Click here to Skip to main content
14,874,239 members
Articles / Programming Languages / C# 3.0
Posted 16 Mar 2012

Tagged as


28 bookmarked

Use Mutual SSL Authentication in WCF

Rate me:
Please Sign up or sign in to vote.
4.13/5 (6 votes)
16 Mar 2012CPOL3 min read
How to configure and use Mutual SSL Authentication in WCF.


In this article, I will show you how to configure the client and service to use Mutual SSL authentication in WCF. If you're not familiar with the concept of Mutual SSL Authentication, I recommend you to read the article named An Introduction to Mutual SSL Authentication and then continue with this article.


Windows Communication Foundation (WCF) is a framework for building service-oriented applications. Address, Binding, and Contract (ABC) are the fundamentals building blocks of all WCF applications. Binding controls three aspects of message communication:

  1. The suite of WS-* protocols, including WS-Security, WS-ReliableMessaging, and so on.
  2. The message encoding, such as XML 1.0, Message Transmission Optimization Mechanism (MTOM), and binary.
  3. The transport protocol, including HTTP, TCP, Named Pipe, and Microsoft Message Queuing (MSMQ).

Thus, Binding is the place to configure Mutual SSL Authentication. However, Mutual SSL Authentication is a transport level security and it can only provide "point-to-point" security between two endpoints (service and client). If there are intermediary systems between the client and the server, each intermediate point must forward the message over a new secured connection.

With regard to this fact, only those bindings that support transport security can be configured to use Mutual SSL authentication. The following list shows the standard bindings that support transport level security:

  • BasicHttpBinding
  • WSHttpBinding
  • WS2007HttpBinding
  • NetTcpBinding
  • NetNamedPipeBinding
  • NetMsmqBinding
  • NetPeerTcpBinding
  • MsmqIntegrationBinding


Mutual SSL Authentication configuration in WCF is a two step process:

  1. Enable application to use transport security and use certificate as its credential in Bindings.
  2. Specify a valid certificate in Behaviors, which will be requested in the process of mutual authentication.

Binding configuration

Enabling an application to use transport security and use certificate as its credential in WCF is as easy as specifying the following settings to the <binding> section in both the client and service application configuration file:

  1. Specify "Transport" as the security mode.
  2. Specify "Certificate" as the clientCredentialType.

And the settings are applicable for all bindings, regardless of whether it is BasicHttpBinding, NetTcpBinding, or any other qualified Binding which supports transport level security.

The following diagram shows how to apply the settings in basicHttpBinding and netTcpBinding:





Behavior configuration

To configure the client and service applications to present their certificate in the process of mutual authentication, they need an endpoint and service behavior which specify the client certificate and service certificate, respectively.

Client configuration (EchoClient)

  • Endpoint Behavior is highlighted in the green color box.
  • Client Certificate is highlighted in the blue color box.

Client configuration

Service configuration (EchoService)

  • Service Behavior is highlighted in the green color box.
  • Service Certificate is highlighted in the blue color box.

Service configuration

Using the samples

I've created two demo projects, available from the link at the top of this article, which use the Mutual SSL Authentication in BasicHttpBinding and NetTcpBinding. In order to run the demo projects, you need to change the following settings in both the client and service projects:

  1. Change the host and domain name ( in the client and service endpoint addresses according to your environment setup.
  2. Optionally change the port (56111) in the client and service endpoint addresses if it has been occupied.
  3. Specify a valid client and service certificate which are available from your workstation certificate store.


  • 16th March, 2012: Initial version.


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Elvin Cheng
Singapore Singapore
Elvin Cheng is currently living in Woodlands, Singapore. He has been developing applications with the .NET Framework, using C# and ASP.NET since October 2002. Elvin specializes in building Real-time monitoring and tracking information system for Semi-conductor manufacturing industry. During his spare time, he enjoys reading books, watching movie and gym.

Comments and Discussions

QuestionWCF is sending Kerberos requests to domain controller when using Certificates and Transport SecurityMode Pin
Member 144722843-Apr-20 4:45
MemberMember 144722843-Apr-20 4:45 
QuestionThe HTTP request was forbidden with client authentication scheme 'Anonymous'. Pin
Member 105569821-Jun-14 21:26
MemberMember 105569821-Jun-14 21:26 
AnswerRe: The HTTP request was forbidden with client authentication scheme 'Anonymous'. Pin
Member 105569824-Jun-14 21:55
MemberMember 105569824-Jun-14 21:55 
AnswerRe: The HTTP request was forbidden with client authentication scheme 'Anonymous'. Pin
euhm3-May-15 22:13
Membereuhm3-May-15 22:13 
Questionc# wcf client communicating with a java webservice Pin
kernelboss14-Jan-14 23:31
Memberkernelboss14-Jan-14 23:31 
QuestionProblem in creation of the certificates for the above demo. Pin
Member 8597216-Jun-13 23:46
MemberMember 8597216-Jun-13 23:46 
Questioncertificate not find Pin
nikudale9-Apr-13 6:08
Membernikudale9-Apr-13 6:08 
QuestionWireshark sniffing Pin
Member 205900411-Dec-12 2:25
MemberMember 205900411-Dec-12 2:25 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.