Enabling certificate based authentication for WCF service using netTcpBinding
I have a WCF service which is exposed using a single endpoint with netTcpBinding which sits on Server A, hosted on IIS7.5/WAS on our internal LAN on our domain.

This service is then consumed by an ASP.NET web client application sitting on Server B, also hosted on IIS7.5 with an external hosting provider outside of our domain, and linked to our LAN via a VPN secured to allow only traffic between Server A and Server B.

During development while I was testing the concept I ran the web client application on another IIS server internally on our domain using binding security mode="Transport" and transport clientCredentialType="Windows" which worked fine.

I then moved the web client application to the external Server B for further proof-of-concept testing setting the binding security mode="None", as obviously with this server being outside of our domain I cannot use Windows authentication, and it still works fine.

What I need to do now, to enable the switch back to using transport security is to set the clientCredentialType="Certificate", as you cannot have transport security with clientCredentialType="None".

This is where I have started to come unstuck. I seem to be going around in circles as to where in the web.config of the service and the client web.config to define the certificate and where to store which bits of the certificate.

Essentially what I'm trying to do is authenticate that Server B is indeed Server B calling the service on Server A, thus preventing any spoofing or DNS subversion issues, which could result in the service at Server A being illegally accessed.

My thinking is that I need to create a certificate for Server B to which Server A holds the public key to validate it? If this is the case Server B already has a wildcard SSL certificate installed on it as it serves various applications of ours as subdomains. Could this certificate be used for the WCF authentication?

None of the SO questions I've found seem to cover this, and all the various websites and book examples I've found aren't that clear. It's starting to look like WCF configuration is somewhat of a black art.

This is all built using .NET 4 and Visual Basic. Any help would be greatly appreciated.

Moule answered 25/8, 2011 at 12:2
This MSDN example has examples of how to configure netTcpBinding with certificates in both code and config. Just pick the scenario that suits you. The certificate should be issued by a public (commercial) certificate authority like VeriSign or Thawte so it will be trusted by your external host provider and your internal server.

Hunger answered 25/8, 2011 at 12:47
Thanks for the link. I'm not really interested in message security, as it's only point to point; transport security would be enough. So I'm assuming I can amend the example linked above to just use mode="Transport". Am I right in thinking that the cert defined in the endpoint behavior of the service needs to be installed on Server A (with the service) and then the cert defined in the client web.config installed on Server B (with the client app)? If the cert is issued by a trusted CA do I still need to install public keys on the opposite servers?Moule
Yes, netTcpBinding can be configured for transport mode only. The certificate will need to be installed on both servers. The hosting provider may want to do it themselves or allow you to install it. The web.config on server B will just refer to whichever cert store the host provider designates for their server.Hunger
OK. The hosted server is a dedicated server with RDP access so I can add whatever certs are required. The hosted server does already have a wildcard cert installed which is used for the hosted IIS sites. I'm assuming this could be used for the client application. But then the internal server (Server A) would need its own cert, and then the public keys from both certs installed on the opposing server? Or is the public key bit not required?Moule
Both the WCF client (server B) and service (server A) need to refer to the same certificate (installed separately on each machine). This MSDN example shows how your client certificate should be configured for netTcpBinding with transport security. The service would be similarly set up except the certificate would be configured in the serviceBehaviors element instead of the endpointBehaviors element. WCF handles getting the public keys and such as long as it is pointed to the correct certificate.Hunger
Ah, that makes more sense. Let me have a go at setting that up and I'll get back to you.Moule
OK, after much tweaking of config files and location of certificates I've finally got it working. Thanks for all the help.Moule
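The configuration the answer and comments describe, written out as an added example (it is not from the thread or from the MSDN sample, and the asker never posted their final config). It assumes two certificates, one per server, each with its private key in that server's LocalMachine\My store and its public certificate (no private key) in the other server's LocalMachine\TrustedPeople store; the subject names, service name, contract name and net.tcp address are placeholders. The binding is the same on both sides: mode="Transport" with clientCredentialType="Certificate", which makes the TLS handshake mutual. On the service the certificate goes under serviceBehaviors/serviceCredentials, on the client under endpointBehaviors/clientCredentials, as the answer says.

```xml
<!-- Added example, not the thread's own config. Names and address are placeholders. -->

<!-- ===== Server A: web.config of the WCF service ===== -->
<system.serviceModel>
  <bindings>
    <netTcpBinding>
      <binding name="tcpCertTransport">
        <security mode="Transport">
          <!-- Transport security requires a credential type; Certificate works across domains -->
          <transport clientCredentialType="Certificate" protectionLevel="EncryptAndSign" />
        </security>
      </binding>
    </netTcpBinding>
  </bindings>

  <behaviors>
    <serviceBehaviors>
      <behavior name="certServiceBehavior">
        <serviceCredentials>
          <!-- Server A's own certificate; the private key must be readable by the app-pool identity -->
          <serviceCertificate findValue="servicea.example.com"
                              storeLocation="LocalMachine"
                              storeName="My"
                              x509FindType="FindBySubjectName" />
          <clientCertificate>
            <!-- PeerTrust: only a client cert whose exact public copy sits in
                 LocalMachine\TrustedPeople on Server A is accepted (i.e. Server B's) -->
            <authentication certificateValidationMode="PeerTrust" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>

  <services>
    <service name="MyCompany.MyService" behaviorConfiguration="certServiceBehavior">
      <endpoint address=""
                binding="netTcpBinding"
                bindingConfiguration="tcpCertTransport"
                contract="MyCompany.IMyService" />
    </service>
  </services>
</system.serviceModel>

<!-- ===== Server B: web.config of the ASP.NET client application ===== -->
<system.serviceModel>
  <bindings>
    <netTcpBinding>
      <binding name="tcpCertTransport">
        <security mode="Transport">
          <transport clientCredentialType="Certificate" protectionLevel="EncryptAndSign" />
        </security>
      </binding>
    </netTcpBinding>
  </bindings>

  <behaviors>
    <endpointBehaviors>
      <behavior name="certClientBehavior">
        <clientCredentials>
          <!-- Server B's certificate (private key in LocalMachine\My), presented to Server A -->
          <clientCertificate findValue="serverb.example.com"
                             storeLocation="LocalMachine"
                             storeName="My"
                             x509FindType="FindBySubjectName" />
          <serviceCertificate>
            <!-- Server A's public cert must be in LocalMachine\TrustedPeople on Server B -->
            <authentication certificateValidationMode="PeerTrust" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>

  <client>
    <endpoint name="MyServiceTcp"
              address="net.tcp://servicea.example.com:808/MyService.svc"
              binding="netTcpBinding"
              bindingConfiguration="tcpCertTransport"
              behaviorConfiguration="certClientBehavior"
              contract="MyCompany.IMyService">
      <identity>
        <!-- Expected service identity; must match the subject of Server A's certificate -->
        <dns value="servicea.example.com" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
```

Two points worth checking before blaming the config. First, the validation mode decides what "Server B is Server B" actually means: PeerTrust (used above) accepts only a certificate whose public copy is in TrustedPeople, which is the spoofing guarantee the question asks for; ChainTrust, the default and what a commercial CA cert gives you out of the box, accepts any certificate that chains to a trusted root, so with ChainTrust the service should additionally check the caller's certificate (for example its thumbprint via ServiceSecurityContext.Current) before treating it as Server B. Second, a certificate that is found but whose private key the IIS application-pool identity cannot read fails the handshake with an unhelpful error on the far side; grant that identity read access to the private key on each server. The existing wildcard certificate on Server B can serve as the client certificate only if it is installed with its private key under that same constraint.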
