Upgrade your Internet Experience
Microsoft.com
Welcome Sign in
.NET Framework Developer Center
Click to Rate and Give Feedback
MSDN
MSDN Library
.NET Development
.NET Framework 3.5
WCF Feature Details
Security
 Transport Security with Certificate...

  Switch on low bandwidth view
This page is specific to
Microsoft Visual Studio 2008/.NET Framework 3.5

Other versions are also available for the following:
Transport Security with Certificate Authentication

The following scenario shows a Windows Communication Foundation (WCF) client and service secured by an X.509 certificate. Each client has a certificate that can be used for client Secure Sockets Layer (SSL) authentication and is trusted by the service. This example shows a request/reply message pattern.

For more information about using a certificate with a service, see Working with Certificates and How to: Configure a Port with an SSL Certificate.

Secure transfer using certificates

Characteristic Description

Security Mode

Transport

Interoperability

With existing Web service clients and services.

Authentication (Server)

Authentication (Client)

Yes (using HTTPS)

Yes (using a certificate)

Integrity

Yes

Confidentiality

Yes

Transport

HTTPS

Binding

WSHttpBinding

Service

The following code and configuration are meant to run independently. Do one of the following:

  • Create a stand-alone service using the code with no configuration.

  • Create a service using the supplied configuration, but do not define any endpoints.

Code

The following code shows how to create a service endpoint that uses a transport security and a certificate.

Visual Basic
' Create the binding. 
Dim binding As New WSHttpBinding()
binding.Security.Mode = SecurityMode.Transport
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate

' Create the URI for the endpoint.
Dim httpUri As New Uri("https://localhost/Calculator")

' Create the service and add an endpoint.
Dim myServiceHost As New ServiceHost(GetType(ServiceModel.Calculator), httpUri)
myServiceHost.AddServiceEndpoint(GetType(ServiceModel.ICalculator), binding, "")

' Open the service.
myServiceHost.Open()
Console.WriteLine("Listening...")
Console.ReadLine()

' Close the service.
myServiceHost.Close()
C#
// Create the binding. 
WSHttpBinding binding = new WSHttpBinding();
binding.Security.Mode = SecurityMode.Transport;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.
    Certificate;

// Create the URI for the endpoint.
Uri httpUri = new Uri("https://localhost/Calculator");

// Create the service and add an endpoint.
ServiceHost myServiceHost =
    new ServiceHost(typeof(ServiceModel.Calculator), httpUri);
myServiceHost.AddServiceEndpoint(
    typeof(ServiceModel.ICalculator), binding, "");

// Open the service.
myServiceHost.Open();
Console.WriteLine("Listening...");
Console.ReadLine();

// Close the service.
myServiceHost.Close();

Configuration

The following configuration can be used instead of the code to set up the service:

<bindings>
    <wsHttpBinding>
        <binding name="CertificateWithTransport">
            <security mode="Transport">
                <transport clientCredentialType="Certificate"/>
            </security>
        </binding>
    </wsHttpBinding>
</bindings>
<services>
    <service name="ServiceModel.Calculator" 
             behaviorConfiguration="credentialConfig" >
    <endpoint address=""
              binding="wsHttpBinding"
              bindingConfiguration="CertificateWithTransport" 
              contract="ServiceModel.ICalculator" />
     </service>
</services>
<behaviors>
    <serviceBehaviors>
        <behavior name="credentialConfig">
            <serviceCredentials>
                <clientCertificate trustedStoreLocation="LocalMachine" 
                                   revocationMode="Online"/>
            </serviceCredentials>
        </behavior>
    </serviceBehaviors>
</behaviors>

Client

The following code and configuration are meant to run independently. Do one of the following:

  • Create a stand-alone client using the code (and client code).

  • Create a client that does not define any endpoint addresses. Instead, use the client constructor that takes the configuration name as an argument. For example:

    Visual Basic
    Dim cc As New CalculatorClient("EndpointConfigurationName")
    C#
    CalculatorClient cc = new CalculatorClient("EndpointConfigurationName");

Code

The following code creates the client. The binding is configured to use the transport mode security, with the TCP transport, with the client credential type set to Windows.

