Get started for free
Visual Studio Developer Center >
WCF Message Security

Proposed Answer WCF Message Security

  • Monday, April 23, 2007 11:40 AM
     
     
    Sign In to Vote
    0

    Dear All,

       I am working with WCF Message Security. I have configured Service and Client Certificates.

     These certificates are assigned to respective project programatically. These certificates are viewed in Certmgr.msc as well. But when I run application I get the follwoing exception:

     

     

    "The caller was not authenticated by the service".

     

    I am using VISTA RTM. Can anybody solve my problem.

     

    Thanks

     

    MaheshBabu

     

All Replies

  • Monday, April 23, 2007 3:38 PM
     
     
    Sign In to Vote
    0
    You haven't provided the service side authentication exception, the binding you're using, or described how the certificates were created, so it's not clear what the problem is.  Without this information, providing a solution is difficult.  You might also find the answer you're looking for by using the search function to review existing threads about how X509 certificates work.
     
  • Wednesday, April 25, 2007 5:26 AM
     
     
    Sign In to Vote
    0

    I am using followinf code to create service and client ceritificates

     

    Service-->

    makecert.exe -sr CurrentUser -ss My -a sha1 -n CN=localhost -sky

    exchange -pe

    certmgr.exe -add -r CurrentUser -s My -c -n localhost -r CurrentUser -s

    TrustedPeople

     

     

    Client -->

    makecert.exe -sr CurrentUser -ss My-a sha1 -n CN=WCFUser -sky

    exchange -pe

    certmgr.exe -add -r CurrentUser -s My -c -n WCFUser -r CurrentUser -s

    TrustedPeople

     

     

    Following is the code in host to assigncertificate to Service:

     

    Uri address = new Uri("http://localhost:8001/TradeService");

    WSHttpBinding binding = new WSHttpBinding();

    //Set the Security Mode

    binding.Security.Mode = SecurityMode.Message;

    binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

    Type contract = typeof(ExchangeService.ITradeService );

    ServiceHost host = new ServiceHost(typeof(ExchangeService.TradeService));

    host.AddServiceEndpoint(contract,binding,address );

    //Set the Certificate

    host.Credentials.ServiceCertificate.SetCertificate(

    StoreLocation.CurrentUser,

    StoreName.My,

    X509FindType.FindBySubjectName,

    "localhost");

    host.Open();

     

    following is the code on client side:

     

    EndpointAddress address = new EndpointAddress("http://localhost:8001/TradeService");

    WSHttpBinding binding = new WSHttpBinding();

    binding.Security.Mode = SecurityMode.Message;binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;ChannelFactory<ITradeService> cf = new ChannelFactory<ITradeService>(binding,address );

    //Set the Client Certificate

    cf.Credentials.ClientCertificate.SetCertificate

    (StoreLocation.CurrentUser,StoreName.My,X509FindType.FindBySubjectName,"WCFUser"); //Set the Server Certificate

    cf.Credentials.ServiceCertificate.SetDefaultCertificate

    (StoreLocation.CurrentUser,StoreName.My,X509FindType.FindBySubjectName,"localhost");

     

     

    Thanks

    REgards

     

    Maheshbabu

     

     
  • Wednesday, April 25, 2007 7:17 AM
     
     
    Sign In to Vote
    0

    you are doing mutual certificate authentication right!,

    try to disable the credential negotiation and the establishment of a security context as you are provinding the certificate out of band for the client.

     

    so on the server and client side do :

     

    binding.Security.Message.NegotiateServiceCredential = false;

    binding.Security.Message.EstablishSecurityContext = false;

     

     

    for further fun reading:

    http://msdn2.microsoft.com/en-us/library/ms733102.aspx

     

     

    hth, Allan

     
  • Wednesday, April 25, 2007 8:39 AM
     
     
    Sign In to Vote
    0

    Dear Allan,

       I tried the way it is suggested, but now I am getting the follwoing errot from the client. My Service is running fine.

     



    "An unsecured or incorrectly secured fault was received from the other party. See
     the inner FaultException for the fault code and detail.System.ServiceModel.Faul
    tException: At least one security token in the message could not be validated."

     

     

    Waiting for the solution

     

    REgards

     

    MaheshBabu


     

     
  • Wednesday, April 25, 2007 9:27 AM
     
     
    Sign In to Vote
    0

    hmm

    your client code :

    cf.Credentials.ServiceCertificate.SetDefaultCertificate

    (StoreLocation.CurrentUser,StoreName.My,X509FindType.FindBySubjectName,"localhost");

     

    change the StoreName.My to StoreName.TrustedPeople ?

     

     

    Allan

     
  • Wednesday, April 25, 2007 9:37 AM
     
     
    Sign In to Vote
    0

    Client -->

    makecert.exe -sr CurrentUser -ss My-a sha1 -n CN=WCFUser -sky exchange -pe

     

    this will actually create a store name called My-a, if this is the exact  command you executed then make a space between My-a .....e.i My -a

     

     
  • Wednesday, April 25, 2007 10:58 AM
     
     
    Sign In to Vote
    0

    Thanks Allan,

       I have made the necessary changes as mentioned by you, but still the problem persists with the same error message.

