locked
Transport Security with Certificate Authentication RRS feed

  • Question

  • I have a experimental service that I have configured to have transport security with clients authenticated with certificates. I am testing this config as I may need to support clients that cannot support the latest WS-Security standards used for message security.

    Could anybody confirm whether the following is definately fact : When hosting a service in IIS (6.0 if it matters) enabling SSL and the option 'Required Client Certificates' - client certificates can only be authenticated in a ChainTrust manner?

    This seems to be the case in my tests and changing clientCertificateValidationMode settings in my services config files seem to have no bearing on how client certificates are validated.

    The reason I question this is that I have seen the odd article that suggests PeerTrust can be used, but obviously I appreciate IIS is handling this and not the service itself.

    Many Thanks,
    Mark
    Tuesday, December 1, 2009 5:15 PM

Answers

  • Hi,

    For WCF Transport Security,WCF Validate of HTTPS Client Certificates using chain trust

    When using HTTPS to communicate between a client and a service, the certificate that the client uses to authenticate to the service must support chain trust. That is, it must chain to a trusted root certificate authority. If not, the HTTP layer raises a WebException with the message "The remote server returned an error: (403) Forbidden." WCF surfaces this exception as a MessageSecurityException.

    IIS will validate the Client Certificates with the help of Certificate Services.

    Here is a good article:
    http://msdn.microsoft.com/en-us/library/aa702579.aspx

    Regards
    Frank Xu Lei--谦卑若愚,好学若饥
    专注于.NET平台下分布式应用系统开发和企业应用系统集成
    Focus on Distributed Applications Development and EAI based on .NET
    欢迎访问老徐的中文技术博客:Welcome to My Chinese Technical Blog
    欢迎访问微软WCF中文技术论坛:Welcome to Microsoft Chinese WCF Forum
    欢迎访问微软WCF英文技术论坛:Welcome to Microsoft English WCF Forum
    • Marked as answer by Riquel_Dong Monday, December 7, 2009 7:25 AM
    Wednesday, December 2, 2009 5:29 AM

All replies