WCF Service and Two-way SSL

Posted on 2013-09-24
Medium Priority
Last Modified: 2013-12-16
Hi All,

I have done web services before. I know a WCF Service is somewhat familiar to a .net 3.5 web service, the difference being more capabilities and contract usages.

However, one thing I really have not done is two-way SSL for a web service.

How do you set up a WCF Service to use x509 certifications?

I know I can do a makecert for my server machine? What cert store do I put that in?

Do I do something with the web.config file for my web service? Do I do anything in the code?

When a client that is consuming the web service executes I presume there is something that is done on their side to send the cert when they call the web service. Do I need that cert before they do anything?

At what point do I validate or verify the web service call from them as coming from a valid cert?

Any information on this would be greatly appreciated.

Code samples can be very useful as well.

Question by:davism

Accepted Solution

Rahul Agarwal earned 2000 total points
ID: 39526972

Author Comment

ID: 39541626
I have seen this one before but I wasn't sure if that was going to work. However, I am looking into this and will get to you asap.

Author Comment

ID: 39550833
This isn't working. I am getting this when I try to add the reference:

There was no endpoint listening at that could accept the message. This is often caused by an incorrect address or SOAP action.

Any thoughts or ideas on how this could be resolved?

Server where WebService is web.config file.

<?xml version="1.0"?>
<configuration>
  <system.web><compilation debug="true" targetFramework="4.0"/></system.web>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="TransportSecurity">
          <security mode="Transport">
            <transport clientCredentialType="Certificate"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="behaviour">
          <serviceMetadata httpsGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service name="TestListService.ITestservice" behaviorConfiguration="behaviour">
        <endpoint binding="wsHttpBinding"
               contract="TestListService.ITestService"  bindingConfiguration="TransportSecurity"/>
        <!--<endpoint address="mex" binding="mexHttpsBinding"
            name="MetadataBinding" contract="IMetadataExchange"/>-->
      </service>
    </services>
  </system.serviceModel>
  <system.webServer><modules runAllManagedModulesForAllRequests="true"/></system.webServer>
</configuration>

Author Comment

ID: 39550919
I had a site port that was "http" and I had the https. I got rid of the http one, which just leaves the https.

However, I now get this:

Service 'TestService' has zero application (non-infrastructure) endpoints. This might be because no configuration file was found for your application, or because no service element matching the service name could be found in the configuration file, or because no endpoints were defined in the service element.

Anybody have any information on what can cause that?

Author Comment

ID: 39553263
Ok, I got a little ways into this. I am able to seemingly get it so another server can access the Web Service. But now I'm getting this on an exception of calling one of the service methods.

The client certificate is not provided. specify a client certificate in clientcredentials.

I have the clientCredentials doing a FindByThumbnail and I am supplying the value of that thumbnail.

On the server even though I have the SSL using the certificate, I have in the web.config for it to use the servicecredential and using the FindByThumbnail on it and I have the Thumbnail of the certificate I applied with the SSL.

I have exported the SSL certificate from the server machine and I have imported it on the client machine.

I have exported the certificate from the client machine and I have imported it on the server machine.

I am still getting that cert issue on the client machine.

Any thoughts or ideas would be greatly appreciated. Anyone?
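
As an added illustration that is not part of the thread: a C# client for a wsHttpBinding endpoint with Transport security and clientCredentialType="Certificate" attaches its certificate explicitly, and doing the store lookup first separates a thumbprint that does not resolve from a certificate that was imported without its private key. The Ping operation, the service URL and the thumbprint are hypothetical placeholders.

```csharp
// Added example, not code from the thread. ITestService.Ping, the URL and
// the thumbprint are hypothetical placeholders.
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

[ServiceContract]
public interface ITestService
{
    [OperationContract]
    string Ping();   // hypothetical operation
}
public static class Program
{
    // Resolve the certificate ourselves so a bad thumbprint or a certificate
    // without a private key fails with a clear message before any call is made.
    static X509Certificate2 LoadClientCertificate(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly: false, so expired or untrusted certificates are still found
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException("No certificate with that thumbprint in CurrentUser\\My.");
            var cert = found[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key; it cannot authenticate a client.");
            if (DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter)
                throw new InvalidOperationException("Certificate is outside its validity period.");
            return cert;
        }
        finally { store.Close(); }
    }
    public static void Main()
    {
        // Same shape as the service binding: transport security, certificate credential.
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
        var factory = new ChannelFactory<ITestService>(
            binding, new EndpointAddress("https://server.example/TestService.svc"));
        factory.Credentials.ClientCertificate.Certificate =
            LoadClientCertificate("<CLIENT-CERT-THUMBPRINT>");
        ITestService proxy = factory.CreateChannel();
        Console.WriteLine(proxy.Ping());
        factory.Close();
    }
}
```
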

Expert Comment

ID: 39625425
On the server side, you will set up the binding as https and specify the certificate you would be using.

On the client side, you just use https binding and you don't need to do anything about the certificate. It is same as browsing a https web site.

Author Comment

ID: 39625590
But with mutual-authentication wouldn't the client side have to provide their certificate? As otherwise would it not just be one-way authentication?

Author Comment

ID: 39682632
Anybody have any information on this?

I know if I set the security mode to transport and the transport being clientCredentialingType of "Certificate", the Required SSL needs to be checked.

But I cannot then do an Add Service Reference in a C# client app because it says the service returns a "Forbidden".

Any info would be greatly appreciated.

Author Comment

ID: 39686280
Anybody have any thoughts or ideas on this one? I'm a little stumped.

Author Closing Comment

ID: 39722429
Turns out this worked. Even though the technology is older, working with what and how it processed ultimately led to the solution.

