none
Azure REST WCF service (webHttpBinding) with client certificate authentication

    Question

  • Hello,

    I'm trying to expose a WCF based REST service in a Azure web role with certificate authentication. An HTTPS endpoint is configured in the web role with a self signed certificate.

    Below is the binding configuration I use.

     

    <webHttpBinding>
    
            <binding name="webHttpEndpointBinding">
    
              <security mode="Transport">
    
                <transport clientCredentialType="Certificate"/>
    
              </security>
    
            </binding>
    
          </webHttpBinding>

     

    I used startup command to unlock IIS configuration section (%windir%\System32\inetsrv\appcmd.exe unlock config /section:system.webServer/security/access) and added below configuration section to web config.

     

     <system.webServer>
    
        <security>
    
          <access sslFlags="Ssl, SslRequireCert" />
    
        </security>
    
      </system.webServer>

     

    But I can't run the project it fails with following error.

    "There was an error attaching the debugger to the IIS worker process for  URL 'https://127.0.0.1:5100/ for role instance 'xxx'. Unable to start debugging on the web server. The web server is not configured correctly. See help for common configuration errors. Running the web page outside of the  debugger may provide further information".

    If I remove SslRequireCert, it runs properly, but when I try to access REST service through browser it fails with following error.

    "The SSL settings for the service 'SslRequireCert' does not match those of the IIS 'Ssl'.

    Any help is greatly appriciated.

    regards

    hantaana

     

    Tuesday, May 10, 2011 10:27 PM

Answers

  • Hello Tharanga,

    Thanks for your response.

    I used your web.config settings for my web role. When I started debugging the project, the "There was an error attaching the debugger to the IIS worker process" error showed up as expected. Then I opened up IIS Manager, opened the site (which is newly created when the web role is deployed in compute emulator) in browser, the actual error message was showed as "Often, if SslRequireCert is set at configuration/system.webServer/access@sslFlags, then SslNegotiateCert is intended".

    After revising the setting as:

    <system.webServer>
        <security>
            <access sslFlags="Ssl, SslRequireCert, SslNegotiateCert" />
        </security>
    </system.webServer>

    The error message became:

    HTTP Error 403.7 - Forbidden
    The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes.

    I think the last error is another story. We can either remove SslRequireCert from access element or install a client certificate to resolve it. Please see Error message when you try to run a Web application that is hosted on a server that is running IIS 7.0: "HTTP Error 403.7 - Forbidden".

    I'm glad to provide further assistance if the issue is still not resolved.

    Thanks,


    Wengchao Zeng
    Please mark the replies as answers if they help or unmark if not.
    If you have any feedback about my replies, please contact msdnmg@microsoft.com.
    Microsoft One Code Framework
    • Marked as answer by hantaana Friday, May 13, 2011 2:41 PM
    Friday, May 13, 2011 3:39 AM
  • Thanks Wengachao. I tried accessing service on IIS as you suggested.

    Even though its giving "There was an error attaching the debugger to the IIS worker process" error, actual deployment is completed and service is deployed successfully.  

    I modified config to include SslNegotiateCert, it was still giving above error, but I was able to call REST service successfully through a proxy created with correct cert credentials. 

    Later I deployed my service to Azure and it worked without any issue. Its clear that the problem is with compute emulator and SslRequiredCert setting. 

    Appriciate your help on solving this problem. Hope Azure team will find some way to get rid of error message as well.

    I'm posting my proxy code and config, which may help someone else who is facing the same issue.

    Code

     

    // This ignores server SSL certificate validation error. MUST REMOVE WHEN USED IN PRODUCTION
    
     ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;
    
    
    IServiceRest clientRest = new ChannelFactory<IServiceRest>("ClientEndPointRest").CreateChannel();
    
    Console.WriteLine("Results from Rest HTTP service call is" + clientRest.GetData(7));

     

    Config

     

     <endpointBehaviors>
    
    <behavior name="restHttpEnpointBindingBehavior">
    
              <webHttp/>
    
              <clientCredentials>
    
                <clientCertificate findValue="ClientSideCert" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
    
                <serviceCertificate>
    
                  <authentication certificateValidationMode="None"/>
    
                </serviceCertificate>
    
              </clientCredentials>
    
            </behavior>
    
          </endpointBehaviors>
    
    
    .....
    
    <webHttpBinding>
    
            <binding name="webHttpEndpointBinding">
    
              <security mode="Transport">
    
                <transport clientCredentialType="Certificate"/>
    
              </security>
    
            </binding>
    
          </webHttpBinding>
    
    .....
    
    
     <endpoint address="https://yourapp.cloudapp.net:8080/service1.svc" binding="webHttpBinding"
    
                       bindingConfiguration="webHttpEndpointBinding" contract="WCFServiceWebRole.IServiceRest" name="ClientEndPointRest" 
    
                       behaviorConfiguration="restHttpEnpointBindingBehavior">
    
               <identity>
    
                 <dns value="ServerSideCert"/>
    
               </identity>
    
             </endpoint>

     

     

     

    • Marked as answer by hantaana Friday, May 13, 2011 2:41 PM
    Friday, May 13, 2011 2:40 PM

All replies

  • Hello hantaana,

    You experience "There was an error attaching the debugger to the IIS worker process" error when debugging an WCF service that requires client certificate authentication in compute emulator.

    Can you create a web application using the same WCF service and debug it in ASP.NET Development Server or IIS to see if it works or not? This will help us check if it is a WCF configuration issue or an Azure service issue.

