Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

The HTTP request was forbidden with client authentication scheme 'Anonymous'

I am trying to configure a WCF server\client to work with SSL

I get the following exception:

The HTTP request was forbidden with client authentication scheme 'Anonymous'

I have a self hosted WCF server. I have run hhtpcfg both my client and server certificates are stored under Personal and Trusted People on the Local Machine

Here is the server code:

binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
binding.Security.Mode = WebHttpSecurityMode.Transport;
_host.Credentials.ClientCertificate.Authentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.PeerOrChainTrust;
_host.Credentials.ClientCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;
_host.Credentials.ClientCertificate.Authentication.TrustedStoreLocation = StoreLocation.LocalMachine;
_host.Credentials.ServiceCertificate.SetCertificate("cn=ServerSide", StoreLocation.LocalMachine, StoreName.My);

Client Code:

binding.Security.Mode = WebHttpSecurityMode.Transport;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate; 
WebChannelFactory<ITestClientForServer> cf =
                new WebChannelFactory<ITestClientForServer>(binding, url2Bind);
cf.Credentials.ClientCertificate.SetCertificate("cn=ClientSide", StoreLocation.LocalMachine, StoreName.My);
            ServicePointManager.ServerCertificateValidationCallback
                   += RemoteCertificateValidate;

Looking at web_tracelog.svclog and trace.log reveals that the server cannot autheticate the client certificate My certificate are not signed by an Authorized CA but this is why I added them to the Trusted People....

What Am I missing? What am I missing?

like image 652
Dudi Avatar asked Jun 09 '10 00:06

Dudi


1 Answers

The trick was to make the Client Certificate valid,

To do that you have two option:

1) make it self signed and then put it under the "Trusted Root Certification Authority".

Obviously in production you would like your client certificate to be signed by a trusted CA and not self signed. see http://msdn.microsoft.com/en-us/library/ms733813.aspx

2) Sign your client certificate by another certificate you created (let's call it MyCA) and put MyCA in the "Trusted Root Certification Authority" and have the client certificate in the "Trusted People". This way your development environment is even more close to the deployment.

How to create and sign the certificates: Look under http://msdn.microsoft.com/en-us/library/bfsktky3.aspx

Here is the series of commands I used:

1)makecert -r -pe -ss My -sr LocalMachine -a sha1 -sky exchange -n cn=MyCA -sv "MyCAPrivate.pvk"

2) makecert -pe -ss My -sr LocalMachine -a sha1 -sky exchange -n cn=SignedClientCertificate -iv "MyCAPrivate.pvk" -ic "MyCAPublic.cer"

like image 76
Dudi Avatar answered Oct 01 '22 04:10

Dudi