WCF service setup with certificate authentication error

  • Question

  • I have a WCF service set up and I need to use a certificate with it, and I am getting numerous errors when I attempt to browse it. The 1st error I get is "Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service."

    This sounds like a straightforward error message and setting the authentication method in IIS to anonymous resolves being able to browse the service. But I need to use a certificate and setting authentication to anonymous is obviously not right since we only want those with the proper certificate to access the service. I have all authentication methods in IIS set to disabled when I get the above error message. I have the SSL settings in IIS for the service set to require a certificate as well. I am using IIS 8.5 as well.

    Here is my config file, in the hope that someone can point me in the correct direction. The service should only work over HTTPS since we are using a certificate, and I need the metadata exposed as well, hence the mexHttpBinding. I have searched the web but no solution is working. Any help is appreciated.

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
    
      <configSections>
        <sectionGroup name="applicationSettings" type="System.Configuration.ApplicationSettingsGroup, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
          <section name="HEALookupProxy.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
        </sectionGroup>
      </configSections>
      <appSettings>
        <add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
      </appSettings>
      <system.web>
        <compilation targetFramework="4.5.1" />
        <httpRuntime targetFramework="4.5.1" />
        <authentication mode="None"></authentication>
      </system.web>
      <system.serviceModel>
        <serviceHostingEnvironment multipleSiteBindingsEnabled="true">
          <baseAddressPrefixFilters >
            <add prefix="https"/>
          </baseAddressPrefixFilters>
    
        </serviceHostingEnvironment>
        <services>
          <service name="HEALookupProxy.HEALookupService" behaviorConfiguration="HEALookupServiceBehavior">
            <endpoint address="" binding="wsHttpBinding" contract="HEALookupProxy.IHEALookupService" bindingConfiguration="HEALookupConfig" />
            <endpoint contract="IMetadataExchange" binding="mexHttpBinding" address="mex" />
          </service>
        </services>
    
        <bindings>
          <wsHttpBinding>
            <binding name="HEALookupConfig">
              <security mode="TransportWithMessageCredential">
                <transport clientCredentialType="Certificate"/>
              </security>
    
            </binding>
          </wsHttpBinding>
        </bindings>
    
        <behaviors>
          <serviceBehaviors>
            <behavior name="HEALookupServiceBehavior">
              <serviceMetadata httpsGetEnabled="true"/>
              <serviceDebug includeExceptionDetailInFaults="false" />
              <serviceCredentials>
                <serviceCertificate x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" findValue="certnameremoved" />
              </serviceCredentials>
    
            </behavior>
          </serviceBehaviors>
        </behaviors>
    
      </system.serviceModel>
      <system.webServer>
        <modules runAllManagedModulesForAllRequests="true" />
        <!--
            To browse web app root directory during debugging, set the value below to true.
            Set to false before deployment to avoid disclosing web app folder information.
          -->
        <directoryBrowse enabled="false" />
        <security>
          <authorization>
            <remove users="*" roles="" verbs="" />
            <add accessType="Allow" users="user1, user2" />
          </authorization>
        </security>
      </system.webServer>
    
    
    </configuration>




    • Edited by spark29er Thursday, April 9, 2015 4:19 PM
    Thursday, April 9, 2015 4:06 PM

All replies

  • Hi spark29er,

    >>The service should only work over HTTPS since we are using a certificate and I need the meta data exposed as well hence the mexHttpBinding.

    For creating the HTTPS WCF service, first please change the mexHttpBinding to mexHttpsBinding as follows:

    <endpoint contract="IMetadataExchange" binding="mexHttpsBinding" address="mex" />

    For more information, please try to refer to:
    #Seven simple steps to enable HTTPS on WCF WsHttp bindings:
    http://www.codeproject.com/Articles/36705/simple-steps-to-enable-HTTPS-on-WCF-WsHttp-bindi .

    Then please try to check the following article about how to do the certificate authentication on HTTPS WCF Service:
    http://blogs.msdn.com/b/imayak/archive/2008/09/12/wcf-2-way-ssl-security-using-certificates.aspx .

    Besides, setting the includeExceptionDetailInFaults as false can give us more detailed error information.

    Best Regards,
    Amy Peng





    Friday, April 10, 2015 5:48 AM
    Moderator
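
The binding change this exchange points toward, as an added example that is not part of the original posts: in `TransportWithMessageCredential` mode the client is authenticated by SOAP message security, so the posted `<transport clientCredentialType="Certificate"/>` does not make the HTTPS layer ask for a certificate. The fragment assumes `Transport` mode is acceptable for this service and that IIS Anonymous Authentication stays enabled, with access gated by the required TLS client certificate; the `<access>` section is often locked, in which case it is set through the SSL Settings page in IIS Manager.

```xml
<!-- Added example: web.config fragment; service, contract and binding names are those from the question -->
<configuration>
  <system.serviceModel>
    <services>
      <service name="HEALookupProxy.HEALookupService"
               behaviorConfiguration="HEALookupServiceBehavior">
        <endpoint address="" binding="wsHttpBinding"
                  bindingConfiguration="HEALookupConfig"
                  contract="HEALookupProxy.IHEALookupService" />
        <!-- Metadata over HTTPS only, as the answer recommends -->
        <endpoint address="mex" binding="mexHttpsBinding"
                  contract="IMetadataExchange" />
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding name="HEALookupConfig">
          <!-- Question's version: mode="TransportWithMessageCredential".
               There HTTPS protects the channel and authenticates the server,
               while the client credential travels in the SOAP message. -->
          <!-- Assumed change: Transport mode, so the client certificate is
               requested during the TLS handshake. -->
          <security mode="Transport">
            <transport clientCredentialType="Certificate" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="HEALookupServiceBehavior">
          <serviceMetadata httpsGetEnabled="true" httpGetEnabled="false" />
          <serviceDebug includeExceptionDetailInFaults="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
  <system.webServer>
    <security>
      <!-- IIS side has to match the binding: require SSL and a client certificate -->
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
    </security>
  </system.webServer>
</configuration>
```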
  • Thanks, I modified the IIS authentication settings to allow Anonymous based on the article and I obviously can browse the service now. I find it really odd that it needs to be set to this considering I don't want anyone to browse the service, but everyone says this is needed.

    Can you tell me how certificate authentication works with WCF in general, in layman's terms? I keep hearing terms like public and private keys and I can't see how they fit into the whole picture. As I understand it, I (or the client) create or get an SSL certificate from some CA and give it to the entity that is hosting the WCF service. They install that on their machine through MMC as a trusted certificate. Then the server entity gives their certificate to the client/consumer, who would install that on their client machine. Is this correct? I am confused on this.


    • Edited by spark29er Friday, April 10, 2015 6:40 PM
    Friday, April 10, 2015 5:31 PM
  • Hi spark29er,

    Yes, when we use certificate authentication in the WCF Service, we will need to install the service certificate and the client certificate as you said. Then on the client side, the client will use the service public key to encrypt the message and send it to the service, and the service will use the service private key to decrypt the message. Besides, on the service side, it will use the client public key to encrypt the message and send it to the client. Then the client will use the client private key to decrypt the message.

    Best Regards,
    Amy Peng



    Sunday, April 19, 2015 8:35 AM
    Moderator