WCF service with multiple client certificates

Question

  • Hi,

    How can I specify multiple client certificates for my service? I have a service with netTcpBinding hosted in IIS, which will be consumed by multiple clients. Each client will have its own certificate. I want the service to have a list of certificates of clients which are allowed to call it; for others it should fail.

    Service behavior configuration only allows one client certificate value, so how can I specify multiple client certificates? My present service web.config is:

    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="false" />
          <serviceCredentials>
            <serviceCertificate findValue="KdService" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
            <clientCertificate>
              <authentication certificateValidationMode="None" revocationMode="NoCheck" />
              <certificate findValue="KdService" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
            </clientCertificate>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>

    singhhome
    Wednesday, October 13, 2010 5:21 PM

Answers

  • There is no need to configure a specific client certificate on the server (as above). That kind of config goes on the client side.

    The server has a policy which determines how to validate client certificates. This is exactly so that the server will be able to work with multiple clients.

    The policy is determined by the certificateValidationMode attribute:

    <behaviors>
      <serviceBehaviors>
        <behavior name="NewBehavior0">
          <serviceCredentials>
            <clientCertificate>
              <authentication certificateValidationMode="Custom" />
            </clientCertificate>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>


    These are the possible values:

    http://msdn.microsoft.com/en-us/library/system.servicemodel.security.x509certificatevalidationmode.aspx

    Where:

    "None" accepts any client certificate

    "Custom" allows you to write a class that validates each certificate (so you can accept only a fixed set of them)

    And the others do validation based on how the certificate is trusted by the Windows certificate store.

    http://webservices20.blogspot.com/
    WCF Security, Interoperability And Performance Blog
    • Marked as answer by singhhome Thursday, October 14, 2010 5:59 PM
    Wednesday, October 13, 2010 9:32 PM
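A worked version of the "Custom" mode described in the answer, added here as an illustration and not code from the thread: an X509CertificateValidator that first performs normal chain and revocation checking (which "Custom" switches off) and then accepts only client certificates whose thumbprints are on a fixed allow list. The namespace, assembly name and thumbprint values are assumed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

namespace KdService.Security // assumed namespace
{
    // Replaces the <certificate> element from the question; web.config wiring:
    //   <clientCertificate>
    //     <authentication certificateValidationMode="Custom"
    //       customCertificateValidatorType="KdService.Security.AllowListCertificateValidator, KdService" />
    //   </clientCertificate>
    // WCF creates the validator through its parameterless constructor.
    public class AllowListCertificateValidator : X509CertificateValidator
    {
        // Placeholder thumbprints (hex as shown in the certificate MMC, no spaces);
        // replace with the thumbprints of the real client certificates.
        private static readonly HashSet<string> AllowedThumbprints = new HashSet<string>(
            new[] { "0000000000000000000000000000000000000001",
                    "0000000000000000000000000000000000000002" },
            StringComparer.OrdinalIgnoreCase);

        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
                throw new ArgumentNullException("certificate");

            // 1. Trust check: "Custom" bypasses WCF's built-in chain validation, so the
            //    chain must still be built to a trusted root, with revocation checked.
            var chain = new X509Chain();
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            if (!chain.Build(certificate))
            {
                var reasons = new List<string>();
                foreach (X509ChainStatus status in chain.ChainStatus)
                    reasons.Add(status.Status.ToString());
                throw new SecurityTokenValidationException(
                    "Client certificate chain invalid for " + certificate.Subject +
                    ": " + string.Join(", ", reasons.ToArray()));
            }

            // 2. Allow list: only the enumerated client certificates may call the service.
            if (!AllowedThumbprints.Contains(certificate.Thumbprint))
                throw new SecurityTokenValidationException(
                    "Client certificate not on the allow list: " + certificate.Subject);
        }
    }
}
```

A rejected certificate surfaces to the caller as a security fault, and the exception message is only visible on the server unless includeExceptionDetailInFaults is enabled.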