WCF Multiple authentication Modes in a single service hosted in IIS - Certificate and Windows

Question
-
Hi All
We're trying to change the client authentication mode for all our WCF (SOAP) services to Certificate (We're in windows mode now). We're trying to host the new services in the same IIS virtual directories as the current service(s) for ease of deployment and backward compatibility. We picked up one service and tried the following
1. Created Certificate and attached it to the IIS Virtual folder for the service and enabled accept Certificates
2. Created a new Service (SVC) in the same Host Project basically inheriting from the existing service (We did this because we could not figure out how to have multiple authentication modes for different endpoints of the same service)
3. Created a new service behavior in the Project's web.config
<behavior name="CertServiceBehavior">
  <messageLoggingTracing createDefaultRequestValue="false" />
  <serviceDebug includeExceptionDetailInFaults="false" />
  <serviceMetadata httpsGetEnabled="true" httpGetEnabled="false" />
  <serviceCredentials>
    <serviceCertificate findValue="svcint_certd1.servevirtual.net" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
    <clientCertificate>
      <authentication certificateValidationMode="PeerOrChainTrust" />
      <certificate findValue="svcint_certd1.servevirtual.net" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
    </clientCertificate>
  </serviceCredentials>
</behavior>
4. Created new binding configuration (basicHttp) and applied the following settings
<binding name="basicHttpBinding_cert" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
         allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
         maxBufferSize="2147483647" maxBufferPoolSize="524288" maxReceivedMessageSize="2147483647"
         messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true">
  <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
  <security mode="Transport">
    <transport clientCredentialType="Certificate" />
  </security>
</binding>
5. Created a new Service with new end points.
<service name="Serve.WcfServices.CommunicationWCFService.CommunicationServiceCert" behaviorConfiguration="CertServiceBehavior">
  <endpoint address="" binding="basicHttpBinding" bindingConfiguration="basicHttpBinding_cert" contract="Serve.WcfServices.CommunicationWCFService.ICommunicationService" />
  <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
When I try running the service I get an error:
The SSL settings for the service 'SslRequireCert' does not match those of the IIS 'SslNegotiateCert'.
I understand if I change the IIS setting to require SSL, the above will go away, but that also means I'll not be able to access my existing service without passing a certificate, which is going to break backward compatibility with this approach.
Any help is appreciated.
- Edited by lalat1382 Wednesday, October 8, 2014 12:19 AM
Tuesday, October 7, 2014 10:33 PM
Answers
-
Hi,
The SSL settings for the service 'SslRequireCert' does not match those of the IIS 'SslNegotiateCert'.
Now go to your inetmgr, navigate to the virtual directory, and click on the SSL Setting, and make sure “Require” certificate is selected instead of “Ignore”. Now, if you have a sub directory under the v-dir, make sure you click on any sub directory as well and double check your SSL setting to require certificate.
Alternatively, open the master IIS host config file at C:\Windows\System32\inetsrv\config\applicationHost.config, and then search for “Default Web Site/MyVdir”. And see if it only contains “Ssl”, like the following:
<location path="Default Web Site/MyVdir">
  <system.webServer>
    <security>
      <access sslFlags="Ssl" />
    </security>
  </system.webServer>
</location>
To fix this, just add additional sslFlags to look like the following.
<location path="Default Web Site/MyVdir">
  <system.webServer>
    <security>
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
    </security>
  </system.webServer>
</location>
Now make sure the changes are saved and do an iisreset before trying to hit the server again.
- Proposed as answer by dns jinung Monday, October 20, 2014 6:05 AM
- Marked as answer by Amy PengMicrosoft employee Thursday, October 23, 2014 1:30 AM
Monday, October 20, 2014 6:05 AM
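The accepted answer ties the WCF start-up error in the question to the sslFlags of the IIS location, and it also points out that each sub-directory carries its own SSL setting. As an added example, not code from this thread, the following PowerShell script audits every <location> in an applicationHost.config and reports whether its sslFlags can host a WCF endpoint whose transport uses clientCredentialType="Certificate". The embedded XML is a constructed sample modelled on the answer's fragments; the location names in it and the Get-SslFlagsReport function are assumptions of the example, not anything from the poster's server.

```powershell
# Added example (not from the thread): audit the sslFlags of every <location> in an
# applicationHost.config and report whether each one can serve a WCF endpoint whose
# transport clientCredentialType is "Certificate" (IIS must carry SslRequireCert there).
# The XML below is a constructed sample modelled on the accepted answer; pass -Path
# C:\Windows\System32\inetsrv\config\applicationHost.config to audit a real server.
# The script only reads configuration; it changes nothing.

param(
    [string]$Path
)

$sampleConfig = @'
<configuration>
  <location path="Default Web Site/LegacyVdir">
    <system.webServer>
      <security>
        <access sslFlags="Ssl" />
      </security>
    </system.webServer>
  </location>
  <location path="Default Web Site/MyVdir">
    <system.webServer>
      <security>
        <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
      </security>
    </system.webServer>
  </location>
  <location path="Default Web Site/NegotiateOnly">
    <system.webServer>
      <security>
        <access sslFlags="Ssl, SslNegotiateCert" />
      </security>
    </system.webServer>
  </location>
</configuration>
'@

function Get-SslFlagsReport {
    param([xml]$Config)

    foreach ($loc in $Config.SelectNodes('//location')) {
        $access = $loc.SelectSingleNode('system.webServer/security/access')
        $raw = if ($access -and $access.sslFlags) { $access.sslFlags } else { 'None' }
        # sslFlags is a comma-separated list; trim each entry before comparing
        # (-contains compares case-insensitively in PowerShell)
        $flags = $raw -split ',' | ForEach-Object { $_.Trim() }

        $requiresSsl  = $flags -contains 'Ssl'
        $negotiates   = $flags -contains 'SslNegotiateCert'
        $requiresCert = $flags -contains 'SslRequireCert'

        # A WCF endpoint with <transport clientCredentialType="Certificate"> only starts
        # when IIS already requires a client certificate on that path; "negotiate"
        # alone reproduces the mismatch error quoted in the question.
        $verdict = if ($requiresSsl -and $requiresCert) {
            'OK for clientCredentialType=Certificate (every caller must present a cert)'
        } elseif ($requiresSsl -and $negotiates) {
            'Cert accepted but optional: Certificate endpoints fail to start here'
        } elseif ($requiresSsl) {
            'SSL only: suitable for the existing Windows-authenticated endpoints'
        } else {
            'No SSL: Transport security cannot be used on this path'
        }

        [pscustomobject]@{
            Location = $loc.path
            SslFlags = $raw
            Verdict  = $verdict
        }
    }
}

$xml = if ($Path) { [xml](Get-Content -Path $Path -Raw) } else { [xml]$sampleConfig }
Get-SslFlagsReport -Config $xml | Format-Table -AutoSize -Wrap
```

Running it without -Path prints one row per sample location, which makes the trade-off in the question visible: the path that satisfies the Certificate endpoint is also the one where every caller, including the legacy Windows-authenticated clients, must present a certificate, so the two services need separate locations (or a sub-directory with its own sslFlags) if both credential types are to stay reachable. On a live server the same edit the answer makes by hand can be applied with the WebAdministration module, for example Set-WebConfigurationProperty with -Filter system.webServer/security/access, -Name sslFlags and -Location set to the virtual directory, followed by the iisreset the answer calls for.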
All replies
-
For Multiple authentication in IIS, try using this config file:
<bindings>
  <basicHttpBinding>
    <binding name="secureBinding">
      <security mode="Transport">
        <transport clientCredentialType="InheritedFromHost" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
Wednesday, October 8, 2014 7:33 AM
-
Hi lalat1382,
I see that you are using the following:
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
If you do not want to change the IIS setting to require SSL, please try to change the mexHttpsBinding to the mexHttpBinding as follows:
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
Best Regards,
Amy Peng
Wednesday, October 8, 2014 8:00 AM
-
Amy the above change did not work.
Wednesday, October 8, 2014 2:11 PM -
Hi
The config is not recognized and results in a config error.
Wednesday, October 8, 2014 2:14 PM -