set-Cookie: ARRAffinity=..., SOAP
-> POST, Cookie: ARRAffinity=..., SOAP
<- SOAP
-> POST, Cookie: ARRAffinity=..., SOAP
<- SOAP
-> POST, SOAP (no cookie)
<- SOAP (500)

Dump from Wireshark, with content stripped: https://ghostbin.com/paste/mshuk

Looking at the logs in Splunk, I see that the final POST gets directed to a different farm server than the previous ones, making the security context invalid.


There are 1 answers

Fabske On

This is not really a solution for your problem, but I hope it'll help people.

As I couldn't find a correct way to handle the ARR cookie, I've taken the problem in the other direction: how to make WCF completely stateless so each call can go to any server, so we don't care anymore about the ARR cookie.

On the WCF side it's quite simple: set the EstablishSecurityContext = false on the binding.

In code:

binding.Security.Message.EstablishSecurityContext = false;

In xml:

<binding name="SecureBindingBigSize">
  <security mode="TransportWithMessageCredential">
    <message establishSecurityContext="false" clientCredentialType="UserName"/>
  </security>
</binding>

Of course, your application must be compatible with this behavior (= not using session).

For info, my WSHttpBinding is using HTTPS and TransportWithMessageCredential security.
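
The stateless setup described in this answer, as an added example that is not part of the original answer: a client that builds the matching binding in code, with a contract marked `SessionMode.NotAllowed` so that WCF refuses to open the endpoint if a session (secure conversation or reliable session) is ever turned back on. The contract `IOrderService`, the endpoint URL and the credentials are hypothetical placeholders; the same contract and binding settings are assumed on the service side.

```csharp
using System;
using System.ServiceModel;

// Hypothetical contract. SessionMode.NotAllowed turns "the application must not
// use sessions" into a check: opening fails if the binding provides a session.
[ServiceContract(SessionMode = SessionMode.NotAllowed)]
public interface IOrderService
{
    [OperationContract]
    string GetStatus(int orderId);
}

public static class StatelessBinding
{
    public static WSHttpBinding Create()
    {
        // HTTPS transport, credentials carried in the SOAP message
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        // No security context token: every message carries the UserName
        // credential and is authenticated on its own, on whichever server gets it.
        binding.Security.Message.EstablishSecurityContext = false;
        // Reliable sessions are also per-server state; keep them off.
        binding.ReliableSession.Enabled = false;
        return binding;
    }
}

public static class Program
{
    public static void Main()
    {
        var address = new EndpointAddress("https://farm.example.test/OrderService.svc"); // placeholder
        var factory = new ChannelFactory<IOrderService>(StatelessBinding.Create(), address);
        factory.Credentials.UserName.UserName = "placeholder-user";
        factory.Credentials.UserName.Password = "placeholder-password";
        IOrderService proxy = factory.CreateChannel();
        try
        {
            Console.WriteLine(proxy.GetStatus(42));
            ((IClientChannel)proxy).Close();
            factory.Close();
        }
        catch (CommunicationException)
        {
            // A faulted channel cannot be closed cleanly; abort instead.
            ((IClientChannel)proxy).Abort();
            factory.Abort();
            throw;
        }
    }
}
```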