The HTTP request was forbidden with client authentication scheme 'Anonymous'

  • Question

  • I know it's a common problem, but I haven't found a solution yet to my problem.
    I've created a WCF service using SSL with client certificates.
    The SSL is working both ways. (I suppose to have a client certificate and a service certificate.)
    The certificate I'm using is self-signed and I registered the .pfx file to my computer. (The same computer the service is on.)
    When I run the service and client side from my computer, the process works great and I can access my service.
    When I export my self-signed certificate (to a .cer file, with no private key - only the public key) and register it to another remote computer, I get the following error while running the client:

    "The HTTP request was forbidden with client authentication scheme 'Anonymous'"

    I know it is wrong to export my self-signed cert to another computer, but I think it is supposed to work. (Unless it is an issuer problem, and then my WCF client didn't consider it a valid cert - I haven't checked yet.)

    It is only for development purposes, but I just want to be sure it will work when I use certificates the normal way, before I make any purchases.

    Is there a solution for this error, using my self-signed cert? Just to try and make it work, I enabled access with the anonymous user -> set it to log on with the IIS user (IUSR for that matter) -> shared my wwwroot folder to the IIS user. But still my problem occurs.

    Can anyone suggest to me what to change in my configs, in case of purchasing real certificates?

    My service config:

    <system.serviceModel>
        <bindings>
            <basicHttpBinding>
                <!-- transport security: HTTPS, and the client must present a certificate -->
                <binding name="myBinding" maxReceivedMessageSize="999999999999">
                    <security mode="Transport">
                        <transport clientCredentialType="Certificate" />
                    </security>
                </binding>
            </basicHttpBinding>
        </bindings>
        <behaviors>
            <serviceBehaviors>
                <behavior name="myBeh">
                    <serviceMetadata httpsGetEnabled="true" httpsGetUrl="https://MY_ADDRESS"/>
                    <serviceCredentials>
                        <!-- the service's own (server) certificate, looked up by subject DN -->
                        <serviceCertificate findValue="MY_SUBJECT_NAME"
                                            storeLocation="LocalMachine"
                                            x509FindType="FindBySubjectDistinguishedName"
                                            storeName="Root" />
                    </serviceCredentials>
                </behavior>
            </serviceBehaviors>
        </behaviors>
        <services>
            <service name="MY_SERVICE_NAME" behaviorConfiguration="myBeh">
                <endpoint contract="MY_CONTRACT_CLASS"
                          address=""
                          binding="basicHttpBinding"
                          bindingConfiguration="myBinding" />
                <host>
                    <baseAddresses>
                        <add baseAddress="https://MY_ADDRESS"/>
                    </baseAddresses>
                </host>
            </service>
        </services>
    </system.serviceModel>

    My client config:

    <system.serviceModel>
        <bindings>
            <basicHttpBinding>
                <binding name="myBinding" maxReceivedMessageSize="999999999999">
                    <security mode="Transport">
                        <transport clientCredentialType="Certificate" />
                    </security>
                </binding>
            </basicHttpBinding>
        </bindings>
        <behaviors>
            <endpointBehaviors>
                <behavior name="myBeh">
                    <clientCredentials>
                        <!-- the certificate the client presents during the TLS handshake -->
                        <clientCertificate findValue="MY_CLIENT_CERT"
                                           storeName="Root"
                                           x509FindType="FindBySubjectDistinguishedName"
                                           storeLocation="CurrentUser"/>
                    </clientCredentials>
                </behavior>
            </endpointBehaviors>
        </behaviors>
        <client>
            <endpoint address="https://MY_ADDRESS"
                      binding="basicHttpBinding" bindingConfiguration="myBinding"
                      contract="MY_CONTRACT" name="MyClient" endpointConfiguration="myBeh" />
        </client>
    </system.serviceModel>

    Only the program's logic is in code; it has no effect on the settings.
    Tuesday, October 1, 2013 5:23 PM

All replies

  • Hi Queex,

    From your code, please check in the client's config file whether you have set behaviorConfiguration="myBeh" rather than endpointConfiguration="myBeh". Code snippet from your code:

    <client>
          <endpoint address="https://MY_ADDRESS"
            binding="basicHttpBinding" bindingConfiguration="myBinding"
            contract="MY_CONTRACT" name="MyClient" endpointConfiguration="myBeh" />
    </client>

    If the issue still exists, to narrow it down and confirm that it is related to the client certificate, you can try setting clientCredentialType="None" to check if it works.

    Best Regards.


    Thanks
    MSDN Community Support


    Wednesday, October 2, 2013 6:25 AM
    Moderator
  • Oh yes, it was behaviorConfiguration and not endpointConfiguration, a little mix-up I made.

    Anyway, the problem still exists, but I had some progress.

    Everything WORKS FINE with the remote client and server - only when I put the .pfx certificate in the client computer too. (The one with the private key.)

    Although, if I put the .cer certificate (which I made the .pfx certificate from) in the client computer, and in my server I put the .pfx certificate, it doesn't work.

    Here is the process I followed:

    1) I used makecert to create a self-signed certificate -> it created 2 files: .cer and .pvk

    2) I used the pvk2pfx tool to create a .pfx certificate from the 2 files above.

    3) I put the .pfx certificate in the server's Trusted Root.

    4) I put the .cer certificate in the client's Trusted Root. Result: Didn't work.

    5) I deleted the .cer certificate from the client's Trusted Root.

    6) I put the .pfx certificate in the client's Trusted Root. Result: Worked!

    Now, although it is working, I'm sure it is not the safest way that my client will have the certificate which contains the private key.

    Should I try and export the .pfx file to a new .cer file? It seems dumb since I have the .cer file the .pfx was created from. Unless it considers it a whole new certificate.

    If I put both certificates (.cer and .pfx) in my server's Trusted Root, the server doesn't even load. (There is more than one certificate found with the same subject), so that's not an option.

    I will try tomorrow to export it and see if it works, but in case it doesn't, help please?

    Wednesday, October 2, 2013 7:41 PM
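Added example, not from this thread: the split the poster is after (private key only on the client, public certificate only on the server) done with the PowerShell PKI cmdlets that replaced makecert/pvk2pfx on Windows 8.1 / Server 2012 R2 and later. The subject name, file paths and store choices are assumptions; a .cer exported this way never carries the private key, so the server's copy cannot be used to impersonate the client.

```powershell
# Added example (not from the thread). Part 1 runs on the CLIENT machine,
# part 2 on the SERVER machine after copying the .cer file across.
$subject = "CN=MyWcfClient"   # placeholder: must match findValue in the client config

# --- Part 1, client: create the client certificate in the user's Personal store ---
# Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2) so it is usable for TLS client auth.
$cert = New-SelfSignedCertificate -Subject $subject `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2") `
    -NotAfter (Get-Date).AddYears(1)

# Export only the public part. Export-Certificate writes DER (.cer) with no private key;
# the private key stays in the client's store and is never copied anywhere.
Export-Certificate -Cert $cert -FilePath "$env:TEMP\client-public.cer" | Out-Null

# Check: the client's copy must hold the private key, or the TLS handshake cannot use it.
$clientCopy = Get-ChildItem "Cert:\CurrentUser\My" | Where-Object { $_.Subject -eq $subject }
if (-not $clientCopy.HasPrivateKey) { throw "client certificate has no private key" }

# --- Part 2, server: import the public certificate as a trusted peer ---
$serverCopy = Import-Certificate -FilePath ".\client-public.cer" `
    -CertStoreLocation "Cert:\LocalMachine\TrustedPeople"

# Check: the server's copy must NOT carry a private key. If it does, a .pfx was
# imported instead of the .cer and should be removed from the server store.
if ($serverCopy.HasPrivateKey) { throw "private key present on the server; import the .cer, not the .pfx" }
Write-Host "client cert $($serverCopy.Thumbprint) trusted on server, public part only"
```

Importing the public .cer into TrustedPeople pairs with certificateValidationMode="PeerTrust" under serviceCredentials/clientCertificate/authentication on the service side; dropping it into Trusted Root instead, as done in the thread, makes the default ChainTrust validation accept the self-signed certificate as its own root.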
  • Hi,

    What is the error message now? Did you try ignoring certificate validation by setting X509CertificateValidationMode to None?

    • Edited by oak_silver Thursday, October 3, 2013 11:57 AM
    Thursday, October 3, 2013 11:57 AM