Custom certificate validation in WCF service

Question

I want to check client certificates in my WCF service.

My goal is to allow only clients with certificates with specific thumbprints to be able to communicate with my service.

My WCF service is hosted in IIS, I'm using basicHttpBinding and security mode="transport" with credential type "Certificate". IIS requires client certificates for communication with the service.

Thanks in advance for help.

UPDATE: My configuration:

<basicHttpBinding>
<binding 
             name="testBinding"
         maxReceivedMessageSize="2147483647">
         <readerQuotas 
                    maxDepth="2147483647"
                maxStringContentLength="2147483647"
                maxArrayLength="2147483647"
                maxBytesPerRead="2147483647"
                maxNameTableCharCount="2147483647" />
 <security mode="Transport">
              <transport clientCredentialType="Certificate"/> 
             </security>

</binding>
</basicHttpBinding>

Behavior:

<serviceBehaviors>
    <behavior name="SomeServiceBehavior">
      <serviceMetadata httpsGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="true" />
      <serviceCredentials>
        <clientCertificate>
          <authentication certificateValidationMode="Custom" customCertificateValidatorType="SomeService.CustomCertificateValidator,SomeService"  />
        </clientCertificate>
      </serviceCredentials>         
     </behavior> 
   </serviceBehaviors>

Service configuration:

<service 
               behaviorConfiguration="SomeServiceBehavior"
               name="SomeService">
        <endpoint 
                  address=""
                  binding="basicHttpBinding"
                  bindingConfiguration="testBinding"
                  contract="ISomeService">
        </endpoint>
      </service>

And for test purpose I implemented validator in this way:

public class CustomCertificateValidator : X509CertificateValidator
    {
        public override void Validate(System.Security.Cryptography.X509Certificates.X509Certificate2 certificate)
        {                
            throw new SecurityTokenValidationException("TEST Certificate was not issued by a trusted issuer TEST");
        }
    }

And this doesn't work. I can connect to my service with any valid certificate.

Answer 1

You can create a class derived from X509CertificateValidator and use it to do custom validation of the incoming certificate. Throw an SecurityTokenValidationException if you want to fail validation for some reason.

Set the certificateValidationMode to Custom and specify your validator in the clientCertificate service behavior section of the config file.

How to: Create a Service that Employs a Custom Certificate Validator