configuring a WCF client to consume a Certificate Secured WCF service.

  • Question

  • Hello,

    I am creating a certificate-secured WCF service with WSHttpBinding hosted in IIS. I did the server part, but for the client I designed a generic WCF client which accepts the URI of the server metadata and constructs the proxy class. I tested my client against various services which have no security and with Windows security, and it worked well. Now I want to make my client work even with certificate security (even though we have WCFTestClient, it will fail if the service is secured with certificate security. This is what I am thinking; am I wrong?).

    I created the server certificate using the makecert command in the VS command prompt. I need to code the client-side configuration; someone please help me in achieving this.

     

    My server config is as follows:

    <system.serviceModel>
        <bindings>
          <wsHttpBinding>
            <binding name="WsHttpBindingConfig">
              <security mode="Message">
                <message clientCredentialType="Certificate"/>
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
        <services>
          <service name="certificate.Calculator">
            <endpoint address="" binding="wsHttpBinding" bindingConfiguration="WsHttpBindingConfig"
              contract="certificate.ICalculator">
              <!--<identity>
                <dns value="localhost" />
              </identity>-->
            </endpoint>
            <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
            <host>
              <baseAddresses>
                <add baseAddress="http://localhost:8733/Design_Time_Addresses/certificate/Service1/" />
              </baseAddresses>
            </host>
          </service>
        </services>
        <behaviors>
          <serviceBehaviors>
            <behavior>
              <!-- To avoid disclosing metadata information,
              set the values below to false before deployment -->
              <serviceMetadata httpGetEnabled="True" httpsGetEnabled="True"/>
              <!-- To receive exception details in faults for debugging purposes,
              set the value below to true.  Set to false before deployment
              to avoid disclosing exception information -->
              <serviceDebug includeExceptionDetailInFaults="False" />
              <serviceCredentials>
                <serviceCertificate findValue="e520069fafe87b2630137858af823ee44f729762" storeName="My" x509FindType="FindByThumbprint" storeLocation="LocalMachine"/>
              </serviceCredentials>
            </behavior>
          </serviceBehaviors>
        </behaviors>
      </system.serviceModel>
    </configuration>

    I am passing the client credential details in this way:

    bindwsHttp.Security.Mode = SecurityMode.Message;
    bindwsHttp.Security.Message.NegotiateServiceCredential = false;
    bindwsHttp.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

    // Instance of the proxy class
    dynamic obj = Activator.CreateInstance(service, bindwsHttp, endpointaddress);

    obj.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine,
        StoreName.My, X509FindType.FindByThumbprint, "e520069fafe87b2630137858af823ee44f729762");

    // Calling a method; I am getting the exception here.
    object result_obj = methodname.Invoke(obj, param);

    The exception is:

    {"The service certificate is not provided for target 'http://minint-7mde6d9.fareast.corp.microsoft.com:833/certificate.Calculator.svc?wsdl'. Specify a service certificate in ClientCredentials. "}


    Please, someone help me in tracing out my mistake.
     

     

    Thank you.

     


    MANIKANTA


    • Edited by Manikanta3 Monday, July 1, 2013 1:25 PM
    Monday, July 1, 2013 9:48 AM

All replies

  • Hi,

    As the error suggests it seems that your client is not providing a certificate. The first step you could do to troubleshoot this is to ensure that your client certificate is where you need it to be and the name in your config file is correct. You can do that with MMC. Here are the instructions on how to do that:

    #How to: View Certificates with the MMC Snap-in:
    http://msdn.microsoft.com/en-us/library/ms788967.aspx

    I would also try adding a client certificate manually through code:

    #How to: Specify Client Credential Values:
    http://msdn.microsoft.com/en-us/library/ms732391.aspx

    #Message Security with a Certificate Client:
    http://msdn.microsoft.com/en-us/library/ms733098.aspx

    Hope it can help you.

    Best Regards.


    Amy Peng
    MSDN Community Support | Feedback to us
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.



    Tuesday, July 2, 2013 9:09 AM
    Moderator
  • Hi,

    I provided the client certificate, then it asked for the service certificate, which I provided with the following code. Now it is throwing a new exception.

    Code snippet:

    bindwsHttp.Security.Mode = SecurityMode.Message;
    bindwsHttp.Security.Message.NegotiateServiceCredential = false;
    bindwsHttp.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

    // Instance of the proxy class
    dynamic obj = Activator.CreateInstance(service, bindwsHttp, endpointaddress);

    obj.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;
    obj.ChannelFactory.Credentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultNetworkCredentials;

    obj.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.PeerOrChainTrust;
    obj.ClientCredentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "e520069fafe87b2630137858af823ee44f729762");

    obj.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "e520069fafe87b2630137858af823ee44f729762");

    The new exception is:

    "Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'minint-7mde6d9.fareast.corp.microsoft.com' but the remote endpoint provided DNS claim 'tempCertServer'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'tempCertServer' as the Identity property of EndpointAddress when creating channel proxy. "} 

    Then I had a doubt whether my server is in the right condition.

    So I created a console application and added the server URI via Add Service Reference; VS created the config, then I ran that. I got the same exception.

    I found this statement in the client config file:

    <identity>
        <dns value="minint-7mde6d9.fareast.corp.microsoft.com" />
    </identity>

    I made a small change to this statement, as follows:

    <identity>
        <dns value="tempCertServer" />  <!-- tempCertServer is my server certificate name. -->
    </identity>

    I was surprised; it's working fine.

    Now the question before me is how to set the value to "tempCertServer".

    Can you suggest something in this direction?

    Thank you.


    MANIKANTA

    Tuesday, July 2, 2013 12:17 PM
  • Hi,

    Using the following works for you:

    <identity>
        <dns value="tempCertServer" />  <!-- tempCertServer is my server certificate name. -->
    </identity>

    What do you mean by set the value to "tempCertServer"?

    Here is a similar thread:
    http://stackoverflow.com/questions/1629715/why-does-wcf-complain-over-identity-check-failure

    Hope it can help you.

    Best Regards.


    Amy Peng


    Tuesday, July 9, 2013 2:14 AM
    Moderator
  • Hi,

        Thank you. Now it is working.

    Thank you.


    MANIKANTA


    • Edited by Manikanta3 Tuesday, July 9, 2013 4:22 AM spelling mistake
    Tuesday, July 9, 2013 4:21 AM
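
The `<identity><dns value="tempCertServer" /></identity>` setting that resolved this thread can also be applied in code by a generic client. The following is an added example, not code from any poster: it reads the DNS name from the pinned service certificate and passes it as the expected endpoint identity. The class and method names, the certificate store choices and the thumbprint parameters are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

static class CertSecuredClient   // hypothetical helper, not from the thread
{
    // Load exactly one certificate by thumbprint from LocalMachine (store is an assumption).
    static X509Certificate2 Find(StoreName storeName, string thumbprint)
    {
        var store = new X509Store(storeName, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var hits = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (hits.Count != 1)
                throw new InvalidOperationException("Expected exactly one certificate for " + thumbprint);
            return hits[0];
        }
        finally { store.Close(); }
    }

    // proxyType: a generated ClientBase<T> type with a (Binding, EndpointAddress) constructor.
    public static object Create(Type proxyType, Uri serviceUri,
                                string serviceThumbprint, string clientThumbprint)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        binding.Security.Message.NegotiateServiceCredential = false;

        // Public part of the service certificate, installed out of band on the client.
        X509Certificate2 serviceCert = Find(StoreName.TrustedPeople, serviceThumbprint);

        // The identity check compares against the certificate's DNS name
        // ("tempCertServer" in the thread), not the host name in the URI.
        string dnsName = serviceCert.GetNameInfo(X509NameType.DnsName, false);
        if (string.IsNullOrEmpty(dnsName))
            throw new InvalidOperationException("Service certificate carries no DNS name.");
        var address = new EndpointAddress(serviceUri, EndpointIdentity.CreateDnsIdentity(dnsName));

        dynamic proxy = Activator.CreateInstance(proxyType, binding, address);
        proxy.ClientCredentials.ServiceCertificate.DefaultCertificate = serviceCert;
        proxy.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerOrChainTrust;
        proxy.ClientCredentials.ClientCertificate.Certificate = Find(StoreName.My, clientThumbprint);
        return proxy;
    }
}
```

Deriving the identity from the certificate the client already pins keeps the identity check enabled while making it match the certificate's name rather than the machine's host name.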