CODEWITHSUNDEEP
wcfsecurityiiscertificate
empi
empi

Reputation: 15881

Custom certificate validation in WCF service

I want to check client certificates in my WCF service.

My goal is to allow only clients with certificates with specific thumbprints to be able to communicate with my service.

My WCF service is hosted in IIS, I'm using basicHttpBinding and security mode="transport" with credential type "Certificate". IIS requires client certificates for communication with the service.

Thanks in advance for help.

UPDATE: My configuration:

<basicHttpBinding>
<binding 
             name="testBinding"
         maxReceivedMessageSize="2147483647">
         <readerQuotas 
                    maxDepth="2147483647"
                maxStringContentLength="2147483647"
                maxArrayLength="2147483647"
                maxBytesPerRead="2147483647"
                maxNameTableCharCount="2147483647" />
 <security mode="Transport">
              <transport clientCredentialType="Certificate"/> 
             </security>

</binding>
</basicHttpBinding>

Behavior:

<serviceBehaviors>
    <behavior name="SomeServiceBehavior">
      <serviceMetadata httpsGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="true" />
      <serviceCredentials>
        <clientCertificate>
          <authentication certificateValidationMode="Custom" customCertificateValidatorType="SomeService.CustomCertificateValidator,SomeService"  />
        </clientCertificate>
      </serviceCredentials>         
     </behavior> 
   </serviceBehaviors>

Service configuration:

<service 
               behaviorConfiguration="SomeServiceBehavior"
               name="SomeService">
        <endpoint 
                  address=""
                  binding="basicHttpBinding"
                  bindingConfiguration="testBinding"
                  contract="ISomeService">
        </endpoint>
      </service>

And for test purpose I implemented validator in this way:

public class CustomCertificateValidator : X509CertificateValidator
    {
        public override void Validate(System.Security.Cryptography.X509Certificates.X509Certificate2 certificate)
        {                
            throw new SecurityTokenValidationException("TEST Certificate was not issued by a trusted issuer TEST");
        }
    }

And this doesn't work. I can connect to my service with any valid certificate.

Upvotes: 12

Views: 17553

Answers (3)

Sharjeel Ahmed
Sharjeel Ahmed

Reputation: 285

I do NOT think there is anyway to have 'Custom Certificate Validation' with 'Transport Security'. It only works with 'Message Security'.

Upvotes: 6

Emil
Emil

Reputation: 2346

YES, you can use basicHttpBinding with security set to Transport and you need to hook to the ServiceHost creation in IIS - see Custom Service Host. You should be able to validate thumbprint values, certificates or any other data if you create custom config section to define list of validation criteria.

Sample code for the implementation of all of the above is available in the code download from this CodeProject artticle.

Upvotes: 1

Maurice
Maurice

Reputation: 27632

You can create a class derived from X509CertificateValidator and use it to do custom validation of the incoming certificate. Throw an SecurityTokenValidationException if you want to fail validation for some reason.

Set the certificateValidationMode to Custom and specify your validator in the clientCertificate service behavior section of the config file.

How to: Create a Service that Employs a Custom Certificate Validator

Upvotes: 14

Related Questions