
WCF Proxy error Using X509 Certificate



I created a WCF service and could SUCCESSFULLY refer to it in the client application. But the problem comes when I implement the X509 certificate.

1) When I change the service to use the X509 certificate, I couldn't create a proxy as the mex endpoints are not shown in the browser. So in this case, how should I refer to the service in the client app, when the service is secured and the mex endpoints are not exposed?

2) Can I use both message and transport security as Certificate? Will this scenario work for basicHttpBinding? I heard that basicHttpBinding cannot have message security through a certificate.

Any help in this regard will be highly appreciated.

Here is my service model configuration in the service.

<system.serviceModel>
  <client>
    <endpoint behaviorConfiguration=""
              binding="basicHttpBinding"
              bindingConfiguration="WCFServiceX509Binding"
              contract="WCFService.Contract.Service.IWCFServiceContract"
              name="WCFServiceClientEndPoint" />
  </client>
  <bindings>
    <basicHttpBinding>
      <binding name="WCFServiceX509Binding" maxBufferSize="6553600"
               maxBufferPoolSize="52428800" maxReceivedMessageSize="6553600">
        <!-- HTTPS transport plus a client certificate carried in the message -->
        <security mode="TransportWithMessageCredential">
          <transport clientCredentialType="Certificate" />
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <services>
    <service behaviorConfiguration="ServiceBehavior"
             name="WCFService.Model.WCFServiceModel">
      <!-- only the application endpoint is declared; no mex endpoint -->
      <endpoint address=""
                binding="basicHttpBinding"
                bindingConfiguration="WCFServiceX509Binding"
                name="WCFServiceBasicHttpEndPoint"
                contract="WCFService.Contract.Service.IWCFServiceContract">
        <identity>
          <certificateReference findValue="WCFUADOCServer" />
        </identity>
      </endpoint>
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="ServiceBehavior">
        <serviceMetadata httpGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="true" />
        <!-- empty: no client certificate authentication mode configured -->
        <serviceCredentials />
      </behavior>
    </serviceBehaviors>
    <endpointBehaviors>
      <!-- not referenced by any endpoint above (client behaviorConfiguration="") -->
      <behavior name="ClientCertificateBehavior">
        <clientCredentials>
          <clientCertificate findValue="WCFUADOCServer"
                             x509FindType="FindBySubjectName"
                             storeLocation="LocalMachine"
                             storeName="TrustedPeople" />
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
</system.serviceModel>

Thanks so much, Chand.


Solution

    1. The mex endpoint does not depend on the certificate. Based on your configuration you don't expose a mex endpoint at all, and the help page with WSDL should still be available over HTTP.
    2. What do you want to do? Security is a little bit of a high-level term in this case. You can use a secured transport channel and you can probably use a certificate transported in the message for authentication (I have never tried this combination). The scenario should work over BasicHttpBinding. I was surprised by it myself, but BasicHttpBinding actually supports full mutual certificate asymmetric message security.

    If you want to expose the service with transport security you must use HTTPS - either configured by the IIS management console (when hosting in IIS) or by assigning a certificate to the port with netsh (self hosting). Be aware that the account running the service must have access to the private key of the certificate - you must set up the ACL correctly.

    If you want to authenticate the client by certificate you should set up service credentials. If you are using self-signed certificates placed in the certificate store you should use at least this:

    <serviceCredentials>
      <clientCertificate>
        <authentication certificateValidationMode="PeerTrust" />
      </clientCertificate>
    </serviceCredentials>


    You can also define a custom certificate validator. For the endpoint, rather use a DNS identity.

    For the client, also use the PeerTrust validation mode for the service certificate.
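The custom certificate validator the answer mentions, as an added example that is not part of the answer or of the asker's project: a service-side X509CertificateValidator that pins the accepted client certificates to an explicit thumbprint list instead of trusting everything in the TrustedPeople store. The class name, namespace, assembly name and the thumbprint value are assumed placeholders.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

// Hypothetical service-side validator; it replaces PeerTrust when configured as
//   <authentication certificateValidationMode="Custom"
//     customCertificateValidatorType="WCFService.Security.PinnedClientCertificateValidator, WCFService" />
namespace WCFService.Security
{
    public class PinnedClientCertificateValidator : X509CertificateValidator
    {
        // Thumbprints of the client certificates the service accepts (placeholder value).
        private static readonly string[] AllowedThumbprints =
        {
            "0000000000000000000000000000000000000000"
        };

        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
                throw new ArgumentNullException("certificate");

            // Self-signed client certificates have no trusted issuer and no revocation
            // data, so trust comes from the pin below; the chain build still rejects a
            // certificate that is outside its validity period.
            var chain = new X509Chain();
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            chain.ChainPolicy.VerificationFlags =
                X509VerificationFlags.AllowUnknownCertificateAuthority;
            if (!chain.Build(certificate))
            {
                string reason = chain.ChainStatus.Length > 0
                    ? chain.ChainStatus[0].StatusInformation : "unknown";
                throw new SecurityTokenValidationException("Client certificate rejected: " + reason);
            }

            // Pin to an explicit allow list instead of accepting every certificate in
            // the TrustedPeople store; thumbprints are hex, so compare case-insensitively.
            foreach (string allowed in AllowedThumbprints)
            {
                if (string.Equals(certificate.Thumbprint, allowed, StringComparison.OrdinalIgnoreCase))
                    return;
            }
            throw new SecurityTokenValidationException(
                "Client certificate " + certificate.Subject + " is not on the allow list.");
        }
    }
}
```

WCF calls Validate for every client certificate presented on the binding; throwing SecurityTokenValidationException rejects the call before it reaches the service operation.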