Barbloke6

Reputation: 61

Configuring WCF Transport security for IIS6 over SSL

I've been attempting to set up WCF transport security using SSL on IIS6.

The client is on a separate machine on the same domain.

I understand the premise of certificates, root CA etc. and have a working set of certs for message security and can use these no probs in the same environment set up. (I've learnt a lot over the last week :)

I'm having a nightmare trying to get my client to authenticate against the IIS 6 service when I switch it to SSL. Always receiving 'anonymous authentication not allowed' when calling.

In IIS I have

under secure communications I have

under web site security (authentication and access control)

For the client wsHttpBinding I have a certificate ready to authenticate and a custom endpoint behaviour to supply this info, but I don't think it's getting this far!

UPDATED SERVER CONFIG

<system.serviceModel>
    <bindings>
        <wsHttpBinding>
            <binding name="CertificateWithTransport">
                <security mode="Transport">
                    <transport clientCredentialType="Certificate"/>
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>
    <services>
        <service name="WCFServiceCertificate.Service1" behaviorConfiguration="credentialConfig">
            <endpoint address="https://svnvmig02/Service1.svc" 
                        binding="wsHttpBinding" 
                        bindingConfiguration="CertificateWithTransport" 
                        contract="WCFServiceCertificate.IService1">
            </endpoint>
        </service>
    </services>
    <behaviors>
        <serviceBehaviors>
            <behavior name="credentialConfig">
                <serviceMetadata httpsGetEnabled="true" httpGetEnabled="false"/>
                <serviceDebug includeExceptionDetailInFaults="false"/>
            </behavior>
        </serviceBehaviors>
    </behaviors>
</system.serviceModel>

UPDATED CLIENT CONFIG

<system.serviceModel>
    <bindings>
        <wsHttpBinding>
            <binding name="WSHttpBinding_IService1">
                <security mode="Transport">
                    <transport clientCredentialType="Certificate" />
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>
    <client>
        <endpoint address="https://svnvmig02/Service1.svc" binding="wsHttpBinding" behaviorConfiguration="CustomBehavior"
            bindingConfiguration="WSHttpBinding_IService1" contract="ServiceReference1.IService1"
            name="WSHttpBinding_IService1">
        </endpoint>
    </client>
    <behaviors>
        <endpointBehaviors>
            <behavior name="CustomBehavior">
                <clientCredentials>
                    <clientCertificate findValue="svnvmig02" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
                    <serviceCertificate>
                        <authentication certificateValidationMode="PeerTrust"/>
                    </serviceCertificate>
                </clientCredentials>
            </behavior>
        </endpointBehaviors>
    </behaviors>
</system.serviceModel>

EDIT: Probably worth mentioning that my VS projects are 3.5 but IIS6 is running .NET 4

With the amended config (thanks Fabio ;) I can now browse in IE to the address https://svnvmig01/Service1.svc from the client machine and see the generated svc page, which allows me to click on the WSDL URL, which is also available.

The majority of the pages I have found on the net refer to self-hosting or IIS7... I'm hoping IIS7 support is better ;)

Any help would be greatly appreciated :)

Upvotes: 0

Views: 1888
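For comparison with the posted client config, the following is the same binding and credential set-up written in code, preceded by a pre-flight check of the certificate that `FindBySubjectName` would select (exactly one match, a private key present, a chain to a trusted root). This is an added example, not code from the question; it assumes the host `svnvmig02`, the subject name `svnvmig02` and the generated `ServiceReference1.IService1` contract from the question, and leaves the actual operation call as a comment because the contract is not shown. One caveat worth knowing: before .NET 4.5 the `ServiceCertificate.Authentication` setting (the `PeerTrust` line in the config) governs message-security certificates; the HTTPS server certificate is validated by the HTTP stack with ordinary chain trust and a host-name match against the URL.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example: the posted client <system.serviceModel> expressed in code,
// plus a pre-flight check of the client certificate the config selects.
static class TransportCertClient
{
    const string ServiceUrl = "https://svnvmig02/Service1.svc"; // from the question
    const string ClientCertSubject = "svnvmig02";                 // from the question

    // Mirrors <clientCertificate findValue="svnvmig02" x509FindType="FindBySubjectName"
    // storeLocation="LocalMachine" storeName="My"/> and checks what WCF would pick up.
    static X509Certificate2 FindClientCertificate()
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectName, ClientCertSubject, false);

            // WCF refuses ambiguous matches, so a subject-name search must hit exactly once.
            if (found.Count != 1)
                throw new InvalidOperationException(found.Count + " certificates match subject '"
                    + ClientCertSubject + "'; exactly one is required.");

            X509Certificate2 cert = found[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("No private key is associated with the "
                    + "client certificate; it cannot be used for TLS client authentication.");

            // Trust check against this machine's roots only (the server must trust the same root).
            var chain = new X509Chain();
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            if (!chain.Build(cert))
            {
                foreach (X509ChainStatus s in chain.ChainStatus)
                    Console.WriteLine("chain: " + s.Status + " " + s.StatusInformation);
                throw new InvalidOperationException("Client certificate does not chain to a trusted root.");
            }
            return cert;
        }
        finally
        {
            store.Close();
        }
    }

    static ChannelFactory<ServiceReference1.IService1> CreateFactory(X509Certificate2 clientCert)
    {
        // <security mode="Transport"><transport clientCredentialType="Certificate"/></security>
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

        var factory = new ChannelFactory<ServiceReference1.IService1>(
            binding, new EndpointAddress(ServiceUrl));

        // The certificate presented in the TLS handshake (<clientCertificate .../>).
        factory.Credentials.ClientCertificate.Certificate = clientCert;

        // <serviceCertificate><authentication certificateValidationMode="PeerTrust"/></serviceCertificate>
        // Kept for parity with the config; on .NET 3.5/4.0 the HTTPS server certificate is
        // validated by the HTTP stack (chain trust + host-name match), not by this setting.
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerTrust;
        return factory;
    }

    static void Main()
    {
        X509Certificate2 cert = FindClientCertificate();
        Console.WriteLine("Using client certificate " + cert.Subject + " (" + cert.Thumbprint + ")");

        ChannelFactory<ServiceReference1.IService1> factory = CreateFactory(cert);
        ServiceReference1.IService1 channel = factory.CreateChannel();
        try
        {
            // Invoke an IService1 operation here (the contract is not shown in the question).
            // A rejected client certificate or an IIS authentication mismatch surfaces as a
            // MessageSecurityException whose InnerException is the WebException with the HTTP status.
            ((ICommunicationObject)channel).Close();
            factory.Close();
        }
        catch (MessageSecurityException ex)
        {
            Console.WriteLine("Transport security failure: " + ex.Message);
            if (ex.InnerException != null)
                Console.WriteLine("  inner: " + ex.InnerException.Message);
            ((ICommunicationObject)channel).Abort();
            factory.Abort();
        }
    }
}
```

The pre-flight check catches the two failures that most often masquerade as an authentication error: a subject-name search that matches nothing (or more than one certificate), and a certificate in the machine store whose private key is missing or unreadable by the account running the client.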

Answers (2)

CodingWithSpike

Reputation: 43728

I think your issue here may be that you have IIS set to:

Anonymous access = OFF

I use transport security on several of my servers, and all the IIS6 ones have that setting ON, not OFF. This also corresponds to the error message you provided:

'anonymous authentication not allowed'

Without anon access off, IIS will either want the user to enter a username/password, or pass along Windows / Active Directory / Kerberos credentials.

Upvotes: 1

Shiraz Bhaiji

Reputation: 65441

Your config includes:

https://svnvmig02:8091/Service1.svc

The normal port for SSL is 443.

It may be that the request is not going to the site that you expect it to go to. Therefore, you are getting an unexpected error message.

Check the IIS logs to make sure which site is receiving the request.

Upvotes: 1
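To act on this answer's advice, the IIS6 W3C extended log tells you which site and port served each request to `/Service1.svc` and what status and sub-status IIS returned, which also distinguishes an authentication-configuration rejection from a client-certificate rejection. The reader below is an added example, not part of the answer; the log lines in it are constructed to look like IIS6 output, the field layout is taken from the file's own `#Fields:` header rather than assumed, and the sub-status meanings come from the IIS documentation (401.2 denied by server configuration, 403.7 client certificate required, 403.16 client certificate untrusted).

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Added example: summarise an IIS6 W3C extended log per site/port and HTTP status.
// Real logs live under %SystemRoot%\system32\LogFiles\W3SVC<siteid>\ex<yymmdd>.log;
// the sample below is constructed for illustration.
static class IisLogTriage
{
    // IIS sub-status codes relevant to a transport-security setup (IIS documentation).
    static readonly Dictionary<string, string> KnownStatus = new Dictionary<string, string>
    {
        { "401.2",  "denied by server configuration (no accepted authentication method)" },
        { "403.7",  "SSL client certificate required but none was presented" },
        { "403.16", "client certificate untrusted or invalid" },
    };

    const string SampleLog =
        "#Software: Microsoft Internet Information Services 6.0\n" +
        "#Version: 1.0\n" +
        "#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status\n" +
        "2011-03-01 10:15:01 W3SVC1 10.0.0.5 GET /Service1.svc - 443 - 10.0.0.9 Mozilla/4.0 200 0 0\n" +
        "2011-03-01 10:15:07 W3SVC1 10.0.0.5 POST /Service1.svc - 443 - 10.0.0.9 - 403 7 0\n" +
        "2011-03-01 10:15:09 W3SVC2 10.0.0.5 POST /Service1.svc - 8091 - 10.0.0.9 - 401 2 5\n";

    static string Field(Dictionary<string, string> row, string name)
    {
        string v;
        return row.TryGetValue(name, out v) ? v : "-";
    }

    // Counts requests for uriStem, keyed "site:port -> status.substatus".
    static SortedDictionary<string, int> Summarise(TextReader log, string uriStem)
    {
        var counts = new SortedDictionary<string, int>();
        string[] fields = null;
        string line;
        while ((line = log.ReadLine()) != null)
        {
            if (line.StartsWith("#Fields:"))
            {
                // The file declares its own column order; never hard-code it.
                fields = line.Substring("#Fields:".Length).Trim().Split(' ');
                continue;
            }
            if (line.Length == 0 || line[0] == '#' || fields == null) continue;

            string[] values = line.Split(' ');
            if (values.Length != fields.Length) continue; // malformed or truncated line

            var row = new Dictionary<string, string>();
            for (int i = 0; i < fields.Length; i++) row[fields[i]] = values[i];

            if (!string.Equals(Field(row, "cs-uri-stem"), uriStem, StringComparison.OrdinalIgnoreCase))
                continue;

            string key = Field(row, "s-sitename") + ":" + Field(row, "s-port") + " -> "
                + Field(row, "sc-status") + "." + Field(row, "sc-substatus");
            int n;
            counts.TryGetValue(key, out n);
            counts[key] = n + 1;
        }
        return counts;
    }

    static void Main()
    {
        SortedDictionary<string, int> summary = Summarise(new StringReader(SampleLog), "/Service1.svc");
        foreach (KeyValuePair<string, int> kv in summary)
        {
            string status = kv.Key.Substring(kv.Key.LastIndexOf(' ') + 1);
            string meaning;
            string note = KnownStatus.TryGetValue(status, out meaning) ? "  (" + meaning + ")" : "";
            Console.WriteLine("{0}  x{1}{2}", kv.Key, kv.Value, note);
        }
    }
}
```

Run against the real log directory for each site id, and the `s-sitename:s-port` column shows whether the WCF call reached the site whose Secure Communications and authentication settings were changed; a 401.2 points at the authentication settings, a 403.7 or 403.16 at the client certificate or its trust chain.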
