
I want to secure a service application in WCF 4, using a self-signed certificate (generated by inetmgr).

But I can't: when I call a method of the service, I get a MessageSecurityException:

The HTTP request was forbidden with client authentication scheme 'Anonymous'.

The web.config file:

<?xml version="1.0"?>
<configuration>
    <system.web>
        <compilation debug="true" targetFramework="4.0" />
        <customErrors mode="Off"/>
    </system.web>

    <system.serviceModel>
        <bindings>
            <wsHttpBinding>
                <binding name="TransportSecurity">
                    <security mode="TransportWithMessageCredential">
                        <transport clientCredentialType="Certificate" />
                        <message clientCredentialType="Certificate"/>
                    </security>
                </binding>
            </wsHttpBinding>
        </bindings>

        <behaviors>
            <serviceBehaviors>
                <behavior name="testingServiceBehavior">
                    <serviceMetadata httpsGetEnabled="true" httpGetEnabled="false" />
                    <serviceDebug includeExceptionDetailInFaults="false"/>
                </behavior>
            </serviceBehaviors>
        </behaviors>

        <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />

        <services>
            <service behaviorConfiguration="testingServiceBehavior"
                     name="Testing.Service1">

                <endpoint address=""
                          binding="wsHttpBinding"
                          bindingConfiguration="TransportSecurity"
                          contract="Testing.IService1" />

                <endpoint address="mex"
                          binding="mexHttpsBinding"
                          contract="IMetadataExchange" />
            </service>
        </services>
    </system.serviceModel>

    <system.webServer>
        <modules runAllManagedModulesForAllRequests="true"/>
    </system.webServer>
</configuration>

And the code where I am trying to consume the service is:

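    /// <summary>
    /// Server-certificate validation callback installed on
    /// <see cref="System.Net.ServicePointManager.ServerCertificateValidationCallback"/>.
    /// Because that property is static, this callback decides TLS trust for every
    /// HTTPS connection the process makes, not just the WCF call.
    /// </summary>
    /// <param name="sender">The object requesting validation (unused).</param>
    /// <param name="cert">The certificate presented by the server; may be null.</param>
    /// <param name="chain">The chain built for <paramref name="cert"/> (unused here).</param>
    /// <param name="error">Policy errors the platform found while validating.</param>
    /// <returns>
    /// true when the platform found no policy errors, or when the presented
    /// certificate's thumbprint matches the one explicitly trusted self-signed
    /// certificate; false for every other certificate.
    /// </returns>
    public static bool validateCertificates(object sender,
                                            System.Security.Cryptography.X509Certificates.X509Certificate cert,
                                            System.Security.Cryptography.X509Certificates.X509Chain chain,
                                            System.Net.Security.SslPolicyErrors error)
    {
        // Thumbprint of the self-signed "ServerWeb2" certificate the test service
        // presents. Placeholder: copy the value from the certificate store before
        // use. Pinning the exact certificate is what makes accepting a self-signed
        // certificate safe; returning true unconditionally accepts any certificate
        // from any host, for every HTTPS connection in the process.
        const string TrustedSelfSignedThumbprint = "<THUMBPRINT-OF-ServerWeb2>";

        // The usual case: chain built to a trusted root and the host name matched.
        if (error == System.Net.Security.SslPolicyErrors.None)
        {
            return true;
        }

        // Nothing presented: there is nothing to pin against.
        if (cert == null)
        {
            return false;
        }

        // Self-signed case: accept only the one pinned certificate, whatever the
        // reported errors (a self-signed test certificate typically reports chain
        // errors, and possibly a name mismatch, which the pin covers exactly).
        string presentedThumbprint = cert.GetCertHashString();
        return string.Equals(presentedThumbprint,
                             TrustedSelfSignedThumbprint,
                             System.StringComparison.OrdinalIgnoreCase);
    }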

    /// <summary>
    /// Click handler that builds a WSHttpBinding mirroring the "TransportSecurity"
    /// binding in web.config, attaches the client and service certificates from the
    /// current user's store, and calls the service. The method's closing brace is
    /// not part of the pasted snippet.
    /// </summary>
    /// <param name="sender">The button that raised the event (unused).</param>
    /// <param name="e">Event data (unused).</param>
    private void button1_Click(object sender, EventArgs e)
    {
        // ServicePointManager is static: this installs validateCertificates as the
        // server-certificate check for every HTTPS connection in the process, not only
        // this client. As pasted on this page that delegate returns true for any
        // server certificate, so TLS server authentication is effectively off.
        System.Net.ServicePointManager.ServerCertificateValidationCallback = new System.Net.Security.RemoteCertificateValidationCallback(validateCertificates);

        WSHttpBinding binding = new WSHttpBinding();
        binding.Name = "secureBinding";

        // Same settings as the web.config binding: HTTPS transport with a client
        // certificate at the transport level and a certificate as the message credential.
        binding.Security.Mode = SecurityMode.TransportWithMessageCredential;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

        EndpointAddress endpointAddress = new System.ServiceModel.EndpointAddress("https://rtsa.dnsalias.com:2490/Service1.svc");

        ProCell2.Servicios.Informes.Service1Client client = new Servicios.Informes.Service1Client(binding, endpointAddress);

        // Client certificate: what this client presents to the server.
        // NOTE(review): the same subject name "ServerWeb2" is used below for the
        // service certificate, so one certificate plays both roles here — confirm that
        // is intended. The 'Anonymous' scheme in the error suggests the server did not
        // see a client certificate on the request; whether the server trusts this
        // certificate's root cannot be determined from this snippet.
        client.ClientCredentials.ClientCertificate.SetCertificate(
                StoreLocation.CurrentUser,
                StoreName.My,
                X509FindType.FindBySubjectName,
                "ServerWeb2");

        // Service certificate: the certificate the client expects from the service
        // for message-level security, supplied out of band from the local store.
        client.ClientCredentials.ServiceCertificate.SetDefaultCertificate(
                StoreLocation.CurrentUser,
                StoreName.My,
                X509FindType.FindBySubjectName,
                "ServerWeb2");

        client.GetInformation();  // <-------- the MessageSecurityException is raised here

The SSL configuration:

SSL Setting




Please add the following lines to your client code (`myBinding` is your `WSHttpBinding` instance — `binding` in your snippet):

// Disable credential negotiation and the establishment of
// a security context: the client then relies on the service
// certificate it already holds (the SetDefaultCertificate call in
// the question) instead of negotiating it, and no session context
// is set up first. See the MSDN link below for the trade-offs.
// NOTE(review): confirm the locally stored service certificate
// matches the one the service actually uses.
myBinding.Security.Message.NegotiateServiceCredential = false;
myBinding.Security.Message.EstablishSecurityContext = false;

See http://msdn.microsoft.com/en-us/library/ms733102.aspx for more details, and see "What are the impacts of setting establishSecurityContext="False" if I use https?" for the impact it has on your communication.

  • Thanks for your help, but it is still the same error. I even put that in the web.config to try. – Gabriel Sep 17 '11 at 11:46
  • And if you perform the exact example as available in http://msdn.microsoft.com/en-us/library/ms733102.aspx, do you still get the same error? The problem is at your client side, obviously, so it needs to be a change in client code. Or, another possibility: is the certificate you are trying to log in with in the trusted root authorities list on the server side? Otherwise your challenge will not contain that certificate root, and your client will not be able to send it with the request. – kroonwijk Sep 17 '11 at 18:14