Enabling IIS Client Certificates Mapping Authentication for WCF Rest Service

  • Question

  • I am developing a WCF-based REST service (webHttpBinding) deployed in IIS 10 (Windows 10).

    Now I have a requirement to configure this web service to use an SSL certificate, and I want to ensure that the client uses only that certificate to allow secure communication.

    However, when I configure the https binding of my web service for a specific certificate (Cert_A) and the client uses Cert_B instead of Cert_A, the communication works, even though Cert_A and Cert_B don't have a common CA.

    My requirement is to ensure that communication works if and only if both the web service and the client use the same certificate, or in the worst case a common CA. How can I achieve this?

    I was trying to configure my web service for one-to-one certificate mapping to achieve my requirement, as described in this link:

    https://docs.microsoft.com/en-us/iis/manage/configuring-security/configuring-one-to-one-client-certificate-mappings/

    When I try to configure it using Configuration Editor, it reports the error "Cannot add duplicate collection entry of type 'add' with unique key attribute 'certificate' set to 'xxxx'".

    When I look at my Web.config file, it contains the following lines, created by the above steps:

    ....

    <system.webServer>
      <security>
        <authentication>
          <iisClientCertificateMappingAuthentication oneToOneCertificateMappingsEnabled="true">
            <oneToOneMappings>
              <add certificate="XXXX" />
            </oneToOneMappings>
          </iisClientCertificateMappingAuthentication>
        </authentication>
      </security>
    </system.webServer>

    Please help me find a solution to either of the above two problems.

    Saturday, March 23, 2019 5:56 AM

All replies

  • Hi Achal kumar,

                

    >>My requirement is ensure communication work if and only if both WebService and Client uses same certificate or worst case common CA. How can i achieve this? 
    Setting the following configuration on the server side indicates that the authentication mode for the client is certificate.

    <bindings>
      <webHttpBinding>
        <binding>
          <security mode="Transport">
            <transport clientCredentialType="Certificate"></transport>
          </security>
        </binding>
      </webHttpBinding>
    </bindings>
    Then set the authentication mode (programmatically):
    https://i.stack.imgur.com/8zt10.png
    When we set the mode to Custom, we should specify the certificate validation class manually.

    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceCredentials>
            <clientCertificate>
              <authentication certificateValidationMode="Custom" customCertificateValidatorType="WcfServiceLibrary1.MyX509Validator,WcfServiceLibrary1"/>
            </clientCertificate>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>

    Validation class:

    using System;
    using System.IdentityModel.Tokens;
    using System.Security.Cryptography.X509Certificates;

    namespace WcfServiceLibrary1
    {
        public class MyX509Validator : System.IdentityModel.Selectors.X509CertificateValidator
        {
            public override void Validate(X509Certificate2 certificate)
            {
                // Accept only the one client certificate whose thumbprint matches.
                if (!certificate.Thumbprint.Equals("B9DF5B912B8CF8EAB07A7BB9B0D17694522AB0CE", StringComparison.CurrentCultureIgnoreCase))
                {
                    throw new SecurityTokenException("Unknown Certificate");
                }
            }
        }
    }

    When we use other authentication modes, make sure that the server and client certificates are installed in the correct places:
    None: you could put the certificate anywhere.
    PeerTrust: you should put the certificate in the Trusted People store.
    ChainTrust: if the chain builds to a certification authority in the Trusted Root store, then the certificate is valid.
    PeerOrChainTrust: the above.
    Custom: we should specify the custom X509 validator class, which implements System.IdentityModel.Selectors.X509CertificateValidator.
    https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/transport-security-with-certificate-authentication
    Feel free to let me know if there is anything I can help with.
    Best Regards
    Abraham

       
    Monday, March 25, 2019 4:25 AM
    Moderator
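As an added example (not code from the thread or from Abraham's reply), the validator below extends the single-thumbprint check to the two cases the question asks for: the client presents an exact pinned certificate, or a certificate whose chain terminates at one specific trusted CA. The class name, namespace and placeholder thumbprints are assumptions; it is registered through the customCertificateValidatorType attribute shown in the reply, in place of MyX509Validator.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

namespace WcfServiceLibrary1
{
    // Hypothetical validator: accepts a client certificate either because its
    // thumbprint is allow-listed (the "same certificate" case) or because its
    // chain builds to the one CA the service trusts (the "common CA" case).
    public class PinnedOrCommonCaValidator : X509CertificateValidator
    {
        // Placeholder values; replace with the thumbprints of your deployment.
        private static readonly HashSet<string> AllowedThumbprints = new HashSet<string>(
            new[] { "THUMBPRINT_OF_CERT_A" }, StringComparer.OrdinalIgnoreCase);
        private const string TrustedCaThumbprint = "THUMBPRINT_OF_COMMON_CA";

        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
                throw new ArgumentNullException("certificate");

            // Case 1: exact certificate pinned by thumbprint.
            if (AllowedThumbprints.Contains(certificate.Thumbprint))
                return;

            // Case 2: the chain must build successfully and end at the expected CA.
            using (var chain = new X509Chain())
            {
                // Fail closed if revocation cannot be checked; the host must reach
                // the CA's CRL/OCSP endpoints for this to succeed.
                chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
                chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

                if (!chain.Build(certificate))
                {
                    string reason = chain.ChainStatus.Length > 0
                        ? chain.ChainStatus[0].StatusInformation.Trim()
                        : "unknown";
                    throw new SecurityTokenException("Client certificate chain invalid: " + reason);
                }

                // ChainElements is ordered leaf first, so the last element is the root.
                X509ChainElementCollection elements = chain.ChainElements;
                X509Certificate2 root = elements[elements.Count - 1].Certificate;
                if (!string.Equals(root.Thumbprint, TrustedCaThumbprint, StringComparison.OrdinalIgnoreCase))
                    throw new SecurityTokenException("Client certificate does not chain to the trusted CA");
            }
        }
    }
}
```

Pinning the root by thumbprint rather than relying on ChainTrust alone means a certificate issued by any other CA in the machine's Trusted Root store is still rejected.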