Question

PC: Windows 8.1 + all updates, VS 2012 + all updates.

I've created a WCF service which I have tested and it works. I want to use this service against a Windows Phone 8 application and therefore need to create a basicHttpBinding service which accepts a username and password in order to access the data. Here are the steps I've taken after completing the service, which successfully runs on IIS.

  1. Created an SSL (followed steps here http://msdn.microsoft.com/en-us/library/hh556232.aspx)
  2. Changed my web.config file so it contains:

    <system.serviceModel>
    <services>
      <service behaviorConfiguration="NewBehavior1" name="Service">
        <endpoint address="" binding="basicHttpBinding" contract="IService" bindingConfiguration="NewBinding1" />
        <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
      </service>
    </services>
    <bindings>
      <basicHttpBinding>
        <binding name="NewBinding1">
          <security mode="TransportWithMessageCredential" />
        </binding>
      </basicHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="MEX">
          <serviceMetadata/>
        </behavior>
        <behavior name="NewBehavior1">
          <serviceMetadata httpGetEnabled="true"/>
          <serviceCredentials>
            <userNameAuthentication userNamePasswordValidationMode="Custom"
          customUserNamePasswordValidatorType="Service, Services" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
    </system.serviceModel>

  3. Navigated to http://localhost/Service/Service.svc and got a 403.4 message (can't access without SSL) which is correct so I replaced the http with https and I could view the service page.

  4. Knowing that it works using https I open up the WCF Test Client tool and navigate to the same URL and get the error (please note I've shortened some of the error and left in the main areas)

    Error: Cannot obtain Metadata from https://localhost/Service/service.svc If this is a Windows (R) Communication Foundation service to which you have access, please check that you have enabled metadata publishing at the specified address.
    Metadata contains a reference that cannot be resolved: 'https://localhost/Service/service.svc'.
    Could not establish trust relationship for the SSL/TLS secure channel with authority 'localhost'.
    The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
    The remote certificate is invalid according to the validation procedure.HTTP GET Error

  5. I exported the certificate from IIS and installed it on the local machine and user under the Trusted Root Certification Authorities. Made no difference.

So now I'm a little lost as whatever I've tried doesn't seem to work. Could anyone advise?


Solution

I'll give this a try ... there are several potential reasons for this behavior.

A) If your client test tool is built within IE and your SSL cert is self-signed, you'll always have problems with IE not accepting the certificate, and adding the cert to your client's "trusted" group won't help. IE hates self-signed certs and going through MS's Import routine is a waste of time.

B) If your client test tool is a self-built application, you shouldn't need to add the certificate to the trusted group even if it's self-signed. But you might need to add this to your code (for testing) in order to avoid the self-signed certificate glitch:

    System.Net.ServicePointManager.CertificatePolicy = New TrustAllCertificatePolicy()

C) Assuming you're using a self-signed certificate, be careful how you create the certificate. This was a problem for me until I came up with these commands:

    rem creates root authority file and cert in currentuser\root and gives it the right to sign certs
    makecert.exe -a sha1 -n CN=CAS_Temp_Authority %Host_Authority_Cert_Name% -sr LocalMachine -ss Root -sky signature -pe -r -sk MyNewKey -cy authority

    rem creates ssl cert, puts it in the currentuser\root authority and signs it based on the other certificate
    makecert.exe  -n cn=%Host_URL% %Host_Cert_Name% -is root -ic %Host_Authority_Cert_Name%  -sky exchange -pe -sv %Host_Cert_PrivateKey% -eku 1.3.6.1.5.5.7.3.1

    rem make the pfx file that will allow you to copy certs around with private keys
    pvk2pfx -pvk %Host_Cert_PrivateKey% -spc %Host_Cert_Name% -pfx %Host_Cert_PFX% -f

As you can imagine, the "authority" cert (*.cer file) generated from that goes into your "trusted root..." store, the other exchange cert goes into your Local Machine / My store, but you want to import it as the *.pfx file, not the *.cer file. At least that worked for me.

Lastly, if A) and B) don't help you might try changing your SecurityMode from TransportWithMessageCredential to regular Transport and see if that makes a difference.

Good luck. Sorting out these WCF/SSL issues is tough for everyone.
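
As an added example (not part of the answer above, and not the poster's code): for a self-built desktop .NET Framework test client, validation can be relaxed for one known development certificate only, using `ServicePointManager.ServerCertificateValidationCallback`, the replacement for the obsolete `CertificatePolicy` property. The class name, the `localhost` host and the thumbprint placeholder are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper for a test client; names are illustrative only.
static class DevCertificatePinning
{
    // Placeholder: SHA-1 thumbprint of your own development certificate
    // (certificate Details tab, with spaces removed).
    const string PinnedThumbprint = "<THUMBPRINT-OF-YOUR-DEV-CERT>";

    // Assumption: the test service is only reached as https://localhost/...
    const string PinnedHost = "localhost";

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // A certificate that passes normal validation needs no exception.
        if (errors == SslPolicyErrors.None) return true;
        if (certificate == null) return false;

        // Relax validation only for requests addressed to the pinned host.
        var request = sender as HttpWebRequest;
        if (request == null ||
            !string.Equals(request.RequestUri.Host, PinnedHost,
                           StringComparison.OrdinalIgnoreCase))
            return false;

        // Accept the failure only if this is exactly the expected certificate.
        return string.Equals(certificate.GetCertHashString(), PinnedThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }

    public static void Install()
    {
#if DEBUG
        // Registered in debug builds only; release builds keep default validation.
        ServicePointManager.ServerCertificateValidationCallback = Validate;
#endif
    }
}
```

Call `DevCertificatePinning.Install()` once at start-up, before the WCF proxy is opened.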

Other tips

Sorry, I might be completely wrong but I noticed that you configured your behavior like this:

    <behavior name="NewBehavior1">
      <serviceMetadata httpGetEnabled="true"/>
      <serviceCredentials>
        <userNameAuthentication userNamePasswordValidationMode="Custom"
      customUserNamePasswordValidatorType="Service, Services" />
      </serviceCredentials>

I suppose if you want to use https you have to configure it like this:

    <serviceMetadata httpsGetEnabled="true"/>

(httpS enable for service metadata).

I'd try, but I'm not 100% sure it will work for you, depending on the rest of your configuration.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow