The HTTP request was forbidden with client authentication scheme 'Anonymous'

Zeezer picture Zeezer · Feb 13, 2013 · Viewed 63.2k times · Source

This seams to be a common problem, and I have looked at all the answers here but none have helped.

I am trying to get SSL to work with basichttpbinding and WCF service hosted on iis. I think the problem is in iis or with the certificates. I have created a self signed certificate in iis manager. My certificate is called "mycomputer" and have also been placed under Trusted Root Certification. The client have no problem finding the certificate.

My settings in iis are to enable anonymous auth, and disable everything else. Also require SSL and accept client certificate. Is that correct? I get an error if i choose to ignore.

I cant see anything wrong with my configs, are these correct?

Service config:

<system.serviceModel>
<services> 
  <service behaviorConfiguration="MyBehaviour" name="BasicHttpSecTest.Service1"> 
    <endpoint name="MyEndPoint" address="https://mycomputer/wp/" binding="basicHttpBinding" bindingConfiguration="ClientCertificateTransportSecurity" contract="BasicHttpSecTest.IService1" /> 
    <!--<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />-->
  </service> 
</services> 
<behaviors> 
  <serviceBehaviors> 
    <behavior name="MyBehaviour"> 
      <serviceMetadata httpsGetEnabled="true" /> 
      <serviceDebug includeExceptionDetailInFaults="true" /> 
      <serviceCredentials>
        <clientCertificate>
          <authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck"/>
        </clientCertificate>
      </serviceCredentials>
    </behavior> 
  </serviceBehaviors> 
</behaviors> 
<bindings> 
  <basicHttpBinding> 
    <binding name="ClientCertificateTransportSecurity"> 
      <security mode="Transport"> 
        <transport clientCredentialType="Certificate" />
      </security> 
    </binding> 
  </basicHttpBinding> 
</bindings>
</system.serviceModel> 

Client Config:

<system.serviceModel> 
<client>
    <endpoint address="https://mycomputer/wp/Service1.svc" binding="basicHttpBinding"
        bindingConfiguration="MyEndPoint" contract="ServiceSSLref.IService1"
        name="MyEndPoint1" behaviorConfiguration="ClientCertificateCredential"/>
</client>

<bindings>
    <basicHttpBinding>
        <binding name="MyEndPoint">
            <security mode="Transport">
                <transport clientCredentialType="Certificate" />
            </security>
        </binding>
    </basicHttpBinding>
</bindings>

<behaviors> 
  <endpointBehaviors> 
    <behavior name="ClientCertificateCredential"> 
      <clientCredentials> 
        <clientCertificate findValue="mycomputer" storeLocation="LocalMachine" storeName="My" x509FindType="FindByIssuerName" />
        <serviceCertificate>
          <authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck"/>
        </serviceCertificate>
      </clientCredentials> 
    </behavior> 
  </endpointBehaviors> 
</behaviors>
</system.serviceModel>

Answer

Alex picture Alex · Feb 13, 2013

I suppose that your problem might be in your client certificate. Setting clientCredentialType="Certificate" you tell WCF, that client must specify a certificate trusted by the server. As I've understood, you have only server-side generated certificate. Try to set

 <transport clientCredentialType="None" /> 

This will allow you to send messages without requiring certificate trusted by the server. Or you can try to generate certificate on client side and put it into Trusted folder on your server. Maybe this state will help you http://msdn.microsoft.com/en-us/library/ms731074.aspx