WCF – 2 Way SSL Security using Certificates

re: WCF – 2 Way SSL Security using Certificates

Prashant — Thu, 11 Dec 2008 00:14:23 GMT

Hey I got nice help from blog.

but I am still endup with Exception.

"The SSL settings for the service 'None' does not match those of the IIS 'Ssl, SslNegotiateCert, SslRequireCert, SslMapCert'"

If i change trasport secutity from "trasport" to "trasportwithMessageCredential" It works. But again I end up with "Could not establish trust relationship for the SSL/TLS secure channel with authority"

Can you tell me the cause.

re: WCF – 2 Way SSL Security using Certificates

imayak — Thu, 11 Dec 2008 05:41:11 GMT

For this error "Could not establish trust relationship for the SSL/TLS secure channel with authority", check that the SSL Certificate that you have is trusted on the client.

That is, the SSL certificate issuer should be in the Trusted Store of your client computer. If your SSL certificate is issued from a Trusted CA like Verisign,you shouldn't be facing this problem because all of the known Verisign issuers are already trusted.

However, if you are testing with a temporary certificate which you created using makecert.exe or got from a test CA like Comodo, you will face this problem.

If you still want more clarifications, let me know what kind of binding configuration you are using, so that I can help you out with the right settings.

Good luck.

re: WCF – 2 Way SSL Security using Certificates

Manpreet — Thu, 11 Dec 2008 22:36:20 GMT

Excellent description. Keep up the good work.

re: WCF – 2 Way SSL Security using Certificates

Anony Mouse — Mon, 15 Dec 2008 06:49:08 GMT

Good blog. Thanks.

I am a little confused about anonymous access too. Can you write a wcf service that just uses anonymous access without encryption and without windwos authentication?

I know you would not want to do this, but want to know if you can.

Otherwise is it safe to assume all wcf services must use certificate based authentication?

re: WCF – 2 Way SSL Security using Certificates

imayak — Mon, 15 Dec 2008 08:15:56 GMT

You can always set the WCF service to use no authentication at all. Of course no one would want to do that, but its possible.

On your second question, it is not required for all WCF services to use certificate based authentication.

WCF Services must be configured for SSL client certificate authentication only if the clients are already "known" to the service. (ie., Intranet applications or when you have a defined set of customers to access the service)

Internet based non-critical services generally don't use client certificates.

re: WCF – 2 Way SSL Security using Certificates

John — Thu, 08 Jan 2009 00:50:18 GMT

Someone copied your post here: http://codingtkj.blogspot.com/2008/12/2-way-ssl-security-using-certificates.html

re: WCF – 2 Way SSL Security using Certificates

John — Thu, 08 Jan 2009 02:41:07 GMT

You can leave the mex endpoint uncommented if you configure it to use wsHttpBinding and the same bindingConfiguration as your service uses. For example,

<endpoint address="mex" binding="wsHttpsBinding"

name="MetadataBinding" contract="IMetadataExchange" bindingConfiguration="CertificateWithTransport"/>

For more info see:

http://msdn.microsoft.com/en-us/library/aa395212.aspx

(Custom Secure Metadata Endpoint)

re: WCF – 2 Way SSL Security using Certificates

Maxim — Mon, 23 Feb 2009 22:53:32 GMT

Nice and useful article!

But even after enabling anonymous in IIS and disabling mex, I still get errors:

Service error: The HTTP request was forbidden with client authentication 'Anonymous'. Service Fault: The remote server returned an error: (403) Forbidden.

What could be the reason?

re: WCF – 2 Way SSL Security using Certificates

Ashley Tate — Mon, 27 Apr 2009 19:44:31 GMT

@Maxim: I ran into the same error and have documented at least one cause here:

http://coditate.blogspot.com/2009/04/confusing-errors-using-wcf-transport.html

re: WCF – 2 Way SSL Security using Certificates

imayak — Tue, 28 Apr 2009 06:39:28 GMT

@Maxim : It's true that sometimes the error messages aren't very clear and helpful in troubleshooting. Just go through the settings once again and ensure that everything is right.

re: WCF – 2 Way SSL Security using Certificates

meir — Wed, 13 May 2009 11:50:21 GMT

great article.

but when i checked the Require SSL in iis (7.0).

then every time i get Internal Server Error.

why?

re: WCF – 2 Way SSL Security using Certificates

meir — Wed, 13 May 2009 12:09:56 GMT

i found out that if iis is configured as Require SSL, i had 2 comment the HTTP binding/endpoint swctions in the web.config to get it to work.

why?

re: WCF – 2 Way SSL Security using Certificates

Chris Mullins — Thu, 21 May 2009 04:06:11 GMT

I was able to get the MEX endpoint to work using this same approach. The issues is the binding and bindingConfiguration of the endpoint.

