I’m trying to setup a WCF service with certificate authentication on both the client and server. I’m going through hell, looping through all the possible error messages.
The final objective here is to authenticate both parties with certificates. I’ll be issuing a specific certificate for every client which (hopefully) would allow me to tell them apart.
So far I have the following config files:
Server configuration file
<configuration>
<system.serviceModel>
<services>
<service name="ServiceApiImplementation" behaviorConfiguration="myBehaviour">
<host>
<baseAddresses><add baseAddress="http://localhost:9110/MyService"/></baseAddresses>
</host>
<endpoint address="" binding="wsHttpBinding" contract="IServiceAPI" bindingName="SOAP12Binding">
<identity>
<certificateReference findValue="ServerCertificate" storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectName"/>
</identity>
</endpoint>
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="SOAP12Binding" receiveTimeout="00:02:00" closeTimeout="00:01:00" openTimeout="00:01:00" sendTimeout="00:01:00">
<security mode="Message">
<message clientCredentialType="Certificate" negotiateServiceCredential="false" establishSecurityContext="false" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="myBehaviour">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<serviceCertificate findValue="ServerCertificate" storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectName" />
<clientCertificate>
<authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck"/>
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
Client Configuration File
<system.serviceModel>
<client>
<endpoint address="http://localhost:9110/MyService" binding="wsHttpBinding"
bindingConfiguration="SOAP12Binding_IServiceAPI" contract="IServiceAPI"
behaviorConfiguration="behaviour1" name="SOAP12Binding_IServiceAPI">
<identity>
<!-- Value obtained when "Adding a Service Reference in visual studio" -->
<certificate encodedValue="xxxxxxxxxxxxx" />
</identity>
</endpoint>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="behaviour1">
<clientCredentials>
<clientCertificate findValue="ClientCertificate" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName"/>
<serviceCertificate>
<defaultCertificate findValue="ServerCertificate" storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectName" />
<authentication certificateValidationMode="ChainTrust" trustedStoreLocation="LocalMachine" revocationMode="NoCheck" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="SOAP12Binding_IServiceAPI">
<security mode="Message">
<message clientCredentialType="Certificate" negotiateServiceCredential="false" establishSecurityContext="false" />
</security>
</binding>
</wsHttpBinding>
</bindings>
</system.serviceModel>
I have generated a rootCA and a couple of certificates for both client and server, given the appropriate permissions and put them in the stores (both LocalMachine and CurrentUSer out of despair). To the best of my knowledge this bit is working.
The problems happen when calling the service. The latest error is:
An unsecured or incorrectly secured fault was received from the other
party. See the inner FaultException for the fault code and detail.The message could not be processed. This is most likely because the
action ‘http://tempuri.org/IServiceAPI/MyMethod’ is
incorrect or because the message contains an invalid or expired
security context token or because there is a m ismatch between
bindings. The security context token would be invalid if the service
aborted the channel due to inactivity. To prevent the service from
aborting idle sessions prematurely increase the Receive timeout on the
service endpoint’ s binding.
Or even (the previous error)
The identity check failed for the outgoing message. The expected
identity is
‘identity(http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn)’ for the
‘http://localhost:9110/MyService’ target endpoint.
The error messages vary according to my experimentation in the config files. Right now both client and server are running on the same machine so, at least, I’d be expecting that each app would authenticate the other one through the rootCA.
Please note, I’m using Message Security and wsHttpBinding because they appeared to be the correct chouices. I don’t have any big restrictions except publishing a service that can be consumed by standard JAVA Frameworks.
Can anyone help me sort through this mess?
Any help would be grealty appreciated
Regards,
I managed to solve my original problem.
Regarding the two-way certificate authentication, I found that the following codeproject article provides a working demonstration: http://www.codeproject.com/Articles/36683/9-simple-steps-to-enable-X-509-certificates-on-WCF#Step%201:-%20Create%20client%20and%20server%20certificates
Granted that this example uses peer trust, but so far I’ve never been able to have a working prototype working no matter what. From this point forward the only pitfalls I forsee are storing the certificate chain in the proper location and giving access to the private key to the user your project is running under. See this article for an explanation on how to give permissions to a certificate’s private key: http://msdn.microsoft.com/en-us/library/ff647171.aspx#Step6
For the second part of the question: How to tell the clients certificates apart in a WCF service?, you can use the following code to obtain the client’s certificate thumbprint:
This will get the client’s thumbprint that will be different for each client you issue a certificate to. Of course, all the other certificate data is available.