MessageSecurityException: The HTTP request was forbidden with client authentication scheme 'Anonymous' when accessing credential secured WCF service
<p>I'm trying to understand the process of transport security authentication based on certificates. Suppose I'm making a <strong>service</strong> with the following config, with HTTPS opened on port 8732:</p>
<pre><code>&lt;wsHttpBinding&gt;
  &lt;binding name="SecurityTest"&gt;
    &lt;security mode="Transport"&gt;
      &lt;transport clientCredentialType="Certificate"/&gt;
    &lt;/security&gt;
  &lt;/binding&gt;
&lt;/wsHttpBinding&gt;

&lt;service name="MyNamespace.MyService"&gt;
  &lt;host&gt;
    &lt;baseAddresses&gt;
      &lt;add baseAddress="https://localhost:8732/MyService/" /&gt;
    &lt;/baseAddresses&gt;
  &lt;/host&gt;
  &lt;endpoint address="" binding="wsHttpBinding" bindingConfiguration="SecurityTest"
            contract="MyNamespace.IContract"&gt;
  &lt;/endpoint&gt;
&lt;/service&gt;
</code></pre>
<p>Then I create a self-signed certificate for a root authority so that I can create new certificates:</p>
<pre><code>makecert -n "CN=MyAuthority" -r -sv MyAuthority.pvk MyAuthority.cer -sky exchange
</code></pre>
<p>Then I add my <code>MyAuthority.cer</code> to the local machine "Root" catalog. After this I create another certificate using my MyAuthority certificate and place it in the local machine's "My" catalog:</p>
<pre><code>makecert -sky exchange -sk local -iv MyAuthority.pvk -n "CN=local" -ic MyAuthority.cer local.cer -sr Localmachine -ss My
</code></pre>
<p>Then I use netsh to bind my local.cer certificate to port 8732:</p>
<pre><code>netsh http add sslcert ipport=0.0.0.0:8732 certhash=02b751d7f71423c27141c9c385fc3d3976d7aab5 appid={C4BFC5DC-2636-495B-9803-8DD8257C92C3}
</code></pre>
<p>The server service side is done, and it starts and works. Now I create a client:</p>
<pre><code>&lt;bindings&gt;
  &lt;wsHttpBinding&gt;
    &lt;binding name="SecurityTest"&gt;
      &lt;security mode="Transport"&gt;
        &lt;transport clientCredentialType="Certificate" /&gt;
      &lt;/security&gt;
    &lt;/binding&gt;
  &lt;/wsHttpBinding&gt;
&lt;/bindings&gt;

&lt;client&gt;
  &lt;endpoint name="testPoint" address="https://localhost:8732/MyService/"
            binding="wsHttpBinding" bindingConfiguration="SecurityTest"
            behaviorConfiguration="ep" contract="MyNamespace.IContract"&gt;
  &lt;/endpoint&gt;
&lt;/client&gt;

&lt;behaviors&gt;
  &lt;endpointBehaviors&gt;
    &lt;behavior name="ep"&gt;
      &lt;clientCredentials&gt;
        &lt;clientCertificate findValue="local" storeLocation="CurrentUser" storeName="My"
                           x509FindType="FindBySubjectName" /&gt;
      &lt;/clientCredentials&gt;
    &lt;/behavior&gt;
  &lt;/endpointBehaviors&gt;
&lt;/behaviors&gt;
</code></pre>
<p>When I start it and consume the service method, I get an error:</p>
<blockquote><p>MessageSecurityException: The HTTP request was forbidden with client authentication scheme 'Anonymous' when accessing credential secured WCF service from remote computer</p></blockquote>
<p>I want to ask whether I understand everything well in this scheme, and maybe get advice on how to solve this error.</p>
<ol>
<li><p>Does my service use local.cer to encrypt messages on the transport level?</p></li>
<li><p>Do I have to add <code>MyAuthority.cer</code> to the Trusted Publishers catalog on each client machine so that my clients can decrypt the messages without creating personal validation handlers?</p></li>
<li><p>Does my client in the current example use local.cer as its credentials, and would this certificate be sent to the service side?</p></li>
<li><p>How does the server side handle the client certificate? Does it check whether it was signed by MyAuthority.cer, or does it check it against the SSL certificate? How can I see what the certificate is checked against?</p></li>
<li><p>Why do I get the error?</p></li>
</ol>
<p>Thanks in advance</p>
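Added example for question 4 (not part of the question or its service): a server-side custom validator using WCF's X509CertificateValidator extension point, which makes explicit which root the presented client certificate is checked against instead of relying on the default ChainTrust behaviour. It assumes a hypothetical class MyAuthorityValidator in assembly MyAssembly and a placeholder for the thumbprint of MyAuthority.cer, which the question does not give; with Transport security over http.sys, SChannel performs its own chain check before WCF runs this validator, so the validator can only narrow what is accepted.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

namespace MyNamespace
{
    // Registered in the service's config (hypothetical names), replacing the default
    // ChainTrust validation of client certificates:
    //   <serviceBehaviors><behavior name="svc"><serviceCredentials><clientCertificate>
    //     <authentication certificateValidationMode="Custom"
    //        customCertificateValidatorType="MyNamespace.MyAuthorityValidator, MyAssembly"/>
    //   </clientCertificate></serviceCredentials></behavior></serviceBehaviors>
    public class MyAuthorityValidator : X509CertificateValidator
    {
        // Placeholder: the thumbprint of MyAuthority.cer is not given in the question.
        private const string ExpectedRootThumbprint = "ROOT_THUMBPRINT_PLACEHOLDER";

        // WCF calls this once per client certificate presented on the transport.
        // Throwing rejects the call; returning normally accepts it.
        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
                throw new ArgumentNullException("certificate");

            var chain = new X509Chain();
            // A makecert test root publishes no CRL, so revocation lookup would always fail;
            // keep revocation checking enabled for a real PKI.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

            if (!chain.Build(certificate))
                throw new SecurityTokenValidationException(
                    "Client certificate chain failed: " + DescribeStatus(chain));

            // The last chain element is the root the chain was anchored to; pin it so a
            // certificate issued by any other trusted root in the machine store is refused.
            var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            if (!string.Equals(root.Thumbprint, ExpectedRootThumbprint,
                               StringComparison.OrdinalIgnoreCase))
                throw new SecurityTokenValidationException(
                    "Client certificate chains to '" + root.Subject + "', not to MyAuthority.");
        }

        private static string DescribeStatus(X509Chain chain)
        {
            var parts = new List<string>();
            foreach (var s in chain.ChainStatus)
                parts.Add(s.Status + ": " + s.StatusInformation.Trim());
            return string.Join("; ", parts.ToArray());
        }
    }
}
```

The exception messages surface in the service trace (or a service-side log) and show exactly which chain status or root caused the rejection.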