Click here to Skip to main content
15,443,631 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
I am trying to learn how to use certificates for mutual authentication over net tcp binding of WCF. My requirement is if client can produce correct certificate to the server , then only
client will be able to communicate otherwise not.

Below is the example of the project I created for the same.

1>First I created the certificates by the below commands

Creation of the Root Certificates
----------------------------------------------------------------------

makecert -n "CN=RootCATest" -r -sv RootCATest.pvk RootCATest.cer -ss TrustedPeople -sr localmachine

Creation of the client certificate in My locations from the root certificate
---------------------------------------------------------------------------------------------
makecert -sk localhost -iv RootCATest.pvk -n "CN=localhost" -ic RootCATest.cer -sr localmachine -ss my -sky exchange -pe

Creation of the service certificate in trusted people location from the root certificate(I created this one in trusted people location otherwise server was throwing error that certificate not present in trusted people store )
--------------------------------------------------------------------------------------------------------
makecert -sk localhost -iv RootCATest.pvk -n "CN=localhost" -ic RootCATest.cer -sr localmachine -ss trustedpeople -sky exchange -pe

2>Below is the server and client code
-----------------------------------
Server code:
----------------------------------
namespace NetTcpBindingDemo
{
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

class Program
{
static void Main(string[] args)
{
var b = new NetTcpBinding();
b.Security.Mode = System.ServiceModel.SecurityMode.TransportWithMessageCredential;
b.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;
b.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;

var sh = new ServiceHost(typeof(EchoService));
sh.AddServiceEndpoint(typeof(IEchoService), b, "net.tcp://localhost:56111/EchoService");
sh.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine,StoreName.TrustedPeople,X509FindType.FindByIssuerName, "RootCATest");

sh.Open();
Console.ForegroundColor = ConsoleColor.Green;
Console.WriteLine("EchoService has started.");
Console.ResetColor();
Console.ReadLine();
}
}
}
--------------------------------------------
Client Code:
--------------------------------------------
namespace NetTcpBindingDemo
{
using System.Diagnostics;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

internal class Program
{
private static void Main(string[] args)
{
var address = new EndpointAddress(new Uri("net.tcp://localhost:56111/EchoService"));

var b = new NetTcpBinding();
b.Security.Mode = SecurityMode.TransportWithMessageCredential;
b.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;
b.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;

var channelFactory = new ChannelFactory<iechoservice>(b, address);
channelFactory.Credentials.ClientCertificate.SetCertificate(
StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByIssuerName, "RootCATest");

channelFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
X509CertificateValidationMode.PeerTrust;
var client = channelFactory.CreateChannel(address);

// var client = new EchoServiceClient();
Console.ForegroundColor = ConsoleColor.Yellow;

var c = client as ICommunicationObject;
Console.WriteLine("Verifying Certificate...........");
c.Open();
Console.WriteLine("Certificate verification done...........");
client.Echo("Hello World\\n");
}
}
}
-------------------------------------------------------------------------

The interesting part is if I dnt set the certifciate in the client side then also client is able to communicate with server,even if I put a different certificate in client then also the same.

Please let me know what to do so that the client can authenticate correctly to the server using the certificates?
Posted
Comments
Prasad Khandekar 2-Jun-13 15:32pm     CRLF
Perhaps following articles might help you in correctly configuring your service/server. 1. http://msdn.microsoft.com/en-us/library/windowsazure/hh289316.aspx 2. http://www.iisadmin.co.uk/?p=11&page=6 3. http://blogs.msdn.com/b/saurabh_singh/archive/2007/04/14/how-to-setup-iis-and-ad-for-client-certificate-setup-and-authentication.aspx 4. http://ondrej.wordpress.com/2010/01/24/iis-7-and-client-certificates/ Regards,
Member 859721 3-Jun-13 0:57am     CRLF
Well, the most of the above links are configuring certificates with IIS. But I want to configure with nettcp. However I found that if the Security.Mode is changed to Transport in both client and server then the client certifiact needs to be configured in client otherwise in TransportWithMessageCredential mode the communication works without the client certificate. Can anyone explain the reason for this?
Member 859721 7-Jun-13 5:50am     CRLF
In Security.Mode in transport mode ,I created a service certificate ,imported to the store from .pfx file(containing the private key and public key). Then I exported from the the public key from it and created another certificate and added that in the store as client certificate. And I am getting the below error .Please help on this. The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:00:09.9470000'. I think I am not having clear concept of which certificate to use where. I have gone through many links but still I think its a bit unclear. I think server should use a certificate which is having only the private key. And the client should use the certificate with the pairing public key. We can create public key by exporting the same in the store. If my thinking is correct then the question is how to create a certificate with only private key. If I can get the overview(not in details) how this private and public key part used in server and client and how to create the respective certificates that will be very helpful.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900