Step 1 was to create a service behavior that required SSL.

</behavior>

</serviceBehaviors>

</behaviors>

Step 2 is to enable the MEX endpoint using the wsHttpBinding and proper binding configuration. In this case, the binding configuration is the same as the primary endpiong name.

Doing this worked fine. To get to the MEX endpoint, a client cert is required - which is exactly what I wanted.

re: WCF – 2 Way SSL Security using Certificates

imayak — Thu, 21 May 2009 08:00:55 GMT

Meir >> I can't get your problem. Can you post your bindings as well?

re: WCF – 2 Way SSL Security using Certificates

Jaster — Tue, 09 Jun 2009 19:06:03 GMT

Awsome Work!

But i'm still expirencing some trouble. I can create an instance of the service, but i can't call any methods. i recieve an errormessage like: "could not establish trusted ssl/tsl channel..."

any ideas?

Regards

Jaster

re: WCF – 2 Way SSL Security using Certificates

imayak — Wed, 10 Jun 2009 12:02:16 GMT

It's basically a certificate trust issue. The client machine that you are using to talk to the server does not trust the certificate that you are using on your server.

Make sure the certificate's 'CN' property has the domain name.

Eg., If the WCF Service URL is : https://myserver/services/service.svc

then, your certificate should be issued to "myserver". i.e., you should see CN=myserver in the certificate properties.

If this is also done, then install the certificate in the trusted store of the client machine. It should work.

re: WCF – 2 Way SSL Security using Certificates

T.Chowdhury — Sun, 21 Jun 2009 16:03:36 GMT

Very Good Article, follwoing your steps I was able to install my service using SSL. Although few of my steps somehow differ than what it has stated in the article. I will comeback to later on that.

First I have few questions in code below (Configuring the client to use SSL) which certificate thumb print represents below Client or Server? My second question is how do I know what's the value of

storeLocation?

re: WCF – 2 Way SSL Security using Certificates

imayak — Mon, 22 Jun 2009 08:19:56 GMT

Chowdhury,

In the behavior, you must give the client certificate's thumbprint value.

In the storeLocation attribute, give the name of the store where the certificate resides. There are multiple certificate stores on the computer and here is how you open them.

On Run -> Type mmc and press Enter

Press Ctrl +M

On Add or Remove Snap-ins window, select Certificates and click Add button

A new window with

1. My User Account

2. Service Account

3. Computer Account

appears

If you select "My User Account", you will be able to see all certificates accessible to that particular windows user account.

If you select Service Account, you will be able to see all certificates accessible to that particular windows service that you will eventually choose in the next window.

Sample theory applies to the third option as well.

re: WCF – 2 Way SSL Security using Certificates

Elena Neroslavskaya — Wed, 29 Jul 2009 06:44:13 GMT

Thank you for the great post. The only problem we have noticed that once Anonymous is enabled on IIS, ANY certificate issued by CA that is in trusted authorities store is granted access.

Is there a possibility to restrict access to just one specific Cert?

re: WCF – 2 Way SSL Security using Certificates

T.Chowdhury — Sun, 02 Aug 2009 06:09:13 GMT

Hi, here are some good news and bad news. Good news is following your steps, I was able to install my service using SSL as well as consume the service from a client (console application). No issue.

