Matevž Gačnik's Weblog

WCF: certificateValidationMode and revocationMode

Having spent a lot of time reasoning about WCF and certificate based authentication, here's a scoop.

This forces WCF to expect a client side certificate for message based security:

What it says is that the client certificate must validate according to the complete certificate chain. In broader terms it forces the caller to use the certificate that is 'validatable' on the service side. This means the following:

The certificate must be present at the time of request generation (client side)
The certificate must be valid according to expiration period and certificate generation (checking done on server side)
The certificate chain (issuing CAs path) must be valid (certificateValidationMode="ChainTrust")
The certificate must not be obsolete and/or revoked (revocationMode="Online")

Other authentication options of certificateValidationMode and revocationMode include:

certificateValidationMode can take a velue of ChainTrust, PeerTrust, ChainOrPeerTrust, None or Custom. None means that no certificate checking is done, Custom allows one to plug in a custom X509CertificateValidator (new, System.IdentityModel.Selectors namespace), PeerTrust forces a public key of the client certificate to be present in the 'Trusted People' certificate store on the service side and ChainTrust requests that the client cert can be validated against the root certificates on the server side. ChainOrPeerTrust just executes the OR operator on the last two.
Remark: PeerTrust and ChainOrPeerTrust are also subjected to another attribute called trustedStoreLocation. If peer trust is demanded, one can specify where the public keys are present, meaning either in LocalMachine or CurrentUser store.
revocationMode takes the following value list: None, Online or Cached. None is saying that CRL (Certificate Revocation List) is not checked. Online demands that service checks (at every request) whether the certificate is still valid and thus not revoked. Offline says that the certificate should only be checked against the cached CRL.
Remark: Online does not mean that CRL will be downloaded from the CA CRL endpoint at every request. It means it will check a local copy of it at every request. Every CRL has a validity period, when it expires, it is downloaded again.

The <metadataPublishing> element is there just to allow WSDL/MetadataExchange endpoints to exist. It also allows the familiar service HTML page to pop up if you hit the endpoint (courtesy of enableHelpPage="true").

Another remark: Current February 2006 WCF CTP bits do not reflect the naming used in this post. For example revocationMode="Cached" was renamed from revocationMode=Offline", but don't be afraid of using it, nevertheless.

Categories: .NET 3.0 - WCF

Thursday, 27 April 2006 20:33:59 (Central Europe Standard Time, UTC+01:00)

Comments

Wednesday, 11 July 2007 22:52:22 (Central Europe Standard Time, UTC+01:00)

Hi,
I read your artical which was of real help for me.I have one query related to WCF.

I am trying to use WsHttpBinding with security mode as Transport and ClientCredentialType as Certificate. In the service behavior I have Https enabled. IIS is configured to use the certificate.

If I turn off the anonymous access (which is what i want), then try to access service from code I am getting this error

" Could not establish trust relationship for the SSL/TLS secure channel with authority 'localhost'. "

and if I try to browse my service from IIS with anonymous access off I get this error

"Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service."

To use certificates with Transport/Message security mode, How do i prevent using anonymous access with Certificate?

Any help is appreciated.

Thanks and Regards

Darpan Dewan

Darpan Dewan

All comments require the approval of the site owner before being displayed.