

I created a WCF service and could SUCCESSFULLY reference it in a client application. But the problem comes when I implement an X509 certificate.

1) When I change the service to use an X509 certificate, I cannot create a proxy, as the mex endpoints are not shown in the browser. So in this case, how should I reference the service in the client app when the service is secured and the mex endpoints are not exposed?

2) Can I use both message and transport security with a certificate? Will this scenario work for basicHttpBinding? I heard that basicHttpBinding cannot have message security through a certificate.

Any help in this regard will be highly appreciated.

Here is the serviceModel section of my service configuration.

<system.serviceModel>
  <client>
    <endpoint behaviorConfiguration=""
              binding="basicHttpBinding"
              bindingConfiguration="WCFServiceX509Binding"
              contract="WCFService.Contract.Service.IWCFServiceContract"
              name="WCFServiceClientEndPoint" />
  </client>
  <bindings>
    <basicHttpBinding>
      <binding name="WCFServiceX509Binding" maxBufferSize="6553600"
               maxBufferPoolSize="52428800" maxReceivedMessageSize="6553600">
        <security mode="TransportWithMessageCredential">
          <transport clientCredentialType="Certificate" />
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <services>
    <service behaviorConfiguration="ServiceBehavior"
             name="WCFService.Model.WCFServiceModel">
      <endpoint address=""
                binding="basicHttpBinding"
                bindingConfiguration="WCFServiceX509Binding"
                name="WCFServiceBasicHttpEndPoint"
                contract="WCFService.Contract.Service.IWCFServiceContract">
        <identity>
          <certificateReference findValue="WCFUADOCServer" />
        </identity>
      </endpoint>
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="ServiceBehavior">
        <serviceMetadata httpGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="true" />
        <serviceCredentials />
      </behavior>
    </serviceBehaviors>
    <endpointBehaviors>
      <behavior name="ClientCertificateBehavior">
        <clientCredentials>
          <clientCertificate findValue="WCFUADOCServer"
                             x509FindType="FindBySubjectName"
                             storeLocation="LocalMachine"
                             storeName="TrustedPeople" />
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
</system.serviceModel>

Thanks so much, Chand.


1 Answer

  1. The mex endpoint does not depend on the certificate. Based on your configuration you don't expose a mex endpoint at all, and the help page with WSDL should still be available over HTTP.
  2. What do you want to do? Security is a little bit of a high-level term in this case. You can use a secured transport channel, and you can probably use a certificate transported in the message for authentication (I have never tried this combination). The scenario should work over BasicHttpBinding. I was surprised by it myself, but BasicHttpBinding actually supports full mutual certificate asymmetric message security.

If you want to expose a service with transport security you must use HTTPS - either configured by the IIS management console (when hosting in IIS) or by assigning a certificate to the port with netsh (self hosting). Be aware that the account running the service must have access to the private key of the certificate - you must correctly set up the ACL.

If you want to authenticate the client by certificate you should set up service credentials. If you are using self-signed certificates placed in the certificate store you should use at least this:

<serviceCredentials>
  <clientCertificate>
    <authentication certificateValidationMode="PeerTrust" />
  </clientCertificate>
</serviceCredentials>

You can also define a custom certificate validator. For the endpoint, rather use a DNS identity.

For the client, also use the PeerTrust validation mode for the service certificate.
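The self-hosting steps the answer describes (bind the certificate to the port, reserve the URL for the service account, grant that account access to the private key) as an added PowerShell example; this is not code from the original post. It assumes the server certificate is in LocalMachine\My with subject CN=WCFUADOCServer (the subject name used in the question), that the service runs as the hypothetical account DOMAIN\svc_wcf on port 8015, that the certificate was created with a CSP (not CNG) key so its key file lives under MachineKeys, and the appid GUID is an arbitrary value that only identifies this registration.

```powershell
# Added example (not from the original post): prepare HTTP.sys for a self-hosted WCF
# service over HTTPS with client certificate negotiation.
# Assumptions: server cert CN=WCFUADOCServer in LocalMachine\My (CSP key),
# hypothetical service account DOMAIN\svc_wcf, port 8015, arbitrary appid GUID.
$port    = 8015
$subject = 'CN=WCFUADOCServer'
$account = 'DOMAIN\svc_wcf'
$appId   = '{6f1c1a3e-6d7b-4c2a-9b3e-1a2b3c4d5e6f}'

# 1. Locate the server certificate; the thumbprint is what gets bound to the port.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $subject } |
        Select-Object -First 1
if (-not $cert)                { throw "No certificate with subject $subject in LocalMachine\My" }
if (-not $cert.HasPrivateKey)  { throw "Certificate has no private key; it cannot terminate TLS" }

# 2. Bind the certificate to the port. clientcertnegotiation=enable makes HTTP.sys request
#    a client certificate during the TLS handshake, which transport-level certificate
#    authentication relies on.
netsh http add sslcert "ipport=0.0.0.0:$port" "certhash=$($cert.Thumbprint)" `
    "appid=$appId" clientcertnegotiation=enable

# 3. Reserve the URL namespace for the (non-admin) service account so it may listen on the port.
netsh http add urlacl "url=https://+:$port/" "user=$account"

# 4. Grant the service account read access to the private key file. Without this the
#    handshake fails at runtime even though the WCF configuration is correct.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
icacls $keyPath /grant "${account}:(R)"

# 5. Verify the binding: the output should show the thumbprint and
#    "Negotiate Client Certificate : Enabled".
netsh http show sslcert "ipport=0.0.0.0:$port"
```

The same binding can be inspected later with `netsh http show sslcert`; if the thumbprint is present but the client still cannot connect, the key ACL in step 4 or the URL reservation in step 3 is the next thing to check, before touching the WCF configuration.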

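The question's configuration with the answer's recommendations applied (service credentials with PeerTrust validation of the client certificate, a DNS identity on the endpoint, and metadata published over HTTPS so a proxy can be generated from the secured service), as an added example that is not part of the original post. It assumes a self-hosted base address of https://localhost:8015/, the server certificate CN=WCFUADOCServer in LocalMachine\My, a hypothetical client certificate CN=WCFUADOCClient in the client user's CurrentUser\My store, and that each peer's public certificate is present in the other side's TrustedPeople store, which is what PeerTrust checks.

```xml
<!-- Added example, not from the original post. Assumptions: base address
     https://localhost:8015/, server cert CN=WCFUADOCServer (LocalMachine\My),
     hypothetical client cert CN=WCFUADOCClient (CurrentUser\My), and each peer's
     public cert installed in the other side's TrustedPeople store. -->
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <!-- Transport (HTTPS) protects the channel; the client certificate is carried
           in the message, which is the combination the answer says basicHttpBinding supports. -->
      <binding name="WCFServiceX509Binding">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <services>
    <service name="WCFService.Model.WCFServiceModel" behaviorConfiguration="ServiceBehavior">
      <host>
        <baseAddresses>
          <add baseAddress="https://localhost:8015/" />
        </baseAddresses>
      </host>
      <endpoint address="" binding="basicHttpBinding"
                bindingConfiguration="WCFServiceX509Binding"
                contract="WCFService.Contract.Service.IWCFServiceContract">
        <!-- DNS identity, as the answer recommends, instead of a certificateReference. -->
        <identity>
          <dns value="WCFUADOCServer" />
        </identity>
      </endpoint>
      <!-- Metadata over HTTPS: this is the endpoint the client tooling reads to build the proxy. -->
      <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="ServiceBehavior">
        <serviceMetadata httpsGetEnabled="true" />
        <!-- Exception details in faults leak internals; keep off outside debugging. -->
        <serviceDebug includeExceptionDetailInFaults="false" />
        <serviceCredentials>
          <serviceCertificate findValue="WCFUADOCServer" x509FindType="FindBySubjectName"
                              storeLocation="LocalMachine" storeName="My" />
          <clientCertificate>
            <!-- PeerTrust: accept a client cert only if it is in the service's TrustedPeople store. -->
            <authentication certificateValidationMode="PeerTrust" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
    <endpointBehaviors>
      <!-- Client side: the certificate it presents in the message (hypothetical subject). -->
      <behavior name="ClientCertificateBehavior">
        <clientCredentials>
          <clientCertificate findValue="WCFUADOCClient" x509FindType="FindBySubjectName"
                             storeLocation="CurrentUser" storeName="My" />
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <client>
    <endpoint address="https://localhost:8015/" binding="basicHttpBinding"
              bindingConfiguration="WCFServiceX509Binding"
              behaviorConfiguration="ClientCertificateBehavior"
              contract="WCFService.Contract.Service.IWCFServiceContract"
              name="WCFServiceClientEndPoint">
      <identity>
        <dns value="WCFUADOCServer" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
```

The client block above belongs in the client application's config, not the service's; it is shown here only so the two halves can be compared. Because the client certificate is declared in the endpoint behavior, no certificate has to be passed again in code.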
  • Wow, that was fast... Awesome references. Yes, the security is at a very high level. Basically it carries really sensitive info and hence I had to have both transport and message security. – Chandanan Apr 27 '11 at 20:49
  • I will try to do all the stuff you suggested and will get back to you again. Thanks so much for the reply. Regards, Chand. – Chandanan Apr 27 '11 at 20:53
  • I forgot to post you additional link regarding "high level term". I modified my answer. – Ladislav Mrnka Apr 27 '11 at 20:54
  • I have one more question in this regard. In the client, if we set the behavior telling it to use the certificate in the config file, should we again pass the cert in code? – Chandanan Apr 27 '11 at 21:01
  • "For the client, also use the PeerTrust validation mode for the service certificate" - what do you mean by that? Should I add that in the ?? – Chandanan Apr 27 '11 at 21:34
  • Sorry that was a mistake. If you use HTTPS that is probably not needed. The certificate must be in trusted people store of the user running the client. – Ladislav Mrnka Apr 27 '11 at 21:41
  • Hi Ladislav, I followed all that you indicated (using FindPrivateKey & httpcfg (result was 0)). When I try to access the service, it says: EndpointNotFoundException - There was no endpoint listening at "URL" that could accept the message. This is often caused by an incorrect address or SOAP action. WebException - System.Net.WebException: The remote server returned an error: (502) Bad Gateway. at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context) at System.Net.HttpWebRequest.GetRequestStream() at System.ServiceModel.Channels.HttpOutput.WebRequestHttpOutput.GetOutputStream() – Chandanan May 02 '11 at 17:25
  • Did you specify address correctly? This doesn't look like problem with security settings. – Ladislav Mrnka May 02 '11 at 18:12
  • Here is the error when I browse the service locally on the server. Network Access Message: The page cannot be displayed. Technical Information (for Support personnel) Error Code: 502 Proxy Error. Connection refused (10061) IP Address: 192.168.1.148 Date: 5/2/2011 6:20:55 PM [GMT] Server: SVRName Source: proxy. Also, when I run httpcfg set ssl -i 0.0.0.0:8015 -h thumbprint, HttpSetServiceConfiguration completed with 0. – Chandanan May 02 '11 at 18:23
  • It is a very long time since I used httpcfg, so I don't even know what the correct result code is. Can you query the SSL configuration using httpcfg? It should show you if the certificate is correctly assigned to the port. – Ladislav Mrnka May 02 '11 at 18:36
  • Yes it shows the assigned port with certificate thumbprint. Do you mean there is no need to use this tool at all for configuring the port to the certificate? – Chandanan May 02 '11 at 18:47
  • It is needed. When using netsh in Windows 2008 it is also needed to add an ACL for the port. Does httpcfg also offer this? It looks like your port is blocked. – Ladislav Mrnka May 02 '11 at 18:58
  • Hi Ladislav, finally I could get through this. I switched to wsHttpBinding and hence the transport and message level security is offered. The mex endpoint can be offered when HTTPS is used by wshttsmex.... Thanks for all your help in educating me. Kind regards, – Chandanan May 09 '11 at 21:42
  • Hi Ladislav, Can you please help me with this question? http://stackoverflow.com/q/5943194/727878 – Chandanan May 10 '11 at 17:13