The HTTP request was forbidden with client authentication scheme 'Anonymous' mutual handshake

  • Question

  • I am implementing mutual handshake over https using wcf, and I receive an error: "The HTTP request was forbidden with client authentication scheme 'Anonymous'."

    Service code:

            var binding = new BasicHttpBinding()
            {
                Security =
                {
                    Mode = BasicHttpSecurityMode.Transport,
                    Transport = { ClientCredentialType = HttpClientCredentialType.Certificate },
                },
            };
    
            var sh = new ServiceHost(typeof(EchoService), new Uri("https://localhost:9876"));
            //sh.Description.Behaviors.Add(new ServiceMetadataBehavior());
            //sh.AddServiceEndpoint(ServiceMetadataBehavior.MexContractName, MetadataExchangeBindings.CreateMexHttpsBinding(), "mex");
            sh.AddServiceEndpoint(typeof(IEchoService), binding, "");
            sh.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
            sh.Open();

    Client code:

            var binding = new BasicHttpBinding()
            {
                Security =
                {
                    Mode = BasicHttpSecurityMode.Transport,
                    Transport = { ClientCredentialType = HttpClientCredentialType.Certificate },
                },
            };
    
            var sslClientFactory = new ChannelFactory<IEchoService>(binding, "https://localhost:9876");
            sslClientFactory.Credentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
            var sslClient = sslClientFactory.CreateChannel();
            var response = sslClient.Echo("Https Echo");

    I have assigned this certificate to the port using httpcfg.


    If I change binding from BasicHttpBinding to NetTcpBinding it works fine.

    If I run two instances of my service (in one process), one which uses NetTcpBinding and second one which uses BasicHttpBinding, and consume it from net tcp client and https client, both works fine (clients use the same certificate).

    What causes it that if I run only my https client I get "The HTTP request was forbidden with client authentication scheme 'Anonymous'."?

    Tuesday, June 3, 2014 9:21 AM

Answers

  • Hi,

    It seems strange that your service works well with the nettcp client and https client, but does not work with only the https client.

    Maybe you can try to enable the wcf tracing to get more error information.

    The following configuration, taken from MSDN, can be applied to enable tracing on your WCF service.

    <configuration>
      <system.diagnostics>
        <sources>
          <source name="System.ServiceModel"
                  switchValue="Information, ActivityTracing"
                  propagateActivity="true" >
            <listeners>
                 <add name="xml"/>
            </listeners>
          </source>
          <source name="System.ServiceModel.MessageLogging">
            <listeners>
                <add name="xml"/>
            </listeners>
          </source>
          <source name="myUserTraceSource"
                  switchValue="Information, ActivityTracing">
            <listeners>
                <add name="xml"/>
            </listeners>
          </source>
        </sources>
        <sharedListeners>
            <add name="xml"
                 type="System.Diagnostics.XmlWriterTraceListener"
                 initializeData="Error.svclog" />
        </sharedListeners>
      </system.diagnostics>
    </configuration>

    Best Regards,
    Amy Peng


    Wednesday, June 4, 2014 8:56 AM
    Moderator
  • Hi Amy,

    thank you for your answer.

    I added logging as you advised, and on the server side I received:

    Client certificate is required. No certificate was found in the request.

    I added some other logging options and I received on the client:

    System.Net Information: 0 : [7984] SecureChannel#16266972 - We have user-provided certificates. The server has specified 145 issuer(s). Looking for certificates that match any of the issuers.
    System.Net Information: 0 : [7984] SecureChannel#16266972 - Left with 0 client certificates to choose from.

    I ran this solution on some other machine, and everything works fine.

    I removed all my certs from "Trusted Root Certification Authorities", inserted there only the certificate from this solution, and finally it works.

    I have noticed that I have a lot of doubled certs (pairs of two identical certs with the same thumbprint) in the store (I don't know how I put them there like that), and I think that this was the problem. Maybe when certs are doubled in the store, the server sends to the client only those issuers from the non-doubled certs?


    Thursday, June 5, 2014 7:53 AM
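    The client trace above ("Left with 0 client certificates to choose from") means the client found no certificate whose issuer matched the list the server sent. The following PowerShell script is an added example, not code from the thread: it reports duplicate entries in the Trusted Root store (the store Schannel builds its trusted-issuer list from by default, assumed here) and checks whether a given client certificate's issuer, private key and Client Authentication EKU are in place. The thumbprint parameter is a placeholder.

    ```powershell
    # Added example (not from the thread). Run elevated on the machine hosting the
    # WCF service and/or client. Replace the placeholder thumbprint with the real one.
    param(
        [string]$ClientThumbprint = 'PLACEHOLDER_CLIENT_CERT_THUMBPRINT'
    )

    $root = Get-ChildItem -Path Cert:\LocalMachine\Root

    # 1. Duplicate root certificates: the same thumbprint stored more than once.
    $dupes = $root | Group-Object -Property Thumbprint | Where-Object { $_.Count -gt 1 }
    if ($dupes) {
        Write-Host "Duplicate Trusted Root entries:"
        $dupes | ForEach-Object { "{0}  x{1}  {2}" -f $_.Name, $_.Count, $_.Group[0].Subject }
    } else {
        Write-Host "No duplicate thumbprints in Trusted Root."
    }

    # 2. Is the client certificate's issuer among the trusted roots the server
    #    would advertise in its TLS CertificateRequest? (DN string comparison)
    $client = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $ClientThumbprint }
    if (-not $client) {
        Write-Warning "Client certificate $ClientThumbprint not found in LocalMachine\My"
        return
    }
    $issuerMatch = @($root | Where-Object { $_.Subject -eq $client.Issuer })
    if ($issuerMatch.Count -gt 0) {
        Write-Host "Issuer '$($client.Issuer)' is in Trusted Root ($($issuerMatch.Count) entries)."
    } else {
        Write-Warning "Issuer '$($client.Issuer)' is NOT in Trusted Root; the server's issuer list cannot match this certificate."
    }

    # 3. The client also needs the private key and the Client Authentication EKU
    #    (OID 1.3.6.1.5.5.7.3.2) to be offered during the handshake.
    if (-not $client.HasPrivateKey) { Write-Warning "Client certificate has no private key." }
    $eku = $client.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })) {
        Write-Host "Client Authentication EKU present."
    } else {
        Write-Warning "Client Authentication EKU missing; the client will not select this certificate."
    }
    ```

    Duplicates reported in step 1 can be removed by thumbprint from the Root store with Remove-Item on the corresponding Cert:\ path once you have confirmed which copy to keep.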

All replies

  • Hi,

    Yes, you are right.

    Friday, June 13, 2014 7:12 AM