I want to check client certificates in my WCF service.
My goal is to allow only clients with certificates with specific thumbprints to be able to communicate with my service.
My WCF service is hosted in IIS, I'm using basicHttpBinding and security mode="transport" with credential type "Certificate". IIS requires client certificates for communication with the service.
Thanks in advance for help.
UPDATE: My configuration:
<basicHttpBinding>
<binding
name="testBinding"
maxReceivedMessageSize="2147483647">
<readerQuotas
maxDepth="2147483647"
maxStringContentLength="2147483647"
maxArrayLength="2147483647"
maxBytesPerRead="2147483647"
maxNameTableCharCount="2147483647" />
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</basicHttpBinding>
Behavior:
<serviceBehaviors>
<behavior name="SomeServiceBehavior">
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="Custom" customCertificateValidatorType="SomeService.CustomCertificateValidator,SomeService" />
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
Service configuration:
<service
behaviorConfiguration="SomeServiceBehavior"
name="SomeService">
<endpoint
address=""
binding="basicHttpBinding"
bindingConfiguration="testBinding"
contract="ISomeService">
</endpoint>
</service>
And for test purpose I implemented validator in this way:
public class CustomCertificateValidator : X509CertificateValidator
{
public override void Validate(System.Security.Cryptography.X509Certificates.X509Certificate2 certificate)
{
throw new SecurityTokenValidationException("TEST Certificate was not issued by a trusted issuer TEST");
}
}
And this doesn't work. I can connect to my service with any valid certificate.
You can create a class derived from X509CertificateValidator and use it to do custom validation of the incoming certificate. Throw an SecurityTokenValidationException if you want to fail validation for some reason.
Set the certificateValidationMode to Custom and specify your validator in the clientCertificate service behavior section of the config file.
How to: Create a Service that Employs a Custom Certificate Validator
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With