c# - WCF showing 403 Forbidden using SSL and client certificates


We are having a problem with WCF: we get the error below when trying to connect. There are tons of suggestions for various configurations; having tried them, we could use some help.

We are using HTTPS transport security with a real SSL certificate we got from GoDaddy. It seems to be installed and working when we browse web pages on the site. With no authentication, we can connect to our WCF service.

For authentication, we are using client certificates we created ourselves. These client certificates were working fine before we switched to HTTPS, when we were using message security with a self-signed server certificate (which was a pain because we had to have clients install the server certificate).

Error: The HTTP request was forbidden with client authentication scheme 'Anonymous'. Inner exception: The remote server returned an error: (403) Forbidden.

Server configuration file (WCF config element and attribute names are case-sensitive, so the casing below matters):

<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Transport (HTTPS) security: the client must present an X.509 certificate at the TLS layer -->
      <binding name="newbinding0">
        <security mode="Transport">
          <transport clientCredentialType="Certificate" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <service name="wcfservice1.service1">
      <endpoint address="" binding="wsHttpBinding" bindingConfiguration="newbinding0" contract="wcfservice1.iservice1" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="">
        <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
        <!-- includeExceptionDetailInFaults="true" returns stack traces to callers; keep it for debugging only -->
        <serviceDebug includeExceptionDetailInFaults="true" />
        <serviceCredentials>
          <clientCertificate>
            <!-- PeerTrust: a client certificate is accepted only if it is present in the TrustedPeople store -->
            <authentication certificateValidationMode="PeerTrust" />
          </clientCertificate>
          <serviceCertificate findValue="....." x509FindType="FindByThumbprint" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <protocolMapping>
    <add scheme="https" binding="wsHttpBinding" bindingConfiguration="newbinding0" />
  </protocolMapping>
  <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>

Client configuration file:

<system.serviceModel>
  <behaviors>
    <endpointBehaviors>
      <behavior name="newbehavior0">
        <clientCredentials>
          <!-- Client certificate looked up by subject name; storeLocation defaults to CurrentUser.
               The client needs the private key, so the .pfx (not just the .cer) must be imported there. -->
          <clientCertificate findValue="customuser1"
                             storeName="TrustedPeople" x509FindType="FindBySubjectName" />
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <bindings>
    <wsHttpBinding>
      <!-- Must match the server binding: transport security with certificate client credentials -->
      <binding name="newbinding0">
        <security mode="Transport">
          <transport clientCredentialType="Certificate" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <endpoint address="https://www.insertoursitename.com/wcfservice1/service1.svc"
              behaviorConfiguration="newbehavior0" binding="wsHttpBinding"
              bindingConfiguration="newbinding0" contract="servicereference1.iservice1"
              name="wshttpbinding_iservice1" />
  </client>
</system.serviceModel>

My problem was similar to yours, and I'll describe my scenario before answering the question.

  1. I created a simple WCF service (using a custom binding, but that's irrelevant).
  2. I created a self-signed RootCA using makecert, and generated 2 certs. tempcertserver.cer was used for SSL encryption; I configured IIS to require HTTPS, etc. --> tested this part, it worked OK from a browser on a different computer.
  3. The second cert, tempcertclient.cer, was used as the client cert presented to IIS; I configured IIS to require a client cert, etc. --> tested this part from a browser (best to use IE since you can clear the SSL state). It prompted me to choose the client cert, but never connected; the error was the same as in the question: "The HTTP request was forbidden with client authentication scheme 'Anonymous'. Inner exception: The remote server returned an error: (403) Forbidden."
  4. I replaced tempcertclient with a proper cert (from a known CA), and there was no issue: the connection was established and the WCF page was shown. No matter what I tried with the self-signed client cert, I kept getting the above error.

I wasted a whole day++ trying various settings, reading blogs on registry changes, placing the cert server-side under different cert stores, changing config file settings, etc., with no resolution.

The answer is simple: inspect LocalComputer\Trusted Root Certification Authorities server-side, and remove the non-root CAs (i.e. the ones that should not be there, where IssuedTo does not equal IssuedBy).

The client cert did not need to be installed on the server; the root CA that can validate it has to be installed in LocalComputer\Trusted Root Certification Authorities server-side.
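The inspection the answer describes, as an added PowerShell example (not part of the original answer): it lists every certificate in the server's LocalMachine\Root store whose Issuer differs from its Subject (a genuine root is self-issued, so those entries do not belong there), confirms that the self-signed root that issued the client certificates is present, and then builds the chain for a client certificate the same way Windows will, so a trust problem is reported explicitly instead of as a bare 403. The root CA name fragment and the client certificate path are assumed placeholders.

```powershell
# Added example, not from the original answer. Run in an elevated PowerShell
# session on the IIS host. Placeholders (assumptions): the root CA subject
# fragment and the path of the client certificate to test.
param(
    [string]$RootCaName     = 'TempRootCA',                  # assumed name of the self-signed root
    [string]$ClientCertPath = 'C:\certs\tempcertclient.cer'  # assumed path to the client cert
)

# 1. Non-root certificates in the Trusted Root store. A root CA certificate is
#    self-issued (Subject equals Issuer); anything else here is misplaced.
$suspects = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -ne $_.Issuer }

if (-not $suspects) {
    Write-Host 'LocalMachine\Root contains only self-issued (root) certificates.'
} else {
    Write-Warning 'Non-root certificates found in LocalMachine\Root (review, then remove):'
    $suspects | Select-Object Thumbprint, Subject, Issuer, NotAfter | Format-Table -AutoSize
    # To remove one after reviewing it, address it by thumbprint, e.g.:
    #   Remove-Item -Path "Cert:\LocalMachine\Root\$($suspects[0].Thumbprint)"
}

# 2. The root CA that issued the client certificates must itself be in LocalMachine\Root.
$root = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $_.Issuer -and $_.Subject -like "*$RootCaName*" }

if ($root) {
    Write-Host "Root CA present: $($root.Subject) [$($root.Thumbprint)]"
} else {
    Write-Warning "No self-issued root matching '$RootCaName' found in LocalMachine\Root."
}

# 3. Build the chain for a client certificate. Revocation checking is disabled
#    because a makecert test CA publishes no CRL; everything else is checked.
if (Test-Path -Path $ClientCertPath) {
    $clientCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ClientCertPath
    $chain      = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    if ($chain.Build($clientCert)) {
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        Write-Host "Client certificate chains to trusted root: $($top.Subject)"
    } else {
        Write-Warning 'Client certificate chain did not build:'
        $chain.ChainStatus | ForEach-Object {
            Write-Warning "  $($_.Status): $($_.StatusInformation.Trim())"
        }
    }
} else {
    Write-Warning "Client certificate file not found: $ClientCertPath"
}
```

Step 3 uses the same X509Chain machinery WCF and Schannel use, so a result such as UntrustedRoot or PartialChain here points at the certificate store, not at the WCF configuration. Schannel derives the list of acceptable issuers it sends in the TLS CertificateRequest from the server's Trusted Root store, which is why a polluted or oversized root store can break client-certificate negotiation even though the root you care about is present.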
