Having spent a lot of time reasoning about WCF and certificate based authentication, here's a scoop.This forces WCF to expect a client side certificate for message based security:<behavior name="DefaultBehavior" returnUnknownExceptionsAsFaults="false" >
<serviceCredentials>
<serviceCertificate
x509FindType="FindBySubjectName"
findValue="MyCertificate"
storeLocation="LocalMachine"
storeName="My"/>
<clientCertificate>
<authentication certificateValidationMode="ChainTrust" revocationMode="Online"/>
</clientCertificate>
</serviceCredentials>
<metadataPublishing enableGetWsdl="true" enableMetadataExchange="true" enableHelpPage="true"/>
</behavior>What it says is that the client certificate must validate according to the complete certificate chain. In broader terms it forces the caller to use the certificate that is 'validatable' on the service side. This means the following:
Read more: Matevz Gacnik's Weblog
<serviceCredentials>
<serviceCertificate
x509FindType="FindBySubjectName"
findValue="MyCertificate"
storeLocation="LocalMachine"
storeName="My"/>
<clientCertificate>
<authentication certificateValidationMode="ChainTrust" revocationMode="Online"/>
</clientCertificate>
</serviceCredentials>
<metadataPublishing enableGetWsdl="true" enableMetadataExchange="true" enableHelpPage="true"/>
</behavior>What it says is that the client certificate must validate according to the complete certificate chain. In broader terms it forces the caller to use the certificate that is 'validatable' on the service side. This means the following:
- The certificate must be present at the time of request generation (client side)
- The certificate must be valid according to expiration period and certificate generation (checking done on server side)
- The certificate chain (issuing CAs path) must be valid (certificateValidationMode="ChainTrust")
- The certificate must not be obsolete and/or revoked (revocationMode="Online")
Other authentication options of certificateValidationMode and revocationMode include:
- certificateValidationMode can take a velue of ChainTrust, PeerTrust, ChainOrPeerTrust, None or Custom. None means that no certificate checking is done, Custom allows one to plug in a custom X509CertificateValidator (new, System.IdentityModel.Selectors namespace), PeerTrust forces a public key of the client certificate to be present in the 'Trusted People' certificate store on the service side and ChainTrust requests that the client cert can be validated against the root certificates on the server side. ChainOrPeerTrust just executes the OR operator on the last two.
Remark: PeerTrust and ChainOrPeerTrust are also subjected to another attribute called trustedStoreLocation. If peer trust is demanded, one can specify where the public keys are present, meaning either in LocalMachine or CurrentUser store.
Read more: Matevz Gacnik's Weblog
0 comments:
Post a Comment