Asked by Berico (United States of America)
WCF Certificate Authorization: How can I enable WCF Authorization based on authenticated certificates?

How, within a WCF Service, can I use ASP.NET roles (via the System.Web.Security.SqlRoleProvider and aspnetdb) where the identity is based on a certificate provided from the client?

I have truly researched this and am not able to successfully implement a solution.  All authorization is based on my windows login.

ASKER CERTIFIED SOLUTION
Darren (Ireland)
Berico (ASKER):

I am currently in an intranet.  The intent, however, is to be able to open our service to the internet, where clients will have certificates.  Initially, we will provide the certificates, but it is very possible that we will have to accept certificates released by other Certificate Authorities.  In that scenario, we will not have any control of the certificates (of course, they will have to register their certificates so that our system can relate them to roles).
No matter what I try, the authorization continues to be windows-based.
 
My server-side config:
  <system.serviceModel>
    <services>
      <service name="Test.ServiceImplementations.BasicService" behaviorConfiguration="CertificateBehavior">
        <endpoint address="http://localhost/Test.ServiceHost.WebCertificate/BasicCertService.svc"
                  binding="wsHttpBinding"
                  bindingConfiguration="WSHttpBinding_CertificateWithMessage"
                  contract="Test.ServiceContracts.IBasicService">
        </endpoint>
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding name="WSHttpBinding_CertificateWithMessage">
          <security mode="Message">
            <transport clientCredentialType="Certificate" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="CertificateBehavior">
          <!--<serviceMetadata httpsGetEnabled="true"/>-->
          <serviceMetadata httpsGetEnabled="true" httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="true"/>
          <serviceCredentials>
            <clientCertificate>
              <authentication certificateValidationMode="PeerTrust" revocationMode="Online"/>
            </clientCertificate>
            <serviceCertificate findValue="TestServer5"
                                x509FindType="FindBySubjectName"
                                storeLocation="LocalMachine"
                                storeName="My">
            </serviceCertificate>
          </serviceCredentials>
          <serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName ="SqlRoleManager"  />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
 
My client-side config:

  <system.serviceModel>
    <client>
      <endpoint name="CertificateServiceClient"
                address="http://TestServer/Test.ServiceHost.WebCertificate/BasicCertService.svc"
                binding="wsHttpBinding"
                bindingConfiguration="WSHttpBinding_CertificateService"
                contract="Test.ServiceContracts.IBasicService"
                behaviorConfiguration="CertificateBehavior">
        <identity>
          <dns value="localhost"/>
        </identity>
      </endpoint>
    </client>
    <bindings>
      <wsHttpBinding>
        <binding name="WSHttpBinding_CertificateService">
          <security mode="Message">
            <transport clientCredentialType="Certificate"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="CertificateBehavior">
          <clientCredentials>
            <clientCertificate findValue="TestClient5"
                               x509FindType="FindBySubjectName"
                               storeLocation="LocalMachine"
                               storeName="My"/>
            <serviceCertificate>
              <authentication certificateValidationMode="ChainTrust" revocationMode="Online"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
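As an added example (not the asker's config and not the accepted answer), here is the server-side configuration adjusted so that the message credential is the client certificate: the posted binding sets clientCredentialType on <transport> while mode is Message, so WCF ignores that element and falls back to the wsHttpBinding message default of Windows, which is why authorization keeps resolving to the Windows login. The connection string name AspNetDb and the <system.web> roleManager section are assumptions; the service, certificate and provider names are the ones from the posted config.

```xml
<!-- Added example, not the asker's or the answer's config. Assumed: a connection
     string named "AspNetDb" pointing at the aspnetdb database. -->
<configuration>
  <connectionStrings>
    <add name="AspNetDb"
         connectionString="Data Source=.;Initial Catalog=aspnetdb;Integrated Security=True" />
  </connectionStrings>
  <system.web>
    <!-- The provider that serviceAuthorization/@roleProviderName refers to. -->
    <roleManager enabled="true" defaultProvider="SqlRoleManager">
      <providers>
        <clear />
        <add name="SqlRoleManager"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="AspNetDb" />
      </providers>
    </roleManager>
  </system.web>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="WSHttpBinding_CertificateWithMessage">
          <security mode="Message">
            <!-- With mode="Message" a <transport> child is ignored; the credential
                 type has to be set on <message>, else it defaults to Windows. -->
            <message clientCredentialType="Certificate" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="CertificateBehavior">
          <serviceCredentials>
            <clientCertificate>
              <!-- PeerTrust: only client certificates present in the LocalMachine
                   TrustedPeople store are accepted; Online checks the CRL. -->
              <authentication certificateValidationMode="PeerTrust" revocationMode="Online" />
            </clientCertificate>
            <serviceCertificate findValue="TestServer5" x509FindType="FindBySubjectName"
                                storeLocation="LocalMachine" storeName="My" />
          </serviceCredentials>
          <!-- Roles are looked up by the certificate-derived identity name. WCF builds it
               as "<subject DN>; <thumbprint>", e.g. "CN=TestClient5; THUMBPRINT_PLACEHOLDER";
               register each client in aspnetdb under that exact name (confirm the value
               by logging ServiceSecurityContext.Current.PrimaryIdentity.Name). -->
          <serviceAuthorization principalPermissionMode="UseAspNetRoles"
                                roleProviderName="SqlRoleManager" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

A quick check that the change took effect: after the edit, PrimaryIdentity.Name should show the certificate subject rather than a DOMAIN\user name.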
Berico (ASKER):

For your first link, I did not install a CRL, which may answer another question that I posted on Friday: why do revoked certificates continue to be authenticated?

The question at hand, though, is focused on authorization based solely on certificates.