How to configure a WCF service to only accept one client identified by an x509 certificate

I have a WCF client / WCF server application that relies on secure communication between two machines, and I want to use the x509 certificates installed in the certificate store to identify the server and the client to each other. I do this by setting up the binding with <security authenticationMode="MutualCertificate"/>. There is only one client machine.

The server has a certificate issued to server.mydomain.com installed in Local Computer / Personal, and the client has a certificate issued to client.mydomain.com installed in the same place. In addition, the server has the client's public certificate in Local Computer / Trusted People, and the client has the server's public certificate in Local Computer / Trusted People.

Finally, the client is configured to verify the server certificate. I did this using system.serviceModel/behaviors/endpointBehaviors/clientCredentials/serviceCertificate/defaultCertificate in the configuration file.

So far so good, it all works. My problem is that I want to specify in the server configuration file that only clients who identify themselves with the client.mydomain.com certificate from the Trusted People certificate store are allowed to connect.

The correct information is available on the server via ServiceSecurityContext, but I am looking for a way to indicate in app.config that WCF should perform this check, instead of checking the security context in code.

Is it possible? Any clues would be appreciated.

By the way, my server configuration file looks like this:

 <?xml version="1.0" encoding="utf-8" ?>
 <configuration>
   <system.serviceModel>
     <services>
       <service name="MyServer.Server" behaviorConfiguration="CertificateBehavior">
         <endpoint contract="Contracts.IMyService" binding="customBinding" bindingConfiguration="SecureConfig"/>
         <host>
           <baseAddresses>
             <add baseAddress="http://localhost/SecureWcf"/>
           </baseAddresses>
         </host>
       </service>
     </services>
     <behaviors>
       <serviceBehaviors>
         <behavior name="CertificateBehavior">
           <serviceCredentials>
             <serviceCertificate storeLocation="LocalMachine" x509FindType="FindBySubjectName" findValue="server.mydomain.com"/>
           </serviceCredentials>
         </behavior>
       </serviceBehaviors>
     </behaviors>
     <bindings>
       <customBinding>
         <binding name="SecureConfig">
           <security authenticationMode="MutualCertificate"/>
           <httpTransport/>
         </binding>
       </customBinding>
     </bindings>
   </system.serviceModel>
 </configuration>
+4

2 answers

There seems to be no way to do what I want using web.config.

I ended up adding a behavior with this tag:

 <clientCertificate>
   <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="CurrentUser" revocationMode="NoCheck"/>
 </clientCertificate>

Then add the client certificate to the Trusted People certificate store of the user that runs the server.

+2
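Two things about the PeerTrust configuration in the answer above are worth spelling out. PeerTrust accepts every certificate present in the Trusted People store of the account the service runs under, so the service is limited to one client only as long as that store holds exactly one entry. And revocationMode="NoCheck" means a client certificate that has been revoked after a key compromise is still accepted. WCF does offer a declarative alternative: set certificateValidationMode="Custom" and point customCertificateValidatorType at a class deriving from System.IdentityModel.Selectors.X509CertificateValidator, which then pins the one authorized certificate by thumbprint. The following is an added example written for this page, not code from either poster; the class name, assembly name and thumbprint value are assumptions for illustration.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

namespace MyServer
{
    // Accepts exactly one client certificate, identified by its thumbprint.
    // Wired up in app.config inside the service behavior's <serviceCredentials>
    // (class and assembly names are assumptions for this example):
    //
    //   <clientCertificate>
    //     <authentication certificateValidationMode="Custom"
    //                     customCertificateValidatorType="MyServer.SingleClientValidator, MyServer"/>
    //   </clientCertificate>
    public sealed class SingleClientValidator : X509CertificateValidator
    {
        // Placeholder thumbprint for client.mydomain.com (assumed value; a real one is the
        // 40-hex-digit SHA-1 shown by: certutil -store My client.mydomain.com).
        private const string AllowedThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567";

        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
                throw new ArgumentNullException("certificate");

            // Pin the exact certificate. Matching on subject name alone would also accept any
            // other certificate carrying "CN=client.mydomain.com" that a caller can self-sign
            // or get issued elsewhere.
            if (!string.Equals(certificate.Thumbprint, AllowedThumbprint, StringComparison.OrdinalIgnoreCase))
                throw new SecurityTokenValidationException(
                    "Client certificate " + certificate.Thumbprint + " is not the authorized client.");

            // Custom mode replaces WCF's built-in validation, so the validity period
            // has to be enforced here as well.
            DateTime now = DateTime.Now;
            if (now < certificate.NotBefore || now > certificate.NotAfter)
                throw new SecurityTokenValidationException(
                    "Authorized client certificate is outside its validity period.");

            // Revocation: unlike revocationMode="NoCheck", consult the issuer's CRL/OCSP.
            // Trust itself is established by the pin, so an issuer that is not in the machine's
            // root store is tolerated; a certificate reported as revoked is rejected.
            var chain = new X509Chain();
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EndCertificateOnly;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;

            if (!chain.Build(certificate))
            {
                foreach (X509ChainStatus status in chain.ChainStatus)
                {
                    if ((status.Status & X509ChainStatusFlags.Revoked) != 0)
                        throw new SecurityTokenValidationException(
                            "Authorized client certificate has been revoked.");
                }
                // Other chain statuses (unknown CA, revocation status unavailable for a
                // self-signed certificate) are deliberately soft-failed here; switch this to
                // a hard failure once the issuer publishes a reachable CRL or OCSP responder.
            }
        }
    }
}
```

With this in place the check the question wanted to express in app.config stays in configuration: the thumbprint lives in one place, the ServiceSecurityContext inspection in the service code is no longer needed, and adding a second authorized client means adding a second thumbprint rather than dropping another certificate into a store that PeerTrust trusts wholesale.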

Check out the WCF Security Guidance page on Codeplex - great and very useful stuff!

In particular, check out the How-Tos and, more specifically,

How To - Use Certificate Authentication and Message Protection in a WCF Call from Windows Forms

It explains in detail how to set up a WCF service that requires its clients to present a valid certificate, and how to verify it. If you want to allow only one client, deploy that certificate to this one client only.

Hope this helps!

+1

Source: https://habr.com/ru/post/1301498/

