IIS hosted WCF with SSL security -"The HTTP request was forbidden with client authentication scheme 'Anonymous'" error

I am trying to host WCF on IIS using transport security. I found a good tutorial and followed its instructions: http://robbincremers.me/2011/12/27/wcf-transport-security-and-client-certificate-authentication-with-self-signed-certificates/. I always get "The HTTP request was forbidden with client authentication scheme 'Anonymous'". How can I handle it?

What I did so far is:

  1. I created a self-signed root authority certificate as explained there.

    makecert -n "CN=TempCA" -r -sv TempCA.pvk TempCA.cer

  2. Created a new server certificate signed by the root authority certificate

    makecert -sk SignedByCA -iv TempCA.pvk -n "CN=localhost" -ic TempCA.cer localhost.cer -sr localmachine -ss My

  3. Created a new client certificate signed by the root authority certificate

    makecert -sk SignedByCA -iv TempCA.pvk -n "CN=clientCert" -ic TempCA.cer clientCert.cer -sr localmachine -ss My

  4. Added the CA to Trusted Root Certification Authorities (screenshot)

  5. Added these certificates to Personal --> Certificates (screenshot)

  6. Added the client certificate to Trusted People (screenshot)

  7. Everything looks OK (screenshot)

  8. Created a very simple WCF application and added it to IIS (screenshot)

  9. Adjusted the security settings (screenshot)

  10. This is my service web.config file

    <?xml version="1.0"?>
    <configuration>
      <system.web>
        <compilation debug="true" targetFramework="4.5" />
        <httpRuntime targetFramework="4.5"/>
      </system.web>
      <system.serviceModel>
        <bindings>
          <basicHttpBinding>
            <binding name="EmployeeBindingConfig">
              <security mode="Transport">
                <transport clientCredentialType="Certificate" />
              </security>
            </binding>
          </basicHttpBinding>
        </bindings>
        <behaviors>
          <serviceBehaviors>
            <behavior name="EmployeeServiceBehavior">
              <serviceMetadata httpsGetEnabled="true"/>
              <serviceDebug includeExceptionDetailInFaults="true"/>
              <serviceCredentials>
                <clientCertificate>
                  <authentication certificateValidationMode="PeerOrChainTrust"
                                  trustedStoreLocation="LocalMachine" />
                </clientCertificate>
              </serviceCredentials>
            </behavior>
          </serviceBehaviors>
        </behaviors>
        <services>
          <service
            behaviorConfiguration="EmployeeServiceBehavior"
            name="WCF.Tutorial.TransportSecurity.ServiceNew.EmployeeService">
            <host>
              <baseAddresses>
                <add baseAddress="https://localhost/WCF.Tutorial.TransportSecurity.ServiceNew"/>
              </baseAddresses>
            </host>
            <endpoint address="EmployeeService"
                      binding="basicHttpBinding"
                      bindingConfiguration="EmployeeBindingConfig"
                      contract="WCF.Tutorial.TransportSecurity.ServiceNew.IEmployeeService" />
            <endpoint address="mex"
                      binding="mexHttpsBinding"
                      contract="IMetadataExchange" />
          </service>
        </services>
      </system.serviceModel>
      <system.webServer>
        <modules runAllManagedModulesForAllRequests="true"/>
      </system.webServer>
    </configuration>

  11. This is my client app.config

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <startup>
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
      </startup>
      <system.serviceModel>
        <behaviors>
          <endpointBehaviors>
            <behavior name="EmployeeEndpointBehaviour">
              <clientCredentials>
                <clientCertificate storeLocation="LocalMachine" storeName="My"
                                   x509FindType="FindBySubjectName" findValue="omer-HP"/>
              </clientCredentials>
            </behavior>
          </endpointBehaviors>
        </behaviors>
        <bindings>
          <basicHttpBinding>
            <binding name="EmployeeBindingConfig">
              <security mode="Transport">
                <transport clientCredentialType="Certificate" />
              </security>
            </binding>
          </basicHttpBinding>
        </bindings>
        <client>
          <endpoint address="https://localhost/WCF.Tutorial.TransportSecurity.ServiceNew/EmployeeService.svc"
                    binding="basicHttpBinding"
                    bindingConfiguration="EmployeeBindingConfig"
                    contract="WCF.Tutorial.TransportSecurity.ServiceNew.IEmployeeService"
                    name="serviceEndpoint"
                    behaviorConfiguration="EmployeeEndpointBehaviour"/>
        </client>
      </system.serviceModel>
    </configuration>

  12. This is my client code and the error (screenshot)

My question is: how can I get past this error? I need your help.

Omer Avatar asked Aug 18 '14 13:08

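The steps above put three certificates into specific LocalMachine stores and then rely on `certificateValidationMode="PeerOrChainTrust"` on the service and `FindBySubjectName` on the client to find and validate them. The following PowerShell script is an added example, not code from the question or from the linked tutorial; it is a read-only check of that layout, run on the IIS host. It assumes the subject names from the question's `makecert` commands (`TempCA`, `localhost`, `clientCert`), a Windows machine with the `Cert:` drive, and that the service's `revocationMode` attribute (not set in the question's web.config) is what governs revocation checking on the WCF side.

```powershell
# Added example (not from the question): verifies the certificate layout from steps 1-7
# against what the configs expect. Read-only; run in an elevated prompt on the IIS host.
# Subject names are the ones used in the question's makecert commands.
$caName     = 'TempCA'
$serverName = 'localhost'
$clientName = 'clientCert'

# Same semantics as x509FindType="FindBySubjectName": a substring match on the Subject,
# so an over-broad findValue can silently pick up a different certificate.
function Find-CertBySubjectName([string]$StorePath, [string]$Name) {
    @(Get-ChildItem -Path $StorePath | Where-Object { $_.Subject -like "*$Name*" })
}

# Builds the chain against the machine stores, which is what the "ChainTrust" half of
# PeerOrChainTrust does. A makecert test CA publishes no CRL, so revocation checking is
# disabled here; on the service side that is the <authentication revocationMode="..."> attribute.
function Test-ChainTrust([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok     = $chain.Build($Cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    [pscustomobject]@{ Trusted = $ok; Status = $status }
}

$ca     = Find-CertBySubjectName 'Cert:\LocalMachine\Root'          $caName      # step 4
$server = Find-CertBySubjectName 'Cert:\LocalMachine\My'            $serverName  # step 5
$client = Find-CertBySubjectName 'Cert:\LocalMachine\My'            $clientName  # step 5
$peer   = Find-CertBySubjectName 'Cert:\LocalMachine\TrustedPeople' $clientName  # step 6

"CA in Trusted Root:             {0}" -f ($ca.Count -gt 0)
"Client cert in Trusted People:  {0}" -f ($peer.Count -gt 0)   # the "PeerTrust" half

foreach ($c in ($server + $client)) {
    $result = Test-ChainTrust $c
    # IIS needs the server's private key for the HTTPS binding; the client process needs
    # the client's private key to answer the server's CertificateRequest.
    "{0,-16} HasPrivateKey={1} ChainTrust={2} {3}" -f $c.Subject, $c.HasPrivateKey, $result.Trusted, $result.Status
}
```

A certificate that is found but reports `HasPrivateKey=False` is the usual reason the client falls back to the 'Anonymous' scheme: the store contains only the public `.cer`, so there is nothing to present during the TLS handshake. A non-empty `Status` column names the exact chain problem (untrusted root, name mismatch, expiry) rather than the generic 403 the service returns.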
1 Answer

At least the issue has been found. When I looked inside the Windows Event Log I saw this error:

When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.

I backed some certificates up and deleted them. After this operation my program works.

Omer Avatar answered Oct 13 '22 10:10
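The answer's fix was to prune the machine's CA stores by hand until the issuer list fitted. Schannel logs that truncation as event ID 36885, and the pruning deserves an audit rather than guesswork, because every CA left in `Root` or `CA` is advertised to clients and accepted as a client-certificate issuer under the default trust mode. The script below is an added example, not the answer's own code: it measures the encoded issuer list, lists expired CAs (the safest removal candidates) and duplicate subjects, and reads the two Schannel registry values that change what is sent. It is read-only and assumes a Windows host with the `Cert:` drive and an elevated prompt; when a registry value is absent the OS default applies, which the page does not state.

```powershell
# Added example (not part of the answer): audits the CAs Schannel advertises for client
# authentication on this machine and reports the Schannel settings that control the list.
# Read-only; run in an elevated PowerShell on the IIS host.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Root and intermediate CA stores of the machine: in the default trust mode this is the
# set of issuers offered in the TLS CertificateRequest message.
$cas = @(Get-ChildItem -Path 'Cert:\LocalMachine\Root') +
       @(Get-ChildItem -Path 'Cert:\LocalMachine\CA')

# The message carries each issuer's DER-encoded distinguished name, so the encoded size
# of the names, not just their count, is what overruns Schannel's limit.
$encoded = ($cas | ForEach-Object { $_.SubjectName.RawData.Length } | Measure-Object -Sum).Sum
"{0} CA certificates, {1} bytes of encoded issuer names" -f $cas.Count, $encoded

# Removal candidates: expired CAs can no longer issue a valid client certificate anyway.
$expired = @($cas | Where-Object { $_.NotAfter -lt (Get-Date) })
"Expired CAs: {0}" -f $expired.Count
$expired | Sort-Object NotAfter |
    Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize

# Duplicates of the same subject (re-issued roots, or the same CA imported twice).
$dupes = @($cas | Group-Object Subject | Where-Object { $_.Count -gt 1 })
"Subjects present more than once: {0}" -f $dupes.Count
$dupes | ForEach-Object { "  {0} x{1}" -f $_.Name, $_.Count }

# Schannel settings (reported only, not changed):
#   SendTrustedIssuerList = 0  -> send no issuer list; the client picks its certificate
#                                 from its own configuration (WCF does so via <clientCertificate>)
#   ClientAuthTrustMode   = 2  -> advertise and accept only issuers placed in
#                                 Cert:\LocalMachine\ClientAuthIssuer, instead of every root
$props = Get-ItemProperty -Path $schannel -ErrorAction SilentlyContinue
function Show-Value($v) { if ($null -eq $v) { '(not set, OS default)' } else { $v } }
"SendTrustedIssuerList = {0}" -f (Show-Value $props.SendTrustedIssuerList)
"ClientAuthTrustMode   = {0}" -f (Show-Value $props.ClientAuthTrustMode)
```

For a service like the one in the question, which trusts exactly one private CA, restricting the advertised issuers (`ClientAuthTrustMode` with the CA placed in `ClientAuthIssuer`) is the smaller change: the list stays short regardless of what else lands in `Root` later, and the service no longer implicitly accepts client certificates from every public CA the machine trusts for TLS server authentication.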