Client side certificate authentication with service reference

  • Question

  • Hi,

    I am working on an app where I need to use client side certificates to authenticate a request to a web service used in the project with a service reference.

    The web service is working fine with username/password set for the ClientCredentials in the generated WebServiceClient class. The ClientCredentials contains a ClientCertificate but this is not available in Windows Runtime. So all samples on the web using this only apply to WCF apps.

    I also found these two posts:

    http://social.msdn.microsoft.com/Forums/windowsapps/en-US/0d005703-0ec3-4466-b389-663608fff053/using-client-side-certificates-in-windows-metro?forum=winappswithcsharp

    http://gauravmantri.com/2012/09/08/consuming-windows-azure-service-management-api-in-a-windows-8-application/

    It looks like one can import the certificate into the app key store with CertificateEnrollmentManager.ImportPfxDataAsync and let HttpClient use this certificate by setting the ClientCertificateOptions to Automatic for a HttpClientHandler.

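        // Requires: using System.Net.Http;
        // Automatic lets the handler pick a client certificate from the app's certificate store.
        HttpClientHandler aHandler = new HttpClientHandler();
        aHandler.ClientCertificateOptions = ClientCertificateOption.Automatic;

        HttpClient aClient = new HttpClient(aHandler);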

    My question is how this or something similar can be done for a generated WebServiceClient call for a service reference.

    Regards Matthias

    Wednesday, February 5, 2014 9:17 AM


All replies

  • Hello,

    It seems that you are trying to consume a WCF Service through a Windows Store app and you have already added a Service Reference to your Windows Store app. Adding the Client certificate using the ImportPfxDataAsync will only install a client certificate within your app's certificate context, but then using the HttpClient class will not work because HttpClient and the generated WCF classes do not use the same underlying structure.

    Is your question simply: "How to add client certificates to a WCF method call?" Please clarify.

    Thanks,

    Prashant.


    Windows Store Developer Solutions, follow us on Twitter: @WSDevSol|| Want more solutions? See our blog

    Wednesday, February 5, 2014 10:13 PM
    Moderator
  • "How to add client certificates to a WCF method call?" sums up my question pretty good.
    Thursday, February 13, 2014 10:44 AM
  • Hello,

    You cannot programmatically add a client certificate to a WCF method call from a Windows Store app.

    Using the full desktop experience, you'd normally add a client certificate to the outgoing call using the <yourClient>.Credentials.ClientCertificate.SetCertificate(...) method, but the ClientCertificate property does not exist in a Windows Store app.

    Even with the System.Net.HttpClient class, you can only set the ClientCertificateProperty.Automatic which will pick up the installed certificate from your app container, but such a call is not available for the WCF classes.

    The only option left for you is to manually call the service using the HttpClient class by creating the SOAP Envelope yourself and use the code to set ClientCertificateOption.Automatic for the HttpClient class. Creating and parsing the SOAP envelope is a huge task, so you may want to check if your WCF service exposes a simpler REST endpoint to consume your service using the HttpClient class.

    Thanks,

    Prashant.


    Friday, February 14, 2014 2:00 AM
    Moderator
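
The workaround described in the answer above, sketched as an added example that is not part of the original thread: import the PFX into the app's certificate store, build the SOAP envelope by hand, and send it with an HttpClient whose handler uses ClientCertificateOption.Automatic. The endpoint URL, service namespace, GetStatus operation, its SOAPAction URI and the GetStatusResult element name are hypothetical, and a SOAP 1.1 (basicHttpBinding) endpoint is assumed.

```csharp
// Added example, not from the thread. URL, namespace and operation are hypothetical.
using System;
using System.Linq;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;
using System.Xml.Linq;
using Windows.Security.Cryptography.Certificates;

public static class SoapOverHttpClient
{
    static readonly XNamespace Soap = "http://schemas.xmlsoap.org/soap/envelope/";
    static readonly XNamespace Svc = "http://example.invalid/service"; // hypothetical

    // One-time import of the PFX into the app container's certificate store.
    public static Task ImportClientCertAsync(string base64Pfx, string password)
    {
        return CertificateEnrollmentManager.ImportPfxDataAsync(
            base64Pfx, password,
            ExportOption.NotExportable,   // private key cannot be exported again
            KeyProtectionLevel.NoConsent, InstallOptions.None,
            "Service client certificate").AsTask();
    }

    public static async Task<string> GetStatusAsync(string orderId)
    {
        // XElement escapes orderId, so input cannot inject extra XML into the body.
        var envelope = new XDocument(
            new XElement(Soap + "Envelope",
                new XElement(Soap + "Body",
                    new XElement(Svc + "GetStatus",
                        new XElement(Svc + "orderId", orderId)))));

        var handler = new HttpClientHandler { ClientCertificateOptions = ClientCertificateOption.Automatic };
        using (var client = new HttpClient(handler))
        using (var request = new HttpRequestMessage(HttpMethod.Post, "https://service.example.invalid/Service.svc"))
        {
            request.Content = new StringContent(envelope.ToString(), Encoding.UTF8, "text/xml");
            // SOAP 1.1 dispatches on the SOAPAction header (hypothetical action URI).
            request.Headers.Add("SOAPAction", "\"http://example.invalid/service/IService/GetStatus\"");

            var response = await client.SendAsync(request);
            response.EnsureSuccessStatusCode(); // a SOAP fault arrives as HTTP 500 and throws here

            var reply = XDocument.Parse(await response.Content.ReadAsStringAsync());
            return reply.Descendants(Svc + "GetStatusResult").Select(e => e.Value).FirstOrDefault();
        }
    }
}
```
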
  • Thanks for the clarification.

    Two additional questions:

    - Will this get available in a future version?

    - In general the need to import the certificate into the sandbox of the app when the certificate might be available on a Windows 8 Pro device already is far from perfect. Might there be a change for the sandbox of an app in the future where the app will be able to use the certificates from the device?

    Regards Matthias

    Friday, February 14, 2014 10:11 AM
  • Hi Matthias,

    I cannot comment on future versions, but I can recommend you to open a Bug/ Submit an idea to the Visual Studio Connect site here: https://connect.microsoft.com/VisualStudio since this issue is specifically with WCF in .NET rather than a Windows problem.

    To be able to use the Shared certificates, your app can use the Shared Certificates capability so that it can fetch an already existing client certificate from the Current User store and not have it necessary to import the certificate in the app container specific store: http://msdn.microsoft.com/en-us/library/windows/apps/hh465029.aspx

    Thanks,

    Prashant


    Friday, February 14, 2014 10:12 PM
    Moderator