Reputation: 33
I have created a self-hosted WCF RESTful service with basic HTTP authentication that runs over HTTPS with a self-signed SSL certificate. Everything works fine. When users access the service operations via a web browser, they get a pop-up asking for credentials (login/password).
Now I want to do certificate authentication instead of basic, but it does not work. The client's browser (IE/Chrome/Firefox) never prompts for certificate selection, I always get an HTTP 403 error, and when I set a breakpoint in my custom certificate validator it never hits. So I'm definitely missing something here. I tried debugging with Fiddler and it confirms that there is no authentication header in the request.
Here is my code to host the service.
using System;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.ServiceModel.Web;

Uri baseAdress = new Uri("https://localhost:8446/");
WebServiceHost host = new WebServiceHost(typeof(RestService));
WebHttpBinding wb = new WebHttpBinding();
// TLS on the wire; the client credential is carried by the TLS handshake, not an HTTP header.
wb.Security.Mode = WebHttpSecurityMode.Transport;
wb.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
host.AddServiceEndpoint(typeof(IRestService), wb, baseAdress);
// Custom mode hands every trust decision to MyX509CertificateValidator.
host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
    X509CertificateValidationMode.Custom;
host.Credentials.ClientCertificate.Authentication.CustomCertificateValidator =
    new MyX509CertificateValidator();
host.Open();
Thanks for any tips.
Upvotes: 1
Views: 4171
Reputation: 8107
I found this article which could probably help you: http://blogs.msdn.com/b/james_osbornes_blog/archive/2010/12/10/selfhosting-a-wcf-service-over-https.aspx
It talks about some kind of registering the certificate with netsh, etc.
Also, please make sure that your certificate is issued to localhost (since the domain part of the URL you call should be the same as what the certificate is issued to).
Upvotes: 1
Reputation: 33
Thanks for your input. I found out what was wrong.
When I created the self-signed certificate for the SSL port binding with the makecert tool, I added the "-eku" switch, which restricts the certificate's purpose to Server Authentication. I recreated another one without that option, so it could be used for all purposes.
I also made sure that my certificate was in the personal store of the current user. After that, when a client enters the URL of my service, they get a pop-up asking them to select a certificate, and there is the one that I created.
For those facing the same issue, this post might be useful.
Upvotes: 1
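The question's host code plugs in a `MyX509CertificateValidator` that is never shown, and the accepted self-answer traces the 403 to a certificate whose Extended Key Usage was limited to Server Authentication (OID 1.3.6.1.5.5.7.3.1). The following is an added example, not code from either poster, showing what that validator should actually check and how a non-browser client presents a certificate to the service. With `X509CertificateValidationMode.Custom`, a `Validate()` that returns without throwing accepts the caller, so an empty body would authenticate any certificate at all. The allow-listed thumbprints, the `RestClient` class and the `https://localhost:8446/` endpoint are assumptions for the example.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Linq;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Custom validator for the WCF host. Custom mode delegates ALL trust decisions here:
// if Validate() returns, the client is authenticated, so every check must be explicit.
public class MyX509CertificateValidator : X509CertificateValidator
{
    private const string ClientAuthEku = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth

    // Assumed allow-list of SHA-1 thumbprints of the client certificates we issued.
    private readonly string[] allowedThumbprints;

    public MyX509CertificateValidator(params string[] allowedThumbprints)
    {
        this.allowedThumbprints = allowedThumbprints
            .Select(t => t.Replace(" ", "").ToUpperInvariant())
            .ToArray();
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");

        // 1. Validity period.
        DateTime now = DateTime.Now;
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new SecurityTokenValidationException("Client certificate is expired or not yet valid.");

        // 2. Extended Key Usage. A certificate minted only for Server Authentication
        //    is not a client certificate; accept no EKU extension at all (any purpose)
        //    or one that lists Client Authentication.
        X509EnhancedKeyUsageExtension eku = certificate.Extensions
            .OfType<X509EnhancedKeyUsageExtension>()
            .FirstOrDefault();
        if (eku != null && !eku.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == ClientAuthEku))
            throw new SecurityTokenValidationException("Client certificate lacks the Client Authentication EKU.");

        // 3. Pinning: self-signed client certs have no chain to validate, so trust is
        //    an explicit allow-list rather than X509Chain.Build().
        if (!allowedThumbprints.Contains(certificate.Thumbprint.ToUpperInvariant()))
            throw new SecurityTokenValidationException("Client certificate is not on the allow-list.");
    }
}

// Assumed helper: a non-browser client that selects a certificate from the current
// user's personal store by thumbprint and presents it during the TLS handshake.
public static class RestClient
{
    public static string Get(string url, string clientThumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection found = store.Certificates.Find(
            X509FindType.FindByThumbprint, clientThumbprint, validOnly: false);
        store.Close();
        if (found.Count == 0)
            throw new InvalidOperationException("Client certificate not found in CurrentUser\\My.");

        // The self-signed SERVER certificate must be trusted by this client (e.g. in its
        // Trusted Root store); otherwise the TLS handshake fails before any client
        // certificate is sent and the validator on the host is never reached.
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        request.ClientCertificates.Add(found[0]);
        using (WebResponse response = request.GetResponse())
        using (StreamReader reader = new StreamReader(response.GetResponseStream()))
        {
            return reader.ReadToEnd();
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Assumed thumbprint of the client certificate created for this test.
        string clientThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567";
        // On the host side: host.Credentials.ClientCertificate.Authentication
        //     .CustomCertificateValidator = new MyX509CertificateValidator(clientThumbprint);
        Console.WriteLine(RestClient.Get("https://localhost:8446/", clientThumbprint));
    }
}
```

Two points the browser symptom in the question depends on: a self-hosted service receives client certificates only if HTTP.sys negotiates them, so the `netsh http add sslcert` binding for port 8446 should include `clientcertnegotiation=enable`; and browsers offer only certificates whose EKU contains Client Authentication (or has no EKU), which is why the makecert `-eku 1.3.6.1.5.5.7.3.1` certificate in the self-answer never appeared in the selection prompt. Issuing the certificate with both OIDs (`-eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2`) is a tighter choice than omitting `-eku` altogether.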