Configure IIS for WCF service with SSL and transport security
This article will help you to configure IIS for WCF service with SSL and achieve WCF Transport security. It uses a WCF service, create a SSL certificate using IIS Server Certificates with WCF service hosted in IIS.
In Windows Communication Foundation Transport security is dependent on the binding and transport being used. It requires an SSL certificate to be registered with IIS. For a production environment, you must obtain the certificate from third party certificate issuer like Verisign. In Transport Security server and clients are configured with X.509 certificates to allow verification of other parties. For development environment you can create Self Signed Certificate
Advantages of Transport Security in WCF Services
- Improved interoperability as it does not require both parties to understand XML level security.
- Improvement in overall performance as compare to Message level security.
- Streaming is possible whereas in Message level security it is not possible.
We can implement an SSL for WCF service in two ways
- If you are hosting WCF service in IIS you can use IIS infrastructure to set up SSL.
- If your WCF service is self-hosted you can create SSL certificate using HttpCfg.exe and use it for service binding.
Step by step configuration of IIS for WCF Service with SSL
Create Self Signed SSL certificate
In this step, we will create a self-signed certificate using IIS manager.
Open the IIS manager using inetmgr command. Select <server name > from connection pane which is at the left side of the IIS manager.
Double click on Server Certificates from the middle pane of IIS manager.
From actions (right side) pane of IIS manager click on Self Signed Certificate.
You will get a new window where you have to the certificate name. Give name as NorthwindCertificates.
Create and Host your WCF Service
Endpoint configuration for Transport security
Open the WCF service library application created in the previous step. Open app.config file from NorthwindServices application to make changes for WCF endpoint to allow transport security with SSL.
Add bindingConfiguration which sets attributes for basicHttpBinding and sets its security mode. There are three types of security modes available in WCF Message for message level security, Transport for transport level security and TransportWithMessageCredential for providing security over a transport with encrypted messages or you can set it as None to disable security of WCF service.
Set clientCredentialType as None to specify anonymous authentication which does not perform client authentication. The possible values for clientCredentialType are None, Basic, Digest, Ntlm, Windows.
Change serviceBehaviors for allowing https request by setting httpsGetEnabled="true".
Your Service endpoint will be
<system.serviceModel>
<services>
<service name="NorthwindServices.ProductService">
<endpoint address=""
binding="basicHttpBinding"
bindingConfiguration="secureHttpBinding"
contract="NorthwindServices.IProducts"/>
<endpoint address="mex"
binding="mexHttpsBinding"
contract="IMetadataExchange" />
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="secureHttpBinding">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
Configure SSL Certificate for WCF Service
Host your WCF service in IIS . In IIS manager right click on the site which you created for hosting and click on Edit Bindings.... From the new window, you should be able to see HTTP binding configured.
Now click on Add button and select https from type dropdown of Add Site Binding window.
From the SSL Certificate drop down select NorthwindCertificate which you created in first step. Click Ok and close Site Bindings window.
Publish your WCF service once again to https://localhost/ address.
Client application for SSL secured WCF service
Create a client application for this SSL secured WCF service and Add Service Reference to https://localhost/ProductServiceHost.svc.
Add below code to the client application which calls WCF service and get Product details for ProductID 1.
namespace NorthwindClient
{
class Program
{
static void Main(string[] args)
{
ProductServiceRef.ProductsClient client
= new ProductServiceRef.ProductsClient();
string category = client.GetCategoryName(1);
string name = client.GetProductName(1);
int qty = client.GetProductQty(1);
Console.WriteLine("Product Name : " + name);
Console.WriteLine("Product Qty : " + qty.ToString());
Console.WriteLine("Product Category : " + category);
Console.Read();
}
}
}
Execute the client application you might get SecurityNegotiationException with Could not establish trust relationship for the SSL/TLS secure channel with authority 'localhost' . To resolve this issue open the app.config file of the client application and replace localhost from endpoint address with your computer name.
https://localhost/ProductServiceHost.svc
Change it to
https://<your computer name>/ProductServiceHost.svc
Blog Search
clientCredentialType can be "Certificate" too.
yes ... you can use Certificate as well