Asked by davism

WCF Service and Two-way SSL

Hi All,

I have done web services before. I know a WCF Service is somewhat similar to a .NET 3.5 web service, the difference being more capabilities and contract usages.

However, one thing I really have not done is two-way SSL for a web service.

How do you set up a WCF Service to use X.509 certificates?

I know I can do a makecert for my server machine. What cert store do I put that in?

Do I do something with the web.config file for my web service? Do I do anything in the code?

When a client that is consuming the web service executes I presume there is something that is done on their side to send the cert when they call the web service. Do I need that cert before they do anything?

At what point do I validate or verify the web service call from them as coming from a valid cert?

Any information on this would be greatly appreciated.

Code samples can be very useful as well.

Thanks
Tags: WCF, C#, Microsoft IIS Web Server

Last comment: davism

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Rahul Agarwal

Log in or sign up to see answer
ASKER
davism

I have seen this one before but I wasn't sure if that was going to work. However, I am looking into this and will get to you asap.
ASKER
davism

This isn't working. I am getting this when I try to add the reference:

There was no endpoint listening at https://192.168.0.4/TestService.svc that could accept the message. This is often caused by an incorrect address or SOAP action.

Any thoughts or ideas on how this could be resolved?

The web.config file on the server where the web service is:

<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.0"/>
  </system.web>

  <system.serviceModel>

    <bindings>
      <wsHttpBinding>
        <binding name="TransportSecurity">
          <security mode="Transport">
            <transport clientCredentialType="Certificate"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="behaviour">
          <serviceMetadata   httpsGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service name="TestListService.ITestservice" behaviorConfiguration="behaviour">
        <endpoint binding="wsHttpBinding"
               contract="TestListService.ITestService"  bindingConfiguration="TransportSecurity">
        </endpoint>
        <!--<endpoint address="mex" binding="mexHttpsBinding"
            name="MetadataBinding" contract="IMetadataExchange"/>-->
       
      </service>
    </services>
   
  </system.serviceModel>
 
   <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
  </system.webServer>

</configuration>
ASKER
davism

I had a site port that was "http" and I had the https. I got rid of the http one, which just leaves the https.

However, I now get this:

Service 'TestService' has zero application (non-infrastructure) endpoints. This might be because no configuration file was found for your application, or because no service element matching the service name could be found in the configuration file, or because no endpoints were defined in the service element.

Anybody have any information on what can cause that?
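One cause of the "zero application endpoints" error that is consistent with the web.config posted earlier: the `<service name>` there is the contract interface, while WCF matches that attribute against the namespace-qualified service class. The following is an added example, not part of the original posts; the class name `TestListService.TestService` is an assumption (only `TestService` appears in the error text).

```xml
<!-- Added example (not from the thread): server-side system.serviceModel for web.config. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="TransportSecurity">
        <security mode="Transport">
          <!-- The caller must present an X.509 certificate during the TLS handshake. -->
          <transport clientCredentialType="Certificate"/>
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="behaviour">
        <serviceMetadata httpsGetEnabled="true"/>
        <!-- Keep this false outside development: true returns exception details to callers. -->
        <serviceDebug includeExceptionDetailInFaults="false"/>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <!-- name: the namespace-qualified service CLASS, the same type named in the
         Service attribute of TestService.svc. Assumed here to be
         TestListService.TestService. The posted config had the interface name,
         so no service element matched the hosted type and no endpoints were loaded. -->
    <service name="TestListService.TestService" behaviorConfiguration="behaviour">
      <!-- contract: the namespace-qualified INTERFACE that carries [ServiceContract],
           spelled exactly as it is declared in code. -->
      <endpoint address=""
                binding="wsHttpBinding"
                bindingConfiguration="TransportSecurity"
                contract="TestListService.ITestService"/>
    </service>
  </services>
</system.serviceModel>
```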
ASKER
davism

Ok, I got a little ways into this. I am able to seemingly get it so another server can access the Web Service. But now I'm getting this on an exception of calling one of the service methods.

The client certificate is not provided. specify a client certificate in clientcredentials.

I have the clientCredentials doing a FindByThumbnail and I am supplying the value of that thumbnail.

On the server even though I have the SSL using the certificate, I have in the web.config for it to use the servicecredential and using the FindByThumbnail on it and I have the Thumbnail of the certificate I applied with the SSL.

I have exported the SSL certificate from the server machine and I have imported it on the client machine.

I have exported the certificate from the client machine and I have imported it on the server machine.

I am still getting that cert issue on the client machine.

Any thoughts or ideas would be greatly appreciated. Anyone?
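The client-side wiring that the "client certificate is not provided" error concerns, shown as an added example that is not part of the original posts. The behavior name, endpoint name, proxy contract name `ServiceReference1.ITestService`, store location and the thumbprint placeholder are assumptions; the address is the one quoted in the thread.

```xml
<!-- Added example (not from the thread): client-side system.serviceModel for app.config. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Must mirror the service binding: transport security, certificate credential. -->
      <binding name="TransportSecurity">
        <security mode="Transport">
          <transport clientCredentialType="Certificate"/>
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <endpointBehaviors>
      <behavior name="ClientCertificate">
        <clientCredentials>
          <!-- The certificate must sit in this store WITH its private key, readable by
               the account that runs the client. Only the public certificate (.cer)
               is ever copied to the server; the private key stays on the client.
               findValue is a placeholder: type the thumbprint by hand, because text
               copied from the certificate dialog can carry an invisible leading character. -->
          <clientCertificate findValue="CLIENT-CERT-THUMBPRINT-PLACEHOLDER"
                             x509FindType="FindByThumbprint"
                             storeLocation="CurrentUser"
                             storeName="My"/>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <client>
    <!-- behaviorConfiguration must name the behavior above. If it is missing, the
         clientCredentials section is never applied to this endpoint and the proxy
         has no certificate to send. -->
    <endpoint name="TestServiceEndpoint"
              address="https://192.168.0.4/TestService.svc"
              binding="wsHttpBinding"
              bindingConfiguration="TransportSecurity"
              behaviorConfiguration="ClientCertificate"
              contract="ServiceReference1.ITestService"/>
  </client>
</system.serviceModel>
```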
Ravi Vaddadi

On the server side, you will set up the binding as https and specify the certificate you would be using.

On the client side, you just use https binding and you don't need to do anything about the certificate. It is the same as browsing an https web site.
ASKER
davism

But with mutual-authentication, wouldn't the client side have to provide their certificate? As otherwise would it not just be one-way authentication?
ASKER
davism

Anybody have any information on this?

I know if I set the security mode to transport and the transport being clientCredentialingType of "Certificate", the Required SSL needs to be checked.

But I cannot then do an Add Service Reference in a C# client app because it says the service returns a "Forbidden".

Any info would be greatly appreciated.
ASKER
davism

Anybody have any thoughts or ideas on this one? I'm a little stumped.
ASKER
davism

Turns out this worked. Even though the technology is older, working with what and how it processed ultimately led to the solution.

Thanks!