Libin

Reputation: 138

WCF Certificate Based Authentication Issue. Service is Getting authenticated with an invalid Certificate

I'm a beginner with WCF services. Trying to implement certificate-based authentication on a WCF service and facing an issue. The service expects a specific certificate from the calling client. The server throws an authentication error if the client is not passing any certificate. But at the same time, the service call is passing authentication with any certificate provided by the client (the service is supposed to authenticate only if the client provides a specific certificate).

Following is the code snippet of the server config:

Service Config:

<bindings>
    <wsHttpBinding>
        <binding name="MyWsHttpBinding" maxReceivedMessageSize="2147483647" receiveTimeout="00:30:00">
            <readerQuotas maxStringContentLength="2147483647" maxBytesPerRead="2147483647" maxDepth="2147483647" maxArrayLength="2147483647"/>
            <security mode="Transport">
                <transport clientCredentialType="None" proxyCredentialType="None"/>
                <message clientCredentialType="Certificate" algorithmSuite="Default"/>
            </security>
        </binding>
    </wsHttpBinding>
</bindings>

<serviceBehaviors>
    <behavior name="MyServiceBehavior">
        <serviceCredentials>
            <clientCertificate>
                <authentication certificateValidationMode="ChainTrust" />
            </clientCertificate>
            <serviceCertificate findValue="e616ebcd940951794736624acc6484802018c8d4" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
        </serviceCredentials>
        <serviceMetadata httpsGetEnabled="true" httpGetEnabled="true"/>
        <CustomBehaviorExtensionElement/>
        <serviceDebug includeExceptionDetailInFaults="true"/>
    </behavior>
</serviceBehaviors>


<endpointBehaviors>
    <behavior name="MyEndpointBehavior">
        <MySchemaValidator validateRequest="True" validateReply="False">
            <schemas>
                <add location="App_Data\model-service.xsd"/>
            </schemas>
        </MySchemaValidator>
    </behavior>
</endpointBehaviors>


<services>
    <service name="MyService" behaviorConfiguration="MyServiceBehavior">
        <endpoint binding="wsHttpBinding" bindingConfiguration="MyWsHttpBinding" contract="MyExchangeService" behaviorConfiguration="MyEndpointBehavior" bindingNamespace="http://www.mycompany.com/exchange/"/>
        <endpoint contract="IMetadataExchange" binding="mexHttpsBinding" address="mex" name="mex"/>
    </service>
</services>

Upvotes: 1

Views: 318

Answers (2)

Abhishek Anand

Reputation: 176

I see that the certificate validation mode used in your code is ChainTrust.

<clientCertificate>
    <authentication certificateValidationMode="ChainTrust" />
</clientCertificate>

As mentioned in Microsoft Docs, using ChainTrust means -

The certificate is valid if the chain builds to a certification authority in the trusted root store

Meaning, the client need not send a certificate with the exact same thumbprint as mentioned in your service web.config.
In fact, any certificate whose Root / Intermediate Certification Authority is present in your VM's Trusted Root Store will pass validation.

To make sure that the client is able to use only a specific certificate to authenticate to your service, change ChainTrust to PeerTrust and add the certificate to the trusted people store on your VM's Certificate Store (certmgr).

<authentication certificateValidationMode="PeerTrust" />

References:

  1. MS Docs - Working with certificates in WCF
  2. Authentication element in web.config
  3. More info on Certificate Chain of Trust

Upvotes: 1

Theobald Du

Reputation: 1024

The cause of the problem is that the security mode you use is Transport, so only the following code works:

  <transport clientCredentialType="None" proxyCredentialType="None"/>

The following message settings have no effect:

 <message clientCredentialType="Certificate" algorithmSuite="Default"/>

Change the value in transport to Certificate. You can also download the WCF demo from the official website; there are examples of related certificate verification, and there are tutorials corresponding to the demo.

Upvotes: 2
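Putting both answers together, here is the questioner's binding and service behavior with only the two settings the answers point at changed. This is an added example, not config from the question or either answer; the binding/behavior names and the service certificate thumbprint are copied from the question, the readerQuotas and other elements are left as they were, and the comments mark which lines differ from the original.

```xml
<!-- Added example: the original config with the two fixes applied.
     Names and the thumbprint come from the question above. -->
<bindings>
  <wsHttpBinding>
    <binding name="MyWsHttpBinding" maxReceivedMessageSize="2147483647" receiveTimeout="00:30:00">
      <readerQuotas maxStringContentLength="2147483647" maxBytesPerRead="2147483647" maxDepth="2147483647" maxArrayLength="2147483647"/>
      <security mode="Transport">
        <!-- CHANGED from clientCredentialType="None".
             With mode="Transport" the <transport> element is the one that
             governs client authentication; "None" means WCF neither requires
             nor validates a client certificate at the TLS layer. -->
        <transport clientCredentialType="Certificate" proxyCredentialType="None"/>
        <!-- REMOVED: <message clientCredentialType="Certificate" .../>
             The <message> element is ignored when mode="Transport", so leaving
             it in place only suggests a check that is not being made. -->
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

<serviceBehaviors>
  <behavior name="MyServiceBehavior">
    <serviceCredentials>
      <clientCertificate>
        <!-- CHANGED from certificateValidationMode="ChainTrust".
             ChainTrust accepts any certificate that chains to a trusted root.
             PeerTrust accepts only certificates whose public copy has been
             placed in the LocalMachine\Trusted People store, so the set of
             accepted client certificates is exactly what you install there. -->
        <authentication certificateValidationMode="PeerTrust"/>
      </clientCertificate>
      <serviceCertificate findValue="e616ebcd940951794736624acc6484802018c8d4" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint"/>
    </serviceCredentials>
    <serviceMetadata httpsGetEnabled="true" httpGetEnabled="true"/>
    <CustomBehaviorExtensionElement/>
    <serviceDebug includeExceptionDetailInFaults="true"/>
  </behavior>
</serviceBehaviors>
```

After applying this, import the expected client certificate (public key only, no private key) into LocalMachine\Trusted People on the server, then verify the change with two calls: the intended client certificate must still succeed, and a second certificate that chains to a trusted root but is not in Trusted People must now be rejected. If that second call still passes, the binding in use is not the one named here (check that the endpoint's bindingConfiguration really resolves to MyWsHttpBinding).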
