I am trying to learn how to use certificates for mutual authentication over the net tcp binding of WCF. My requirement is that only if the client can produce the correct certificate to the server will the client be able to communicate, otherwise not.

Below is the example of the project I created for the same.

1> First I created the certificates with the commands below

Creation of the Root Certificates
----------------------------------------------------------------------

makecert -n "CN=RootCATest" -r -sv RootCATest.pvk RootCATest.cer -ss TrustedPeople -sr localmachine

Creation of the client certificate in the My location from the root certificate
---------------------------------------------------------------------------------------------
makecert -sk localhost -iv RootCATest.pvk -n "CN=localhost" -ic RootCATest.cer -sr localmachine -ss my -sky exchange -pe

Creation of the service certificate in the trusted people location from the root certificate (I created this one in the trusted people location, otherwise the server was throwing an error that the certificate was not present in the trusted people store)
--------------------------------------------------------------------------------------------------------
makecert -sk localhost -iv RootCATest.pvk -n "CN=localhost" -ic RootCATest.cer -sr localmachine -ss trustedpeople -sky exchange -pe

2> Below is the server and client code
-----------------------------------
Server code:
----------------------------------
namespace NetTcpBindingDemo
{
    using System;
    using System.Net;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;
    using System.ServiceModel;

    class Program
    {
        static void Main(string[] args)
        {
            // Binding: TransportWithMessageCredential, certificate as transport client credential type
            var b = new NetTcpBinding();
            b.Security.Mode = System.ServiceModel.SecurityMode.TransportWithMessageCredential;
            b.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;
            b.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;

            var sh = new ServiceHost(typeof(EchoService));
            sh.AddServiceEndpoint(typeof(IEchoService), b, "net.tcp://localhost:56111/EchoService");

            // Service certificate looked up by issuer name in LocalMachine\TrustedPeople
            sh.Credentials.ServiceCertificate.SetCertificate(
                StoreLocation.LocalMachine, StoreName.TrustedPeople, X509FindType.FindByIssuerName, "RootCATest");

            sh.Open();
            Console.ForegroundColor = ConsoleColor.Green;
            Console.WriteLine("EchoService has started.");
            Console.ResetColor();
            Console.ReadLine();
        }
    }
}
--------------------------------------------
Client Code:
--------------------------------------------
namespace NetTcpBindingDemo
{
    using System;
    using System.Diagnostics;
    using System.Net;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;
    using System.ServiceModel;
    using System.ServiceModel.Security;

    internal class Program
    {
        private static void Main(string[] args)
        {
            var address = new EndpointAddress(new Uri("net.tcp://localhost:56111/EchoService"));

            // Same binding settings as the server
            var b = new NetTcpBinding();
            b.Security.Mode = SecurityMode.TransportWithMessageCredential;
            b.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;
            b.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;

            var channelFactory = new ChannelFactory<IEchoService>(b, address);

            // Client certificate looked up by issuer name in LocalMachine\My
            channelFactory.Credentials.ClientCertificate.SetCertificate(
                StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByIssuerName, "RootCATest");

            // Service certificate is validated against the TrustedPeople store
            channelFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
                X509CertificateValidationMode.PeerTrust;
            var client = channelFactory.CreateChannel(address);

            // var client = new EchoServiceClient();
            Console.ForegroundColor = ConsoleColor.Yellow;

            var c = client as ICommunicationObject;
            Console.WriteLine("Verifying Certificate...........");
            c.Open();
            Console.WriteLine("Certificate verification done...........");
            client.Echo("Hello World\n");
        }
    }
}
-------------------------------------------------------------------------

The interesting part is that if I don't set the certificate on the client side, the client is still able to communicate with the server; even if I put a different certificate in the client, the result is the same.

Please let me know what to do so that the client can authenticate correctly to the server using the certificates?
Comments
Prasad Khandekar 2-Jun-13 15:32pm    
Perhaps the following articles might help you in correctly configuring your service/server.
1. http://msdn.microsoft.com/en-us/library/windowsazure/hh289316.aspx
2. http://www.iisadmin.co.uk/?p=11&page=6
3. http://blogs.msdn.com/b/saurabh_singh/archive/2007/04/14/how-to-setup-iis-and-ad-for-client-certificate-setup-and-authentication.aspx
4. http://ondrej.wordpress.com/2010/01/24/iis-7-and-client-certificates/

Regards,
Member 859721 3-Jun-13 0:57am    
Well, most of the above links are about configuring certificates with IIS. But I want to configure with nettcp.

However, I found that if the Security.Mode is changed to Transport in both client and server, then the client certificate needs to be configured in the client; otherwise, in TransportWithMessageCredential mode, the communication works without the client certificate.
Can anyone explain the reason for this?
Member 859721 7-Jun-13 5:50am    
With Security.Mode in Transport mode, I created a service certificate and imported it to the store from a .pfx file (containing the private key and public key). Then I exported the public key from it, created another certificate, and added that in the store as the client certificate. And I am getting the error below. Please help with this.

The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:00:09.9470000'.

I think I do not have a clear concept of which certificate to use where. I have gone through many links but I still think it's a bit unclear.

I think the server should use a certificate which has only the private key, and the client should use the certificate with the pairing public key. We can create the public key by exporting it in the store. If my thinking is correct, then the question is how to create a certificate with only a private key.

If I can get an overview (not in detail) of how this private and public key part is used in the server and client, and how to create the respective certificates, that will be very helpful.
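
One way to configure the behaviour discussed in this thread, as an added example that is not part of the original post or its comments: with `SecurityMode.Transport` the client certificate is demanded at the transport layer, whereas under `TransportWithMessageCredential` the client is authenticated by `Security.Message.ClientCredentialType`, which defaults to Windows. Assumptions: the shape of `IEchoService`/`EchoService`, the class name `MutualCertDemo`, the thumbprint placeholders, and that RootCATest is installed in the Trusted Root Certification Authorities store so that `ChainTrust` can succeed.

```csharp
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IEchoService { [OperationContract] string Echo(string text); } // assumed shape
public class EchoService : IEchoService { public string Echo(string text) { return text; } }

public static class MutualCertDemo // hypothetical name
{
    const string Address = "net.tcp://localhost:56111/EchoService";
    // Placeholders: substitute the thumbprints of your own certificates.
    const string ServiceThumbprint = "<SERVICE-CERT-THUMBPRINT>";
    const string ClientThumbprint = "<CLIENT-CERT-THUMBPRINT>";

    static NetTcpBinding CreateBinding()
    {
        // Transport mode: both sides authenticate with certificates at the transport layer.
        var b = new NetTcpBinding(SecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;
        return b;
    }

    public static ServiceHost CreateHost()
    {
        var host = new ServiceHost(typeof(EchoService));
        host.AddServiceEndpoint(typeof(IEchoService), CreateBinding(), Address);
        // The service presents its OWN certificate, so the private key must be in this store.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, ServiceThumbprint);
        // Accept only client certificates that chain to a trusted root.
        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        auth.RevocationMode = X509RevocationMode.NoCheck; // assumption: test certs have no CRL
        return host;
    }

    public static ChannelFactory<IEchoService> CreateFactory()
    {
        var factory = new ChannelFactory<IEchoService>(CreateBinding(), new EndpointAddress(Address));
        // The client presents its OWN certificate (with its private key) ...
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, ClientThumbprint);
        // ... and needs only the public part of the service's chain to validate the service.
        var auth = factory.Credentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        auth.RevocationMode = X509RevocationMode.NoCheck; // assumption: test certs have no CRL
        return factory;
    }
}
```

To keep `TransportWithMessageCredential` instead, set `Security.Message.ClientCredentialType = MessageCredentialType.Certificate` on both sides so the message-level credential is the certificate.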

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


