WCF SSL/Require Client Certificates + Silverlight, IIS6 Issue

    Question

  • Hello,

    I am a government contractor that has the following requirements that must be set up in IIS6 to host a Silverlight app and corresponding WCF service:

    1. Authentication Methods - none checked.
    2. Secure Communications - SSL required + Require Client Certificates checked.

    Given that, Silverlight only supports two client bindings to talk to WCF, customBinding and basicHttpBinding.  We have found only two ways to support the configuration mentioned above in IIS: first, we use wsHttpBinding (this is not allowed), or we could check Anonymous as authentication in IIS6 (this is also not allowed).  If Anonymous is not checked, WCF on the server side will attempt to verify/validate that its hosting environment is set up correctly and it will throw.

    Attempting to set the httpsTransport scheme to Anonymous leads to:

    System.NotSupportedException: Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.

    Attempting to set it to None results in:

    ArgumentException: The 'None' authentication scheme has been specified on the HTTP factory. However, the factory only supports specification of exactly one authentication scheme. Valid authentication schemes are Digest, Negotiate, NTLM, Basic, or Anonymous.

     

    Attempting many other configurations of the bindings available results in yet other, but similar, exceptions.  So, my outstanding question is two-fold:

     

    1. Is there any way to use either a custom or basic binding to satisfy transport level security that matches my IIS settings requirements?  I can *not* vary those settings at all.
    2. If not, is there any way to tell WCF to just trust that I have the binding set up correctly and not attempt to configure itself against the hosting environment?

    Thanks in advance,

    Marc

    Thursday, March 10, 2011 7:57 PM

Answers

  • Hello, if you check "Require Client Certificates", it means you want to use transport security with client certificate authentication. But this is not supported by Silverlight. So you have two options:

    1. Do not use Silverlight. Use a client that supports client certificate authentication (such as WPF). Then your WCF service should also be configured to use certificate authentication:

              <binding>
                <security mode="Transport">
                  <transport clientCredentialType="Certificate"/>
                </security>
              </binding>

    2. Uncheck "Require Client Certificates". You can use a Silverlight-friendly security mechanism. For example, Silverlight supports message security: http://msdn.microsoft.com/en-us/library/dd833059(v=VS.95).aspx.


    Lante, shanaolanxing This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Yi-Lun Luo Thursday, March 17, 2011 9:04 AM
    Tuesday, March 15, 2011 2:09 AM
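
Option 1 from the answer above, seen from the client side, as an added example that is not part of the original thread: a .NET desktop client (such as WPF) presents a client certificate over a transport-secured binding. The contract `IReportService`, the endpoint URL, the choice of `BasicHttpBinding` and the thumbprint placeholder are assumptions; the thread shows none of them.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Hypothetical contract; the thread does not show the real service interface.
[ServiceContract]
public interface IReportService
{
    [OperationContract]
    string Ping(string message);
}

public static class CertificateClient
{
    public static void Main()
    {
        // HTTPS transport security; the client certificate is presented in the
        // TLS handshake, mirroring <transport clientCredentialType="Certificate"/>.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType =
            HttpClientCredentialType.Certificate;

        // Placeholder address (assumption).
        var address = new EndpointAddress(
            "https://service.example.test/ReportService.svc");

        var factory = new ChannelFactory<IReportService>(binding, address);

        // Pick the certificate (with private key) from the current user's
        // personal store. Replace the placeholder with the real thumbprint.
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My,
            X509FindType.FindByThumbprint, "<CLIENT-CERT-THUMBPRINT>");

        IReportService channel = factory.CreateChannel();
        try
        {
            Console.WriteLine(channel.Ping("hello"));
            ((IClientChannel)channel).Close();
            factory.Close();
        }
        catch (CommunicationException)
        {
            // A faulted channel cannot be closed cleanly; Abort releases it.
            ((IClientChannel)channel).Abort();
            factory.Abort();
            throw;
        }
    }
}
```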