pau lopez

It's me again, I cannot map certificates to Windows accounts using WCF; I don't care about using IIS mapping or Active Directory mapping. I've not found anything interesting about it on the internet, I can't believe any developer has to map certificates to Windows accounts; I've only found this article that shows a sample about mappings for Transport Layer security...

http://staff.newtelligence.com/sergeys/CategoryView,category,WCF+(Indigo).aspx (see the sample at the end of the article)...

So, if you can help in any way: I think I've tested a lot of combinations of WCF and IIS settings but nothing works, I cannot align the settings between IIS and WCF.

Do you know the right configuration in WCF and IIS to make this scenario work, or someone with the same problem?



Re: Windows Communication Foundation (Indigo) Map Client Certificate to Windows Account

Govind Ramanathan - MSFT

Hi,

I was unable to access the link you have provided. You have mentioned that you are not worried about IIS mapping. How is your scenario set up? Using IIS you can map Transport layer certificates. If you are using Message security, IIS doesn't know how to map these as it doesn't have access to the certificates in the message.

- Govind






Re: Windows Communication Foundation (Indigo) Map Client Certificate to Windows Account

pau lopez

Sorry, I've posted an incorrect URL, the correct one is:

http://staff.newtelligence.com/sergeys/CategoryView,category,WCF+(Indigo).aspx

It explains mapping client certificates to Windows accounts using the IIS feature. It's a good example but it doesn't work on my development server.

I know I have to use certificates at transport level; I'm enabling security at transport level with basicHttpBinding and enabling the service authorization property mapClientCertificateToWindowsAccount. I don't care about using the IIS mapping feature or another one (I've read something about Active Directory Mapping); I need to centralize the mappings between certificates and accounts to address authorization in my application, and I don't want to implement a custom solution, so I think the Windows infrastructure is powerful enough to do this work. Anyway, I've tested a lot of examples from the internet but nothing works mapping accounts automatically, and there isn't any clear information about WCF and mapping certificates.

Thanks for your response, I hope you can help me :)





Re: Windows Communication Foundation (Indigo) Map Client Certificate to Windows Account

Hao Xu - MSFT

You can map a client certificate to a Windows account in three different ways: AD mapping, IIS mapping and UPN mapping (UPN in the certificate, probably not what you want for centralized control). If it doesn't work, I'd double check the AD or the IIS metabase setting. Please send out the error you are getting if you still have problems. One way to troubleshoot is to make sure the scenario works without the mapping.





Re: Windows Communication Foundation (Indigo) Map Client Certificate to Windows Account

azluu

I'm trying to do something similar with my setup.

My service's endpoint: https://myserver.com/wcf-certificate/service.svc

The "wcf-certificate" virtual directory's security is configured in the following ways: disable anonymous access, require SSL, require client certificates, and map "client.com" client certificate to a Windows account.

I keep seeing the following exception from the client side: "Unhandled Exception: System.ServiceModel.ServiceActivationException: The requested service, 'https://myserver.com/wcf-certificate/service.svc' could not be activated. See the server's diagnostic trace logs for more information."

Any thoughts?

Here's my sample service's web.config:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.serviceModel>
    <services>
      <service name="Microsoft.ServiceModel.Samples.CalculatorService"
               behaviorConfiguration="CalculatorServiceBehavior">
        <!-- use base address provided by host -->
        <endpoint address=""
                  binding="basicHttpBinding"
                  bindingConfiguration="Binding1"
                  contract="Microsoft.ServiceModel.Samples.ICalculator" />
      </service>
    </services>

    <bindings>
      <basicHttpBinding>
        <binding name="Binding1">
          <security mode="Transport">
            <transport clientCredentialType="Certificate" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>

    <behaviors>
      <serviceBehaviors>
        <behavior name="CalculatorServiceBehavior">
          <serviceMetadata httpsGetEnabled="True"/>
          <serviceDebug includeExceptionDetailInFaults="True" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>

And here's the client's app.config:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.serviceModel>
    <client>
      <endpoint address="https://myserver.com/wcf-certificate/service.svc"
                binding="basicHttpBinding"
                bindingConfiguration="Binding1"
                behaviorConfiguration="ClientCertificateBehavior"
                contract="Microsoft.ServiceModel.Samples.ICalculator" />
    </client>

    <bindings>
      <basicHttpBinding>
        <binding name="Binding1">
          <security mode="Transport">
            <transport clientCredentialType="Certificate" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>

    <behaviors>
      <endpointBehaviors>
        <behavior name="ClientCertificateBehavior">
          <clientCredentials>
            <clientCertificate findValue="client.com"
                               storeLocation="CurrentUser"
                               storeName="My"
                               x509FindType="FindBySubjectName" />
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>




Re: Windows Communication Foundation (Indigo) Map Client Certificate to Windows Account

azluu

The ServiceActivationException goes away if I do the following:
1) *Enable anonymous access.
2) Require SSL.
3) Require client certificates.
4) *Disable client certificate mapping.

Of course, without the ability to map a client certificate to a Windows account, I won't be able to do much with my service insofar as impersonation is concerned.




Re: Windows Communication Foundation (Indigo) Map Client Certificate to Windows Account

azluu

I found that if I enable client certificate mapping for my site, then I have to add the following to my service's web.config, inside the behavior element, so the service knows where to look on the server for the client certificate. But when I check the current security context's Windows identity, it is blank, when I was expecting to see the identity of the Windows account that the client certificate was mapped to.

<serviceCredentials>
  <clientCertificate>
    <authentication certificateValidationMode="PeerOrChainTrust" />
  </clientCertificate>
</serviceCredentials>




Re: Windows Communication Foundation (Indigo) Map Client Certificate to Windows Account

azluu

Please scratch my last post. Subsequent testing shows that the serviceCredentials clientCertificate setting is irrelevant. If client certificate mapping is working properly, then the server already has the client certificate it needs to compare against the client certificate that's presented by the client. The question is: if there are discrepancies between the two client certificates, does IIS quietly ignore the problem and hence the client mapping fails silently? Anyone know how I can debug this to find out for sure?




Re: Windows Communication Foundation (Indigo) Map Client Certificate to Windows Account

Rick G. Garibay

Hi Hao,

Are there any good walk-throughs that show how to do cert mapping in a self-hosted (non-IIS) scenario?

Is the idea that you can have a subsystem authenticate the caller, and then the Windows account is impersonated from there such that you actually authorize and ACL the account?

Many thanks,

Rick
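As an added illustration, not code from this thread or from the article it links, here is a self-hosted C# service that answers Rick's non-IIS question and azluu's "how do I debug this" question in one place: the mapping is switched on in the service credentials instead of in IIS, and the single operation reports what the security context actually contains, so a blank WindowsIdentity can be told apart from a missing client certificate. The address, port, an SSL certificate already bound to that port and a domain-joined host are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IWhoAmI
{
    [OperationContract]
    string WhoAmI();
}
public class WhoAmIService : IWhoAmI
{
    // Reports what WCF established for the caller: the authenticated certificate identity,
    // and whether a Windows account was mapped to it (WindowsIdentity is anonymous if not).
    public string WhoAmI()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous)
            return "anonymous: no client credential was authenticated";
        string primary = ctx.PrimaryIdentity.GetType().Name + ": " + ctx.PrimaryIdentity.Name;
        WindowsIdentity win = ctx.WindowsIdentity;
        if (win == null || win.IsAnonymous)
            return primary + " / no Windows account mapped";
        return primary + " / mapped to " + win.Name;
    }
}

class Program
{
    static void Main()
    {
        // Self-hosted, so IIS is not involved. Address and port are assumptions; an SSL
        // certificate must already be bound to the port and the host must be domain-joined.
        Uri baseAddress = new Uri("https://localhost:8443/whoami");
        ServiceHost host = new ServiceHost(typeof(WhoAmIService), baseAddress);
        BasicHttpBinding binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
        host.AddServiceEndpoint(typeof(IWhoAmI), binding, "");
        // WCF, not IIS, does the mapping here: validate the chain, then ask Windows/AD for
        // the account the presented certificate belongs to.
        X509ClientCertificateAuthentication auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        auth.MapClientCertificateToWindowsAccount = true;
        host.Open();
        Console.ReadLine(); // keep the host alive until Enter is pressed
        host.Close();
    }
}
```

If the operation returns the certificate identity but "no Windows account mapped", the certificate was authenticated and the mapping step itself is what failed, which narrows the search to the AD side rather than the binding.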






Re: Windows Communication Foundation (Indigo) Map Client Certificate to Windows Account

Rick G. Garibay

Hi azluu,

Did you ever get this to work?






Re: Windows Communication Foundation (Indigo) Map Client Certificate to Windows Account

azluu

Hi Rick,
Unfortunately, once I found out that my company's production environment required SSL certs to be installed at the load balancer rather than at the individual servers, I had another problem to solve: how to get WCF to allow clear-text credentials at the underlying servers. I found this post to be most helpful: http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=763963&SiteID=1. But no, I never did get the client certificate to Windows account mapping to work.