WCF is extremely extensible and has many ready-to-use features; however, I continue to struggle with some topics, and the more documents I read, the more confused I get.
I hope to get answers from the community. Feedback on any suggestion or question is greatly appreciated.
For the record: to really accept one answer, I would have to split this post into several questions, but that would lead to even more confusion. I am sure there are some real WCF experts on the Internet who can answer several of the questions in this post at once, so that I can accept one answer as the real deal for configuring client certificate authentication with IIS in the right way.
Let me outline the situation and partner request:
1: Partner requirement and client certificate usage issue.
Partner X needs to call the API on my server, and they have a clear requirement to use client certificate authentication. They created a client certificate and provided us with the public key certificate only, which makes sense, since the private key stays private and in their own system. The certificate was imported into the Local Computer account and, looking at the certification path, is valid. All intermediate certification authorities and, ultimately, the root certification authority are trusted.
2: Server-side configuration
I have a serviceBehavior configured as such:
<behavior name="ClientCertificateBehavior">
  <serviceMetadata httpsGetEnabled="true" />
  <serviceCredentials>
    <serviceCertificate findValue="<serialnumber here>" x509FindType="FindBySerialNumber" />
    <clientCertificate>
      <authentication certificateValidationMode="PeerTrust" />
    </clientCertificate>
  </serviceCredentials>
</behavior>
I assume I made the first mistake here and should use ChainTrust to actually verify the certificate using its certification path. What do you think?
The service is configured as such:
<service behaviorConfiguration="ClientCertificateBehavior" name="<Full service namespace and servicename>">
  <endpoint binding="basicHttpBinding" bindingConfiguration="Soap11CertificateBasicHttpBinding" contract="<The interface>"></endpoint>
</service>
The binding is as follows:
This is a basicHttpBinding to force SOAP 1.1 (as per the partner's specifications).
<binding name="Soap11CertificateBasicHttpBinding">
  <security mode="Transport">
    <transport clientCredentialType="Certificate" />
  </security>
</binding>
3: WCF Hosting in IIS and IIS Configuration
We host our WCF services in IIS 7. We set up a folder in which the services require SSL and accept client certificates. Authentication is enabled.
The fact is that communication from the partner works, and we were sure that everything was in order; however, changing the IIS client certificate setting to "Require" shows us that it is suddenly no longer possible to successfully call our service.
Am I correct in assuming that the following things are being performed incorrectly:
The serviceCertificate in the serviceBehavior is not needed. This is a parameter used by the client. Or do you need to provide this certificate information for the service endpoint to match the certificate that is sent by the client?
To authenticate with client certificates, which does work in IIS, the certificate must be mapped to a user. This user must be granted permissions on the folder containing the services, and all other authentication mechanisms (anonymous, Windows, ...) must be disabled. In this way, IIS handles the actual handshake and secures the service communication. Or is mapping a certificate to a user more of a security issue?
By setting Accept in IIS, we bypass the actual certificate verification between the client and server.
All authentication mechanisms, such as anonymous and windows, must be disabled in IIS for the folder in which the services are located.
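On the PeerTrust versus ChainTrust question above (section 2) and on the question of how the service can tell which certificate the caller actually presented (section 3), the following is an added illustration, not code from the original post or from the partner's project. It is a custom WCF X509CertificateValidator that does what ChainTrust does (builds the certification path to a trusted root, with an online revocation check and a Client Authentication EKU requirement) and then additionally pins the caller to the one partner certificate, which is the property PeerTrust gives you. The namespace, class name, the ExpectedThumbprint placeholder and the CallerIdentity helper are all assumptions made for the example.

```csharp
using System;
using System.IdentityModel.Claims;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

namespace PartnerApi.Security // assumed namespace for this example
{
    // Custom validator: ChainTrust-style path validation plus a PeerTrust-style
    // pin on the partner's certificate, so a different certificate issued by the
    // same CA is still rejected.
    public sealed class ChainAndPinValidator : X509CertificateValidator
    {
        // Placeholder: the SHA-1 thumbprint of the partner's public certificate
        // (hex, no spaces, as shown in the Local Computer certificate store).
        private const string ExpectedThumbprint = "REPLACE-WITH-PARTNER-CERT-THUMBPRINT";

        // Enhanced Key Usage OID for "Client Authentication".
        private const string ClientAuthEku = "1.3.6.1.5.5.7.3.2";

        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
                throw new ArgumentNullException("certificate");

            // 1. Build the certification path exactly as ChainTrust would, but with
            //    revocation checking and the client-auth EKU made explicit.
            var chain = new X509Chain();
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            chain.ChainPolicy.ApplicationPolicy.Add(new Oid(ClientAuthEku));

            if (!chain.Build(certificate))
            {
                // Collect every chain status (expired, untrusted root, revoked, ...)
                // so the failure reason ends up in the exception and the trace log.
                string reasons = string.Join("; ",
                    chain.ChainStatus.Select(s => s.Status + ": " + s.StatusInformation.Trim()));
                throw new SecurityTokenValidationException(
                    "Client certificate failed chain validation: " + reasons);
            }

            // 2. Pin to the partner's certificate. X509Certificate2.Thumbprint is
            //    upper-case hex without separators, hence the case-insensitive compare.
            if (!string.Equals(certificate.Thumbprint, ExpectedThumbprint,
                               StringComparison.OrdinalIgnoreCase))
            {
                throw new SecurityTokenValidationException(
                    "Client certificate chains to a trusted root but is not the partner's certificate: "
                    + certificate.Subject);
            }
        }
    }

    // Helper for use inside a service operation: returns the thumbprint of the
    // certificate the caller authenticated with, or null when the call carried
    // no client certificate claim.
    public static class CallerIdentity
    {
        public static string ClientCertificateThumbprint()
        {
            ServiceSecurityContext ctx = ServiceSecurityContext.Current;
            if (ctx == null || ctx.AuthorizationContext == null)
                return null;

            foreach (ClaimSet claimSet in ctx.AuthorizationContext.ClaimSets)
            {
                var x509 = claimSet as X509CertificateClaimSet;
                if (x509 != null && x509.X509Certificate != null)
                    return x509.X509Certificate.Thumbprint;
            }
            return null;
        }
    }
}
```

The validator is plugged into the serviceBehavior from section 2 by replacing the PeerTrust line with `<authentication certificateValidationMode="Custom" customCertificateValidatorType="PartnerApi.Security.ChainAndPinValidator, PartnerApi" />` (type name and assembly name are the example's assumptions; WCF instantiates the type through its parameterless constructor). The CallerIdentity helper is what lets an operation log or authorize on the presented certificate rather than relying only on an IIS user mapping.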