Peertrust client authentication in WCF exhibiting unexpected behavior

  • Question

  • I have two certificates, WCfServer (service certificate) and WcfClient (client certificate). I have also placed WcfClient in Trusted People on the server so that when a request comes in for the WCF service it should be able to validate it. But I have not put WCfServer in Trusted People on the client. Still, it is working fine. It should throw some kind of exception.

    Interestingly, when I delete WcfClient from the server's Trusted People, it doesn't work, which is the expected behavior. I don't understand why it doesn't work the same way when I delete WCfServer from the client's Trusted People.

    My service config file looks like this:

    <system.serviceModel>
    
        <bindings>
          <wsHttpBinding>
            <binding name="wsHttpEndpointBinding">
              <security mode="TransportWithMessageCredential">
                <message clientCredentialType="Certificate" />
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
        <client />
        <services>      
          <service name="SecureWCFLib.Service1" behaviorConfiguration="CustomBehavior">         
            <host>
              <baseAddresses>
                <add baseAddress="http://localhost:2330/Service1/" />
              </baseAddresses>
            </host>
            <endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding" contract="SecureWCFLib.IService1"  >      
              <identity>
                <dns value="localhost" />
              </identity>
            </endpoint>
            <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
          </service>
        </services>
        <behaviors>
          <serviceBehaviors>
            <behavior  name="CustomBehavior">
              <serviceMetadata httpGetEnabled="True" httpsGetEnabled="True" />
              <serviceDebug includeExceptionDetailInFaults="False" />
              <serviceCredentials>
                <clientCertificate>
                  <authentication certificateValidationMode="PeerTrust"/>
                </clientCertificate>
                <serviceCertificate findValue="WCfServer"
                  storeLocation="LocalMachine"
                  storeName="My"
                  x509FindType="FindBySubjectName" />
              </serviceCredentials>
            </behavior>
          </serviceBehaviors>
        </behaviors>
      </system.serviceModel>

    My client config file content is given below:

    <system.serviceModel>
      <bindings>
        <wsHttpBinding>
          <binding name="WSHttpBinding_IService1">
            <security mode="TransportWithMessageCredential">
              <message clientCredentialType="Certificate" />
            </security>
          </binding>
        </wsHttpBinding>
      </bindings>
      <client>
        <endpoint address="https://servername:2336/SecureWCFLib.Service1.svc"
          binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IService1"
          contract="ServiceReference1.IService1" name="WSHttpBinding_IService1"
          behaviorConfiguration="CustomBehavior">
        </endpoint>
      </client>
      <behaviors>
        <endpointBehaviors>
          <behavior name="CustomBehavior">
            <clientCredentials>
              <clientCertificate findValue="WcfClient" x509FindType="FindBySubjectName"
                storeLocation="CurrentUser" storeName="My" />
              <serviceCertificate>
                <authentication certificateValidationMode="PeerTrust"/>
              </serviceCertificate>
            </clientCredentials>
          </behavior>
        </endpointBehaviors>
      </behaviors>
    </system.serviceModel>

    Tuesday, September 30, 2014 9:10 AM

Answers

  • Hi gliese 581 g,

    I see that you are using the PeerTrust certificateValidationMode; in order to use the PeerTrust certificateValidationMode, our certificates have to be in the Trusted People certificate store. So if we delete the WcfClient (client certificate), it will throw an exception such as "The caller was not authenticated by the service".
    Then, as you said, when you delete the WCfServer (service certificate) from the Trusted People certificate store, it works very well. In my mind, it should throw the exception as described in this article. I wonder if you are calling the WCF service on localhost.

    For more information, please try to refer to the following article:
    http://blogs.msdn.com/b/ashishme/archive/2009/05/06/windows-communication-foundation-transport-message-security-and-mutual-authentication.aspx


    Best Regards,
    Amy Peng


    Wednesday, October 1, 2014 7:56 AM
    Moderator

All replies

  • I am having the same issue. I am also using the TransportWithMessageCredential security mode, and the server verifies the client certificate according to the certificateValidationMode defined on the server. However, when I define the certificateValidationMode on the client, it does not seem to make a difference. The client always uses ChainTrust (as far as I can tell without deleting my root certs). It definitely does NOT use PeerTrust, a requirement for my project.

    I also did not understand the configuration in the article that was cited in the last post. It said to configure clientCredentialType="Certificate" for both the transport and message security modes, which I tried without success. It also specifies the clientCertificate findValue on the server, which does not make sense. The service should be able to find the certificate in the cert store using the certificate sent from the client. In another part it shows creating a custom binding, but the example code is cut off.

    Is a custom binding required to use PeerTrust of the server certificate on the client?

    Does certificateValidationMode="PeerTrust" on the client only work with the security mode set to Message?

    Thursday, July 2, 2015 9:23 PM
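The behaviour both posters describe follows from which layer authenticates the server. The client-side clientCredentials/serviceCertificate/authentication setting (certificateValidationMode="PeerTrust" in the configs above) governs how WCF validates the service certificate used for message security. Under TransportWithMessageCredential the service is authenticated by the HTTPS (SSL/TLS) layer, whose certificate check belongs to the transport, so that setting is not consulted for the TLS certificate and removing WCfServer from the client's Trusted People changes nothing; the same setting does apply in Message mode, where the client holds the service certificate (clientCredentials/serviceCertificate/defaultCertificate) and uses it for message protection. The server side behaves as expected because the client certificate arrives as a message credential, which the service's clientCertificate/authentication PeerTrust setting does validate. To get peer-trust semantics for the TLS certificate without a custom binding, hook the transport's own validation. The C# below is an added example, not code from this thread, from the cited article or from WCF itself: the class, method and constant names are my own, "servername" is taken from the client endpoint address above, and it assumes a .NET Framework client, where WCF's HTTPS transport goes through HttpWebRequest and honours ServicePointManager.ServerCertificateValidationCallback.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example (hypothetical names): peer-trust validation of the HTTPS server
// certificate for a WCF client that uses TransportWithMessageCredential.
static class PeerTrustTransportValidator
{
    // Host of the WCF endpoint this policy applies to (assumed from the thread's client config).
    private const string ServiceHost = "servername";

    // Peer trust as WCF defines it for message security: the presented
    // certificate itself must be present in the Trusted People store.
    // Checks CurrentUser first, then LocalMachine.
    public static bool IsInTrustedPeople(X509Certificate2 cert)
    {
        foreach (var location in new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
        {
            var store = new X509Store(StoreName.TrustedPeople, location);
            try
            {
                store.Open(OpenFlags.ReadOnly);
                // validOnly: false so a self-signed certificate with no chain is still
                // matched; validity dates are checked separately by the caller.
                var hits = store.Certificates.Find(X509FindType.FindByThumbprint, cert.Thumbprint, false);
                if (hits.Count > 0)
                    return true;
            }
            finally
            {
                store.Close();
            }
        }
        return false;
    }

    // RemoteCertificateValidationCallback: invoked by the HTTPS stack, not by
    // WCF's clientCredentials/serviceCertificate/authentication setting.
    public static bool ValidateServerCertificate(object sender, X509Certificate certificate,
                                                 X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // The callback is process-wide. Apply peer trust only to calls to the
        // service host; keep the platform's verdict for every other HTTPS call.
        var request = sender as HttpWebRequest;
        if (request == null ||
            !string.Equals(request.RequestUri.Host, ServiceHost, StringComparison.OrdinalIgnoreCase))
        {
            return sslPolicyErrors == SslPolicyErrors.None;
        }

        if (certificate == null ||
            (sslPolicyErrors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0)
            return false;

        // Pinning to a known certificate does not excuse a host name mismatch.
        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            return false;

        // RemoteCertificateChainErrors is expected for a self-signed WCfServer and is
        // deliberately ignored here: peer trust replaces chain trust.
        var cert = new X509Certificate2(certificate);
        var now = DateTime.Now;
        if (now < cert.NotBefore || now > cert.NotAfter)
            return false;

        return IsInTrustedPeople(cert);
    }

    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
    }
}

class Program
{
    static void Main()
    {
        // Install before the first channel is opened; the generated proxy for
        // ServiceReference1.IService1 is then created and used unchanged.
        PeerTrustTransportValidator.Install();
    }
}
```

With this in place, removing WCfServer from the client's Trusted People store makes the call fail at the TLS handshake, which is the behaviour the original poster expected. The check on `sender` matters: ServicePointManager is shared by every HttpWebRequest in the process, so a callback that ignores chain errors unconditionally would silently weaken every other HTTPS connection the application makes.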