Home/ Questions/Q 851353
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-15T07:25:01+00:00

I am trying to configure a WCF server\client to work with SSL I get

  • 0

I am trying to configure a WCF server\client to work with SSL

I get the following exception:

The HTTP request was forbidden with client authentication scheme
‘Anonymous’

I have a self hosted WCF server.
I have run hhtpcfg
both my client and server certificates are stored under Personal and Trusted People on the Local Machine

Here is the server code:

binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
binding.Security.Mode = WebHttpSecurityMode.Transport;
_host.Credentials.ClientCertificate.Authentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.PeerOrChainTrust;
_host.Credentials.ClientCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;
_host.Credentials.ClientCertificate.Authentication.TrustedStoreLocation = StoreLocation.LocalMachine;
_host.Credentials.ServiceCertificate.SetCertificate("cn=ServerSide", StoreLocation.LocalMachine, StoreName.My);

Client Code:

binding.Security.Mode = WebHttpSecurityMode.Transport;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate; 
WebChannelFactory<ITestClientForServer> cf =
                new WebChannelFactory<ITestClientForServer>(binding, url2Bind);
cf.Credentials.ClientCertificate.SetCertificate("cn=ClientSide", StoreLocation.LocalMachine, StoreName.My);
            ServicePointManager.ServerCertificateValidationCallback
                   += RemoteCertificateValidate;

Looking at web_tracelog.svclog and trace.log
reveals that the server cannot autheticate the client certificate
My certificate are not signed by an Authorized CA
but this is why I added them to the Trusted People….

What Am I missing?
What am I missing?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The trick was to make the Client Certificate valid,

    To do that you have two option:

    1) make it self signed and then put it under the “Trusted Root Certification Authority”.

    Obviously in production you would like your client certificate to be signed by a trusted CA and not self signed.
    see http://msdn.microsoft.com/en-us/library/ms733813.aspx

    2) Sign your client certificate by another certificate you created (let’s call it MyCA) and put MyCA in the “Trusted Root Certification Authority” and have the client certificate in the “Trusted People”. This way your development environment is even more close to the deployment.

    How to create and sign the certificates:
    Look under http://msdn.microsoft.com/en-us/library/bfsktky3.aspx

    Here is the series of commands I used:

    1)makecert -r -pe -ss My -sr LocalMachine -a sha1 -sky exchange -n cn=MyCA -sv “MyCAPrivate.pvk”

    2) makecert -pe -ss My -sr LocalMachine -a sha1 -sky exchange -n cn=SignedClientCertificate -iv “MyCAPrivate.pvk” -ic “MyCAPublic.cer”

    • 0