
Use Mutual SSL Authentication in WCF

Elvin Cheng, 16 Mar 2012
How to configure and use Mutual SSL Authentication in WCF.

Introduction

In this article, I will show you how to configure the client and the service to use Mutual SSL authentication in WCF. If you are not familiar with the concept of Mutual SSL Authentication, I recommend reading the article An Introduction to Mutual SSL Authentication first and then continuing with this one.

Background

Windows Communication Foundation (WCF) is a framework for building service-oriented applications. Address, Binding, and Contract (ABC) are the fundamental building blocks of every WCF application. The binding controls three aspects of message communication:

  1. The suite of WS-* protocols, including WS-Security, WS-ReliableMessaging, and so on.
  2. The message encoding, such as XML 1.0, Message Transmission Optimization Mechanism (MTOM), and binary.
  3. The transport protocol, including HTTP, TCP, Named Pipe, and Microsoft Message Queuing (MSMQ).

Thus, the binding is the place to configure Mutual SSL Authentication. Note, however, that Mutual SSL Authentication is transport-level security: it provides only "point-to-point" protection between two endpoints (the client and the service). If there are intermediary systems between the client and the service, each hop must forward the message over a new, separately secured connection, and every intermediary sees the message in the clear; protection that survives intermediaries end to end requires message-level security instead.

It follows that only bindings that support transport security can be configured to use Mutual SSL authentication. The following list shows the standard bindings that support transport-level security:

  • BasicHttpBinding
  • WSHttpBinding
  • WS2007HttpBinding
  • NetTcpBinding
  • NetNamedPipeBinding
  • NetMsmqBinding
  • NetPeerTcpBinding
  • MsmqIntegrationBinding

Of these, the rest of this article concerns the HTTP bindings and NetTcpBinding, where transport security means TLS (SSL) and a certificate can be used as the client credential. The named-pipe and MSMQ bindings secure their transport by other means (Windows security and MSMQ's own mechanisms), do not use TLS, and are therefore not candidates for mutual SSL.

Configuration

Configuring Mutual SSL Authentication in WCF is a two-step process:

  1. In the binding, enable transport security and select a certificate as the client credential.
  2. In the behaviors, specify the certificate that each side presents during mutual authentication.

Binding configuration

Enabling an application to use transport security with a certificate as its credential is a matter of two settings in the <binding> section of both the client and the service configuration file:

  1. Set the security mode to "Transport".
  2. Set the clientCredentialType of the transport element to "Certificate".

The same two settings apply to every binding that supports transport-level security, whether it is BasicHttpBinding, NetTcpBinding, or any other qualifying binding; only the enclosing binding element changes.

The following figures (screenshots in the original article, not reproduced here) show how the settings are applied in basicHttpBinding and netTcpBinding:

[Figure: basicHttpBinding configuration with security mode="Transport" and transport clientCredentialType="Certificate"]

[Figure: netTcpBinding configuration with the same security settings]

Behavior configuration

To make the client and the service present their certificates during mutual authentication, each side needs a behavior that names its certificate: an endpoint behavior on the client (clientCredentials/clientCertificate) and a service behavior on the service (serviceCredentials/serviceCertificate). The same elements also control how each side validates the certificate it receives from the other.

Client configuration (EchoClient)

The client configuration file (a screenshot in the original, not reproduced here) defines an endpoint behavior whose clientCredentials element names the client certificate, and attaches that behavior to the client endpoint.

[Figure: EchoClient configuration file, endpoint behavior and client certificate highlighted]

Service configuration (EchoService)

The service configuration file (a screenshot in the original, not reproduced here) defines a service behavior whose serviceCredentials element names the service certificate, and attaches that behavior to the service.

[Figure: EchoService configuration file, service behavior and service certificate highlighted]
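The two configuration files that the screenshots in the "Binding configuration" and "Behavior configuration" sections show, written out as an added example. This is not the article's own code: it is a pair of configurations written for this page that combine the binding settings (security mode "Transport", clientCredentialType "Certificate") with the endpoint and service behaviors, for both basicHttpBinding and netTcpBinding. The type names EchoService.EchoService, EchoService.IEchoService and EchoClient.IEchoService, the second port 56112, the certificate subject names, and the binding and behavior names are assumptions for illustration.

```xml
<!-- Added example, not the article's own files. Type names, ports, certificate subject
     names and binding/behavior names are assumptions. Service-side App.config (EchoService). -->
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="MutualSslHttp">
          <security mode="Transport">
            <transport clientCredentialType="Certificate" />
          </security>
        </binding>
      </basicHttpBinding>
      <netTcpBinding>
        <binding name="MutualSslTcp">
          <security mode="Transport">
            <transport clientCredentialType="Certificate" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <services>
      <service name="EchoService.EchoService" behaviorConfiguration="EchoServiceBehavior">
        <endpoint address="https://demopc.mydomain.com:56111/EchoService" binding="basicHttpBinding"
                  bindingConfiguration="MutualSslHttp" contract="EchoService.IEchoService" />
        <endpoint address="net.tcp://demopc.mydomain.com:56112/EchoService" binding="netTcpBinding"
                  bindingConfiguration="MutualSslTcp" contract="EchoService.IEchoService" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="EchoServiceBehavior">
          <serviceCredentials>
            <!-- Presented on the net.tcp endpoint. The HTTPS endpoint takes its server
                 certificate from the HTTP.SYS/IIS port binding, not from this element. -->
            <serviceCertificate findValue="demopc.mydomain.com" storeLocation="LocalMachine"
                                storeName="My" x509FindType="FindBySubjectName" />
            <clientCertificate>
              <!-- How the service validates the client's certificate. ChainTrust: must chain
                   to a trusted root. PeerTrust: exact certificate must be in TrustedPeople. -->
              <authentication certificateValidationMode="ChainTrust" revocationMode="Online" />
            </clientCertificate>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>

<!-- Client-side App.config (EchoClient), same assumptions. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="MutualSslHttp">
          <security mode="Transport">
            <transport clientCredentialType="Certificate" />
          </security>
        </binding>
      </basicHttpBinding>
      <netTcpBinding>
        <binding name="MutualSslTcp">
          <security mode="Transport">
            <transport clientCredentialType="Certificate" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <client>
      <endpoint name="EchoHttp" address="https://demopc.mydomain.com:56111/EchoService"
                binding="basicHttpBinding" bindingConfiguration="MutualSslHttp"
                contract="EchoClient.IEchoService" behaviorConfiguration="EchoClientBehavior" />
      <endpoint name="EchoTcp" address="net.tcp://demopc.mydomain.com:56112/EchoService"
                binding="netTcpBinding" bindingConfiguration="MutualSslTcp"
                contract="EchoClient.IEchoService" behaviorConfiguration="EchoClientBehavior">
        <!-- net.tcp: the client checks the service certificate's subject against this identity. -->
        <identity><dns value="demopc.mydomain.com" /></identity>
      </endpoint>
    </client>
    <behaviors>
      <endpointBehaviors>
        <behavior name="EchoClientBehavior">
          <clientCredentials>
            <!-- Certificate the client presents in the TLS handshake. -->
            <clientCertificate findValue="echoclient" storeLocation="CurrentUser"
                               storeName="My" x509FindType="FindBySubjectName" />
            <serviceCertificate>
              <!-- How the client validates the service certificate; same modes as above. -->
              <authentication certificateValidationMode="ChainTrust" revocationMode="Online" />
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

Three points worth checking before reusing this: certificateValidationMode="None" switches off validation of the other side's certificate entirely and is acceptable only in a throwaway test, never in a deployed configuration; the revocationMode is set explicitly so that revoked certificates are refused rather than silently accepted; and for the HTTPS endpoint the server certificate is the one bound to the port in HTTP.SYS or IIS, so the serviceCertificate element above affects only the net.tcp endpoint.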

Using the samples

I have created two demo projects, available from the link at the top of this article, which use Mutual SSL Authentication with BasicHttpBinding and NetTcpBinding. To run them, change the following settings in both the client and the service projects:

  1. Change the host and domain name (demopc.mydomain.com) in the client and service endpoint addresses to match your environment.
  2. Optionally change the port (56111) in the client and service endpoint addresses if it is already in use.
  3. Specify a valid client certificate and service certificate from your workstation's certificate store. The service certificate's subject must match the host name in the endpoint address, and each side must be able to validate the other's certificate under the configured certificateValidationMode (ChainTrust by default, so test certificates need an issuing root that is trusted on both machines). For the HTTPS endpoint, the service certificate must additionally be bound to the port in HTTP.SYS (netsh http add sslcert) or in IIS, because the HTTP transport does not take its server certificate from the WCF configuration.

History

  • 16th March, 2012: Initial version.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Elvin Cheng

Singapore Singapore
Elvin Cheng is currently living in Woodlands, Singapore. He has been developing applications with the .NET Framework, using C# and ASP.NET since October 2002. Elvin specializes in building Real-time monitoring and tracking information system for Semi-conductor manufacturing industry. During his spare time, he enjoys reading books, watching movie and gym.


Article Copyright 2012 by Elvin Cheng
Everything else Copyright © CodeProject, 1999-2014