{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 迷人小祖宗 的问题《The HTTP request was forbidden with client authent》','https://www.manongdao.com/q-304613.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I am trying to create a secure webservice.
Here is the contract and service implementation
[ServiceContract()]
public interface ICalculatorService
{
[OperationContract()]
int Add(int x, int y);
}
[ServiceBehavior(IncludeExceptionDetailInFaults=true)]
public class CalculatorService : ICalculatorService
{
public int Add(int x, int y)
{
return x + y;
}
}
Here i have the service code
var b = new WSHttpBinding(SecurityMode.Transport);
b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
b.Security.Message.ClientCredentialType = MessageCredentialType.None;
Type contractType = typeof(ICalculatorService);
Type implementedContract = typeof(CalculatorService);
Uri baseAddress = new Uri("https://localhost:8006/CalculatorService");
ServiceHost sh = new ServiceHost(implementedContract);
sh.AddServiceEndpoint(contractType, b, baseAddress);
//ServiceMetadataBehavior sm = new ServiceMetadataBehavior();
//sm.HttpsGetEnabled = true;
//sm.HttpsGetUrl = new Uri("https://localhost:8006/CalculatorServiceMex");
//sh.Description.Behaviors.Add(sm);
sh.Credentials.Peer.PeerAuthentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.PeerTrust;
sh.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.TrustedPeople, X509FindType.FindBySubjectName, "localhost");
sh.Open();
Console.WriteLine("Service is Listening");
Console.ReadLine();
sh.Close();
Here is the client code
var b = new WSHttpBinding(SecurityMode.Transport);
b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
b.Security.Message.ClientCredentialType = MessageCredentialType.None;
var factory = new ChannelFactory<ICalculatorService>(b);
factory.Credentials.Peer.PeerAuthentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.PeerTrust;
factory.Credentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.TrustedPeople, X509FindType.FindBySubjectName, "localhost");
var client = factory.CreateChannel(new EndpointAddress(new Uri("https://localhost:8006/CalculatorService")));
ServicePointManager.ServerCertificateValidationCallback =
((sender, certificate, chain, sslPolicyErrors) =>
{
return true;
});
ICommunicationObject comObject = client as ICommunicationObject;
int result = -1;
try
{
comObject.Open();
result = client.Add(10, 2);
}
catch (Exception ex)
{
}
Console.WriteLine(string.Format("Service say 10 + 2 = {0}", -1));
Console.ReadLine();
The service runs fine and when the ServicePointManager.ServerCertificateValidationCallback check is made there are no policy errors, with the correct certificate chain built.
I have my CA in the trusted root and the server/client cert in the TrustedPeople store. Also if I navigate to the site from a browser I see a page returned. No errors
I have updated IIS to what I think are the required, bound the certificate in in IIS
and via command line below.
I've set the SSL settings to accept certificates
and enabled anonymous authentication.
Does anyone know what steps I've not done correctly or see anything amiss? I keep getting the same error "The HTTP request was forbidden with client authentication scheme 'Anonymous'."
We had this error message, and for us the solution was that Handler Mappings feature permissions had not been enabled for Script. You can enable this in IIS under Handler Mappings > Edit Feature Permissions, or by adding
Scriptto theaccessPolicyattribute of thehandlersnode in your web.config:If you run self hosted WCF service (without IIS) you can enable anonymnous clients by adding to confing file (in server) the folowings:
Also, set clientCredentialType to "InheritedFromHost":
References:
Using Multiple Authentication Schemes with WCF
Understanding HTTP Authentication
Another reason for this is the certificate itself on the server you are hitting. Ensure you have imported the PRIVATE KEY. In MMC this will show up with a "Friendly Name". This took me days to figure out. Once I imported the private key the Anonymous error went away and all was well!
When you host WCF service in IIS with security type transport and client credential type certificate, put your client certificate on Root store and enable anonymous authentication in IIS. Enable anonymous authentication in IIS. But most importantly, add your certificate to root store.