WCF Mutual Certificate authentication to load balanced web servers on different domain

  • Question

  • Hello,

    I was looking for someone to put me in the right direction.  I have been spending some time on configuring bindings for a solution that would be an X509 certificate mutual authentication between the client and the server.  The hurdle that I believe is causing me headaches is that the WCF service resides in a hosting environment that is on a different domain.  In addition there is a load balancer that sits in front of two web servers.  The hurdle is that only the load balancer requires the traffic to be SSL.  Once it meets that requirement, the load balancer redirects to the web server with standard HTTP traffic.

    Not too long ago, I had to put up a WCF service that supported username authentication over SSL, and I had to come up with a custom binding element extension to allow the credentials to come through with standard HTTP traffic.  I know and understand the ramifications of this.  Different story, but I am wondering if something custom would need to be developed here.

    The x509 certificate I am using for DEV/Testing is self-signed.  On the client, for dev and testing purposes, I am returning true for ServicePointManager.ServerCertificateValidationCallback.

    I have tried different binding configurations, which is the reason I am not posting them and am just looking for someone to point me in the right direction to go down.

    Basically the errors I keep getting client side are about verifying security for the message.  

    Server side the typical message would be "WCF Security Processor was unable to find a security header in the message.  The servers are down for maintenance."

    What I am looking for is could it be one of the following:

    1) Based on the architecture, can all standard binding configuration accomplish this?

    2) Is there a custom piece that I need to do to support this architecture of load balancer redirecting to HTTP?

    3) Because of the architecture, there is no way to make this happen. 

    Please let me know if you have any questions.  Thanks!

    Sunday, November 6, 2016 4:34 PM

All replies

  • Hi eblah,

    Do you mean you want to achieve an SSL request between the client and the load balancer, and mutual certificate authentication between the load balancer and the back-end service, or do you want to achieve an SSL request, and an HTTP redirect between the load balancer and the back-end service? In other words, is your certificate used for authentication or for SSL encryption?

    For things to consider when implementing a load balancer with WCF, I suggest you refer to the link below:

    #Things to Consider When Implementing a Load Balancer with WCF

    https://msdn.microsoft.com/en-us/library/hh273122(v=vs.100).aspx

    For this flow Outside (https) -> LB -> Inside (http), I suggest you refer to the link below:

    # WCF: SSL offloading in load balancer – a simple approach

    https://blogs.msdn.microsoft.com/dsnotes/2016/05/14/wcf-ssl-offloading-in-load-balancer-a-simple-approach/

    Best Regards,

    Edward


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Monday, November 7, 2016 2:27 AM
  • Thanks Edward!  The second article was what I was looking for in my last project.  I couldn't figure that out but that is great to know.  

    For the certificate, I was hoping to use the x509 cert for authentication.  It is already a requirement by the hosting facility that communication between the client and the load balancer be SSL.  They have their own certificate for that.  In the perfect world, I would like to see the x509 certificate on the client be passed to the WCF service and compared and verified.  Is this possible?  

    Monday, November 7, 2016 1:44 PM
  • Hi eblah,

    There are three security modes in WCF: transport security mode, message security mode and TransportWithMessageCredential security mode. When SSL offloading is enabled, all communication from the load balancer to the web servers is done in clear text (HTTP), even for HTTPS requests from clients to the load balancer. In other words, the client talks to the device over HTTPS and the device then talks to the service using HTTP. A WCF client/service solution that relies on transport security (HTTPS) may fail to run with such a device because now the web server doesn't have SSL enabled and the SSL is terminated at the device.

    For certificate authentication, you will need to use TransportWithMessageCredential security mode, and you need to try allowInsecureTransport because the hosting environment will not support SSL between the load balancer and the service.

    You could refer to the link below for more information.

    # WCF and Intermediate Devices

    https://blogs.msdn.microsoft.com/distributedservices/2010/05/13/wcf-and-intermediate-devices/

    Best Regards,

    Edward


    Tuesday, November 8, 2016 5:23 AM
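
The shape Edward describes, written out as an added example (this is not code from the thread or from the linked articles): the client certificate travels as a message-level credential, the client's transport is HTTPS because it only ever reaches the load balancer, and the service's transport is plain HTTP with AllowInsecureTransport enabled because the load balancer forwards clear text. The contract, the addresses and the certificate subject name are assumptions made up for the example.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;

// Assumed contract for the example; the thread never names one.
[ServiceContract]
public interface IEchoService
{
    [OperationContract]
    string Echo(string input);
}

public static class MixedModeBindings
{
    // Service side: the load balancer terminates TLS, so the service listens on HTTP.
    public static CustomBinding ForService()
    {
        // CertificateOverTransport = client certificate signs the message (message-level
        // credential); confidentiality is expected from the transport layer.
        TransportSecurityBindingElement security =
            SecurityBindingElement.CreateCertificateOverTransportBindingElement();

        // Default is false, which is why WCF rejects this binding on http://.
        // This is the allowInsecureTransport switch from the reply; it is only
        // defensible when the LB -> web server hop is an isolated, trusted segment.
        security.AllowInsecureTransport = true;

        return new CustomBinding(
            security,
            new TextMessageEncodingBindingElement(),
            new HttpTransportBindingElement());
    }

    // Client side: same security element, but HTTPS, since the client talks to the LB.
    public static CustomBinding ForClient()
    {
        TransportSecurityBindingElement security =
            SecurityBindingElement.CreateCertificateOverTransportBindingElement();

        return new CustomBinding(
            security,
            new TextMessageEncodingBindingElement(),
            new HttpsTransportBindingElement());
    }
}

public static class HostSetup
{
    // Address is an assumption: the web server's internal HTTP listener behind the LB.
    public static ServiceHost Configure(Type implementation)
    {
        var host = new ServiceHost(implementation,
            new Uri("http://webserver01.internal.example/echo"));
        host.AddServiceEndpoint(typeof(IEchoService), MixedModeBindings.ForService(), "");

        // Validate the client certificate instead of accepting any presented certificate.
        // ChainTrust for CA-issued certificates; PeerTrust (Trusted People store) is the
        // usual choice while a self-signed DEV certificate is in play.
        X509ClientCertificateAuthentication auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        auth.RevocationMode = X509RevocationMode.Online;
        return host;
    }
}

public static class ClientSetup
{
    // Address and subject name are assumptions: the hosting facility's LB and the
    // client's own certificate in the current user's personal store.
    public static ChannelFactory<IEchoService> Configure()
    {
        var factory = new ChannelFactory<IEchoService>(
            MixedModeBindings.ForClient(),
            new EndpointAddress("https://lb.hosting.example/echo"));

        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My,
            X509FindType.FindBySubjectName, "dev-client");
        return factory;
    }
}
```

The asymmetry between ForService and ForClient is the whole point: both sides agree on the message-level certificate credential, while the transport binding element differs because each side sees a different hop. The same settings can be expressed in configuration as a customBinding with `<security authenticationMode="CertificateOverTransport" allowInsecureTransport="true">` over `<httpTransport/>` on the service side.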