The HTTP request was forbidden with client authentication scheme 'Anonymous'. The remote server returned an error: (403) Forbidden
I am trying to create a secure webservice.

Here is the contract and service implementation

using System.ServiceModel;

[ServiceContract()]
public interface ICalculatorService
{
    [OperationContract()]
    int Add(int x, int y);
}

// IncludeExceptionDetailInFaults sends server-side exception details (including stack traces)
// back to callers. Useful while debugging this problem, but it should be off in production.
[ServiceBehavior(IncludeExceptionDetailInFaults=true)]
public class CalculatorService : ICalculatorService
{
    public int Add(int x, int y)
    {
        return x + y;
    }
}

Here I have the service code

using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Transport security: TLS on the wire, the client authenticated with an X.509 certificate
// at the HTTP layer, and no message-level credential.
var b = new WSHttpBinding(SecurityMode.Transport);
b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
b.Security.Message.ClientCredentialType = MessageCredentialType.None;

Type contractType = typeof(ICalculatorService);
Type implementedContract = typeof(CalculatorService);
Uri baseAddress = new Uri("https://localhost:8006/CalculatorService");
ServiceHost sh = new ServiceHost(implementedContract);

sh.AddServiceEndpoint(contractType, b, baseAddress);

//ServiceMetadataBehavior sm = new ServiceMetadataBehavior();
//sm.HttpsGetEnabled = true;
//sm.HttpsGetUrl = new Uri("https://localhost:8006/CalculatorServiceMex");
//sh.Description.Behaviors.Add(sm);

// Credentials.Peer.PeerAuthentication only applies to the peer channel (NetPeerTcpBinding).
// The validator for transport client certificates is ClientCertificate.Authentication;
// PeerTrust accepts a client certificate only if it sits in the TrustedPeople store.
sh.Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;
// With SecurityMode.Transport over HTTPS, TLS is terminated by HTTP.sys using the certificate
// bound with "netsh http add sslcert" (or the IIS site binding); this call does not choose the
// TLS certificate. Whatever certificate is bound there must have its private key available.
sh.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.TrustedPeople, X509FindType.FindBySubjectName, "localhost");

sh.Open();
Console.WriteLine("Service is Listening");
Console.ReadLine();
sh.Close();

Here is the client code

using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

var b = new WSHttpBinding(SecurityMode.Transport);
b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
b.Security.Message.ClientCredentialType = MessageCredentialType.None;

var factory = new ChannelFactory<ICalculatorService>(b);
// Credentials.Peer.PeerAuthentication applies only to the peer channel and has no effect here.
// For HTTPS the server certificate is validated by the TLS stack; see the
// ServicePointManager callback below.
// The client certificate must have its private key, otherwise it cannot be presented in the handshake.
factory.Credentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.TrustedPeople, X509FindType.FindBySubjectName, "localhost");

// Process-wide hook, set before the channel opens. It is used here to see which chain was
// built and whether there were policy errors, but it only accepts the certificate when there
// are none: returning true unconditionally would turn off server authentication entirely.
ServicePointManager.ServerCertificateValidationCallback =
    ((sender, certificate, chain, sslPolicyErrors) =>
    {
        Console.WriteLine("TLS policy errors: {0}", sslPolicyErrors);
        return sslPolicyErrors == SslPolicyErrors.None;
    });

var client = factory.CreateChannel(new EndpointAddress(new Uri("https://localhost:8006/CalculatorService")));

ICommunicationObject comObject = client as ICommunicationObject;
int result = -1;
try
{
    comObject.Open();
    result = client.Add(10, 2);
    comObject.Close();
}
catch (Exception ex)
{
    // An empty catch hides the 403; print the exception so the fault is visible.
    Console.WriteLine(ex);
    comObject.Abort();
}
Console.WriteLine(string.Format("Service say 10 + 2 = {0}", result));
Console.ReadLine();

The service runs fine and when the ServicePointManager.ServerCertificateValidationCallback check is made there are no policy errors, with the correct certificate chain built.


I have my CA in the trusted root and the server/client cert in the TrustedPeople store. Also, if I navigate to the site from a browser I see a page returned. No errors.

I have updated IIS with what I think are the required settings: bound the certificate in IIS and via the command line, set the SSL settings to accept certificates, and enabled anonymous authentication.

Does anyone know what steps I've not done correctly or see anything amiss? I keep getting the same error "The HTTP request was forbidden with client authentication scheme 'Anonymous'."

Lambent answered 2/10, 2014 at 20:29

Comments:

I ran into this exception but it was due to my SSL certificate expiring. - Charlesettacharleston

Is there any alternative to IIS for WCF? I HATE IIS; one day it works and the next it starts giving all sorts of errors that take all day to solve. - Defraud
There is a registry entry located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL. Setting that value to 0 fixes the issue. Some other potential solutions are outlined in the page referenced. I had an existing answer which cited Method 3 and had a number of upvotes from the page referenced, but it was removed for unknown reasons by a moderator. Reposting in case it helps someone else in the future.

Lambent answered 11/12, 2023 at 17:31
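
A read-only check, added here as an example and not code from the question or from this answer, for the two Windows-side pieces this answer and the question's IIS/netsh steps depend on: the HTTP.sys SSL binding that "netsh http add sslcert" or the IIS site binding creates for the port, and the SCHANNEL registry key. The answer does not name the value it sets to 0, so the script lists every value under the key and, as an assumption, singles out SendTrustedIssuerList, the value that stops the server sending its trusted-issuer list during the handshake (an oversized list is a documented cause of client-certificate negotiation failing). The port 8006 comes from the question; nothing is written.

```powershell
# Added diagnostic; not code from the question or from this answer. Read-only.
# Assumptions: the service listens on port 8006 as in the question, and SendTrustedIssuerList
# is the SCHANNEL value the answer has in mind (the answer does not name it).
# Run from an elevated PowerShell prompt on the machine that hosts the service.

param([int]$Port = 8006)

function Get-HttpSysSslBinding {
    param([int]$Port)
    # "netsh http show sslcert" prints one record per binding, each starting with an
    # "IP:port" (or "Hostname:port") line. Collect the records whose endpoint ends in :$Port.
    $lines = @(netsh http show sslcert 2>&1)
    $records = @(); $current = $null
    foreach ($line in $lines) {
        if ($line -match '^\s*(IP|Hostname):port\s*:\s*(\S+)\s*$') {
            if ($current) { $records += ,$current }
            $current = @{ Endpoint = $Matches[2]; Text = @($line) }
        } elseif ($current) {
            $current.Text += $line
        }
    }
    if ($current) { $records += ,$current }
    $records | Where-Object { $_.Endpoint -match ":$Port$" }
}

function Test-HttpSysSslBinding {
    param([int]$Port)
    $bindings = @(Get-HttpSysSslBinding -Port $Port)
    if ($bindings.Count -eq 0) {
        # A self-hosted ServiceHost has no binding until "netsh http add sslcert" has been run;
        # IIS creates one when the site gets an https binding. Without it TLS never starts,
        # so no client certificate is ever requested.
        Write-Warning "No HTTP.sys SSL binding for port $Port."
        return
    }
    foreach ($b in $bindings) {
        $text = $b.Text -join "`n"
        $text
        if ($text -match 'Negotiate Client Certificate\s*:\s*Disabled') {
            # For a self-hosted service HTTP.sys only asks the client for a certificate when
            # the binding was added with clientcertnegotiation=enable.
            Write-Warning "Client certificate negotiation is Disabled on $($b.Endpoint)."
        }
    }
}

function Get-SchannelSettings {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    $props = Get-ItemProperty -Path $key
    # Show every value under the key, so the one that was changed is visible whatever its name.
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object { '{0} = {1}' -f $_.Name, $_.Value }
    # Assumption: this is the value the answer means. 0 stops the server sending its list of
    # trusted issuers in the TLS handshake; a list too large for the handshake is a documented
    # cause of client-certificate negotiation failing.
    $v = $props.PSObject.Properties['SendTrustedIssuerList']
    if ($null -eq $v) { 'SendTrustedIssuerList is not set (Windows default applies)' }
    else { 'SendTrustedIssuerList = {0}' -f $v.Value }
}

Test-HttpSysSslBinding -Port $Port
Get-SchannelSettings
```

If the binding record is present but negotiation is Disabled, the fix on a self-host is to delete and re-add the binding with clientcertnegotiation=enable; under IIS the site's SSL Settings (Accept or Require) drive the client-certificate request instead. Changing SCHANNEL values is machine-wide and affects every TLS server on the box, so read first and change deliberately.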
Another reason for this is the certificate itself on the server you are hitting. Ensure you have imported the PRIVATE KEY. In MMC this will show up with a "Friendly Name". This took me days to figure out. Once I imported the private key the Anonymous error went away and all was well!

Nicolle answered 12/1, 2018 at 15:10
When you host a WCF service in IIS with security type transport and client credential type certificate, put your client certificate in the Root store and enable anonymous authentication in IIS. But most importantly, add your certificate to the Root store.

Wendiwendie answered 9/8, 2016 at 11:56
If you run a self-hosted WCF service (without IIS) you can enable anonymous clients just by adding the following settings to the server's config file:

<behaviors>
    <serviceBehaviors>
        <behavior name="limitedAuthBehavior">
            <serviceAuthenticationManager authenticationSchemes="Anonymous, Basic, Digest, Negotiate"/>
            <!-- ... -->
        </behavior>
    </serviceBehaviors>
</behaviors>

Also, set clientCredentialType to "InheritedFromHost":

<bindings>
    <basicHttpBinding>
        <binding name="secureBinding">
            <security mode="Transport">
                <transport clientCredentialType="InheritedFromHost" />
            </security>
        </binding>
    </basicHttpBinding>
</bindings>

References:

Using Multiple Authentication Schemes with WCF

Understanding HTTP Authentication

Wintergreen answered 30/11, 2016 at 10:26
We had this error message, and for us the solution was that Handler Mappings feature permissions had not been enabled for Script. You can enable this in IIS under Handler Mappings > Edit Feature Permissions, or by adding Script to the accessPolicy attribute of the handlers node in your web.config:

<system.webServer>
  <handlers accessPolicy="Script">
    ...
  </handlers>
</system.webServer>

Halutz answered 16/1, 2017 at 11:31
I had this kind of error. The certificate was a sub-domain wildcard one. I had to import the private key into the "Trusted People" store for LocalMachine and this error disappeared. Like others have pointed out, you can also try importing the private key into the "Trusted Root" store for LocalMachine.

Ephram answered 13/11, 2020 at 10:8
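
A certificate-store check, added here as an example and not code from the question or from any answer on this page. It covers what the question and the answers by Nicolle, Wendiwendie and Ephram turn on: whether the certificate found by subject name carries a private key, whether its chain builds to a CA in Root, which stores it sits in, and whether an end-entity certificate has been dropped into Root. The subject name "localhost" and the LocalMachine stores come from the question's SetCertificate calls; the store list and output format are assumptions. The script only reads; it imports and moves nothing.

```powershell
# Added example; not code from the question or from any answer on this page. Read-only.
# Assumptions: subject name "localhost" and the LocalMachine stores from the question's
# SetCertificate calls; the issuing CA is expected in LocalMachine\Root as the question says.

param([string]$SubjectName = 'localhost')

function Get-CandidateCertificates {
    param([string]$Subject)
    # X509FindType.FindBySubjectName is a case-insensitive substring match, so search the same
    # way in every store WCF or SChannel could be pointed at. More than one hit in the store
    # named in SetCertificate makes that call throw for ambiguity.
    foreach ($store in 'My', 'TrustedPeople', 'Root', 'CA') {
        Get-ChildItem -Path "Cert:\LocalMachine\$store" |
            Where-Object { $_.Subject -like "*$Subject*" } |
            ForEach-Object { [pscustomobject]@{ Store = $store; Certificate = $_ } }
    }
}

function Test-Certificate {
    param([string]$Store, [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    '{0,-13} {1}  thumbprint={2}' -f $Store, $Cert.Subject, $Cert.Thumbprint
    '              notAfter={0:u}  hasPrivateKey={1}' -f $Cert.NotAfter, $Cert.HasPrivateKey

    if ($Cert.NotAfter -lt (Get-Date)) {
        Write-Warning "  expired on $($Cert.NotAfter)"
    }
    if (-not $Cert.HasPrivateKey -and $Store -in 'My', 'TrustedPeople') {
        # A certificate without its key can be trusted but never presented: the TLS handshake
        # has to sign with the private key. This is the case the Nicolle answer describes.
        Write-Warning '  no private key: cannot be used as the service or client credential (import the .pfx, not the .cer)'
    }

    # Build the chain the way SChannel does for the handshake and WCF does for ChainTrust.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Offline check; revocation is a separate concern from the 403 discussed here.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Write-Warning "  chain does not build: $status (is the issuing CA in LocalMachine\Root?)"
    }
    $chain.Reset()

    if ($Store -eq 'Root' -and $Cert.Subject -ne $Cert.Issuer) {
        # Root is the machine-wide trust-anchor store. An end-entity certificate placed there is
        # treated as a CA by every application on the box, so flag it rather than recommend it.
        Write-Warning '  end-entity certificate in Root: it is now a trust anchor for the whole machine'
    }

    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku) {
        # The service certificate needs Server Authentication, the client certificate Client Authentication.
        '              EKU: ' + (($eku.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', ')
    } else {
        '              EKU: (none; not restricted to a purpose)'
    }
}

$candidates = @(Get-CandidateCertificates -Subject $SubjectName)
if ($candidates.Count -eq 0) {
    Write-Warning "no certificate with '$SubjectName' in its subject in any LocalMachine store"
}
foreach ($c in $candidates) { Test-Certificate -Store $c.Store -Cert $c.Certificate }
```

Two things to read from the output. First, because FindBySubjectName is a substring match, any second certificate whose subject contains "localhost" shows up here and will make SetCertificate fail with an ambiguity error, which is why the listing is per store. Second, the Root-store warning is there because two of the answers suggest placing the leaf certificate in Trusted Root: that makes the error go away by turning the certificate into a trust anchor for every application on the machine, which is a much larger change than trusting one peer in TrustedPeople.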
I had this issue earlier and the following steps helped resolve it.

Open an elevated cmd and run the command below:

netsh winhttp set proxy 127.0.0.1:8888

See if this fixes the issue, and turn on Fiddler.

Later, reset it back using the command below:

netsh winhttp reset proxy

Helsie answered 11/7, 2022 at 20:37

© 2022 - 2025 — McMap. All rights reserved.