    I have changed store location to Trusted People and specified My -a insted of My-a, but still the problem persists.

     

    IS this becauses I am using VISTA, I am not sure but does VISTA have some issues with Certifications.

     

    Now I am  not  getting what to do?

     

    Can you please mail me any Demo if you have it with you?

     

    Thanks

     

    MahehBabu

     
  • Wednesday, April 25, 2007 11:44 AM
     
     Proposed Answer
    Sign In to Vote
    1

    ok I created 2 config file that should reassemble your current service contract e.g ExchangeService.ITradeService etc.

     

     use these config files here with out your code and see if this helps..

     

    first your certs: which is what you did in the first place.

     

    //server

    makecert.exe -sr CurrentUser -ss My -a sha1 -n CN=TradeService -sky exchange -pe

    certmgr.exe -add -r CurrentUser -s My -c -n TradeService -r CurrentUser -s TrustedPeople

     

     //client

    makecert.exe -sr CurrentUser -ss My -a sha1 -n CN=WCFUser -sky exchange -pe

    certmgr.exe -add -r CurrentUser -s My -c -n WCFUser -r CurrentUser -s TrustedPeople

     


     

    [Server side config file]

     

    <?xml version="1.0" encoding="utf-8" ?>

    <configuration>

    <system.serviceModel>

    <services>

    <service name="ExchangeService.TradeService"

    behaviorConfiguration="Tradebehavior">

    <endpoint address="http://localhost:8001/TradeService"

    binding="wsHttpBinding"

    bindingConfiguration="wsTradeBinding"

    contract="ExchangeService.ITradeService" />

    </service>

    </services>

    <bindings>

    <wsHttpBinding>

    <binding name="wsTradeBinding">

    <security mode="Message">

    <message clientCredentialType="Certificate" />

    </security>

    </binding>

    </wsHttpBinding>

    </bindings>

    <behaviors>

    <serviceBehaviors>

    <behavior name="Tradebehavior">

    <serviceCredentials>

    <serviceCertificate findValue="TradeService"

    x509FindType="FindBySubjectName"

    storeLocation="CurrentUser"

    storeName="TrustedPeople" />

    <clientCertificate>

    <authentication certificateValidationMode="PeerTrust" />

    </clientCertificate>

    </serviceCredentials>

    </behavior>

    </serviceBehaviors>

    </behaviors>

    </system.serviceModel>

    </configuration>

     

    [client side config file]

     

    <?xml version="1.0" encoding="utf-8"?>

    <configuration>

    <system.serviceModel>

    <client>

    <endpoint address="http://localhost:8001/TradeService"

    binding="wsHttpBinding"

    bindingConfiguration="clientConfig"

    behaviorConfiguration="clientBehavior"

    contract="ITradeService">

    <identity>

    <certificateReference findValue="TradeService"

    x509FindType="FindBySubjectName"

    storeLocation="CurrentUser"

    storeName="TrustedPeople" />

    </identity>

    </endpoint>

    </client>

    <bindings>

    <wsHttpBinding>

    <binding name="clientConfig">

    <security mode="Message">

    <message clientCredentialType="Certificate" />

    </security>

    </binding>

    </wsHttpBinding>

    </bindings>

    <behaviors>

    <endpointBehaviors>

    <behavior name="clientBehavior">

    <clientCredentials>

    <clientCertificate findValue="WCFUser"

    x509FindType="FindBySubjectName"

    storeLocation="CurrentUser"

    storeName="TrustedPeople" />

    <serviceCertificate>

    <authentication certificateValidationMode="PeerOrChainTrust" />

    </serviceCertificate>

    </clientCredentials>

    </behavior>

    </endpointBehaviors>

    </behaviors>

    </system.serviceModel>

    </configuration>

     

    Vista should have no issues regarding certificates.

     

    if this fails also, please provide me with your code as it is now and output from the client/server tracelog.

     

    Allan

     
  • Thursday, April 26, 2007 6:24 AM
     
     
    Sign In to Vote
    0

    Dear Allan,

     

    Thanks a Lot!!!!!!!!!!!!!!!!

       the solution works for me.

     

    Now I am trying the same thing for "UserName" Token. Lets see wheather it works there or not.

     

    In fact I tried but it is giving me exeption

    "The username is not provided. Specify username in ClientCredentials."

    Here I am using the same certificate. I think It should be possible to use same certificate for Certificate and UserName token.

     

    (Tell me wheather I am correct or wrong).

     

    If any problem I will again request you.

     

    Thanks

     

    Regards

    MaheshBabu 

     
  • Monday, July 23, 2007 9:18 AM
     
     
    Sign In to Vote
    0
    Dear Allan,

    I have a similar problem, so I've tried your code however I am getting the following exception:

    Cannot find the X.509 certificate using the following search criteria: StoreName 'TrustedPeople', StoreLocation 'CurrentUser', FindType 'FindBySubjectName', FindValue 'TradeService'.

    Thank you,