Visual Basic
' Create the binding.
Dim myBinding As New WSHttpBinding()
myBinding.Security.Mode = SecurityMode.Transport
myBinding.Security.Transport.ClientCredentialType = _
    HttpClientCredentialType.Certificate

' Create the endpoint address. Note that the machine name 
' must match the subject or DNS field of the X.509 certificate
' used to authenticate the service. 
Dim ea As New EndpointAddress("https://localhost/Calculator")

' Create the client. The code for the calculator 
' client is not shown here. See the sample applications
' for examples of the calculator code.
Dim cc As New CalculatorClient(myBinding, ea)

' The client must specify a certificate trusted by the server.
cc.ClientCredentials.ClientCertificate.SetCertificate( _
StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, "contoso.com")

' Begin using the client.
Try
    cc.Open()

    Console.WriteLine(cc.Add(100, 11))
    Console.ReadLine()

    ' Close the client.
    cc.Close()
Catch tex As TimeoutException
    Console.WriteLine(tex.Message)
    cc.Abort()
Catch cex As CommunicationException
    Console.WriteLine(cex.Message)
    cc.Abort()
Finally
    Console.WriteLine("Closed the client")
    Console.ReadLine()
End Try
C#
// Create the binding.
WSHttpBinding myBinding = new WSHttpBinding();
myBinding.Security.Mode = SecurityMode.Transport;
myBinding.Security.Transport.ClientCredentialType =
    HttpClientCredentialType.Certificate;

// Create the endpoint address. Note that the machine name 
// must match the subject or DNS field of the X.509 certificate
// used to authenticate the service. 
EndpointAddress ea = new
    EndpointAddress("https://localhost:8006/Calculator");

// Create the client. The code for the calculator 
// client is not shown here. See the sample applications
// for examples of the calculator code.
CalculatorClient cc =
    new CalculatorClient(myBinding, ea);

// The client must specify a certificate trusted by the server.
cc.ClientCredentials.ClientCertificate.SetCertificate(
    StoreLocation.CurrentUser,
    StoreName.My,
    X509FindType.FindBySubjectName,
    "contoso.com");

// Begin using the client.
Console.WriteLine(cc.Add(100, 1111));
try
{
    cc.Open();

    // Close the client.
    cc.Close();
}

Configuration

The following configuration code is for the client, and likewise specifies the certificate location and values used to find it.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <behaviors>
      <endpointBehaviors>
        <behavior name="credentialConfiguration">
          <clientCredentials>
            <clientCertificate findValue="Contoso.com"
                      storeLocation="CurrentUser" 
                      x509FindType="FindBySubjectName" />
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <bindings>
      <wsHttpBinding>
        <binding name="WSHttpBinding_ICalculator">
          <security mode="Transport">
            <transport clientCredentialType="Certificate" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <client>
      <endpoint address="https://machineName/Calculator"
                behaviorConfiguration="credentialConfiguration"
                binding="wsHttpBinding"
                bindingConfiguration="WSHttpBinding_ICalculator"
                contract="ICalculator"
                name="WSHttpBinding_ICalculator" />
    </client>
  </system.serviceModel>
</configuration>

See Also


© 2007 Microsoft Corporation. All rights reserved.
Tags What's this?: Add a tag
Community Content   What is Community Content?
Add new content RSS  Annotations
Service Config      TomAndJerry ... Larry Liu   |   Edit   |   Show History

The server configuration in the above example says

<clientCertificate trustedStoreLocation="LocalMachine"

revocationMode="Online"/>


There are no such attributes for ClientCertificate. These are attributes of <Authentication> which is a sub element of <clientCertificate>

<clientCertificate>
<authentication trustedStoreLocation="LocalMachine"revocationMode="Online"certificateValidationMode="PeerOrChainTrust" />
</clientCertificate>

Aside from the misplacement of the attributes, the <clientCertificate> element shown in the above service configuration actually has no bearing to the service behavior in this case. When transport security is used in wsHttpBinding and the service is hosted in IIS, I don't think the certificateValidationMode is relevant anymore.

Authenticate client using Certificate      Friendly Dog II   |   Edit   |   Show History
Agreed with above comment. However the question is then how to set up service to authenticate clients using certificate when Transport security is used? I want to ensure what my service is only called by certain clients. Do I have to do this via Message security?
Tags What's this?: Add a tag
Flag as ContentBug
© 2009 Microsoft Corporation. All rights reserved. Terms of Use  |  Trademarks  |  Privacy Statement
Page view tracker