How do I log traces for SSL client certificate authentication?

  • Question

  • Hello,

    I successfully enabled SSL client mapping in IIS on a virtual directory and can successfully access the default.html file with an SSL certificate mapped to an AD account. This part works fine.

    There is a service in the same folder, service.svc, and accessing it fails. The config for that service is below. A failed request tracing rule shows authentication failing inside the Service Module. See the image below, where it shows that AUTH in IIS succeeded with SSL type but failed in WCF.

    <system.serviceModel>
        <services>
            <service name="Microsoft.CertificateAuthority.Enrollment.SecurityTokenService" behaviorConfiguration="serviceBehaviorConfigDefault">
                <endpoint address="CES" binding="wsHttpBinding" bindingConfiguration="TransportWithHeaderClientAuth" contract="Microsoft.CertificateAuthority.Enrollment.ISecurityTokenService" />
                <!-- To enable mex, uncomment the following and uncomment the serviceMetadata in corresponding serviceBehaviors -->
                <!-- <endpoint address="mex" binding="wsHttpBinding" bindingConfiguration="TransportWithHeaderClientAuth" contract="IMetadataExchange" />-->
            </service>
        </services>

        <bindings>
            <wsHttpBinding>
                <binding name="TransportWithHeaderClientAuth">
                    <security mode="Transport">
                        <transport clientCredentialType="Windows" />
                        <message clientCredentialType="None" establishSecurityContext="false" negotiateServiceCredential="false" />
                    </security>
                    <readerQuotas maxStringContentLength="131072" />
                </binding>

                <binding name="TransportWithMessageClientAuthUserName">
                    <security mode="TransportWithMessageCredential">
                        <transport clientCredentialType="None" />
                        <message clientCredentialType="UserName" establishSecurityContext="false" negotiateServiceCredential="false" />
                    </security>
                    <readerQuotas maxStringContentLength="131072" />
                </binding>

                <binding name="TransportWithCertificateClientAuth">
                    <security mode="Transport">
                        <transport clientCredentialType="Certificate" />
                        <message clientCredentialType="None" establishSecurityContext="false" negotiateServiceCredential="false" />
                    </security>
                    <readerQuotas maxStringContentLength="131072" />
                </binding>
            </wsHttpBinding>
        </bindings>

        <behaviors>
            <serviceBehaviors>
                <behavior name="serviceBehaviorConfigClientAuth">
                    <serviceThrottling maxConcurrentCalls="1024" maxConcurrentSessions="1024" maxConcurrentInstances="1024" />
                    <serviceCredentials>
                        <clientCertificate>
                            <authentication includeWindowsGroups="true" mapClientCertificateToWindowsAccount="true" revocationMode="Online" trustedStoreLocation="LocalMachine" />
                        </clientCertificate>
                    </serviceCredentials>
                    <!-- To enable mex uncomment the following -->
                    <!-- <serviceMetadata httpsGetEnabled="true" httpsGetUrl="" /> -->
                </behavior>

                <behavior name="serviceBehaviorConfigDefault">
                    <serviceThrottling maxConcurrentCalls="1024" maxConcurrentSessions="1024" maxConcurrentInstances="1024" />
                    <!-- To enable mex uncomment the following -->
                    <!-- <serviceMetadata httpsGetEnabled="true" httpsGetUrl="" /> -->
                </behavior>
            </serviceBehaviors>
        </behaviors>
    </system.serviceModel>

    Thursday, December 19, 2013 9:55 PM

Answers

  • Hi,

    I saw that you have used the following:

    <endpoint address="CES" binding="wsHttpBinding" bindingConfiguration="TransportWithHeaderClientAuth" 
    contract="Microsoft.CertificateAuthority.Enrollment.ISecurityTokenService" />

    and from the above, we can see that you have used the TransportWithHeaderClientAuth bindingConfiguration:

    <binding name="TransportWithHeaderClientAuth">
        <security mode="Transport">
            <transport clientCredentialType="Windows" />
            <message clientCredentialType="None" establishSecurityContext="false" negotiateServiceCredential="false" />
        </security>
        <readerQuotas maxStringContentLength="131072" />
    </binding>

    So you are using Windows authentication, not certificate authentication.
    Please try changing it to use TransportWithCertificateClientAuth instead.

    Best Regards,
    Amy Peng 



    • Marked as answer by artisticcheese Friday, December 20, 2013 5:29 PM
    Friday, December 20, 2013 6:30 AM
    Moderator
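Putting the answer's fix together with the tracing the question's title asks about, as an added example that is not part of either post: the endpoint switched from the TransportWithHeaderClientAuth binding (clientCredentialType="Windows") to the page's own TransportWithCertificateClientAuth binding (clientCredentialType="Certificate"), and a standard WCF System.ServiceModel trace source writing to a .svclog file so that the failure inside WCF can be read instead of guessed at. Assumptions: the service is switched to the serviceBehaviorConfigClientAuth behavior, which the original config defines but never references (whether WCF-level certificate-to-account mapping is needed on top of the IIS mapping depends on the deployment), the log path is a placeholder, and the bindings and behaviors sections are the unchanged ones from the question.

```xml
<!-- Added example: web.config fragments for the service in the question; not from the original posts. -->
<configuration>
  <system.serviceModel>
    <services>
      <!-- Before (from the question): bindingConfiguration="TransportWithHeaderClientAuth"
           whose <transport clientCredentialType="Windows" /> makes WCF expect Windows auth
           although IIS negotiated an SSL client certificate.
           After: the certificate binding the original config already defines. -->
      <service name="Microsoft.CertificateAuthority.Enrollment.SecurityTokenService"
               behaviorConfiguration="serviceBehaviorConfigClientAuth">   <!-- assumption: mapping behavior -->
        <endpoint address="CES"
                  binding="wsHttpBinding"
                  bindingConfiguration="TransportWithCertificateClientAuth"
                  contract="Microsoft.CertificateAuthority.Enrollment.ISecurityTokenService" />
      </service>
    </services>
    <!-- <bindings> and <behaviors> are unchanged from the question's config:
         TransportWithCertificateClientAuth = security mode="Transport",
         transport clientCredentialType="Certificate". -->
  </system.serviceModel>

  <!-- WCF tracing: records the authentication failure the failed request tracing rule
       only reports as "failed in WCF". Level and path are assumptions to adjust;
       the application pool identity must be able to write to the path. -->
  <system.diagnostics>
    <sources>
      <source name="System.ServiceModel"
              switchValue="Warning, ActivityTracing"
              propagateActivity="true">
        <listeners>
          <add name="svclog" />
        </listeners>
      </source>
    </sources>
    <sharedListeners>
      <add name="svclog"
           type="System.Diagnostics.XmlWriterTraceListener"
           initializeData="C:\Logs\ServiceTraces.svclog" />   <!-- placeholder path -->
    </sharedListeners>
    <trace autoflush="true" />
  </system.diagnostics>
</configuration>
```

Open the resulting .svclog in the Service Trace Viewer (SvcTraceViewer.exe): the request that fails authentication appears as a red activity whose traces include the security exception WCF raised, which is far more specific than the IIS failed request trace. Raise switchValue to "Information, ActivityTracing" only while diagnosing, since that level records every request.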