WCF: Transport Security with User Name + Client Certificate

The vast world of WCF provides endless possibilities for handling security.

This is one interesting scenario, where the service requires two layers of credentials.

Along with a valid user name and password, it also expects the client application to present a valid client certificate.

 

 

Environment:

Security: Transport (SSL/TLS)

Client Credentials: User name and password, plus a valid client certificate

 

IIS Settings:

 Client certificate:

WCF Service:

Binding:

End Point:

Service Behavior:

Certificate Validator:

 

 

Password Validator:
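The service side assembled into one worked example. This is added here and is not the original page's code (the page's own listings are not reproduced above); it builds the same binding shape as the configuration quoted in the comments (UserNameOverTransport security, text encoding, HTTPS transport with RequireClientCertificate) in code. The contract and class names IHelloService/HelloService, the demo user name and password, the placeholder thumbprint and the https://localhost:8083/TestWCFService address are assumptions for illustration only.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;

// Assumed contract for the example; the original page does not show its contract.
[ServiceContract]
public interface IHelloService
{
    [OperationContract]
    string Hello(string name);
}

public class HelloService : IHelloService
{
    public string Hello(string name)
    {
        // Once both validators have passed, the user name token is the caller's primary identity.
        string caller = ServiceSecurityContext.Current?.PrimaryIdentity?.Name ?? "anonymous";
        return $"Hello, {name} (authenticated as {caller})";
    }
}

// Certificate validator: pins the client certificate by thumbprint.
// Custom mode replaces WCF's own chain validation, so the validity period is checked here as well.
public sealed class ThumbprintCertificateValidator : X509CertificateValidator
{
    private readonly string expectedThumbprint;

    public ThumbprintCertificateValidator(string expectedThumbprint)
    {
        // Thumbprints copied from certmgr often carry spaces and mixed case; normalise once.
        this.expectedThumbprint = expectedThumbprint.Replace(" ", "").ToUpperInvariant();
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new SecurityTokenValidationException("No client certificate presented.");

        string actual = certificate.Thumbprint.ToUpperInvariant();
        if (!string.Equals(actual, expectedThumbprint, StringComparison.Ordinal))
            throw new SecurityTokenValidationException("Client certificate thumbprint is not trusted.");

        DateTime now = DateTime.Now;
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new SecurityTokenValidationException("Client certificate is expired or not yet valid.");
    }
}

// Password validator: demo credentials only (assumed); a real service checks a store of hashed passwords.
public sealed class DemoUserNameValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (userName != "demo" || password != "P@ssw0rd!")
            throw new SecurityTokenException("Unknown user name or incorrect password.");
    }
}

public static class ServiceSetup
{
    // Element order matters: security, then encoding, then the transport element last.
    public static CustomBinding CreateBinding()
    {
        var security = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
        var encoding = new TextMessageEncodingBindingElement { MessageVersion = MessageVersion.Soap11WSAddressing10 };
        var transport = new HttpsTransportBindingElement { RequireClientCertificate = true };
        return new CustomBinding(security, encoding, transport);
    }

    public static ServiceHost CreateHost(Uri baseAddress, string pinnedClientThumbprint)
    {
        var host = new ServiceHost(typeof(HelloService), baseAddress);
        host.AddServiceEndpoint(typeof(IHelloService), CreateBinding(), "");

        ServiceCredentials creds = host.Credentials;
        creds.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        creds.UserNameAuthentication.CustomUserNamePasswordValidator = new DemoUserNameValidator();
        creds.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.Custom;
        creds.ClientCertificate.Authentication.CustomCertificateValidator =
            new ThumbprintCertificateValidator(pinnedClientThumbprint);
        return host;
    }

    public static void Main()
    {
        // Self-hosting: a server certificate must already be bound to the port in HTTP.SYS, for example
        //   netsh http add sslcert ipport=0.0.0.0:8083 certhash=<server thumbprint> appid={<guid>} clientcertnegotiation=enable
        // Under IIS the same comes from the site's SSL settings (Require SSL, client certificates Require).
        using (ServiceHost host = CreateHost(new Uri("https://localhost:8083/TestWCFService"), "<client certificate thumbprint>"))
        {
            host.Open();
            Console.WriteLine("Listening. Press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

The thumbprint check uses an ordinal comparison on the normalised hex string; the thumbprint is not a secret, so a constant-time comparison is not required. Note that a pinned thumbprint has to be updated every time the client certificate is renewed.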

 

WCF Client

Binding:

End Point:

 

 Client end point behavior:
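The client side as an added example, not the original page's code. IHelloService, the demo user name and password, the placeholder thumbprint and the https://localhost:8083/TestWCFService address are assumptions; the binding must match the service's binding element for element, and the server certificate must chain to a root the client trusts.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Assumed contract; in practice shared with the service or produced by Add Service Reference.
[ServiceContract]
public interface IHelloService
{
    [OperationContract]
    string Hello(string name);
}

public static class ClientSetup
{
    // Mirrors the service binding exactly. A mismatch shows up as a closed connection or a
    // generic send error rather than a clear security fault.
    public static CustomBinding CreateBinding()
    {
        var security = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
        var encoding = new TextMessageEncodingBindingElement { MessageVersion = MessageVersion.Soap11WSAddressing10 };
        var transport = new HttpsTransportBindingElement { RequireClientCertificate = true };
        return new CustomBinding(security, encoding, transport);
    }

    public static ChannelFactory<IHelloService> CreateFactory(
        Uri address, string userName, string password, string clientCertThumbprint)
    {
        var factory = new ChannelFactory<IHelloService>(CreateBinding(), new EndpointAddress(address));

        // Layer 1: user name token in the SOAP header. It is protected only by TLS,
        // which is why the transport element is https and never http.
        factory.Credentials.UserName.UserName = userName;
        factory.Credentials.UserName.Password = password;

        // Layer 2: client certificate presented in the TLS handshake, selected from the
        // user's personal store by thumbprint. The running account needs access to its private key.
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, clientCertThumbprint);

        return factory;
    }

    public static void Main()
    {
        ChannelFactory<IHelloService> factory = CreateFactory(
            new Uri("https://localhost:8083/TestWCFService"), "demo", "P@ssw0rd!", "<client certificate thumbprint>");
        IHelloService channel = factory.CreateChannel();
        try
        {
            Console.WriteLine(channel.Hello("world"));
            ((IClientChannel)channel).Close();
            factory.Close();
        }
        catch (CommunicationException ex)
        {
            // Covers the security faults raised when the service rejects either credential,
            // as well as transport-level failures such as a refused TLS handshake.
            Console.WriteLine("Call failed: " + ex.Message);
            ((IClientChannel)channel).Abort();
            factory.Abort();
        }
    }
}
```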

 

 

Notes:

  1. In the sample above we set a custom user name validator on the service to check the user name and password sent by the client application. With UserNameOverTransport the password travels in the SOAP header, so it is protected only by the TLS connection.
  2. We also create a custom certificate validator on the service to check the incoming client certificate; here we verify its thumbprint. In Custom validation mode WCF does no chain or expiry checking of its own, so the validator should also reject expired certificates, and pinning by thumbprint means the service must be updated whenever the client certificate is renewed.
  3. Failure of either validator produces the corresponding error and the client is treated as unauthenticated.

 

 

Hope this helps with implementing this interesting security configuration.

Comments

  • Anonymous
    May 05, 2013
    Your code does not work. An exception occurs: "Could not find a base address that matches scheme https for the endpoint with binding CustomBinding. Registered base address schemes are []." Can you mail me the complete code project at qasimabdani5@gmail.com?

  • Anonymous
    May 05, 2013
    This is my app.config file... I want self-hosting, but your code does not work. An exception occurs: "Could not find a base address that matches scheme https for the endpoint with binding CustomBinding. Registered base address schemes are []."

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.serviceModel>
        <services>
          <service name="WcfService1.Service1" behaviorConfiguration="CustomValidator">
            <endpoint address="" binding="customBinding" bindingConfiguration="custom" name="custom" contract="WcfService1.IService1" />
          </service>
        </services>
        <bindings>
          <customBinding>
            <binding name="custom">
              <security authenticationMode="UserNameOverTransport"/>
              <textMessageEncoding messageVersion="Soap11WSAddressing10"/>
              <httpsTransport requireClientCertificate="true"/>
            </binding>
          </customBinding>
        </bindings>
        <behaviors>
          <serviceBehaviors>
            <behavior name="CustomValidator">
              <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>
              <serviceDebug includeExceptionDetailInFaults="true" />
              <serviceCredentials>
                <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="WcfService1.CustomUserNameValidator, WcfService1"/>
                <clientCertificate>
                  <authentication certificateValidationMode="Custom" customCertificateValidatorType="WcfService1.Certificatevalidator,WcfService1"/>
                </clientCertificate>
              </serviceCredentials>
            </behavior>
          </serviceBehaviors>
        </behaviors>
      </system.serviceModel>
    </configuration>

  • Anonymous
    May 05, 2013
    Now the service is running, but I get an exception when adding a service reference: There was an error downloading 'https://localhost:8083/TestWCFService'. The underlying connection was closed: An unexpected error occurred on a send. Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. An existing connection was forcibly closed by the remote host. Metadata contains a reference that cannot be resolved: 'https://localhost:8083/TestWCFService'. An error occurred while making the HTTP request to https://localhost:8083/TestWCFService. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server. The underlying connection was closed: An unexpected error occurred on a send. Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. An existing connection was forcibly closed by the remote host. If the service is defined in the current solution, try building the solution and adding the service reference again.