    Related resources are:

    How to Set Up SSL on IIS 7
    http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis-7/ 

    Configuring WCF for client certificate authentication
    http://blogs.ugidotnet.org/cfolini/archive/2008/01/04/90561.aspx 

    I'm glad to assist you if the issue is still not resolved.

    Thanks,


    Wengchao Zeng
    Please mark the replies as answers if they help or unmark if not.
    If you have any feedback about my replies, please contact msdnmg@microsoft.com.
    Microsoft One Code Framework
    Thursday, May 12, 2011 1:47 AM
  • Hello Wenchao,

    Appreciate your reply. I created a web app using same WCF service as you suggested and ran it on IIS with SSL + client certificate authentication. It worked without any issue.

    It's only there when I try to run same WCF service on an Azure dev fabric web role.

     

    Thanks and regards

    Tharanga 

    Thursday, May 12, 2011 10:32 PM
  • Hello Tharanga,

    Thanks for your response.

    I used your web.config settings for my web role. When I started debugging the project, the "There was an error attaching the debugger to the IIS worker process" error showed up as expected. Then I opened up IIS Manager, opened the site (which is newly created when the web role is deployed in compute emulator) in browser, the actual error message was showed as "Often, if SslRequireCert is set at configuration/system.webServer/access@sslFlags, then SslNegotiateCert is intended".

    After revising the setting as:

    <system.webServer>
        <security>
            <access sslFlags="Ssl, SslRequireCert, SslNegotiateCert" />
        </security>
    </system.webServer>

    The error message became:

    HTTP Error 403.7 - Forbidden
    The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes.

    I think the last error is another story. We can either remove SslRequireCert from access element or install a client certificate to resolve it. Please see Error message when you try to run a Web application that is hosted on a server that is running IIS 7.0: "HTTP Error 403.7 - Forbidden".

    I'm glad to provide further assistance if the issue is still not resolved.

    Thanks,


    Wengchao Zeng
    Please mark the replies as answers if they help or unmark if not.
    If you have any feedback about my replies, please contact msdnmg@microsoft.com.
    Microsoft One Code Framework
    • Marked as answer by hantaana Friday, May 13, 2011 2:41 PM
    Friday, May 13, 2011 3:39 AM
  • Thanks Wengachao. I tried accessing service on IIS as you suggested.

    Even though its giving "There was an error attaching the debugger to the IIS worker process" error, actual deployment is completed and service is deployed successfully.  

    I modified config to include SslNegotiateCert, it was still giving above error, but I was able to call REST service successfully through a proxy created with correct cert credentials. 

    Later I deployed my service to Azure and it worked without any issue. Its clear that the problem is with compute emulator and SslRequiredCert setting. 

    Appriciate your help on solving this problem. Hope Azure team will find some way to get rid of error message as well.

    I'm posting my proxy code and config, which may help someone else who is facing the same issue.

    Code

     

    // This ignores server SSL certificate validation error. MUST REMOVE WHEN USED IN PRODUCTION
    
     ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;
    
    
    IServiceRest clientRest = new ChannelFactory<IServiceRest>("ClientEndPointRest").CreateChannel();
    
    Console.WriteLine("Results from Rest HTTP service call is" + clientRest.GetData(7));

     

    Config

     

     <endpointBehaviors>
    
    <behavior name="restHttpEnpointBindingBehavior">
    
              <webHttp/>
    
              <clientCredentials>
    
                <clientCertificate findValue="ClientSideCert" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
    
                <serviceCertificate>
    
                  <authentication certificateValidationMode="None"/>
    
                </serviceCertificate>
    
              </clientCredentials>
    
            </behavior>
    
          </endpointBehaviors>
    
    
    .....
    
    <webHttpBinding>
    
            <binding name="webHttpEndpointBinding">
    
              <security mode="Transport">
    
                <transport clientCredentialType="Certificate"/>
    
              </security>
    
            </binding>
    
          </webHttpBinding>
    
    .....
    
    
     <endpoint address="https://yourapp.cloudapp.net:8080/service1.svc" binding="webHttpBinding"
    
                       bindingConfiguration="webHttpEndpointBinding" contract="WCFServiceWebRole.IServiceRest" name="ClientEndPointRest" 
    
                       behaviorConfiguration="restHttpEnpointBindingBehavior">
    
               <identity>
    
                 <dns value="ServerSideCert"/>
    
               </identity>
    
             </endpoint>

     

     

     

    • Marked as answer by hantaana Friday, May 13, 2011 2:41 PM
    Friday, May 13, 2011 2:40 PM
  • Thanks for response! I would like to have a small survey under the Windows Live developers. The test is for a thesis where I study how a web service can be more accessible for developers. Give me 4 minutes of your precious time and join the survey here: https://docs.google.com/a/sense-os.nl/spreadsheet/viewform?formkey=dHZIOFhybURrMExMb3B1MjFzWXFVU1E6MQ
    Thursday, March 1, 2012 12:57 PM
  • Did you run into any: "The HTTP request was forbidden with client authentication scheme 'Anonymous'." errors? I have tried following the solution that you provided, but now I receive this error when connecting to the service. I posted more details and my full web.conf here:

    http://social.msdn.microsoft.com/Forums/eu/windowsazuredevelopment/thread/9d75d128-1c72-46eb-a2c7-34f6e3b932e6

    If possible would you be able to point out any differences compared to your working web.config?

    Thursday, April 26, 2012 5:47 PM