
Use Mutual SSL Authentication in WCF

16 Mar 2012, CPOL, 3 min read
How to configure and use Mutual SSL Authentication in WCF.

Introduction

In this article, I will show you how to configure the client and service to use Mutual SSL authentication in WCF. If you're not familiar with the concept of Mutual SSL Authentication, I recommend reading the article named An Introduction to Mutual SSL Authentication first and then continuing with this article.

Background

Windows Communication Foundation (WCF) is a framework for building service-oriented applications. Address, Binding, and Contract (ABC) are the fundamental building blocks of all WCF applications. The binding controls three aspects of message communication:

  1. The suite of WS-* protocols, including WS-Security, WS-ReliableMessaging, and so on.
  2. The message encoding, such as XML 1.0, Message Transmission Optimization Mechanism (MTOM), and binary.
  3. The transport protocol, including HTTP, TCP, Named Pipe, and Microsoft Message Queuing (MSMQ).

Thus, the binding is where Mutual SSL Authentication is configured. However, Mutual SSL Authentication is transport-level security, so it can only provide "point-to-point" security between two endpoints (service and client). If there are intermediary systems between the client and the server, each intermediate point must forward the message over a new secured connection.

Consequently, only those bindings that support transport security can be configured to use Mutual SSL authentication. The following list shows the standard bindings that support transport-level security:

  • BasicHttpBinding
  • WSHttpBinding
  • WS2007HttpBinding
  • NetTcpBinding
  • NetNamedPipeBinding
  • NetMsmqBinding
  • NetPeerTcpBinding
  • MsmqIntegrationBinding

Configuration

Mutual SSL Authentication configuration in WCF is a two-step process:

  1. Enable the application to use transport security, with a certificate as its credential, in the binding.
  2. Specify a valid certificate in the behaviors; this is the certificate that will be presented when it is requested during mutual authentication.

Binding configuration

Enabling an application to use transport security with a certificate as its credential in WCF is as easy as specifying the following settings in the <binding> section of both the client and service application configuration files:

  1. Specify "Transport" as the security mode.
  2. Specify "Certificate" as the clientCredentialType.

These settings apply to all bindings, regardless of whether it is BasicHttpBinding, NetTcpBinding, or any other binding that supports transport-level security.

The following figures show how to apply the settings in basicHttpBinding and netTcpBinding:

[Figure: basicHttpBinding with security mode "Transport" and clientCredentialType "Certificate"]

[Figure: netTcpBinding with security mode "Transport" and clientCredentialType "Certificate"]

Behavior configuration

To configure the client and service applications to present their certificates during mutual authentication, they need an endpoint behavior and a service behavior that specify the client certificate and the service certificate, respectively.

Client configuration (EchoClient)

  • Endpoint Behavior is highlighted in the green color box.
  • Client Certificate is highlighted in the blue color box.

[Figure: Client configuration (EchoClient app.config) with the endpoint behavior and client certificate highlighted]

Service configuration (EchoService)

  • Service Behavior is highlighted in the green color box.
  • Service Certificate is highlighted in the blue color box.

[Figure: Service configuration (EchoService app.config) with the service behavior and service certificate highlighted]
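The two steps above, written out for the netTcpBinding case as an added example (this is not the article's own configuration, whose screenshots are not reproduced here): the services and serviceBehaviors parts belong in the EchoService project, the client and endpointBehaviors parts in the EchoClient project. The host demopc.mydomain.com and port 56111 are the article's; the binding and behavior names, the EchoService.Echo/IEcho type names and the "EchoClient" certificate subject are assumptions.

```xml
<system.serviceModel>
  <bindings>
    <netTcpBinding>
      <!-- Step 1 (both projects): transport security, certificate as the client credential -->
      <binding name="mutualSslTcp">
        <security mode="Transport">
          <transport clientCredentialType="Certificate" />
        </security>
      </binding>
    </netTcpBinding>
  </bindings>
  <services>
    <service name="EchoService.Echo" behaviorConfiguration="echoServiceBehavior">
      <endpoint address="net.tcp://demopc.mydomain.com:56111/Echo" binding="netTcpBinding"
                bindingConfiguration="mutualSslTcp" contract="EchoService.IEcho" />
    </service>
  </services>
  <client>
    <endpoint address="net.tcp://demopc.mydomain.com:56111/Echo" binding="netTcpBinding"
              bindingConfiguration="mutualSslTcp" contract="EchoService.IEcho"
              behaviorConfiguration="echoClientBehavior" />
  </client>
  <behaviors>
    <serviceBehaviors>
      <!-- Step 2 (service): present the service certificate and validate the client's -->
      <behavior name="echoServiceBehavior">
        <serviceCredentials>
          <serviceCertificate findValue="demopc.mydomain.com" storeLocation="LocalMachine"
                              storeName="My" x509FindType="FindBySubjectName" />
          <clientCertificate>
            <authentication certificateValidationMode="ChainTrust" revocationMode="Online" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
    <endpointBehaviors>
      <!-- Step 2 (client): present the client certificate and validate the service's -->
      <behavior name="echoClientBehavior">
        <clientCredentials>
          <clientCertificate findValue="EchoClient" storeLocation="CurrentUser"
                             storeName="My" x509FindType="FindBySubjectName" />
          <serviceCertificate>
            <authentication certificateValidationMode="ChainTrust" revocationMode="Online" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
</system.serviceModel>
```

For basicHttpBinding the <binding> settings are identical, but an HTTP endpoint takes its server certificate from the port's SSL binding (netsh http add sslcert, or IIS) rather than from serviceCredentials/serviceCertificate. Keep certificateValidationMode at ChainTrust or PeerTrust: setting it to None accepts any certificate and removes the authentication the configuration is meant to add.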

Using the samples

I've created two demo projects, available from the link at the top of this article, which use Mutual SSL Authentication with BasicHttpBinding and NetTcpBinding. To run the demo projects, you need to change the following settings in both the client and service projects:

  1. Change the host and domain name (demopc.mydomain.com) in the client and service endpoint addresses according to your environment.
  2. Optionally change the port (56111) in the client and service endpoint addresses if it is already in use.
  3. Specify a valid client certificate and service certificate that are available in your workstation's certificate store.

History

  • 16th March, 2012: Initial version.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL).


Written By
Elvin Cheng, Singapore
Elvin Cheng is currently living in Woodlands, Singapore. He has been developing applications with the .NET Framework, using C# and ASP.NET, since October 2002. Elvin specializes in building real-time monitoring and tracking information systems for the semiconductor manufacturing industry. In his spare time, he enjoys reading books, watching movies and going to the gym.

Comments and Discussions

Question: WCF is sending Kerberos requests to domain controller when using Certificates and Transport SecurityMode
Member 144722843-Apr-20 4:45
Question: The HTTP request was forbidden with client authentication scheme 'Anonymous'.
Member 105569821-Jun-14 21:26

Answer: Re: The HTTP request was forbidden with client authentication scheme 'Anonymous'.
Member 105569824-Jun-14 21:55

Answer: Re: The HTTP request was forbidden with client authentication scheme 'Anonymous'.
euhm3-May-15 22:13

Question: C# WCF client communicating with a Java web service
kernelboss14-Jan-14 23:31

Question: Problem in creation of the certificates for the above demo.
Member 8597216-Jun-13 23:46
The above example helped me a lot to understand how to use the certificates in WCF using the netTcp binding.

But for creating the certificates, what I did is: I created a service certificate and imported it into the store from a .pfx file (containing the private key and public key). Then I exported the public key from it, created another certificate and added that to the store as the client certificate. And I am getting the below error. Please help on this.

The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:00:09.9470000'.

I think I do not have a clear concept of which certificate to use where. I have gone through many links but still I think it's a bit unclear.

I think the server should use a certificate which has only the private key. And the client should use the certificate with the pairing public key. We can create the public key by exporting the same in the store. If my thinking is correct, then the question is how to create a certificate with only a private key.

If I can get an overview (not in detail) of how the private and public key parts are used in the server and client and how to create the respective certificates, that will be very helpful.
Question: certificate not found
nikudale9-Apr-13 6:08

Question: Wireshark sniffing
Member 205900411-Dec-12 2:25
