
I have created a WCF Data Service and exposed it over HTTP with SSL required. I am trying to have a setup where both the service and the clients are authenticated through certificates (mutual authentication). I am using developer certificates, so I added the server's certificate to the client's Trusted People store.

But I'm still getting an exception: "403 - Forbidden: Access is denied."

1- Here is my server config:

    <system.serviceModel>
        <bindings>
            <webHttpBinding>
                <binding name="webHttpBindingConfig">
                    <security mode="Transport">
                        <transport clientCredentialType="Certificate" />
                    </security>
                </binding>
            </webHttpBinding>
        </bindings>
        <behaviors>

        </behaviors>
        <services>
            <service behaviorConfiguration="" name="PricingDataService">
                <endpoint address="https://MyServiceSecure/MyServiceSecure/MyServiceSecure.svc"
                    binding="webHttpBinding" bindingConfiguration="webHttpBindingConfig"
                    name="webHttpEndpoint" contract="System.Data.Services.IRequestHandler" />
            </service>
        </services>
    </system.serviceModel>

How do I make the server recognise the client's certificate? (It should be a developer certificate as well.)

2- Here is my client config:

  <system.serviceModel>
    <bindings>
        <webHttpBinding>
            <binding name="webHttpBindingConfig">
                <security mode="Transport">
                    <transport clientCredentialType="Certificate" />
                </security>
            </binding>
        </webHttpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="clientCredentialBehavior">
          <clientCredentials>
            <clientCertificate storeName="TrustedPeople" storeLocation="LocalMachine"
                                x509FindType="FindBySubjectName" findValue="tempClientcert" />
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>
        <endpoint address="https://MyServiceSecure/MyServiceSecure/MyServiceSecure.svc"
            binding="webHttpBinding" bindingConfiguration="webHttpBindingConfig"
            contract="System.Data.Services.IRequestHandler" name="" kind=""
            endpointConfiguration="" behaviorConfiguration="clientCredentialBehavior">
            <identity>
              <dns value="MyServiceSecure"/>
            </identity>
        </endpoint>
    </client>
</system.serviceModel>

3- Here's the code I use to call the WCF service:

    using System;
    using System.Net;
    using System.Data.Services.Client;
    using System.Security.Cryptography.X509Certificates;

    MyServiceContext service = new MyServiceContext(
        new Uri("https://MyServiceSecure/MyServiceSecure/MyServiceSecure.svc"));

    // Attach the client certificate to every request the context sends.
    service.SendingRequest += this.OnSendingRequest_AddCertificate;

    // Handler that adds the certificate to the outgoing HttpWebRequest.
    private void OnSendingRequest_AddCertificate(object sender, SendingRequestEventArgs args)
    {
        if (null != ClientCertificate)
            (args.Request as HttpWebRequest).ClientCertificates.Add(
                X509Certificate.CreateFromCertFile(@"C:\Localhost.cer"));
    }

Do I create a certificate on the server and then install it on the client?

Attilah

1 Answer


I think your certificates might be wrong, but start out by verifying in IIS that "Client certificates" under "SSL Settings" for the website are either set to Accept or Require (whichever suits you best).

I believe that for your purposes creating a self-signed certificate for the server in IIS and then exporting this certificate to a .pfx file and installing it in your trusted root should work.

If that doesn't help you, I'd look at this question: Using makecert for Development SSL

Tchami
  • OK, so I create a certificate on the server and export it to the client machine. How do I make the server recognise and allow clients to access it? (My SSL setting for the website is set to Require.) – Attilah Apr 06 '11 at 22:46
  • I'm not exactly sure where you're stuck, but first of all you need to create an HTTPS binding for the website, see http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis-7/ Does that answer your question? – Tchami Apr 07 '11 at 07:35
  • I'm stuck trying to get the server to recognize the client's certificate. – Attilah Apr 07 '11 at 12:58
  • I want to do mutual authentication where the server authenticates the client by requiring client certificates. So far, the server cannot recognize the client's certificates and denies it access. – Attilah Apr 07 '11 at 12:59
  • It sounds to me like the client certificate is somehow not associated with the server certificate, but I'm not sure how to solve that in your case. I did find this article which might help you though: http://viisual.net/configuration/IIS7-CTLs.htm – Tchami Apr 07 '11 at 16:01
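The two things the server needs from a client certificate, as an added C# example that is not code from the question or the answer: the client must actually hold the private key of the certificate it presents (the `SendingRequest` handler in the question loads a `.cer`, which carries only the public part), and the server must be able to build a chain from that certificate to a root it trusts, with the certificate valid for client authentication. The file paths, password and subject name below are placeholders; the development root certificate and the client `.pfx` are assumed to have been created beforehand with whatever tool you use (makecert or IIS, as the answer suggests).

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not code from the question or the answer). Paths, password
// and subject name are placeholders. Two checks behind most "403 - Forbidden"
// results with client certificates:
//   1. the client must hold the PRIVATE KEY of the certificate it presents
//      (a .cer file carries only the public part; use a .pfx or a store lookup);
//   2. the server must build a chain from that certificate to a root it trusts,
//      and the certificate must carry the client-authentication EKU.
public static class MutualTlsChecks
{
    // id-kp-clientAuth
    private const string ClientAuthEku = "1.3.6.1.5.5.7.3.2";

    // Load a client certificate together with its private key from a .pfx file.
    public static X509Certificate2 LoadClientCertificate(string pfxPath, string password)
    {
        var cert = new X509Certificate2(pfxPath, password, X509KeyStorageFlags.UserKeySet);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                pfxPath + " has no private key; TLS client authentication cannot use it.");
        return cert;
    }

    // Same lookup as the <clientCertificate> element in the client config, done in
    // code so a certificate without a key is reported instead of a silent 403.
    public static X509Certificate2 FindClientCertificate(StoreName storeName, string subjectName)
    {
        using (var store = new X509Store(storeName, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, false);
            foreach (var cert in matches)
                if (cert.HasPrivateKey)
                    return cert;
        }
        throw new InvalidOperationException(
            "No certificate with a private key found for subject " + subjectName);
    }

    // Server-side view: does 'presented' chain to the development root that issued it,
    // and is it valid for client authentication? This mirrors the check IIS performs
    // against the machine's Trusted Root store, with the anchor made explicit so the
    // example runs without installing anything.
    public static bool IsAcceptableClientCertificate(X509Certificate2 presented, X509Certificate2 devRoot)
    {
        using (var chain = new X509Chain())
        {
            // Development roots publish no CRL; keep revocation checking on in production.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            // Require the client-authentication EKU on the presented certificate.
            chain.ChainPolicy.ApplicationPolicy.Add(new Oid(ClientAuthEku));
            // Let the chain reach a root that is not installed on this machine ...
            chain.ChainPolicy.ExtraStore.Add(devRoot);
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;

            // Any other problem (expired, wrong EKU, no chain at all) still fails here.
            if (!chain.Build(presented))
                return false;

            // ... but accept that root only if it is exactly our development root,
            // so a certificate from any other unknown issuer is still rejected.
            var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            return string.Equals(root.Thumbprint, devRoot.Thumbprint, StringComparison.OrdinalIgnoreCase);
        }
    }

    // Attach the certificate the way the question's SendingRequest handler does,
    // refusing a certificate that cannot complete the handshake.
    public static void Attach(HttpWebRequest request, X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Client certificate must have a private key.");
        request.ClientCertificates.Add(cert);
    }

    // Usage: MutualTlsChecks.exe client.pfx <password> devroot.cer
    public static int Main(string[] args)
    {
        if (args.Length != 3)
        {
            Console.Error.WriteLine("usage: <client.pfx> <password> <devroot.cer>");
            return 2;
        }
        var client = LoadClientCertificate(args[0], args[1]);
        var root = new X509Certificate2(args[2]);
        bool ok = IsAcceptableClientCertificate(client, root);
        Console.WriteLine("private key present: " + client.HasPrivateKey);
        Console.WriteLine("chains to dev root with client-auth EKU: " + ok);
        return ok ? 0 : 1;
    }
}
```

Run it against the client `.pfx` and the exported root `.cer`: if the first check fails, the client never presents a certificate at all and IIS (set to Require) answers 403; if the second fails, the certificate is presented but cannot be chained, which is the situation the comments above describe. On the server IIS performs the equivalent of `IsAcceptableClientCertificate` against the machine's Trusted Root Certification Authorities store, so a self-signed developer client certificate has to be installed there on the server, not only in Trusted People.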