The HTTP request was forbidden with client authentication scheme 'Anonymous'.

  • Question

  • I'm trying to use message level authentication with a certificate; however, whenever the client starts up and invokes an operation, I get this error:

    The HTTP request was forbidden with client authentication scheme 'Anonymous'. I have created the necessary certificate, which is located in my local computer personal and my user trusted root CA. To validate the self-signed certificate I'm using code provided by MSDN for WCF. Can someone please help me!

    <?xml version="1.0"?>
    <configuration>
      <system.web>
        <compilation debug="true"/>
      </system.web>
      <system.serviceModel>
        <services>
          <service name="DemoService.HeaderService" behaviorConfiguration="DemoService.HeaderServiceBehavior">
            <host>
              <baseAddresses>
                <add baseAddress="https://localhost:8732/Design_Time_Addresses/DemoService/HeaderService/"/>
              </baseAddresses>
            </host>
            <endpoint address=""
                      binding="wsHttpBinding"
                      contract="DemoService.IGetHeaders"
                      bindingConfiguration="SecurityDemo">
              <identity>
                <dns value="localhost"/>
              </identity>
            </endpoint>
          </service>
        </services>
        <bindings>
          <!--<basicHttpBinding>
          </basicHttpBinding>-->
          <wsHttpBinding>
            <binding name="SecurityDemo">
              <security mode="Transport">
                <transport clientCredentialType="Certificate"/>
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
        <behaviors>
          <serviceBehaviors>
            <behavior name="DemoService.HeaderServiceBehavior">
              <serviceMetadata httpGetEnabled="False"/>
              <serviceDebug includeExceptionDetailInFaults="True"/>
            </behavior>
          </serviceBehaviors>
        </behaviors>
      </system.serviceModel>
      <startup>
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
      </startup>
    </configuration>

    This is my client configuration.

    <?xml version="1.0"?>
    <configuration>
      <system.diagnostics>
        <sources>
          <source name="System.ServiceModel.MessageLogging" switchValue="Verbose,ActivityTracing">
            <listeners>
              <add type="System.Diagnostics.DefaultTraceListener" name="Default">
                <filter type="" />
              </add>
              <add name="ServiceModelMessageLoggingListener">
                <filter type="" />
              </add>
            </listeners>
          </source>
          <source name="System.ServiceModel" switchValue="Verbose,ActivityTracing"
            propagateActivity="true">
            <listeners>
              <add type="System.Diagnostics.DefaultTraceListener" name="Default">
                <filter type="" />
              </add>
              <add name="ServiceModelTraceListener">
                <filter type="" />
              </add>
            </listeners>
          </source>
        </sources>
        <sharedListeners>
          <add initializeData="C:\dumps_Trace\FailedAuthentication.svclog"
            type="System.Diagnostics.XmlWriterTraceListener, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
            name="ServiceModelMessageLoggingListener" traceOutputOptions="Timestamp">
            <filter type="" />
          </add>
          <add initializeData="c:\dumps_Trace\FailedAuthenticationtracelog.svclog"
            type="System.Diagnostics.XmlWriterTraceListener, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
            name="ServiceModelTraceListener" traceOutputOptions="Timestamp">
            <filter type="" />
          </add>
        </sharedListeners>
        <trace autoflush="true" />
      </system.diagnostics>
      <system.serviceModel>
        <diagnostics>
          <messageLogging logEntireMessage="true" logKnownPii="true" logMalformedMessages="false"
            logMessagesAtServiceLevel="false" logMessagesAtTransportLevel="false" />
          <endToEndTracing propagateActivity="true" activityTracing="true"
            messageFlowTracing="true" />
        </diagnostics>
        <bindings>
          <!--<basicHttpBinding>
          </basicHttpBinding>-->
          <wsHttpBinding>
            <binding name="SecurityDemo">
              <security mode="Transport">
                <transport clientCredentialType="Certificate"/>
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
        <client>
          <endpoint address="https://localhost:8732/Design_Time_Addresses/DemoService/HeaderService/"
            binding="wsHttpBinding" bindingConfiguration="SecurityDemo"
            contract="DemoService.IGetHeaders" name="IGetHeaders">
            <headers>
              <MyHeader name="Sample" xmlns="http://tempuri.org">This is my header data</MyHeader>
            </headers>
            <identity>
              <dns value="localhost" />
            </identity>
          </endpoint>
        </client>
      </system.serviceModel>
      <startup>
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
      </startup>
    </configuration>



    dblk

    Friday, December 13, 2013 6:16 PM

Answers

  • Hi,

    The demo using Certificate can run successfully. Please try to check it:
    I created 2 certificates for the server and client, and set them as trusted by each other.

    <system.serviceModel>
          <behaviors>
            <endpointBehaviors>
              <behavior name="ClientBehavior">
                <clientCredentials>
                  <clientCertificate storeName="My"
                                        x509FindType="FindBySubjectName"
                                        findValue="ClientCerWithPK"
                                        storeLocation="CurrentUser"/>
                  <serviceCertificate>
                    <defaultCertificate storeName="My"  
                                        x509FindType="FindBySubjectName" 
                                        findValue="WCFServerPK" 
                                        storeLocation="CurrentUser"/>
                  </serviceCertificate>
                </clientCredentials>
              </behavior>
            </endpointBehaviors>
          </behaviors>
            <bindings>
                <wsHttpBinding>
                    <binding name="WSHttpBinding_IWCFService" >
                        <security mode="Transport">
                            <transport clientCredentialType="Certificate" proxyCredentialType="None"
                                realm="" />
                            <message clientCredentialType="None" negotiateServiceCredential="false"
                                establishSecurityContext="false" />
                        </security>
                    </binding>
                </wsHttpBinding>
            </bindings>
            <client>
                <endpoint address="https://localhost:8732/Design_Time_Addresses/DemoService/HeaderService/"
                          binding="wsHttpBinding"
                          bindingConfiguration="WSHttpBinding_IWCFService"
                          contract="ClientProxy.IWCFService"
                          behaviorConfiguration="ClientBehavior"
                          name="WSHttpBinding_IWCFService" />
            </client>
        </system.serviceModel>

    Best Regards,
    Amy Peng

    Monday, December 16, 2013 9:22 AM
    Moderator
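
An added check, not code from this thread or from Microsoft: a Python sketch that reads a WCF client configuration and lists the endpoints whose binding uses Transport security with clientCredentialType="Certificate" while no endpoint behavior in the file names a clientCertificate, which is the difference between the question's client configuration and the one in the answer above. The function name and the trimmed sample configurations are constructed for illustration, and a certificate assigned in code through the proxy's ClientCredentials is not visible to a check like this.

```python
import xml.etree.ElementTree as ET

def endpoints_missing_client_cert(config_xml):
    """Names of client endpoints whose binding requires a transport-level client
    certificate while no endpoint behavior in the config file selects one."""
    sm = ET.fromstring(config_xml).find("system.serviceModel")
    if sm is None:
        return []
    # (binding type, binding name) pairs using Transport security with a certificate credential.
    cert_bindings = set()
    for kind in sm.findall("bindings/*"):
        for b in kind.findall("binding"):
            sec, tr = b.find("security"), b.find("security/transport")
            if (tr is not None and sec.get("mode") == "Transport"
                    and tr.get("clientCredentialType") == "Certificate"):
                cert_bindings.add((kind.tag, b.get("name") or ""))
    # Endpoint behaviors that name a certificate; "" stands for an unnamed (default) behavior.
    with_cert = set()
    for beh in sm.findall("behaviors/endpointBehaviors/behavior"):
        cert = beh.find("clientCredentials/clientCertificate")
        if cert is not None and cert.get("findValue"):
            with_cert.add(beh.get("name") or "")
    return [ep.get("name") for ep in sm.findall("client/endpoint")
            if (ep.get("binding"), ep.get("bindingConfiguration") or "") in cert_bindings
            and (ep.get("behaviorConfiguration") or "") not in with_cert]

# Constructed samples, trimmed from the two client configurations in this thread.
BINDING = """<bindings><wsHttpBinding><binding name="SecurityDemo">
  <security mode="Transport"><transport clientCredentialType="Certificate"/></security>
</binding></wsHttpBinding></bindings>"""
ADDRESS = "https://localhost:8732/Design_Time_Addresses/DemoService/HeaderService/"

NO_BEHAVIOR = f"""<configuration><system.serviceModel>{BINDING}
<client><endpoint address="{ADDRESS}" binding="wsHttpBinding"
  bindingConfiguration="SecurityDemo" contract="DemoService.IGetHeaders" name="IGetHeaders"/>
</client></system.serviceModel></configuration>"""

WITH_BEHAVIOR = f"""<configuration><system.serviceModel>{BINDING}
<behaviors><endpointBehaviors><behavior name="ClientBehavior"><clientCredentials>
  <clientCertificate storeName="My" storeLocation="CurrentUser"
    x509FindType="FindBySubjectName" findValue="ClientCerWithPK"/>
</clientCredentials></behavior></endpointBehaviors></behaviors>
<client><endpoint address="{ADDRESS}" binding="wsHttpBinding"
  bindingConfiguration="SecurityDemo" behaviorConfiguration="ClientBehavior"
  contract="DemoService.IGetHeaders" name="IGetHeaders"/>
</client></system.serviceModel></configuration>"""

if __name__ == "__main__":
    print(endpoints_missing_client_cert(NO_BEHAVIOR))
    print(endpoints_missing_client_cert(WITH_BEHAVIOR))
```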
  • Hi,

    First please try to set the following to see if it helps:

     <security mode="Transport">
        <transport clientCredentialType="None" /> 
    </security>


    Then for hosting the WCF with https, you should also do some configuration in the IIS, please try to check it:
    How to: Configure an IIS-hosted WCF service with SSL:
    http://msdn.microsoft.com/en-us/library/hh556232(v=vs.110).aspx

    Best Regards,
    Amy Peng


    Thursday, December 19, 2013 11:23 AM
    Moderator

All replies

  • I have a process dump if that would give some insight to this issue….


    dblk

    Friday, December 13, 2013 6:19 PM
  • Hi Amy,

    Why do I get the anonymous authentication error? The config you provide seems like a mutual authentication config. My objective is to allow the user to authenticate to the server. I don't need the service to be authenticated by the client. I'm utilizing MCTS 70-503 Training kit and according to the example I should not have to create 2 certificates.


    dblk


    • Edited by d_blk Monday, December 16, 2013 5:11 PM
    Monday, December 16, 2013 5:02 PM