The app config file used for the client console application shown as below

<system.serviceModel>

</security>

</binding>

</wsHttpBinding>

</bindings>

<endpoint address="https://tnsiit.tnsinsideit.local/EmailService/EmailService.svc"

behaviorConfiguration="credentialConfiguration" binding="wsHttpBinding"

bindingConfiguration="EmailServiceHttpsEndpoint" contract="EmailClient.EmailService.IEmailService"

name="EmailServiceHttpsEndpoint" />

</client>

</clientCredentials>

</behavior>

</endpointBehaviors>

</behaviors>

</system.serviceModel>

The bad news is after that I have created an ASP.net application, trying to consume the same service. I have cut & paste the above configuration into ASP.net web config, we I was testing the above service via aspx page, I'm getting this error

Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'CurrentUser', FindType 'FindByThumbprint', FindValue 'c72e3caa4ae63e20791f10bc6ab99ef24a2cc34d'.

Do I have to do something different for ASP .NEt application.

Any help will be really appreciable.

re: WCF – 2 Way SSL Security using Certificates

erosen03 — Thu, 06 Aug 2009 07:34:36 GMT

Thanks for a great post. I had a similar issue trying to figure out why a particular WCF service kept reporting that it needed anonymous authentication enabled in IIS, even after I corrected the items in the WCF service's web.config file. It turned out for me that even though web.config changes are supposed to be applied immediately after the file is saved, I had to issue an IISRESET command in order for the error message about anonymous access to go away.

re: WCF – 2 Way SSL Security using Certificates

Sahil Malik — Wed, 12 Aug 2009 05:37:58 GMT

Hi Imaya,

This is a good article, and you being the original source, it has been shamelessly copied all over the internet by people claiming it as their own. Anyway, credit goes to you for the original.

I wanted to point out a couple of things though.

a) Setting anonymous is not necessary. You've had to set anonymous over there because your service settings are not properly translating the certificate identity into an identity that the service will understand, i.e. an AD identity for instance. Try doing the mapping using serviceBehavior/service-clientCredentials .. and you'll see what I'm saying.

b) Metadata exchange does not need to be turned off either. You simply need to do httpsEnabled - true, or enable metadata over HTTPS as one other comment mentioned above.

Great post otherwise. Love it.

Sahil

re: WCF – 2 Way SSL Security using Certificates

imayak — Wed, 12 Aug 2009 07:27:04 GMT

Thanks Sahil.

I appreciate your clarification for the issues mentioned.

re: WCF – 2 Way SSL Security using Certificates

Manav — Thu, 13 Aug 2009 00:13:02 GMT

Hi Imaya,

Thanks for the great post. I exactly had the same issues, and your article pulled me out. My only grievence is I found you article when I had struggled thru and fixed almost all the issues, and was stuck at the last one - related to commenting the mex endpoint.

Still a great post. Keep up the good work.

Manav

re: WCF – 2 Way SSL Security using Certificates

Alex — Sun, 06 Sep 2009 13:44:35 GMT

Hi Imaya,thanks for your great post.

By the way,what do you mean by terms of "2 way SSL security?"

what is the typical usage scenario for it?

re: WCF – 2 Way SSL Security using Certificates

imayak — Mon, 07 Sep 2009 09:00:49 GMT

@Alex : It's just that the client will also have a SSL certificate so the server can authenticate the client. So, I call it '2 Way'.

re: WCF – 2 Way SSL Security using Certificates

Chloé — Tue, 20 Oct 2009 00:26:40 GMT

hi imayak,

thank you for taking your time and help us all. i have a problem =)

before i found your post, i already figured out how to set up https on my dev machine running xp as well as my QA 2003 server with self certificate.

my project (website) is a distribution website, therefore, i cannot use static url in the web.config or in the clientconfig. i find the Uri and create the proxy from there.

everything works great! with two end points in the web.config file.

1 - basicHttpBinding

2 - wsHttpBinding

hitting the wsdl with http or https works, however, when i set SSL Required on, i can't get to the wsdl at all. if i remove basicHttpBinding section or wsHttpBinding and remove httpGetEnabled (basicHttpBinding) or httpsGetEnabled (wsHttpBinding) out of the serviceMetadata, then it works.

Question 1) Any thought?

Question 2) do i need those end points in the web.config? Can i do it dynamically when i about to call WCF?

I'm new to WCF as well, so if you or anyone knows how to create a dynamic end point w/out any end point in the web.config, please feel free to give me info.

thank you very much.

Chloé