The problem of using certificates for authentication.

    Question

  • The client machine has the "TicketSalesClient" certificate in "My" storage of current user and the "TicketSalesServer" certificate in "TrustedPeople" storage of current user. The server machine has "TicketSalesClient" certificate in "TrustedPeople" storage of local machine and the "TicketSalesServer" certificate in "My" storage of local machine.

    The service runs under IIS 7. Below is the web.config file:


    <system.serviceModel> 
        <services>
          <service behaviorConfiguration="secureBehavior" name="InternetRailwayTicketSales.TicketSalesImplementations.TicketSalesService">
            <endpoint address="TicketSalesService" 
                      binding="basicHttpBinding" 
                      bindingConfiguration="secureHttpBinding" contract="InternetRailwayTicketSales.TicketSalesInterface.ITicketSales" />
    
            <endpoint address="TicketSalesServiceSecureMex" 
                      binding="basicHttpBinding" 
                      bindingConfiguration="secureHttpBinding" 
                      contract="IMetadataExchange" />
            
            <host>
              <baseAddresses>
                <add baseAddress="https://localhost:443/TicketSales/" />            
              </baseAddresses>
            </host>
            
          </service>
        </services>
        <bindings>
          <basicHttpBinding>
            <binding name="secureHttpBinding">
              <security mode="Transport">
                <transport clientCredentialType="Certificate"/>
              </security>
            </binding>
          </basicHttpBinding>
        </bindings>
    
        <behaviors>
          <serviceBehaviors>
            <behavior name="secureBehavior">
              <serviceThrottling maxConcurrentInstances="5000" maxConcurrentSessions="5000" />
              <serviceMetadata httpsGetEnabled="true" />
              <serviceDebug includeExceptionDetailInFaults="True" />
              <serviceCredentials>
                <serviceCertificate findValue="TicketSalesServer" 
                                    storeLocation="LocalMachine"
                                    storeName="My"
                                    x509FindType="FindBySubjectName"/>
                <clientCertificate>
                  <authentication certificateValidationMode="PeerTrust"/>
                </clientCertificate>
              </serviceCredentials>
            </behavior>
          </serviceBehaviors>
        </behaviors>
      </system.serviceModel>
    



    The service in IIS is configured for SSL and to require client certificates.

    1) Now when I try to add a service reference in the client I receive: "The HTTP request was forbidden with client authentication scheme 'Anonymous'. The remote server returned an error: (403) Forbidden."

    2) If I try to request the metadata endpoint using a browser, I first apply the SSL certificate and then receive an error that "The credentials do not give the right to view this directory or page." As I understand it, this is because I can't give the client credentials through the browser.

    3) I tried to use svcutil with a configuration file which contains the client credentials:


    <configuration>
      <system.serviceModel>
        <client>
          <endpoint 
            behaviorConfiguration="ClientCertificateBehavior"
            binding="basicHttpBinding"
            bindingConfiguration="Binding1" 
            contract="IMetadataExchange"
            name="https" />
        </client>
        <bindings>
          <basicHttpBinding>
            <binding name="Binding1">
              <security mode="Transport">
                <transport clientCredentialType="Certificate" />
              </security>
            </binding>
          </basicHttpBinding>
        </bindings>
        <behaviors>
          <endpointBehaviors>
            <behavior name="ClientCertificateBehavior">
              <clientCredentials>
                <clientCertificate findValue="TicketSalesClient"
                                   storeLocation="CurrentUser"
                                   storeName="My"
                                   x509FindType="FindBySubjectName" />
              </clientCredentials>
            </behavior>
          </endpointBehaviors>
        </behaviors>
      </system.serviceModel>
    </configuration>
    



    And then:

    svcutil https://veryLongAddress.svc?wsdl /config:svcutilConf.config

    And the response is: "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure."

    So what am I doing wrong?


    • Edited by FofanovIS Thursday, December 01, 2011 8:21 AM
    Thursday, December 01, 2011 8:20 AM

Answers

  • Seems like your certificate installation is fine. Can you try as shown below and see the output. Try to browse to the service from IE and you should be able to see the service and its WSDL.

    Go to IE and then

    Tools --> Internet Options --> Security --> Internet --> Custom Level

    Tools --> Internet Options --> Security --> Intranet --> Custom Level

    Now scroll down to the Misc section to find the option "Don't prompt for client certificate selection when no certificate is present or only one certificate is present" and set it to Disable.

    Now restart IE and browse to the service and IE should ask you to select a client certificate from the personal store and you need to select mvc.localhost.

    If TicketSalesClient cert is not visible then your client certificate is not in the appropriate store.

    The reason for this is that the file you are using to install the certificates does matter, as does the purpose for which the certificate has been created. You can find the purpose of each certificate when you double-click it in the certificate store; there is a column called Intended Purpose. Make sure it's for your client certificate.


    Rajesh S V
    • Edited by Rajesh S V Thursday, December 01, 2011 10:38 AM
    • Marked as answer by FofanovIS Friday, December 02, 2011 12:25 PM
    Thursday, December 01, 2011 10:13 AM

All replies

  • After all, IE didn't ask me for certificate selection. And the client certificate is for all purposes. How should IIS be configured? Which authentication mode should be chosen at the service and server level? There are many modes. Which modes should be turned on and which modes should be turned off?

    p.s. I should say that the communication between the client and the service is fine without using certificates.
    • Edited by FofanovIS Thursday, December 01, 2011 10:47 AM
    Thursday, December 01, 2011 10:33 AM
  • If you follow the steps to change the options in IE as said above for Internet and Intranet it should prompt for a client certificate selection. You can have anonymous authentication mode enabled
    Rajesh S V
    Thursday, December 01, 2011 10:46 AM
  • OK. I have changed the setting for intranet. The same error. But then I decided to add the certificates to the Root store. It helped. Now the request from IE involves the confirmation of the client certificate. When I confirm it I receive a new error: "Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service." If I try to connect from the client I receive "The HTTP request was forbidden with client authentication scheme 'Anonymous'. The authentication header received from the server "Negotiate, NTLM"".

    OK. I have turned on anonymous authentication in IIS and now all is OK. But the question is why the client certificate must be inside the Root store and not inside TrustedPeople. Why?
    • Edited by FofanovIS Thursday, December 01, 2011 11:59 AM
    Thursday, December 01, 2011 11:21 AM
  • The client certificate on client machines needs to be in the Current User --> Personal folder for IE to pick it up and send it.

    On the server machine it needs to be in the Local Machine --> Trusted People store.

    Who issued the client certificate? If you double click on your client certificate in the store you can see the "Issued By"

    This issuer's certificate needs to be present in the Root store for the server to know that it has been issued by a trusted authority.



    Rajesh S V
    Thursday, December 01, 2011 12:08 PM
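    The store placement and "Intended Purpose" checks from the two answers above can be done from code instead of clicking through certmgr. The following console program is an added example and is not code from the thread or from WCF; it assumes the subject names used in the question ("TicketSalesClient", "TicketSalesServer") and the store locations Rajesh lists, and reports for each expected (location, store, subject) whether a matching certificate is present, whether its Enhanced Key Usage (what certmgr shows as Intended Purpose) covers the needed purpose, and whether its issuer (the certificate itself, when self-signed) is in the machine's Trusted Root store, which is the part the original poster found was missing.

    ```csharp
    // Added example (not from the thread): verifies the certificate placement the
    // answers above describe and the Intended Purpose (EKU) of each certificate.
    // Subject names are the ones used in the question; adjust for your environment.
    using System;
    using System.Security.Cryptography;
    using System.Security.Cryptography.X509Certificates;

    static class CertPlacementCheck
    {
        const string ClientAuthOid = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth
        const string ServerAuthOid = "1.3.6.1.5.5.7.3.1"; // id-kp-serverAuth

        static void Main()
        {
            // On the server: WCF's PeerTrust mode looks the client certificate up here.
            Check(StoreLocation.LocalMachine, StoreName.TrustedPeople, "TicketSalesClient", ClientAuthOid);
            // On the server: the service certificate IIS/WCF presents to clients.
            Check(StoreLocation.LocalMachine, StoreName.My, "TicketSalesServer", ServerAuthOid);
            // On the client: IE and the WCF client pick the client certificate from here.
            Check(StoreLocation.CurrentUser, StoreName.My, "TicketSalesClient", ClientAuthOid);
        }

        static void Check(StoreLocation location, StoreName name, string subject, string requiredEku)
        {
            var store = new X509Store(name, location);
            store.Open(OpenFlags.ReadOnly);
            try
            {
                // FindBySubjectName is a case-insensitive substring match, the same
                // lookup the findValue/x509FindType attributes in web.config perform.
                X509Certificate2Collection found =
                    store.Certificates.Find(X509FindType.FindBySubjectName, subject, false);
                Console.WriteLine("{0}\\{1} '{2}': {3} match(es)", location, name, subject, found.Count);
                foreach (X509Certificate2 cert in found)
                {
                    Console.WriteLine("  Thumbprint {0}, issued by {1}", cert.Thumbprint, cert.Issuer);
                    Console.WriteLine("  Has EKU {0}: {1}", requiredEku, HasEku(cert, requiredEku));
                    Console.WriteLine("  Issuer in LocalMachine\\Root: {0}", IssuerInRoot(cert));
                }
            }
            finally { store.Close(); }
        }

        // "Intended Purpose" in certmgr is the Enhanced Key Usage extension.
        // A certificate that carries no EKU extension is valid for all purposes.
        static bool HasEku(X509Certificate2 cert, string oid)
        {
            bool sawEku = false;
            foreach (X509Extension ext in cert.Extensions)
            {
                var eku = ext as X509EnhancedKeyUsageExtension;
                if (eku == null) continue;
                sawEku = true;
                foreach (Oid o in eku.EnhancedKeyUsages)
                    if (o.Value == oid) return true;
            }
            return !sawEku;
        }

        // True when the issuer's certificate is in the machine Trusted Root store.
        // For a self-signed certificate Issuer equals Subject, so the certificate
        // itself must be there, which is what the poster observed above.
        static bool IssuerInRoot(X509Certificate2 cert)
        {
            var root = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
            root.Open(OpenFlags.ReadOnly);
            try
            {
                return root.Certificates.Find(
                    X509FindType.FindBySubjectDistinguishedName, cert.Issuer, false).Count > 0;
            }
            finally { root.Close(); }
        }
    }
    ```

    Run it once on the server and once on the client (the CurrentUser check only means something under the account the client runs as). Note that the TLS handshake IIS performs through SChannel validates the client certificate's chain to a trusted root before the request ever reaches WCF, so PeerTrust in web.config on its own does not remove the need for the issuer to be in LocalMachine\Root.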
  • Oops. It works only with


    System.Net.ServicePointManager.ServerCertificateValidationCallback =
        new System.Net.Security.RemoteCertificateValidationCallback(
            delegate
            {
                // Accepts every server certificate, whatever its chain or name
                return true;
            });
    

    If I comment this then I receive: Could not establish trust relationship for the SSL/TLS secure channel with authority "192.168.0.64".


    Thursday, December 01, 2011 12:11 PM
  • That is because you are using a self signed certificate. Once you have a certificate issued by a proper authority you would not need that code.
    Rajesh S V
    Thursday, December 01, 2011 12:13 PM
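    A callback that always returns true switches off server certificate validation for every HTTPS connection in the process, not only for this service. If a self-signed certificate has to be accepted from code rather than by putting it in the Trusted Root store, the narrower option is to accept exactly that one certificate by thumbprint. The following is an added example, not code from the thread or from the WCF/.NET documentation; the thumbprint value is a placeholder to be replaced with the one shown on the certificate's Details tab.

    ```csharp
    // Added example (not from the thread): accept only the one self-signed server
    // certificate that was installed, instead of accepting any certificate.
    using System;
    using System.Net;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;

    static class PinnedServerCertificate
    {
        // Placeholder; replace with the real SHA-1 thumbprint of TicketSalesServer.
        const string ExpectedThumbprint = "0000000000000000000000000000000000000000";

        // Errors a self-signed certificate is expected to produce: an untrusted chain,
        // and a name mismatch when the client connects by IP (as in the error above).
        // Everything else, including a missing certificate, is still rejected.
        const SslPolicyErrors Tolerated =
            SslPolicyErrors.RemoteCertificateChainErrors |
            SslPolicyErrors.RemoteCertificateNameMismatch;

        public static void Install()
        {
            ServicePointManager.ServerCertificateValidationCallback = Validate;
        }

        public static bool Validate(object sender, X509Certificate certificate,
                                    X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            // A certificate that passes normal validation needs no exception at all.
            if (sslPolicyErrors == SslPolicyErrors.None) return true;

            // Any error outside the tolerated set fails closed.
            if ((sslPolicyErrors & ~Tolerated) != 0) return false;
            if (certificate == null) return false;

            // Only the pinned certificate is accepted; a different self-signed
            // certificate presented on the same address is still refused.
            var presented = new X509Certificate2(certificate);
            return string.Equals(presented.Thumbprint, ExpectedThumbprint,
                                 StringComparison.OrdinalIgnoreCase);
        }
    }
    ```

    Call PinnedServerCertificate.Install() once at client start-up, before the proxy is created. Because ServicePointManager is process-wide, this still affects every outgoing HTTPS call the process makes; a WCF-only alternative is to set the service certificate authentication on the proxy's ClientCredentials to X509CertificateValidationMode.Custom with a validator class, or, as Fabio's reply below says, to put the self-signed certificate in the Trusted Root store so that neither the callback nor svcutil's error from the question is needed.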
  • But how can I avoid requiring a certificate issued by a trusted authority?
    Thursday, December 01, 2011 12:30 PM
  • If you do not wish to purchase a certificate then you can switch to the username/password authentication mechanism.
    • Edited by Rajesh S V Thursday, December 01, 2011 1:56 PM
    Thursday, December 01, 2011 1:55 PM
  • Hi FofanovIS,

    since the certificate is self issued, you must also add it in the Trusted Authorities store.

    HTH
    Fabio 


    Fabio Cozzolino
    Microsoft MVP Connected System Developer
    Blogs: http://dotnetside.org/blogs/fabio http://weblogs.asp.net/fabio
    Windows Azure. Programmare per il Cloud Computing - http://bit.ly/l5An4P
    Professional WCF 4 - http://bit.ly/avD3xE
    Thursday, December 01, 2011 8:15 PM
  • Am I right that if I deploy the service to IIS and configure a web site for using https with self-signed certificate then I don't need to configure web.config like this?

    <behavior name="secureBehavior">
              <serviceThrottling maxConcurrentInstances="5000" maxConcurrentSessions="5000" />
              <serviceMetadata httpsGetEnabled="true" />
              <serviceDebug includeExceptionDetailInFaults="True" />
              <serviceCredentials>
                <serviceCertificate findValue="TicketSalesServer" 
                                    storeLocation="LocalMachine"
                                    storeName="My"
                                    x509FindType="FindBySubjectName"/>
                <clientCertificate>
                  <authentication certificateValidationMode="PeerTrust"/>
                </clientCertificate>
              </serviceCredentials>
            </behavior>
    

    Friday, December 02, 2011 6:41 AM
  • Yes. I'm right.
    Friday, December 02, 2011 8:27 AM
  • Yes, you do not need to specify the service certificate since it's mapped on your IIS, but you need to specify the client certificate element as you are trying to use client authentication using certificates.
    Rajesh S V
    Friday, December 02, 2011 10:14 AM