Accessing SSL client certificate during authentication

    Question

  • I've created a WCF service with the basicHttpBinding and

    "TransportWithMessageCredential" security mode. The binding configuration is:

    <binding name="UsernameBindingConfig">
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName"/>
        <transport clientCredentialType="Certificate"/>
      </security>
    </binding>

     

    The username and password are authenticated against the database via a custom UsernamePasswordValidator. However, the identity in the database is uniquely identified by not only the Username and Password, but also the client Application name, which is the subject name of the client certificate. Does anyone know how to access the SSL client certificate from the custom UsernamePasswordValidator? If this is not possible, what is the best way to handle a situation like this? Any feedback or comment on this will be greatly appreciated. Thanks in advance.

    Thursday, September 18, 2008 4:58 PM

Answers

  • Hi Yudong,

     

    Yes, there is a way to make it fully configurable. I forgot to point you to this blog post: http://weblogs.asp.net/cibrax/archive/2008/03/26/authenticating-users-with-supporting-tokens-in-wcf-binding-extension.aspx

     

    Regarding the certificate validator, yes, if you use the supporting token solution above, it will be called during the authentication process. I used that solution in a scenario that was exactly the same as you want to implement.

     

    One thing regarding SSL: SSL is for securing the communication channel and authenticating the server only. I think what you need here is to authenticate the client (client application) with a certificate as well, so Client Certificate + Username (supporting tokens) is the right configuration. The certificate validator is only called to validate client certificates, so it will be called in this case.

     

    Regards,

    Pablo.

    Friday, September 19, 2008 12:39 PM

All replies

  • Hi Yudong,

     

    That's not the correct binding configuration for the scenario you describe. You should be using Supporting Tokens; there are good examples in the links below:

     

    http://weblogs.asp.net/cibrax/archive/2008/01/22/authenticating-users-with-supporting-tokens-in-wcf.aspx

    http://www.leastprivilege.com/UserNameSupportingTokenInWCF.aspx

     

    You are also going to need a CertificateValidator (Similar to the usernamePasswordValidator) to validate the certificate.

     

    Regards,

    Pablo.

     

    Thursday, September 18, 2008 5:21 PM
  • Pablo,

     

    Thanks a lot for the response. Yes, you're right that the binding I'm using is wrong. I've looked at the Supporting Token solution you mentioned in your message and found out it requires message-level security with a custom binding, and custom code needs to be deployed to the client. This doesn't work for us because we need to support a client that only supports the username token over SSL (with mutual certificates), and deploying custom code to the client is not an option. Can we make the Supporting Token solution fully configurable?

     

    I did some research myself, and it seems to me that a custom binding with authenticationMode = UserNameOverTransport might do the trick. Here's the binding configuration:

    <customBinding>
      <binding name="UsernameOverTransportBindingConfig">
        <security authenticationMode="UserNameOverTransport">
        </security>
        <textMessageEncoding messageVersion="Soap11WSAddressing10"/>
        <httpsTransport requireClientCertificate="true" />
      </binding>
    </customBinding>

    When I use this binding on both client and service, I find the username, password and certificate info in AuthorizationContext.ClaimSets, and OperationContext.Current.HasSupportingTokens = true. However, there's not much documentation about what happens behind the scenes with this binding. Do you think it is the right solution for my situation?

     

    Another question is: even with your Supporting Token solution, you can only access the username and certificate info during the authorization rather than the authentication process. OperationContext.Current and ServiceSecurityContext.Current are both null in the custom validator, and the CertificateValidator never gets called with SSL transport security. So how can I get the SSL client certificate during the authentication?

     

    Thanks!

    Thursday, September 18, 2008 10:07 PM
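The post above observes that with the UserNameOverTransport custom binding and requireClientCertificate="true", both the validated username and the HTTPS client certificate are present in AuthorizationContext.ClaimSets once the call reaches the authorization stage. The following is an added example, not code from the thread or from WCF's own samples: a ServiceAuthorizationManager that reads both claim sets and checks the (username, certificate subject) pair as one identity. The class name, the IsKnownIdentity stand-in for the database lookup, and the values it accepts ("alice", "OrderingApp", the thumbprint) are all constructed for illustration.

```csharp
using System;
using System.IdentityModel.Claims;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Added example (hypothetical class, not from the thread): runs after the
// UserNamePasswordValidator has accepted the password, and pairs the
// username with the client certificate presented on the HTTPS connection.
// With the UserNameOverTransport customBinding both credentials are exposed
// as claim sets in the AuthorizationContext, so the pairing that the
// validator cannot do (it never sees the transport certificate) is done here.
public class CertificateAndUserAuthorizationManager : ServiceAuthorizationManager
{
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        ServiceSecurityContext securityContext = operationContext.ServiceSecurityContext;
        if (securityContext == null || securityContext.IsAnonymous)
        {
            return false; // no authenticated caller at all: deny
        }

        string userName = null;
        X509Certificate2 clientCertificate = null;

        foreach (ClaimSet claimSet in securityContext.AuthorizationContext.ClaimSets)
        {
            // The transport-level client certificate surfaces as an
            // X509CertificateClaimSet. It also carries a Name claim of its own,
            // so it is handled first and skipped when looking for the username.
            X509CertificateClaimSet certificateClaims = claimSet as X509CertificateClaimSet;
            if (certificateClaims != null)
            {
                clientCertificate = certificateClaims.X509Certificate;
                continue;
            }

            // The validated UserName token surfaces as a Name claim the caller possesses.
            foreach (Claim claim in claimSet.FindClaims(ClaimTypes.Name, Rights.PossessProperty))
            {
                userName = claim.Resource as string;
            }
        }

        if (userName == null || clientCertificate == null)
        {
            return false; // either credential missing: deny rather than fall back to username only
        }

        // The client application name is taken from the certificate's subject common name.
        string applicationName = clientCertificate.GetNameInfo(X509NameType.SimpleName, false);

        return IsKnownIdentity(userName, applicationName, clientCertificate.Thumbprint);
    }

    // Stand-in for the database lookup keyed by (username, application name).
    // The thumbprint is checked too, so a different certificate that merely
    // carries the same subject name is not accepted. Values are constructed.
    private static bool IsKnownIdentity(string userName, string applicationName, string thumbprint)
    {
        return userName == "alice"
            && applicationName == "OrderingApp"
            && string.Equals(thumbprint,
                             "0123456789ABCDEF0123456789ABCDEF01234567",
                             StringComparison.OrdinalIgnoreCase);
    }
}
```

The manager is registered in the service behavior with serviceAuthorization serviceAuthorizationManagerType="Namespace.CertificateAndUserAuthorizationManager, Assembly" (names assumed). The custom validator still rejects bad passwords at authentication time; a username that is valid but paired with the wrong certificate is refused here, so it surfaces to the client as an access-denied fault rather than an authentication failure.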
  • Hi,

     

    Please see the following thread: http://forums.microsoft.com/msdn/ShowPost.aspx?PostID=3850512&SiteID=1

     

    HTH

    Pedro Félix

     

    Friday, September 19, 2008 12:04 PM
    Moderator
  • Pablo,

     

    I think your solution is exactly what we're looking for if the client certificate is authenticated at the message level. And yes, the certificate validator gets called in this case. But unfortunately, we have to deal with the client certificate that comes in at the HTTPS transport level (you can set up HTTPS to always require client authentication). I've verified that the WCF certificate validator is NOT called during the client authentication process. I guess we can simply change the client to use message-level security completely since it's all configurable now.

     

    Thanks for your help!

     

    Friday, September 19, 2008 3:02 PM