I can find a few similar questions on SO regarding this, but I am quite unsure about the answer. I get more and more confused as I read through the different posts on this, so I am asking this for my own satisfaction.
I have a WCF service hosted on IIS, and I have a client which connects to this service and invokes a method. I am now trying to use certificates to make use of transport security.
On the client side I have this config:
    <bindings>
      <basicHttpBinding>
        <!-- Transport security: TLS on the wire; the client authenticates with an X.509 certificate -->
        <binding name="testBinding">
          <security mode="Transport">
            <transport clientCredentialType="Certificate" proxyCredentialType="Basic"/>
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="testBehavior">
          <clientCredentials>
            <!-- Client certificate (with private key) taken from LocalMachine\My, selected by subject name -->
            <clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="client007"/>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
On the server side I have this configuration:
    <behaviors>
      <serviceBehaviors>
        <behavior name="testServiceBehavior">
          <serviceMetadata httpsGetEnabled="true"/>
          <!-- Returns exception details (stack traces) to callers; keep this false outside of debugging -->
          <serviceDebug includeExceptionDetailInFaults="true"/>
          <serviceCredentials>
            <clientCertificate>
              <!-- PeerTrust: the presented client certificate itself must be present in LocalMachine\TrustedPeople -->
              <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="LocalMachine"/>
            </clientCertificate>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <bindings>
      <basicHttpBinding>
        <binding name="testServiceBinding">
          <security mode="Transport">
            <transport clientCredentialType="Certificate"/>
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
Now, the scenario I want is that only the client whose public key is installed in the Trusted People store of the server can access the service.
But in my case, whether I install a public key in Trusted People or not, I can access the service with any certificate I create myself.
I checked, and anonymous authentication was enabled; is it because of this? When I disable anonymous access I get an error saying:
"The HTTP request is unauthorized with client authentication ... the authentication received from the server was Basic realm"
How do I make sure that only the client whose public key is on the server can access the service?
Does this kind of validation not work with transport security? Please help me. Thanks.
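As an added example (not part of the question above, and not code from the asker), here is the explicit server-side check a practitioner would put in place for this scenario: a custom `X509CertificateValidator` that accepts a client certificate only if a certificate with the same thumbprint is installed in the server's LocalMachine\TrustedPeople store. It is plugged in with `certificateValidationMode="Custom"` instead of `PeerTrust`, which makes the allow-list decision visible and logged. The namespace, class name and assembly name are assumptions; adjust them to the service project. It assumes the IIS site hosting the service has its SSL settings set to require client certificates, because under Transport security on IIS it is IIS (HTTP.sys) that performs the TLS handshake and decides whether a client certificate is requested at all; without that setting the request can arrive with no certificate, regardless of what the WCF behavior says.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

// Hypothetical namespace/class/assembly names. Wire the validator up on the service side with:
//   <serviceCredentials><clientCertificate>
//     <authentication certificateValidationMode="Custom"
//        customCertificateValidatorType="Example.Wcf.Security.TrustedPeopleThumbprintValidator, ExampleService"/>
//   </clientCertificate></serviceCredentials>
namespace Example.Wcf.Security
{
    public sealed class TrustedPeopleThumbprintValidator : X509CertificateValidator
    {
        private readonly StoreLocation _location;
        private readonly StoreName _store;

        // WCF creates the validator through the parameterless constructor when it is named in config.
        public TrustedPeopleThumbprintValidator()
            : this(StoreLocation.LocalMachine, StoreName.TrustedPeople) { }

        public TrustedPeopleThumbprintValidator(StoreLocation location, StoreName store)
        {
            _location = location;
            _store = store;
        }

        // WCF calls this for every client certificate presented; throwing rejects the request.
        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
                throw new SecurityTokenValidationException("No client certificate was presented.");

            // Reject expired or not-yet-valid certificates explicitly; a pure store lookup would not.
            DateTime now = DateTime.Now;
            if (now < certificate.NotBefore || now > certificate.NotAfter)
                throw new SecurityTokenValidationException(
                    "Client certificate " + certificate.Thumbprint + " is outside its validity period.");

            if (!IsPinned(certificate))
                throw new SecurityTokenValidationException(
                    "Client certificate " + certificate.Thumbprint + " (" + certificate.Subject +
                    ") is not installed in " + _location + "\\" + _store + ".");
        }

        // Match on the thumbprint (hash of the whole DER-encoded certificate), never on the subject name:
        // anyone can mint a self-signed certificate with CN=client007, but not one with the same hash.
        public bool IsPinned(X509Certificate2 certificate)
        {
            var store = new X509Store(_store, _location);
            try
            {
                store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
                // validOnly:false so that a self-signed certificate (no trusted chain) still matches;
                // the thumbprint comparison, not chain building, is the trust decision here.
                X509Certificate2Collection matches = store.Certificates.Find(
                    X509FindType.FindByThumbprint, certificate.Thumbprint, false);
                return matches.Count > 0;
            }
            finally
            {
                store.Close();
            }
        }
    }
}
```

On the IIS side, the site (or the application under it) must be configured to require client certificates before this validator sees anything; with appcmd that is `appcmd set config "Default Web Site/TestService" -section:system.webServer/security/access -sslFlags:"Ssl,SslRequireCert" -commit:apphost` (the site path is an assumption). With Transport security and a certificate credential, the certificate is the credential, so IIS authentication should stay on Anonymous; enabling Basic or Windows authentication instead makes IIS answer with a 401 and a `WWW-Authenticate: Basic realm=...` challenge, which is what a WCF client reports as "unauthorized ... the authentication header received from the server was 'Basic realm'".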