Reputation: 255
X.509 certificates on WCF?
Problem :
I'm developing this program on one machine.
The service works fine in development server, but when I try to host the service in IIS it gives me an error that:
Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'CurrentUser', FindType 'FindBySubjectName', FindValue 'WCFServer'.
So is there anyway I can resolve this? I'm trying this code from
http://www.codeproject.com/KB/WCF/9StepsWCF.aspx
certificate creation
makecert.exe -sr CurrentUser -ss My -a sha1 -n CN=WCfServer -sky exchange -pe
makecert.exe -sr CurrentUser -ss My -a sha1 -n CN=WcfClient -sky exchange -pe
Certificate is present in Personal and Trusted People folder in MMC
Service has one function which accepts a number and returns string and works fine
This is my service web.config:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpointBinding">
<security>
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="WCFServiceCertificate.Service1" behaviorConfiguration="WCFServiceCertificate.Service1Behavior">
<!-- Service Endpoints -->
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding" contract="WCFServiceCertificate.IService1">
<!--
Upon deployment, the following identity element should be removed or replaced to reflect the
identity under which the deployed service runs. If removed, WCF will infer an appropriate identity
automatically.
-->
<!--<identity>
<dns value="localhost"/>
</identity>-->
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="WCFServiceCertificate.Service1Behavior">
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="true"/>
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="false"/>
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="PeerTrust"/>
</clientCertificate>
<serviceCertificate findValue="WcfServer"
storeLocation="CurrentUser"
storeName="My"
x509FindType="FindBySubjectName" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
This is my Client Config
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IService1" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Message">
<transport clientCredentialType="Windows" proxyCredentialType="None"
realm="" />
<message clientCredentialType="Certificate" negotiateServiceCredential="true"
algorithmSuite="Default" establishSecurityContext="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost:1387/Service1.svc" behaviorConfiguration="CustomBehavior"
binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IService1"
contract="ServiceReference1.IService1" name="WSHttpBinding_IService1">
<identity>
<certificate encodedValue="AwAAAAEAAAAUAAAA9YoGKvsMLFkeO1WjaCLReQuz1ysgAAAAAQAAALUBAAAwggGxMIIBX6ADAgECAhDDvb3bnmzhsERpNTWEBYQXMAkGBSsOAwIdBQAwFjEUMBIGA1UEAxMLUm9vdCBBZ2VuY3kwHhcNMTEwMzA0MDcwNzU3WhcNMzkxMjMxMjM1OTU5WjAUMRIwEAYDVQQDEwlXY2ZTZXJ2ZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM9e4DwCDYJ4l6myt1QadHzXoqCH2wa1aUjiab1aK/7d/1LZ00KfPJw8kKB358serjEi9SMg0UeyGtl0+byJ8PqShfv4MUTHZcPaWy99vHaYHwH7T9hVwY5RANBWyFy6nf1rXDh/cB2qm0Q/xN5xElOtheFqUoL8Ua6fcP33BAWPAgMBAAGjSzBJMEcGA1UdAQRAMD6AEBLkCS0GHR1PAI1hIdwWZGOhGDAWMRQwEgYDVQQDEwtSb290IEFnZW5jeYIQBjdsAKoAZIoRz7jUqlw19DAJBgUrDgMCHQUAA0EAKlaHJQNdC9VgPuHlVuniQJd+fHoVOU62nl374iXYdQus5KDgKz9RHWAtjhpToBB4sOXOnwTkJfcyJWBf6J14Mw==" />
</identity>
</endpoint>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="CustomBehavior">
<clientCredentials>
<clientCertificate findValue="WcfClient"
x509FindType="FindBySubjectName"
storeLocation="CurrentUser"
storeName="My"/>
<serviceCertificate>
<authentication certificateValidationMode="PeerTrust"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
and simply calling the service at client end using this
Service1Client obj = new Service1Client();
Response.Write(obj.GetData(12));
Now when I run everything works fine without an issue.
As you can service is running at development server.
But when i try to host the service in IIS it gives me an error that
Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'CurrentUser', FindType 'FindBySubjectName', FindValue 'WCFServer'.
So is there anyway I can resolve this?
Upvotes: 11
Views: 25440
Answers (4)
Reputation: 31
You will maybe have to set up dns value, meaning name of the Certificate, in the client>endopoint >indentity (as it is described in the code below )
<client>
<endpoint address="http://localhost/FrontPMWebServiceSetup111/FpmService.svc"
binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IService"
contract="FPMServiceReference.IService" name="WSHttpBinding_IService">
<identity>
<dns value="WCfServer" />
</identity>
</endpoint>
</client>
Upvotes: 2
Reputation: 5626
As x0n mentioned, Cassini will run as your current user, but IIS will run as IUSR. Import the certificate, with private key, into LocalMachine\Personal (LocalMachine\My), and change your service config from this:
<serviceCertificate findValue="WcfServer"
storeLocation="CurrentUser"
storeName="My"
x509FindType="FindBySubjectName" />
To this:
<serviceCertificate findValue="WcfServer"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindBySubjectName" />
Upvotes: 14
Reputation: 52420
Install the certificate in "My" for the computer store in order to have it available for all users. You have it installed in "My" for the current user. The development server runs as the current user, so that's why it works.
Upvotes: 1
Reputation: 2635
Obviously the certificate is not found in the configured location. Make sure what user do you use to run the service. Maybe the service is running on the local system account or local service account or IIS user and you installed the cert as a different user? in MMC add a snapin to see certs in the service acount or other account that you use for the service (not current user).
Upvotes: 0
Related Questions
- Wcf self hosted service with X.509 certificate connection error
- How can I configure WCF to use x509 certificates over the internet?
- Consume WCF web service using x509 certificate in .Net Standard 2.0 Library?
- How to make X.509 certificate?
- Secure WCF via X.509 certificate with BinarySecurityToken
- Implementing SelfSigned X509 Certificate for WCF Services hosted on IIS
- How to configure WCF client binding when using X509 certificate?
- WCF Authentication - X509 Certificate
- WCF and authentications requiring certificates?
- Where do I get my WCF service to handle X509 certificates? C#.NET