The HTTP request was forbidden with client authentication scheme 'Anonymous'
I am trying to configure a WCF server\client to work with SSL
I get the following exception:
The HTTP request was forbidden with client authentication scheme 'Anonymous'
I have a self hosted WCF server. I have run hhtpcfg both my client and server certificates are stored under Personal and Trusted People on the Local Machine
Here is the server code:
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
binding.Security.Mode = WebHttpSecurityMode.Transport;
_host.Credentials.ClientCertificate.Authentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.PeerOrChainTrust;
_开发者_如何转开发host.Credentials.ClientCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;
_host.Credentials.ClientCertificate.Authentication.TrustedStoreLocation = StoreLocation.LocalMachine;
_host.Credentials.ServiceCertificate.SetCertificate("cn=ServerSide", StoreLocation.LocalMachine, StoreName.My);
Client Code:
binding.Security.Mode = WebHttpSecurityMode.Transport;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
WebChannelFactory<ITestClientForServer> cf =
new WebChannelFactory<ITestClientForServer>(binding, url2Bind);
cf.Credentials.ClientCertificate.SetCertificate("cn=ClientSide", StoreLocation.LocalMachine, StoreName.My);
ServicePointManager.ServerCertificateValidationCallback
+= RemoteCertificateValidate;
Looking at web_tracelog.svclog and trace.log reveals that the server cannot autheticate the client certificate My certificate are not signed by an Authorized CA but this is why I added them to the Trusted People....
What Am I missing? What am I missing?
The trick was to make the Client Certificate valid,
To do that you have two option:
1) make it self signed and then put it under the "Trusted Root Certification Authority".
Obviously in production you would like your client certificate to be signed by a trusted CA and not self signed. see http://msdn.microsoft.com/en-us/library/ms733813.aspx
2) Sign your client certificate by another certificate you created (let's call it MyCA) and put MyCA in the "Trusted Root Certification Authority" and have the client certificate in the "Trusted People". This way your development environment is even more close to the deployment.
How to create and sign the certificates: Look under http://msdn.microsoft.com/en-us/library/bfsktky3.aspx
Here is the series of commands I used:
1)makecert -r -pe -ss My -sr LocalMachine -a sha1 -sky exchange -n cn=MyCA -sv "MyCAPrivate.pvk"
2) makecert -pe -ss My -sr LocalMachine -a sha1 -sky exchange -n cn=SignedClientCertificate -iv "MyCAPrivate.pvk" -ic "MyCAPublic.cer"
The reason I was receiving this error was because in my webconfig, the web services had the URL of http://localhost/myservicename.svc
and on our dev server we had a FQDN http://dev.myname.com/myservicename.svc.
Double check your web.configs to ensure the URLS to the web services are pointing to the proper location.
精彩评论