Thursday, August 12, 2010

Setting up Client Certificate Authentication in WCF

Recently I had an opportunity to set up Client Cert Authentication for a WCF service I created. I think it would be good to share this info with others and also for my future reference. WCF supports both Message-level and Transport-level security.

In Client Certificate Authentication:

1) The client has a .pfx cert file and installs the certificate on their side using the .pfx file and its password.
2) The client provides the .cer file to the server team through some offline process (read: email).
3) The server team maps the certificate the client provided to a Windows account on their IIS server as a client certificate. The mapping requires a Windows account on the server side, and the change is reflected in the ApplicationHost.config file.
4) When the client makes a request, it finds the certificate in its local certificate store and attaches that cert to the HTTP request.
5) When the request reaches the server, IIS takes the certificate from the request and compares it with the one the server team installed in IIS; if the two match, the request goes through.

Steps for configuring Client Cert Authentication:

1) Enable Client Certificate Mapping Authentication using the Role Services wizard (by adding role services).
2) Open the .cer file in Notepad and copy only the encoded text.
3) In IIS Manager (inetmgr), map this cert to a Windows account. This can be done using the Configuration Editor, which is a separate power-pack install. Configuration Editor is basically a GUI that sits on top of the ApplicationHost.config file and lets you modify the settings specified in that file.

Once the cert is mapped in IIS, the WCF service should use the Transport security mode.

Configuration looks similar to this:
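The configuration from the original post is not reproduced on this page; what follows is an added example (not the author's own files) of the three pieces the steps above describe: the IIS one-to-one mapping in applicationHost.config, the service binding in web.config, and the client-side certificate selection in app.config. The site path, account name, contract name, service URL and every bracketed value are assumed placeholders.

```xml
<!-- IIS applicationHost.config, in the site's <location> element: require a client cert
     and map the .cer's base64 body (step 2) to a Windows account (step 3) -->
<system.webServer>
  <security>
    <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
    <authentication>
      <iisClientCertificateMappingAuthentication enabled="true"
          oneToOneCertificateMappingsEnabled="true">
        <oneToOneMappings>
          <add enabled="true" userName="DOMAIN\svc-clientmap" password="[set in inetmgr]"
               certificate="[base64 from the .cer, BEGIN/END lines removed]" />
        </oneToOneMappings>
      </iisClientCertificateMappingAuthentication>
    </authentication>
  </security>
</system.webServer>
<!-- Service web.config: Transport security with a certificate as the client credential;
     the service endpoint references it via bindingConfiguration="ClientCertTransport" -->
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="ClientCertTransport">
        <security mode="Transport">
          <transport clientCredentialType="Certificate" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
</system.serviceModel>
<!-- Client app.config (step 4): select the private-key cert from the local store by
     thumbprint and present it on the endpoint (same binding definition as above) -->
<system.serviceModel>
  <behaviors>
    <endpointBehaviors>
      <behavior name="PresentClientCert">
        <clientCredentials>
          <clientCertificate storeLocation="LocalMachine" storeName="My"
                             x509FindType="FindByThumbprint" findValue="[thumbprint]" />
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <client>
    <endpoint name="OrderService" contract="Demo.IOrderService" binding="basicHttpBinding"
              bindingConfiguration="ClientCertTransport" behaviorConfiguration="PresentClientCert"
              address="https://service.example.com/ClientCertService/OrderService.svc" />
  </client>
</system.serviceModel>
```

With Transport security and clientCredentialType="Certificate", WCF expects the IIS site itself to require client certificates, which is what the sslFlags line provides. How the presented certificate is validated (chain trust versus peer trust) is a separate setting under serviceCredentials/clientCertificate/authentication and is not shown here.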

This is all you have to do to expose a WCF service that uses Client Certificate Authentication.
