How to perform SSL user authentication - WCF

A self-signed certificate is used for authentication in the WCF application. The server specified:
<security mode="Message">
<message clientCredentialType="Certificate"/>
</security>
...
<clientCertificate>
<authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck"/>
</clientCertificate>
The certificate is enabled correctly on the client:
<endpointBehaviors>
<behavior name="wsHttpCertificateBehavior">
<clientCredentials>
<clientCertificate findValue="<Thumbprint>" storeName="My" storeLocation="LocalMachine" x509FindType="FindByThumbprint"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
On the client, the certificate is added to the trusted root certificates. When calling service methods, an error occurs: the calling user's identity was not verified by the service. I don't understand what else you need to specify for verification. If you remove the certificate and specify
<security mode= "None"/>
the client hangs when calling the service method. I don't understand why. I've been fighting this for a week. Please help me!

This is a demo using X.509 self-signed certificate verification:
<system.serviceModel>
<services>
<service name="Microsoft.Samples.X509CertificateValidator.CalculatorService" behaviorConfiguration="CalculatorServiceBehavior">
<!-- use host/baseAddresses to configure base address provided by host -->
<host>
<baseAddresses>
<add baseAddress="http://localhost:8001/servicemodelsamples/service"/>
</baseAddresses>
</host>
<!-- use base address specified above, provide one endpoint -->
<endpoint address="certificate" binding="wsHttpBinding" bindingConfiguration="Binding" contract="Microsoft.Samples.X509CertificateValidator.ICalculator"/>
</service>
</services>
<bindings>
<wsHttpBinding>
<!-- X509 certificate binding -->
<binding name="Binding">
<security mode="Message">
<message clientCredentialType="Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="CalculatorServiceBehavior">
<serviceDebug includeExceptionDetailInFaults="true"/>
<serviceCredentials>
<!--
The serviceCredentials behavior allows one to specify authentication constraints on client certificates.
-->
<clientCertificate>
<!--
Setting the certificateValidationMode to Custom means that if the custom X509CertificateValidator
does NOT throw an exception, then the provided certificate will be trusted without performing any
validation beyond that performed by the custom validator. The security implications of this
setting should be carefully considered before using Custom in production code.
-->
<authentication certificateValidationMode="Custom" customCertificateValidatorType="Microsoft.Samples.X509CertificateValidator.CustomX509CertificateValidator, service"/>
</clientCertificate>
<!--
The serviceCredentials behavior allows one to define a service certificate.
A service certificate is used by a client to authenticate the service and provide message protection.
This configuration references the "localhost" certificate installed during the setup instructions.
-->
<serviceCertificate findValue="localhost" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"/>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
This is the configuration file of the service; we need to specify the location of the certificate.
serviceHost.Credentials.ClientCertificate.Authentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.Custom;
serviceHost.Credentials.ClientCertificate.Authentication.CustomCertificateValidator = new CustomX509CertificateValidator();
We verify the self-signed certificate with a custom validator.
using System;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
public class CustomX509CertificateValidator : System.IdentityModel.Selectors.X509CertificateValidator
{
// This Validation function accepts any X.509 Certificate that is self-issued. As anyone can construct such
// a certificate this custom validator is less secure than the default behavior provided by the
// ChainTrust X509CertificateValidationMode. The security implications of this should be carefully
// considered before using this validation logic in production code.
public override void Validate(X509Certificate2 certificate)
{
// Check that we have been passed a certificate
if (certificate == null)
throw new ArgumentNullException("certificate");
// Only accept self-issued certificates
if (certificate.Subject != certificate.Issuer)
throw new SecurityTokenException("Certificate is not self-issued");
}
}
If you need the complete example for this demo, you can download it from this link:
https://www.microsoft.com/en-us/download/details.aspx?id=21459
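As an added example (not code from the question, the answer or the Microsoft sample), a custom validator that, instead of accepting any self-issued certificate, pins the accepted client certificates to an explicit thumbprint allow-list and checks the validity period; PinnedThumbprintValidator and PinnedHostSetup are assumed names.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical validator (added example). With certificateValidationMode="Custom" WCF performs
// no chain building at all, so this class is the only check applied to the client certificate.
// It accepts a certificate only if its SHA-1 thumbprint is on an explicit allow-list and the
// certificate is currently within its validity period.
public class PinnedThumbprintValidator : X509CertificateValidator
{
    private readonly HashSet<string> _allowedThumbprints;

    public PinnedThumbprintValidator(IEnumerable<string> allowedThumbprints)
    {
        _allowedThumbprints = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (string thumbprint in allowedThumbprints)
        {
            // Thumbprints copied from the certificate MMC snap-in often contain spaces.
            _allowedThumbprints.Add(thumbprint.Replace(" ", string.Empty));
        }
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");

        DateTime now = DateTime.Now;
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new SecurityTokenValidationException(
                "Client certificate " + certificate.Thumbprint + " is outside its validity period.");

        // X509Certificate2.Thumbprint is the upper-case hex SHA-1 hash without separators.
        if (!_allowedThumbprints.Contains(certificate.Thumbprint))
            throw new SecurityTokenValidationException(
                "Client certificate " + certificate.Thumbprint + " is not on the allow-list.");
    }
}

public static class PinnedHostSetup
{
    // Wires the validator into a ServiceHost; this is the code equivalent of the
    // <authentication certificateValidationMode="Custom" .../> element in the config above.
    public static void Apply(ServiceHost serviceHost, IEnumerable<string> allowedThumbprints)
    {
        X509ClientCertificateAuthentication auth =
            serviceHost.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new PinnedThumbprintValidator(allowedThumbprints);
    }
}
```

Because Custom mode replaces ChainTrust entirely, adding a thumbprint to the allow-list is the trust decision; keep the list in configuration and remove entries when a client certificate is rotated or revoked.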

Related

Test WCF with Mutual Certificate Authentication using SOAPUI

I'm trying to test a WCF service with mutual certificate authentication using a client in C#, and it works; now I want to test the service using SOAP UI.
This is the service configuration:
<system.serviceModel>
<services>
<service behaviorConfiguration="ServiceBehavior" name="WS_XXXXX.WcfXXXX">
<endpoint address=""
binding="customBinding" bindingConfiguration="XXXSoap" bindingNamespace=""
contract="IXXXSoap" >
</endpoint>
<host>
<baseAddresses>
<add baseAddress="http://localhost:47037/"/>
</baseAddresses>
</host>
</service>
</services>
<bindings>
<customBinding>
<binding name="XXXSoap">
<security authenticationMode="SecureConversation"
requireSignatureConfirmation="false"
canRenewSecurityContextToken="true"
messageProtectionOrder="SignBeforeEncrypt"
messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11"
requireDerivedKeys="false" >
<secureConversationBootstrap
authenticationMode="MutualCertificate"
requireSignatureConfirmation="true"
canRenewSecurityContextToken="true"
messageProtectionOrder="SignBeforeEncrypt"
messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11"
requireDerivedKeys="false">
</secureConversationBootstrap>
</security>
<textMessageEncoding messageVersion ="Soap11WSAddressingAugust2004" >
</textMessageEncoding>
<httpTransport />
</binding>
</customBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior" >
<serviceCredentials>
<serviceCertificate findValue="WCfClient"
storeLocation="CurrentUser"
storeName="My"
x509FindType="FindBySubjectName" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
I read some info on how to test a WCF service with a service certificate in SOAPUI; but because of the WCF configuration (mutual certificates), I don't know how to configure SOAP UI to test the WCF web service.
Thanks in advance.
When we use mutual certificate mode to authenticate the client and protect the communication with the server, we need to establish the trust relationship between the client and the server, and then provide the client certificate on the client side when calling the service. For some kinds of WCF services created with message security, we might also need to provide on the client side the service certificate that the server side uses.
Anyhow, we need at least a client certificate on the client side. In SOAPUI, we are able to configure the client certificate for one request or for all requests.
Here are the detailed steps.
1. Export the certificate that your client needs to provide by using the export wizard.
2. Please tick the "export the private key" option.
3. Input your password.
4. Set up the certificate for all requests. The menu is located in the main toolbar under File > Preferences.
Result.
For sending an HTTPS request with a certificate for a single request, please refer to the link below. It is similar to these steps.
https://www.soapui.org/docs/functional-testing/sending-https-requests.html
Feel free to let me know if the problem still exists.

WCF Self hosted REST server (https) keeps asking for client authentication

I created a self-hosted WCF REST server (without IIS). When I enable SSL support, I keep being asked for a client certificate when I test the site in Chrome.
Below is my app.config of which I believe I disabled the client authentication. Is there anything that I am missing here?
Photo: Chrome asking for client certificate
App.config code :
<system.serviceModel>
<services>
<service behaviorConfiguration="ADConnectorLibrary.Service1Behavior" name="ADConnectorLibrary.ADConnectorLibrary">
<endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpTransportSecurity" behaviorConfiguration="web" contract="ADConnectorLibrary.IADConnectorLibrary" >
</endpoint>
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>
<host>
<baseAddresses>
<add baseAddress="https://ADDRESS:8888/ADConnectorLibrary/"/>
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="ADConnectorLibrary.Service1Behavior">
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="False"/>
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="None" />
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="web">
<webHttp/>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<webHttpBinding>
<binding name="webHttpTransportSecurity">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</webHttpBinding>
</bindings>
The only thing you need to do is disable the SSL setting when hosting the service in IIS.
On my side, I created a console application to host the service and bound the SSL certificate to the specified port with the following command. When the client calls it via the browser, it does not pop up a dialog box prompting me to select the client certificate.
netsh http add sslcert ipport=0.0.0.0:8000 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={00112233-4455-6677-8899-AABBCCDDEEFF}
Maybe we don't need to enable client certificate support, or we can disable it:
clientcertnegotiation=disable
Here are the official documents; I hope they are useful to you.
https://learn.microsoft.com/en-us/windows/desktop/http/add-sslcert
https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-configure-a-port-with-an-ssl-certificate
Feel free to let me know if there is anything I can help with.
Since you are using TransportSecurity, I believe you need to assign a certificate to your service otherwise it will not be able to encrypt the message via SSL over HTTPS.
Likewise the client would have to trust that certificate, or it will get one of these responses when the client tries to access the service via HTTPS in a browser, and calls from code will fail.
You probably need to use netsh, since you are not using IIS. You might need to research netsh a bit to fit your needs.
Something like this registers the cert to the port and maps it to the application GUID (this is a purely made-up example):
netsh http add sslcert ipport=127.0.0.1:8000 certhash=c20ed305ea705cc4e36b317af6ce35dc03cfb83d appid={c9670020-5288-47ea-70b3-5a13da258012} clientcertnegotiation=enable
You probably don't need this, since you are not applying a certificate:
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="None" />
</clientCertificate>
</serviceCredentials>

WCF Security :The service certificate is not provided. Specify a service certificate in ServiceCredentials

I have implemented a WCF service with custom validation by overloading 'UserNamePasswordValidator' and using message security, but on my development machine there is no certificate, whereas on the LIVE environment there is an SSL certificate. So I hosted the service on the LIVE server with the code below, but I am still getting the error below:
'The service certificate is not provided. Specify a service certificate in ServiceCredentials'
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="customBehavior">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<userNameAuthentication
userNamePasswordValidationMode="Custom"
customUserNamePasswordValidatorType="Myassembly.UserNameValidator,Myservice"/>
<serviceCertificate findValue="MyCertName" storeLocation="CurrentUser" storeName="TrustedPeople" x509FindType="FindBySubjectName" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings >
<wsHttpBinding>
<binding name="RequestUserName" >
<security mode="Message">
<message clientCredentialType="Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" minFreeMemoryPercentageToActivateService="0" />
<services>
<service name="CRMServices" behaviorConfiguration="customBehavior">
<!--For basic http binding endpoint-->
<endpoint address="" binding="wsHttpBinding"
bindingConfiguration="RequestUserName"
contract="ICRMServices">
<!--<identity>
<dns value="localhost" />
</identity>-->
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
<host>
<baseAddresses>
</baseAddresses>
</host>
</service>
</services>
</system.serviceModel>
I have applied SSL to the deployed WCF service, but when I try to access the hosted URL it gives a '404', and in the event viewer it shows:
InvalidOperationException
Cannot find the X.509 certificate using the following search criteria: StoreName 'TrustedPeople', StoreLocation 'CurrentUser', FindType 'FindBySubjectName', FindValue 'Mycert'. at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(StoreName storeName, StoreLocation storeLocation, X509FindType findType, Object findValue, EndpointAddress target, Boolean throwIfMultipleOrNoMatch
Please help me
It cannot find the certificate. You specified:
<serviceCertificate findValue="MyCertName" storeLocation="CurrentUser" storeName="TrustedPeople" x509FindType="FindBySubjectName" />
So it will look in TrustedPeople in CurrentUser store for a certificate with MyCertName in Subject.
When you run a WCF service in Visual Studio, it runs under your account, so CurrentUser would be OK in that case. But when you deploy a service on IIS, it will run under the application pool user (by default the IIS APPPOOL\DefaultAppPool user).
I would:
1. Check where (in what store) the certificate you want to use is. I bet it is in the LocalMachine\Personal store. You can use mmc to check that.
2. If I could choose where to put a service certificate, it would be LocalMachine\Personal. I would set access rights on the private key corresponding to the certificate for the app pool user that the service runs under. This can be done in mmc.
3. I would select x509FindType="FindByThumbprint" as my search criteria. You can be pretty sure that only one certificate will be in the store.
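As an added diagnostic (not code from the question or the answer), a helper that performs the same store lookup WCF does, but by thumbprint and under the identity of the process it runs in, and reports the usual failure causes in order: wrong store, duplicate matches, no private key, or no private-key permission for the app pool identity. ServiceCertificateProbe is an assumed name.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Hypothetical diagnostic helper (added example). Call it from inside the service process
// (for example at host start-up) so the lookup happens under the same identity the service
// runs as, i.e. the application pool identity when hosted in IIS.
public static class ServiceCertificateProbe
{
    public static string Inspect(StoreLocation location, StoreName storeName, string thumbprint)
    {
        string identity = WindowsIdentity.GetCurrent().Name;
        string where = location + "\\" + storeName;
        X509Store store = new X509Store(storeName, location);
        try
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

            // validOnly = false so an expired or untrusted certificate is still reported
            // instead of silently producing "Cannot find the X.509 certificate".
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint.Replace(" ", string.Empty), false);

            if (found.Count == 0)
                return identity + ": no certificate with thumbprint " + thumbprint + " in " + where;
            if (found.Count > 1)
                return identity + ": " + found.Count + " certificates match in " + where
                    + "; a thumbprint lookup should match exactly one";

            X509Certificate2 cert = found[0];
            if (!cert.HasPrivateKey)
                return identity + ": found " + cert.Subject + " in " + where
                    + " but it has no private key (import the PFX, not the .cer)";

            try
            {
                // On .NET Framework the PrivateKey getter throws when the current identity has
                // no ACL entry on the key container, which is the usual app pool failure.
                AsymmetricAlgorithm key = cert.PrivateKey;
                return identity + ": OK, " + cert.Subject + " in " + where
                    + " with a usable " + key.GetType().Name + " private key";
            }
            catch (CryptographicException ex)
            {
                return identity + ": found " + cert.Subject + " but cannot open its private key ("
                    + ex.Message + "); grant this identity read access to the key in mmc";
            }
        }
        finally
        {
            store.Close();
        }
    }
}
```

Running it once under Visual Studio and once under IIS makes the identity difference visible in the first words of the report.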

WCF Web Service with mutual authentication certificates failing on client chain trust validation

I'm developing a proof of concept for a WCF web service using SSL and certificates for mutual authentication.
So, I have 2 certificates, both provided by a valid certification authority (these are production certificates, not development). Here are the chains and the store locations for the certificates:
Server certificate chain:
1. Issuer Root CA
2. Intermediate 1 CA
3. Server Authentication certificate
I don't know if this detail is important or not: the server certificate is a wildcard certificate for the domain (*.mydomain.com).
Client certificate chain:
1. Issuer Root CA
2. Intermediate 2 CA
3. Client Authentication certificate
Issuer Root CA is the common root CA for both certificates.
The intermediate certificates are different.
Store locations:
1. Issuer Root CA has been imported into Trusted Root CA on both server and client machines.
2. Intermediate CA 1 & 2 have been imported into Intermediate CA on both server and client.
3. The issuer and intermediate certificates both have public keys only.
4. The server certificate has been imported into Personal on the server machine. This certificate has a private key.
5. The server certificate has been imported into Personal on the client machine. This certificate has a public key only.
6. The client authentication certificate has been imported into Personal on both the server and client machines. Both copies have private keys.
I created a simple WCF application project hosted in IIS 8.5 with C# on .NET Framework 4.0.
I use the example classes provided by default at project creation; I have just renamed the service to DemoService.svc.
Then I created the client (I use a WinForms application so that target users have a graphical interface to view results) and added the web service reference.
Then I modified the service configuration to set up mutual authentication. Everything is done via web.config:
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="demoServiceBehavior">
<serviceAuthorization principalPermissionMode="UseWindowsGroups"></serviceAuthorization>
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceCredentials>
<serviceCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="*.mydomain.com"/>
<clientCertificate>
<authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck" mapClientCertificateToWindowsAccount="true"
trustedStoreLocation="LocalMachine"/>
<certificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"
findValue="myservice.mydomain.com"/>
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding name="demoServiceBinding">
<security mode="Transport">
<transport clientCredentialType="Certificate"></transport>
</security>
</binding>
</basicHttpBinding>
</bindings>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true">
<serviceActivations>
<add service="WcfMutualAuthenticationServiceDemo.DemoService" relativeAddress="DemoService.svc" />
</serviceActivations>
</serviceHostingEnvironment>
<services>
<service name="WcfMutualAuthenticationServiceDemo.DemoService" behaviorConfiguration="demoServiceBehavior">
<host>
<baseAddresses>
<add baseAddress="https://myservice.mydomain.com/"/>
</baseAddresses>
</host>
<endpoint name="demoServiceEndpoint"
address=""
binding="basicHttpBinding"
bindingConfiguration="demoServiceBinding"
contract="WcfMutualAuthenticationServiceDemo.IDemoService"></endpoint>
</service>
</services>
</system.serviceModel>
I modified the client configuration to set up mutual authentication too:
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="demoClientBehavior">
<clientCredentials>
<clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"
findValue="myservice.dekra-automotivesolutions.com"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding name="demoClientBinding">
<security mode="Transport">
<transport clientCredentialType="Certificate"></transport>
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="https://myservice.mydomain.com/DemoService.svc"
behaviorConfiguration="demoClientBehavior"
binding="basicHttpBinding"
bindingConfiguration="demoClientBinding"
contract="DemoServiceValidReference.IDemoService"
name="demoServiceEndpoint" />
</client>
</system.serviceModel>
When I call the web service via the client, it returns an exception:
System.ServiceModel.Security.SecurityNegotiationException: Could not establish secure channel for SSL/TLS with authority 'myservice.mydomain.com'. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
--- End of inner exception stack trace ---
After investigation, I found an entry in the server's event viewer :
Handling an exception. Exception details:
System.IdentityModel.Tokens.SecurityTokenValidationException: The X.509 certificate CN=myservice.mydomain chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
at System.IdentityModel.Selectors.X509CertificateChain.Build(X509Certificate2 certificate)
at System.IdentityModel.Selectors.X509CertificateValidator.ChainTrustValidator.Validate(X509Certificate2 certificate)
at System.IdentityModel.Selectors.X509SecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token)
at System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token)
at System.ServiceModel.Channels.HttpsChannelListener1.CreateSecurityProperty(X509Certificate2 certificate, WindowsIdentity identity, String authType)
at System.ServiceModel.Channels.HttpsChannelListener1.ProcessAuthentication(IHttpAuthenticationContext authenticationContext)
at System.ServiceModel.Activation.HostedHttpContext.OnProcessAuthentication()
at System.ServiceModel.Channels.HttpRequestContext.ProcessAuthentication()
at System.ServiceModel.Channels.HttpChannelListener1.HttpContextReceivedAsyncResult1.Authenticate()
at System.ServiceModel.Channels.HttpChannelListener1.HttpContextReceivedAsyncResult1.ProcessHttpContextAsync()
Regarding this exception, I found that the issue is in the chain validation of the client authentication certificate, but I don't know why.
At this point, I'm stuck!
I don't know what's wrong with my certificates, and I don't know how to find a solution.
I truly hope that someone could help me fix this issue.
Edit:
We have tested with another client certificate so that the certification chain is the same for the server and client certificates; it doesn't change anything.
The solution was found today: the configuration is OK on client and server.
It was a misconfiguration of the IIS server certificate mapping: the functionality was configured but not enabled.
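As an added diagnostic (not code from the question), a helper that rebuilds the client certificate's chain the way a ChainTrust validator with revocationMode="NoCheck" does and lists each element with its status, so a "one of the CA certificates is not trusted" message can be traced to the exact certificate; it also reports whether the Client Authentication EKU is present. ChainTrustProbe is an assumed name.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Hypothetical diagnostic helper (added example). Run it on the server under the identity
// that validates the certificate (the app pool identity in IIS), because chain building
// reads the Trusted Root and Intermediate stores visible to that identity.
public static class ChainTrustProbe
{
    // Client Authentication enhanced key usage OID.
    private const string ClientAuthEku = "1.3.6.1.5.5.7.3.2";

    // True if the certificate carries the Client Authentication EKU, or carries no EKU
    // extension at all (a certificate without EKU is valid for any purpose).
    public static bool HasClientAuthEku(X509Certificate2 certificate)
    {
        bool sawEkuExtension = false;
        foreach (X509Extension extension in certificate.Extensions)
        {
            X509EnhancedKeyUsageExtension eku = extension as X509EnhancedKeyUsageExtension;
            if (eku == null) continue;
            sawEkuExtension = true;
            foreach (Oid oid in eku.EnhancedKeyUsages)
                if (oid.Value == ClientAuthEku) return true;
        }
        return !sawEkuExtension;
    }

    public static string Report(X509Certificate2 certificate, bool requireClientAuth)
    {
        X509Chain chain = new X509Chain();
        // Same revocation setting as revocationMode="NoCheck" in the service configuration.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        if (requireClientAuth)
            chain.ChainPolicy.ApplicationPolicy.Add(new Oid(ClientAuthEku));

        bool trusted = chain.Build(certificate);
        StringBuilder sb = new StringBuilder();
        sb.AppendLine("Chain for " + certificate.Subject + ": " + (trusted ? "TRUSTED" : "NOT TRUSTED"));
        sb.AppendLine("Client Authentication EKU usable: " + HasClientAuthEku(certificate));

        // Element 0 is the leaf; the last element is the root the chain engine selected.
        for (int i = 0; i < chain.ChainElements.Count; i++)
        {
            X509ChainElement element = chain.ChainElements[i];
            sb.AppendLine("  [" + i + "] " + element.Certificate.Subject
                + " (" + element.Certificate.Thumbprint + ")");
            foreach (X509ChainStatus status in element.ChainElementStatus)
                sb.AppendLine("      " + status.Status + ": " + status.StatusInformation.Trim());
        }
        // Typical statuses: UntrustedRoot = the root is missing from the Trusted Root store
        // read by this process; PartialChain = an intermediate could not be located.
        foreach (X509ChainStatus status in chain.ChainStatus)
            sb.AppendLine("  overall " + status.Status + ": " + status.StatusInformation.Trim());
        return sb.ToString();
    }
}
```

When the report shows TRUSTED under the app pool identity but the service still rejects the client, the problem is outside WCF's validator, as the IIS certificate mapping turned out to be here.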

Using client certificates for authentication

The client machine has the "TicketSalesClient" certificate in the "My" store of the current user and the "TicketSalesServer" certificate in the "TrustedPeople" store of the current user. The server machine has the "TicketSalesClient" certificate in the "TrustedPeople" store of the local machine and the "TicketSalesServer" certificate in the "My" store of the local machine.
The service runs under IIS 7. Below is the web.config file:
<system.serviceModel>
<services>
<service behaviorConfiguration="secureBehavior" name="InternetRailwayTicketSales.TicketSalesImplementations.TicketSalesService">
<endpoint address="TicketSalesService"
binding="basicHttpBinding"
bindingConfiguration="secureHttpBinding" contract="InternetRailwayTicketSales.TicketSalesInterface.ITicketSales" />
<endpoint address="TicketSalesServiceSecureMex"
binding="basicHttpBinding"
bindingConfiguration="secureHttpBinding"
contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="https://localhost:443/TicketSales/" />
</baseAddresses>
</host>
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="secureHttpBinding">
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="secureBehavior">
<serviceThrottling maxConcurrentInstances="5000" maxConcurrentSessions="5000" />
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="True" />
<serviceCredentials>
<serviceCertificate findValue="TicketSalesServer"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindBySubjectName"/>
<clientCertificate>
<authentication certificateValidationMode="PeerTrust"/>
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
The service in IIS is configured for SSL and to require client certificates.
1) Now when I try to add a service reference in the client I receive: "The HTTP request was forbidden with client authentication scheme 'Anonymous'. The remote server returned an error: (403) Forbidden."
2) If I try to request the metadata endpoint using a browser, I first apply the SSL certificate and then receive an error that "The credentials do not give the right to view this directory or page." As I understand it, this is because I can't give the client credentials through the browser.
3) I tried to use svcutil with a configuration file which contains the client credentials:
<configuration>
<system.serviceModel>
<client>
<endpoint
behaviorConfiguration="ClientCertificateBehavior"
binding="basicHttpBinding"
bindingConfiguration="Binding1"
contract="IMetadataExchange"
name="https" />
</client>
<bindings>
<basicHttpBinding>
<binding name="Binding1">
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="ClientCertificateBehavior">
<clientCredentials>
<clientCertificate findValue="TicketSalesClient"
storeLocation="CurrentUser"
storeName="My"
x509FindType="FindBySubjectName" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
And then:
svcutil https://veryLongAddress.svc?wsdl /config:svcutilConf.config
And the response is: "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure."
So what am I doing wrong?
It seems like your certificate installation is fine. Can you try the steps shown below and check the output? Try to browse to the service from IE and you should be able to see the service and its WSDL.
Go to IE and then:
Tools --> Internet Options --> Security --> Internet --> Custom Level
Tools --> Internet Options --> Security --> Intranet --> Custom Level
Now scroll down to the Misc section, find the option "Don't prompt for client certificate selection when no certificate is present or only one certificate is present" and set it to Disable.
Now restart IE and browse to the service; IE should ask you to select a client certificate from the personal store, and you need to select mvc.localhost.
If the TicketSalesClient cert is not visible, then your client certificate is not in the appropriate store.
The reason for this is that the file you are using to install the certificates does matter, as well as the purpose for which the certificate has been created. You can find the purpose of each certificate when you double-click it in the certificate store; there is a column called Intended Purpose. Make sure it's the right one for your client certificate.
When hosting the service in IIS, all endpoints must have the same transport security configuration. I played with this before and I ended up redefining the binding for the WSDL GET (yes, it also has an internal binding defined). So modify your bindings on the service to:
<basicHttpBinding>
<binding name="secureHttpBinding">
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
</basicHttpBinding>
<customBinding>
<binding name="wsdlBinding">
<textMessageEncoding messageVersion="None" />
<httpsTransport requireClientCertificate="true" />
</binding>
</customBinding>
And in service behaviors use:
<serviceMetadata httpsGetEnabled="true"
httpsGetBinding="customBinding"
httpsGetBindingConfiguration="wsdlBinding" />
This should force WSDL get to require client certificate and it "should" work from browser (unless there is some other problem).
When we host a WCF service in IIS with security mode Transport and client credential type Certificate, put your client certificate in the Root store and enable anonymous authentication in IIS. But most important, add your certificate to the Root store.