REST. SSL. Client certificate is required. No certificate was found in the request.

  • Question

  • Hi.

    Using this blog post, I bound the certificate to the needed port for my self-hosted REST service.

    But I can't consume it in the browser... What am I doing wrong? If I set up Fiddler to respond with the needed certificate, everything works OK. How can the service host and the browser reach agreement on the certificate? What should I do?

    My app.config is the following:

            <binding name="NewBinding0">
              <security mode="Transport">
                <transport clientCredentialType="Certificate" />
          <service behaviorConfiguration="Security" name="Microsoft.Samples.BasicHttpService.Service">
            <endpoint address="https://localhost:8015" binding="webHttpBinding"
              bindingConfiguration="NewBinding0" name="test" contract="Microsoft.Samples.BasicHttpService.IService"
              kind="webHttpEndpoint" endpointConfiguration="" />
            <endpoint address="https://localhost:8016" binding="mexHttpsBinding"
              bindingConfiguration="" name="MEX" contract="IMetadataExchange"
              kind="mexEndpoint" endpointConfiguration="mex" />
            <behavior name="Security">
              <serviceMetadata httpGetBinding="webHttpBinding" httpGetBindingConfiguration="" />
                  <certificate findValue="7b15ff37931976ea3aca64e8a9974f1f5b63d0fa"
                    x509FindType="FindByThumbprint" />
                <serviceCertificate findValue="7b15ff37931976ea3aca64e8a9974f1f5b63d0fa"
                  x509FindType="FindByThumbprint" />
            <behavior name="metadata">
              <serviceMetadata />
            <standardEndpoint name="mex" />

    Thanks in advance.

    • Edited by Sharov A Tuesday, December 3, 2013 5:23 PM
    Tuesday, December 3, 2013 5:21 PM


All replies

  • Hi,

    Have you configured your SSL Certificate with netsh?

    Here's an example of its usage:

    netsh http add sslcert ipport=<ip address>:<port> certhash=<your certificate thumbprint> appid={<arbitrary guid>}

    And here's a topic that describes it in more detail: .

    Also please try to check the following:
    #SSL with Self-hosted WCF Service: .

    Best Regards,
    Amy Peng

    Wednesday, December 4, 2013 9:50 AM
  • Hi, Amy !

    Here is what I got after I ran "netsh http show urlacl" in the console:

        Reserved URL            : https://+:8015/
            User: Some\Some
                Listen: Yes
                Delegate: No
                SDDL: D:(A;;GX;;;S-1-5-21-1380874498-1941278810-846066327-1642)

    I mentioned the blog post (here), where there is everything I need to do.

    As I mentioned before, consuming directly from browsers doesn't work... Only if I set up Fiddler to respond with the certificate. Do I have to set up the browser somehow, or modify the service?

    I guess the service should somehow ask the client (browser) if it would like to install the certificate. But should it occur automatically, or do I have to write some code or settings?
    • Edited by Sharov A Wednesday, December 4, 2013 10:29 AM
    Wednesday, December 4, 2013 10:08 AM
  • And in the trace log there is a warning: "Client certificate is required. No certificate was found in the request", and a 403 over HTTPS for the browser request as a result.

    Also, I don't know whether it is relevant, but on the Construct ServiceHost activity I got a "Configuration evaluation context not found" warning.

    Wednesday, December 4, 2013 10:22 AM
  • Anyone?

    • Edited by Sharov A Friday, December 6, 2013 9:58 AM spell correction
    Friday, December 6, 2013 9:58 AM
  • Solved.

    Line: <transport clientCredentialType="Certificate" />

    should be deleted...

    Thanks to Eric Lawrence. More details here.

    • Marked as answer by Sharov A Wednesday, December 11, 2013 8:51 AM
    Wednesday, December 11, 2013 8:51 AM
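
An added example, not code from the thread or from the blog post it links: a Python check that reads a WCF configuration and reports which endpoints demand a client certificate at the transport layer, the setting behind the 403 discussed above. The sample configuration is constructed (the question's fragment completed with the wrapper elements it omits), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: binding name, addresses and service name come from the
# question; the surrounding wrapper elements are assumed standard WCF layout.
SAMPLE_CONFIG = """<configuration>
  <system.serviceModel>
    <bindings>
      <webHttpBinding>
        <binding name="NewBinding0">
          <security mode="Transport">
            <transport clientCredentialType="Certificate" />
          </security>
        </binding>
      </webHttpBinding>
    </bindings>
    <services>
      <service name="Microsoft.Samples.BasicHttpService.Service">
        <endpoint address="https://localhost:8015" binding="webHttpBinding"
                  bindingConfiguration="NewBinding0" name="test" />
        <endpoint address="https://localhost:8016" binding="mexHttpsBinding"
                  bindingConfiguration="" name="MEX" />
      </service>
    </services>
  </system.serviceModel>
</configuration>"""

def client_auth_by_endpoint(config_xml):
    """Map endpoint address -> explicit transport clientCredentialType."""
    model = ET.fromstring(config_xml).find("system.serviceModel")
    explicit = {}  # (binding type, binding name) -> credential type
    for binding_type in model.findall("bindings/*"):
        for binding in binding_type.findall("binding"):
            security = binding.find("security")
            # The <transport> settings only apply when mode="Transport".
            if security is None or security.get("mode") != "Transport":
                continue
            transport = security.find("transport")
            cred = transport.get("clientCredentialType") if transport is not None else None
            if cred:
                explicit[(binding_type.tag, binding.get("name", ""))] = cred
    return {ep.get("address"): explicit.get(
                (ep.get("binding"), ep.get("bindingConfiguration", "")), "binding default")
            for ep in model.findall("services/service/endpoint")}

def endpoints_requiring_client_cert(config_xml):
    """Addresses where a caller without a client certificate is rejected."""
    found = client_auth_by_endpoint(config_xml)
    return sorted(addr for addr, cred in found.items() if cred == "Certificate")

if __name__ == "__main__":
    for address, cred in client_auth_by_endpoint(SAMPLE_CONFIG).items():
        print(f"{address}: clientCredentialType={cred}")
```

With the `<transport clientCredentialType="Certificate" />` line deleted, as in the accepted answer, the port 8015 endpoint drops out of the report: the service no longer requests a client certificate, so callers are no longer authenticated by one.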