WCF with certificates on both Client and Server (Message security and wsHttpBinding)

tggm picture tggm · Aug 23, 2012 · Viewed 7.3k times · Source

I'm trying to setup a WCF service with certificate authentication on both the client and server. I'm going through hell, looping through all the possible error messages.

The final objective here is to authenticate both parties with certificates. I'll be issuing a specific certificate for every client which (hopefully) would allow me to tell them apart.

So far I have the following config files:

Server configuration file

<configuration>
    <system.serviceModel>
        <services>
            <service name="ServiceApiImplementation" behaviorConfiguration="myBehaviour">
                <host>
                    <baseAddresses><add baseAddress="http://localhost:9110/MyService"/></baseAddresses>
                </host>
                <endpoint address="" binding="wsHttpBinding" contract="IServiceAPI" bindingName="SOAP12Binding">
                    <identity>
                        <certificateReference findValue="ServerCertificate" storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectName"/>
                    </identity>
                </endpoint>
            </service>
        </services>
        <bindings>
            <wsHttpBinding>
                <binding name="SOAP12Binding" receiveTimeout="00:02:00" closeTimeout="00:01:00" openTimeout="00:01:00" sendTimeout="00:01:00">
                    <security mode="Message">
                        <message clientCredentialType="Certificate" negotiateServiceCredential="false" establishSecurityContext="false" />
                    </security>
                </binding>
            </wsHttpBinding>
        </bindings>
        <behaviors>
            <serviceBehaviors>
                <behavior name="myBehaviour">
                    <serviceMetadata httpGetEnabled="true" />
                    <serviceDebug includeExceptionDetailInFaults="true" />
                    <serviceCredentials>
                        <serviceCertificate findValue="ServerCertificate" storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectName" />
                        <clientCertificate>
                            <authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck"/>
                        </clientCertificate>
                    </serviceCredentials>
                </behavior>
            </serviceBehaviors>
        </behaviors>
    </system.serviceModel>
</configuration>

Client Configuration File

<system.serviceModel>
    <client>
        <endpoint address="http://localhost:9110/MyService" binding="wsHttpBinding" 
                  bindingConfiguration="SOAP12Binding_IServiceAPI" contract="IServiceAPI" 
                  behaviorConfiguration="behaviour1" name="SOAP12Binding_IServiceAPI">
            <identity>
                <!-- Value obtained when "Adding a Service Reference in visual studio" -->
                <certificate encodedValue="xxxxxxxxxxxxx" />
            </identity>
        </endpoint>
    </client>
    <behaviors>
        <endpointBehaviors>
            <behavior name="behaviour1">
                <clientCredentials>
                    <clientCertificate findValue="ClientCertificate" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName"/>
                    <serviceCertificate>
                        <defaultCertificate findValue="ServerCertificate" storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectName" />
                        <authentication certificateValidationMode="ChainTrust" trustedStoreLocation="LocalMachine" revocationMode="NoCheck" />
                    </serviceCertificate>
                </clientCredentials>
            </behavior>
        </endpointBehaviors>
    </behaviors>
    <bindings>
        <wsHttpBinding>
            <binding name="SOAP12Binding_IServiceAPI">
                <security mode="Message">
                    <message clientCredentialType="Certificate"  negotiateServiceCredential="false" establishSecurityContext="false" />
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>
</system.serviceModel>

I have generated a rootCA and a couple of certificates for both client and server, given the appropriate permissions and put them in the stores (both LocalMachine and CurrentUSer out of despair). To the best of my knowledge this bit is working.

The problems happen when calling the service. The latest error is:

An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.

The message could not be processed. This is most likely because the action 'http://tempuri.org/IServiceAPI/MyMethod' is incorrect or because the message contains an invalid or expired security context token or because there is a m ismatch between bindings. The security context token would be invalid if the service aborted the channel due to inactivity. To prevent the service from aborting idle sessions prematurely increase the Receive timeout on the service endpoint' s binding.

Or even (the previous error)

The identity check failed for the outgoing message. The expected identity is 'identity(http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn)' for the 'http://localhost:9110/MyService' target endpoint.

The error messages vary according to my experimentation in the config files. Right now both client and server are running on the same machine so, at least, I'd be expecting that each app would authenticate the other one through the rootCA.

Please note, I'm using Message Security and wsHttpBinding because they appeared to be the correct chouices. I don't have any big restrictions except publishing a service that can be consumed by standard JAVA Frameworks.

Can anyone help me sort through this mess?

Any help would be grealty appreciated

Regards,

Answer

tggm picture tggm · Sep 8, 2012

I managed to solve my original problem.

Regarding the two-way certificate authentication, I found that the following codeproject article provides a working demonstration: http://www.codeproject.com/Articles/36683/9-simple-steps-to-enable-X-509-certificates-on-WCF#Step%201:-%20Create%20client%20and%20server%20certificates

Granted that this example uses peer trust, but so far I've never been able to have a working prototype working no matter what. From this point forward the only pitfalls I forsee are storing the certificate chain in the proper location and giving access to the private key to the user your project is running under. See this article for an explanation on how to give permissions to a certificate's private key: http://msdn.microsoft.com/en-us/library/ff647171.aspx#Step6

For the second part of the question: How to tell the clients certificates apart in a WCF service?, you can use the following code to obtain the client's certificate thumbprint:

X509Certificate2 certificate = null;

if(ServiceSecurityContext.Current.AuthorizationContext.ClaimSets == null)
    throw new Exception("No claim set");

foreach(var claim in ServiceSecurityContext.Current.AuthorizationContext.ClaimSets)
    if(claim is X509CertificateClaimSet)
    {
        X509CertificateClaimSet xcset = claim as X509CertificateClaimSet;
        certificate = xcset.X509Certificate;
        break;
    }

if(certificate == null)
    throw new Exception("No X509 certificate found");

string clientCertificateThumbprint = certificate.Thumbprint;

This will get the client's thumbprint that will be different for each client you issue a certificate to. Of course, all the other certificate data is available.