Mutual Authentication issue in .NET Console Application (app.config issue)

Posted on 2011-04-18
Last Modified: 2013-12-16
I have a .NET console application that I have successfully tested using user ID and password credentials to send a SOAP request to an XML gateway appliance within our company. Now, after completing client development, I need to replace the user ID credentials with mutual authentication. For mutual authentication I completed the setup as follows...

On the XML Gateway appliance, mutual authentication was enabled and all requests coming to the gateway are checked for a client certificate. This part is already tested and working on the XML Gateway.

On the .NET client application, I added the client certificate that I need to use for MASSL auth to the "Current User" store on my laptop and then tried to reconfigure the app.config to make the client present the client cert to the gateway; this is where I am unable to get it to work. I am sending my app.config (I already checked and can confirm that the client is able to locate and has access to the client certificate location). I have attached my app.config below and need assistance with tweaking the config file to enable mutual authentication.

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.serviceModel>
    <bindings>
      <customBinding>
        <binding name="HumanCustomBinding">
          <security authenticationMode="MutualSslNegotiated" includeTimestamp="false">
            <secureConversationBootstrap />
          </security>
          <textMessageEncoding messageVersion="Soap11">
            <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
          </textMessageEncoding>
          <httpsTransport maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647" maxBufferSize="2147483647" realm="" />
        </binding>
      </customBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="clientEndpointCredential">
          <clientCredentials>
            <clientCertificate storeName="My" storeLocation="CurrentUser" findValue="4ab6efd9889a40e2671a040585f2864814cc1273" />
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>
      <endpoint address="https://dfsadfa_cluster:18443/XYZ" binding="customBinding" bindingConfiguration="HumanCustomBinding" contract="XXService.XXXPort" name="SDSD" />
    </client>
  </system.serviceModel>
</configuration>

I already checked out the links below, which use HTTP binding.

However, for my scenario the endpoint is not a web service but an XML gateway (Layer 7 product), hence I am using a custom binding. I am hoping an expert can tweak the app configuration file above so that my client (console app) presents the client cert stored on my machine (Current User) to the XML gateway, and once mutual auth is established, the SOAP message created within the client is accepted by the XML gateway.

Appreciate your help.
Question by: vemi007

    Expert Comment

    by: Ryan McCauley
    This is a long shot, but are these self-signed certs? If they are, and they were generated locally (using MAKECERT) instead of by a certificate authority (even a local domain one), then it may be getting blocked by the inability to check for revocation. I found this forum post about it:

    And what caught my eye was this comment in particular:

    The certificates created by makecert do not have a value in the "CRL Distribution Points" field. This means that we cannot do revocation check on these certificates. Hence they cannot be used in scenarios where revocation check needs to be done.

    Hopefully this helps shed some light - it looks like you're having a tough time getting your problem solved, so I hope this helps! If not, let me know and I'll try to think of/find something else to get you on your way!

    Accepted Solution

    Thanks Ryan, for taking a stab at it. I just need someone to assist me to tweak the app.config to get the mutual auth to work. By trial and error, I got it to work using the custom binding - Mutual Certificate option. I am good now.

    Author Closing Comment

    I figured out the way to update the config to make it work with mutual authentication, which is what I was looking for when I posted this question here.
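Since the configuration that eventually worked is not shown in the thread, the app.config below is an added example, not the poster's own, of a WCF custom binding that presents a client certificate during the TLS handshake (what the question calls MASSL). It assumes the gateway validates the client certificate at the TLS layer, which is what "all requests coming to the gateway are checked for client certificate" describes, rather than expecting a WS-Security-signed SOAP message; the poster's "Mutual Certificate option" may instead refer to the message-level authenticationMode="MutualCertificate", which this example does not use. Compared with the posted config it makes four changes: the message-level security element with authenticationMode="MutualSslNegotiated" is removed, because it configures WS-Security message protection rather than a TLS client certificate; httpsTransport gets requireClientCertificate="true", which is what makes the HTTPS transport attach the certificate chosen in the endpoint behavior; clientCertificate gets x509FindType="FindByThumbprint", because the default find type is FindBySubjectDistinguishedName, under which a thumbprint in findValue never matches; and the endpoint gets behaviorConfiguration="clientEndpointCredential", without which the behavior is never applied to that endpoint. The address, thumbprint and contract name are the placeholders from the question.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.serviceModel>
    <bindings>
      <customBinding>
        <binding name="HumanCustomBinding">
          <!-- No <security> element: message-level WS-Security is not wanted here.
               The gateway authenticates the client during the TLS handshake. -->
          <textMessageEncoding messageVersion="Soap11">
            <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
                          maxArrayLength="2147483647" maxBytesPerRead="2147483647"
                          maxNameTableCharCount="2147483647" />
          </textMessageEncoding>
          <!-- requireClientCertificate="true" makes the HTTPS transport send the
               certificate selected in the endpoint behavior during the handshake. -->
          <httpsTransport requireClientCertificate="true"
                          maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647"
                          maxBufferSize="2147483647" />
        </binding>
      </customBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="clientEndpointCredential">
          <clientCredentials>
            <!-- x509FindType must match what findValue holds. The default is
                 FindBySubjectDistinguishedName, which never matches a thumbprint.
                 The thumbprint is the placeholder value from the question. -->
            <clientCertificate storeLocation="CurrentUser" storeName="My"
                               x509FindType="FindByThumbprint"
                               findValue="4ab6efd9889a40e2671a040585f2864814cc1273" />
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>
      <!-- behaviorConfiguration ties the certificate behavior to this endpoint;
           without it the clientCertificate element above is never applied. -->
      <endpoint address="https://dfsadfa_cluster:18443/XYZ"
                binding="customBinding" bindingConfiguration="HumanCustomBinding"
                behaviorConfiguration="clientEndpointCredential"
                contract="XXService.XXXPort" name="SDSD" />
    </client>
  </system.serviceModel>
</configuration>
```

Two checks before blaming the config: the private key must be readable by the account that runs the console app (CurrentUser\My is per user, so a scheduled task or service running under another account will not see the certificate at all), and the host name in the endpoint address must match the gateway's server certificate, since WCF's default HTTPS validation rejects the handshake otherwise. A failure at the TLS layer surfaces in WCF as a SecurityNegotiationException ("Could not establish secure channel for SSL/TLS") wrapping a WebException, and the actual cause is in the inner exception.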
