WCF client cannot connect to WCF server without having server certificate on local machine

The scenario is like this: there are 2 WCF web services, one client (WCFClient) and one server (WCFServer), deployed on different machines. I need certificate authentication between them.

On the WCF server I have set up a binding to use certificates as the client credential type.

<security mode="Message">
  <message clientCredentialType="Certificate" />
</security>

Also, in the behavior section, among other parameters, I have

<serviceBehaviors>
  <behavior name="Server.ServiceBehavior">
    <serviceCredentials>
      <clientCertificate>
        <authentication certificateValidationMode="PeerTrust"/>
      </clientCertificate>
      <serviceCertificate findValue="Server"
                          storeLocation="LocalMachine"
                          storeName="TrustedPeople"
                          x509FindType="FindBySubjectName" />
    </serviceCredentials>
  </behavior>
</serviceBehaviors>

In the WCF client service, I added this endpoint behavior:

<endpointBehaviors>
  <behavior name="CustomBehavior">
    <clientCredentials>
      <clientCertificate findValue="Client"
                         x509FindType="FindBySubjectName"
                         storeLocation="LocalMachine"
                         storeName="TrustedPeople" />
      <serviceCertificate>
        <authentication certificateValidationMode="PeerTrust"/>
      </serviceCertificate>
    </clientCredentials>
  </behavior>
</endpointBehaviors>

When I wanted to check my services, I got an error message:

The service certificate is not provided for target 'http://blablabla...'. Specify a service certificate in ClientCredentials.

So, I started checking information on the Internet. After trying a lot of things, the only thing that actually worked was adding this on my client:

<serviceCertificate>
  <defaultCertificate findValue="Server"
                      storeLocation="LocalMachine"
                      storeName="TrustedPeople"
                      x509FindType="FindBySubjectName" />
  <authentication certificateValidationMode="PeerTrust"/>
</serviceCertificate>

So, yes, that means I need the server certificate on my client machine. This is definitely very bad. It works for my testing purposes, but it is not acceptable for deployment.

I would like to understand what could really cause this error message and what the solution might be.

Later edit: In this project, the client must not need to have the server certificate (even without the private key). This is a system specification and it is quite difficult (in terms of bureaucracy) to go beyond that. There will be several clients, each working with a WCF client, and each does not need to know anything beyond its own certificate. The server will know the server certificate and the certificates of all clients.

+3


3 answers


I really forgot about this question, but at the time I found a solution.

My actual problem was that I was using basicHttpBinding for the communication that I wanted to secure. basicHttpBinding implies the use of that part of the service: http://msdn.microsoft.com/en-us/library/ms731338(v=vs.85).aspx

Due to the system requirements I had, I changed the binding to wsHttpBinding. Now I don't need to put the server certificate on the client machine.

0


Looking here, it reads:

> When authenticating, you might first think of client identification. However, in the context of WCF, authentication usually refers to mutual authentication. Mutual authentication not only allows positive identification of clients, but also allows clients to positively identify the WCF services to which they are connected. Mutual authentication is especially important for a WCF Internet service, because an attacker can spoof the WCF service and hijack client calls to expose sensitive data.
>
> The service credentials that will be used depend a lot on the client authentication scheme you choose. Typically, if you are using a non-Windows client authentication scheme such as username or certificate authentication, the service certificate is used both to authenticate the service and to protect messages. If you are using Windows client authentication, the Windows credentials of the process identity can be used both to authenticate the service and to secure messages.

It seems to me that you want a server certificate on the client machine, which is good, not bad. Note that you do not need (and should not) put the server's private key on the client machine. The private key is not contained in the certificate, only the public key.

Having the server certificate on a client computer means that only the server's public key exists on the client computer. The advantage is that the client now knows that it is talking to the real server.

I'm not familiar with WCF services, but that sounds like how certificates are used.

+3


Why is it bad to have the service certificate on the client machine? It is only the public part, not the private key.

If you are using wsHttpBinding you can set negotiateServiceCredential="true", in which case the client will get the server certificate dynamically. Performance drops slightly, and this endpoint will not interoperate with non-.NET clients.

+1
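Added example (not from the question or any of the answers): a client-side configuration that puts the accepted answer and the last answer together. It switches the binding to wsHttpBinding with message security and certificate client credentials, turns on negotiateServiceCredential so the client obtains the service certificate during the handshake instead of from a local store, and therefore drops the defaultCertificate element. The endpoint address, contract name, binding and behavior names, and the use of the Personal (My) store for the client's own certificate are assumptions made for this example; the certificate subject names "Server" and "Client" are taken from the question.

```xml
<!-- Added example: client-side app.config fragment, not the original poster's config. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Binding name is an assumption. Message security with a certificate
           as the client credential, as in the question, but on wsHttpBinding. -->
      <binding name="CertMessageBinding">
        <security mode="Message">
          <!-- negotiateServiceCredential="true" (the WCF default) makes the
               client fetch the service certificate over the wire. With
               "false" the client would need a <defaultCertificate> again. -->
          <message clientCredentialType="Certificate"
                   negotiateServiceCredential="true" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>

  <behaviors>
    <endpointBehaviors>
      <behavior name="CustomBehavior">
        <clientCredentials>
          <!-- The client's own certificate (with private key). The Personal
               store is an assumption; the question kept it in TrustedPeople. -->
          <clientCertificate findValue="Client"
                             x509FindType="FindBySubjectName"
                             storeLocation="LocalMachine"
                             storeName="My" />
          <serviceCertificate>
            <!-- No <defaultCertificate>: the certificate arrives via negotiation.
                 It is still validated. ChainTrust requires only the issuing CA
                 in the client's Trusted Root store; PeerTrust would again require
                 the server certificate itself in TrustedPeople. -->
            <authentication certificateValidationMode="ChainTrust"
                            revocationMode="Online" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>

  <client>
    <!-- Address and contract are placeholders for this example. -->
    <endpoint name="WCFServerEndpoint"
              address="http://server.example.invalid/WCFServer/Service.svc"
              binding="wsHttpBinding"
              bindingConfiguration="CertMessageBinding"
              behaviorConfiguration="CustomBehavior"
              contract="WCFServer.IService">
      <identity>
        <!-- Expected service identity: the subject name of the negotiated
             service certificate. Must match the server's certificate. -->
        <dns value="Server" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
```

The server side must use the same binding (wsHttpBinding, mode="Message", clientCredentialType="Certificate") and keep its serviceCredentials as in the question. Two caveats: the negotiated certificate is still checked against certificateValidationMode, so a self-signed server certificate cannot pass ChainTrust unless it is itself installed as a trusted root on the client, which brings the certificate back onto the client machine; issuing the server certificate from a CA the clients already trust avoids that. And setting certificateValidationMode="None" to make the error go away disables the service authentication that the second answer describes, leaving the client unable to tell a spoofed service from the real one.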