Jakew
Consulting, hacking, and motorcycles

Setting up x509 certificates for WCF Services hosted by IIS

Monday, 8 December 2008 08:00 by jakew

I must be doing something wrong because I cannot believe this has been such a huge pain. Earlier this summer I created a set of components to do custom authentication for WCF (UserName token). My component does the authentication against AD and then sets up a custom .NET User object with the user’s groups loaded from AD. It works quite nicely and it allows me to do authorization inside my code using .NET’s code access security attributes. Very little plumbing on my part.

However, one of the pains was dealing with certificates. When you start using the UserName token, WCF forces you to have certificates. I could go create a custom binding of my own to get around this, but I think that would be a bigger pain than what I did.

First I created a custom certificate validator that skips the validation step. I got the start for my code from here (http://www.devatwork.nl/index.php/2007/05/31/wcf-username-authentication/). However, even so you have to have a certificate on the server in order to do anything. And this is where the trouble begins. You follow the directions from above and it works great on your workstation. Then it comes time to move it to the integration server so the rest of the team can hit it too. Guess what – it doesn’t work now. I was using the Cassini server on my workstation, so getting to the certificate was not an issue.

The integration server doesn’t have the certificate. So you install it. It still doesn’t work – access denied. So you google forever and end up going through about eight different blog posts and forum threads in order to figure out how to give NetworkService access to the certificate so you can get on with the fun of actually coding.

To save you from the googling here are the steps:

On your workstation:

1. Create the certificate using the following command: makecert -r -pe -n "CN=servername" -sr LOCALMACHINE -ss My -sky exchange

Servername is the name of the server you are going to put the certificate on (Ducati1098R for instance).

2. Export the certificate with its private key from the key container:

a. Open the Certificates MMC Plug-in for the Computer Account

b. Navigate to the Personal > Certificates folder.

c. Right click on the certificate and select All Tasks > Export

d. Click Next, select "Yes, export the private key", click Next, check the "Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above)" and "Delete the private key if the export is successful" checkboxes, click Next, enter your private key password, click Next, enter the file name you want to export the certificate as (it will append .pfx to the end), click Next, click Finish.

3. Copy the pfx file to the server

4. Import the certificate into the server’s key container:

certutil -p password -importPFX filename.pfx

5. Set the access rights to the certificate. Give ASPNET and NetworkService access:

Winhttpcertcfg -g -c LOCAL_MACHINE\MY -s servername.pier1.com -a NetworkService

Winhttpcertcfg -g -c LOCAL_MACHINE\MY -s servername.pier1.com -a ASPNET

Change servername to the name of the server (Ducati1098R). The -g switch grants the named account read access to the certificate’s private key, which is what IIS needs in order to use the certificate.
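As an added example (not from the original post), here is a PowerShell equivalent of step 5 that also lets you confirm the grant actually landed: it locates the private key file behind the certificate, adds a read-only entry for the service account if one is missing, and then lists who can read the key. It assumes the subject is CN=Ducati1098R as used above, that makecert created a CAPI (CSP) key (which -sky exchange does), and Windows Vista/2008 or later for the $env:ProgramData path.

```powershell
# Added example: verify/grant service-account read access to the private key
# of the certificate imported in step 4. Assumes a CAPI key and Vista+/2008+.
param(
    [string]$SubjectName = "Ducati1098R",                 # server name from the post
    [string]$Account     = "NT AUTHORITY\NETWORK SERVICE"  # use "ASPNET" on IIS 5
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$SubjectName" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$SubjectName in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; re-export it with the key (step 2d)" }

# CAPI keys are stored as files under MachineKeys, named by the key container's unique name.
$rsa = $cert.PrivateKey
if ($rsa -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
    throw "Not a CAPI key; for CNG keys fix the ACL with icacls on the file under Crypto\Keys instead"
}
$container = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
if (-not (Test-Path $keyFile)) { throw "Key file not found: $keyFile" }

$acl = Get-Acl -Path $keyFile
$already = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq "Allow" -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
}
if ($already) {
    Write-Host "$Account can already read the private key of CN=$SubjectName"
} else {
    # Read is all IIS needs to use the key; do not grant FullControl to the service account.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, "Read", "Allow")
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    Write-Host "Granted $Account read access to $keyFile"
}

# Resulting ACL: expect SYSTEM, Administrators and the service account only.
(Get-Acl -Path $keyFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Run it from an elevated Windows PowerShell prompt on the server; if the final table shows "Everyone" or "Users" with read access, the key is readable by far more than the service account and should be tightened.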

You should now be able to bring up the test page for the service. Open the ProductService.svc file in a web browser. (http://Ducati1098R/webservices/service.svc)

Now you probably have a dozen other issues, but they should not have anything to do with the service certificate.

Oooops – forgot, don’t forget to set the WCF serviceCertificate value in the web.config file.

Here are the various resources I used to figure this out:

· Access Control Lists Permissions and Generating Personal Information Exchange x.509 certificates

· Create your own .pfx file for ClickOnce

· WinHttpCertCfg.exe, a Certificate Configuration Tool

· Working with Certificates

· How to call a Web service by using a client certificate for authentication in an ASP.NET Web application

The only thing I can guess is that I’m doing something wrong. It seems so wrong that I had to dance through so much stuff to do something the platform requires. Or perhaps I just didn’t read the right documents and ended up reproducing work that was already done. Either way….

Hope this keeps you from experiencing the same pain I did.
