  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1013

Mutual Authentication issue in .NET Console Application (app.config issue)

I have a .NET console application that I have successfully tested using user ID and password credentials to send a SOAP request to an XML gateway appliance within our company. Now, after completing client development, I need to replace the user ID credentials with mutual authentication. For mutual authentication I completed the setup as follows...

On the XML Gateway appliance, mutual authentication was enabled and all requests coming to the gateway are checked for a client certificate. This part is already tested and working on the XML Gateway.

On the .NET client application, I added the client certificate that I need to use for MASSL auth to the "Current User" store on my laptop, and then I tried to reconfigure the app.config to make the client present the client cert to the gateway; this is where I am unable to get it to work. I am sending my app.config (I already checked and can confirm that the client is able to locate and has access to the client certificate location). I have attached my app.config below and need assistance with tweaking the config file to enable mutual authentication.

app.config
=========
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.serviceModel>
    <bindings>
      <customBinding>
        <binding name="HumanCustomBinding">
          <security authenticationMode="MutualSslNegotiated" includeTimestamp="false">
            <secureConversationBootstrap />
          </security>
          <textMessageEncoding messageVersion="Soap11">
            <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
              maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
          </textMessageEncoding>
          <httpsTransport maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647"
            maxBufferSize="2147483647" realm="" />
        </binding>
      </customBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="clientEndpointCredential">
          <clientCredentials>
            <clientCertificate storeName="My" storeLocation="CurrentUser"
                               x509FindType="FindByThumbprint"
                               findValue="4ab6efd9889a40e2671a040585f2864814cc1273" />
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
      <serviceBehaviors/>
    </behaviors>
    <client>
      <endpoint address="https://dfsadfa_cluster:18443/XYZ"
                behaviorConfiguration="clientEndpointCredential"
                binding="customBinding" bindingConfiguration="HumanCustomBinding"
                contract="XXService.XXXPort" name="SDSD" />
    </client>
  </system.serviceModel>
</configuration>

I already checked out the following links below, which use HTTP binding:

http://msdn.microsoft.com/en-us/library/ff650785.aspx
http://blogs.ugidotnet.org/cfolini/archive/2008/01/04/90561.aspx

However, for my scenario my endpoint is not a web service but rather an XML gateway (Layer 7 product), hence I am using a custom binding. I am hoping an expert can tweak my above app configuration file to ensure that my client (console app) presents the client cert stored on my machine (Current User) to the XML gateway and, once mutual auth is established, the SOAP message created within the client is accepted by the XML gateway.

Appreciate your help.
Asked by: vemi007
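A transport-level (TLS) mutual authentication variant of the posted binding, added here as an example; it is not from the original post or from the comments below. The posted config asks for message-level security (authenticationMode="MutualSslNegotiated"), which protects the SOAP body with WS-Security headers and does not by itself make the HTTPS transport send a client certificate during the TLS handshake, because httpsTransport defaults to requireClientCertificate="false". If the gateway checks the client certificate at the TLS layer, as the question describes, the httpsTransport element needs requireClientCertificate="true" and the security element is dropped. The endpoint address, contract name and thumbprint are copied from the question and are placeholders only; the binding name HumanCustomBindingTls is an assumption:

```xml
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.serviceModel>
    <bindings>
      <customBinding>
        <!-- No <security> element: the client is authenticated in the TLS
             handshake, not by WS-Security headers inside the SOAP envelope. -->
        <binding name="HumanCustomBindingTls">
          <textMessageEncoding messageVersion="Soap11">
            <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
              maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
          </textMessageEncoding>
          <!-- requireClientCertificate="true" makes the HTTPS transport present the
               certificate selected under clientCredentials/clientCertificate. -->
          <httpsTransport requireClientCertificate="true"
                          maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647"
                          maxBufferSize="2147483647" />
        </binding>
      </customBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="clientEndpointCredential">
          <clientCredentials>
            <!-- Thumbprint copied from the question (placeholder). The certificate in
                 CurrentUser\My must carry its private key, and if the gateway performs
                 revocation checking it also needs a CRL Distribution Points extension
                 (the point raised in the accepted comment). -->
            <clientCertificate storeName="My" storeLocation="CurrentUser"
                               x509FindType="FindByThumbprint"
                               findValue="4ab6efd9889a40e2671a040585f2864814cc1273" />
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>
      <endpoint address="https://dfsadfa_cluster:18443/XYZ"
                behaviorConfiguration="clientEndpointCredential"
                binding="customBinding" bindingConfiguration="HumanCustomBindingTls"
                contract="XXService.XXXPort" name="SDSD" />
    </client>
  </system.serviceModel>
</configuration>
```

Two checks worth making before blaming the binding: the gateway's server certificate must chain to a root trusted by the client machine, since the HTTPS transport aborts the handshake before any client certificate is sent if it does not; and a thumbprint pasted from the Windows certificate UI often carries an invisible leading character, so retype it or paste it into a plain-text editor first. The authenticationMode="MutualCertificate" option the author reports as working is a different mechanism: it signs the SOAP message with the client certificate at the message level and requires the gateway's certificate to be configured under serviceCertificate, rather than authenticating the TLS connection itself.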
1 Solution
 
Ryan McCauleyCommented:
This is a long shot, but are these self-signed certs? If they are, and they were generated locally (using MAKECERT) instead of by a certificate authority (even a local domain one), then it may be getting blocked by the inability to check for revocation. I found this forum post about it:

http://social.msdn.microsoft.com/forums/en-US/wcf/thread/421884d8-aca3-4d56-94a0-53eb668e45b8/

And what caught my eye was this comment in particular:

The certificates created by makecert do not have a value in the "CRL Distribution Points" field. This means that we cannot do revocation check on these certificates. Hence they cannot be used in scenarios where revocation check needs to be done.

Hopefully this helps shed some light - it looks like you're having a tough time getting your problem solved, so I hope this helps! If not, let me know and I'll try to think of/find something else to get you on your way!
 
vemi007Author Commented:
Thanks Ryan, for taking a stab at it. I just need someone to assist me to tweak the app.config to get the mutual auth to work. By trial and error, I got it to work using the Custom binding - Mutual Certificate option. I am good now.
 
vemi007Author Commented:
I figured out the way to update the config to make it work with mutual authentication, which is what I was looking for when I posted this question here.
