Authentication with WSHttpBinding and a certificate

  • Question

  • I am successfully using WSHttpBinding with certificate credentials. However, when the user calls a service, the user is not authenticated: WindowsIdentity.IsAuthenticated == false. I am using self-signed certificates for the user and the client. I am guessing I need to create a user certificate that belongs to a certain user and could be used for authentication, but I am not sure how to do this. Any ideas?
    Thursday, October 22, 2020 8:51 PM

All replies

  • You can refer to this link about using X.509 certificate for verification in WCF:

    https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/transport-security-with-certificate-authentication

    The following link contains many examples of WCF, including examples of using x.509 authentication, you can refer to it:

    https://www.microsoft.com/en-us/download/details.aspx?id=21459

    Friday, October 23, 2020 8:36 AM
  • Thank you for your comment. This example does not authenticate the client though. Let me explain. There is a domain user X. When the user is connecting to a WCF service with Windows credentials, it is authenticated by user name and password. But I need to use message encryption. For this, I have a server certificate and a user certificate. This works fine, but the user certificate does not belong to a specific user; I created it manually. Hence the user can reach the server endpoint, but is not authenticated. I think I need to create a user certificate that can be used by Windows to identify that this certificate belongs to user X. How can I do this?
    Friday, October 23, 2020 12:56 PM
  • I am sorry, I probably should have mentioned that my WCF server uses security permissions based on the user who is currently connected. E.g. user X can use function ICalculator.Add(), but cannot use ICalculator.Subtract(), while user Y can use both ICalculator.Add() and ICalculator.Subtract(). For this I have a custom PrincipalPermission class and attribute for each function in the service implementation. Here are more details about it:

    https://docs.microsoft.com/en-us/dotnet/framework/wcf/how-to-restrict-access-with-the-principalpermissionattribute-class

    Now when the system calls "public void Demand()", I can check if the specific user has rights to execute this function using Thread.CurrentPrincipal:

    var principal = Thread.CurrentPrincipal as WindowsPrincipal;
    var identity = principal.Identity as WindowsIdentity;

    It works if I use username/password authentication. But if I use a certificate to encrypt the connection, identity.IsAuthenticated is false.

    Friday, October 23, 2020 1:09 PM
  • And, yes, the example clearly shows how to use a certificate to control access rights:

    // Only a client authenticated with a valid certificate that has the
    // specified subject name and thumbprint can call this method.
    [PrincipalPermission(SecurityAction.Demand,
        Name = "CN=ReplaceWithSubjectName; 123456712345677E8E230FDE624F841B1CE9D41E")]
    public double Multiply(double a, double b)
    {
        return a * b;
    }

    As you can see, I can use a certificate property, but it is not connected to a user. In some cases, I would like to identify the user by a certificate and then see if the user belongs to a group that has the right to execute a certain call.

    Friday, October 23, 2020 1:13 PM
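As an added example (not code from this thread or from the Microsoft samples linked above), the service-side WCF configuration under which a certificate-authenticated caller is surfaced as a Windows identity, so that a group check in a custom Demand() of the kind described in the thread can work; the server thumbprint, the group name and the existence of a certificate-to-account mapping in Active Directory are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.Threading;
public static class CertificateMappedHost
{
    // Builds a WSHttpBinding host whose clients authenticate with X.509 certificates
    // and are mapped to Windows accounts, so WindowsIdentity.IsAuthenticated is true
    // and group-based checks work. The thumbprint is a placeholder (assumption).
    public static ServiceHost Configure<TContract>(Type serviceType, Uri address)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

        var host = new ServiceHost(serviceType, address);
        host.AddServiceEndpoint(typeof(TContract), binding, string.Empty);

        // Server certificate used for message encryption/signing.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindByThumbprint, "SERVER-CERT-THUMBPRINT-PLACEHOLDER");

        // Client certificates must chain to a trusted CA and pass revocation checks;
        // self-signed test certificates fail here unless their issuer is trusted.
        var clientAuth = host.Credentials.ClientCertificate.Authentication;
        clientAuth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        clientAuth.RevocationMode = X509RevocationMode.Online;

        // Resolve the certificate to the domain account it is mapped to (assumes
        // Active Directory holds the mapping, e.g. the user's UPN in the certificate SAN).
        clientAuth.MapClientCertificateToWindowsAccount = true;

        // Let PrincipalPermission / custom Demand() checks use Windows groups.
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;
        return host;
    }

    // Intended for a custom permission's Demand(): accept only an authenticated
    // Windows caller that is in the required group; anything else is rejected.
    public static bool IsAuthenticatedMemberOf(string groupName)
    {
        var principal = Thread.CurrentPrincipal as WindowsPrincipal;
        var identity = principal?.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated) return false;
        return principal.IsInRole(groupName);
    }
}
```

If the certificate cannot be resolved to an account, mapping fails and the call is rejected at the security layer rather than arriving with an unauthenticated identity, which is the safer failure mode for the authorization checks described above.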