Channel: MSDN Blogs

WCF: Transport Layer Security - with client certificates


Requirement:

  1. HTTPS/SSL channel
  2. Authentication mode
     1. Certificate
     2. Windows / NTLM

 

WCF HOST:

  1. IIS

 

Certificates Authentication on Transport Layer - IIS

 

Requirement:

  1. SSL channel (using a server/SSL certificate)
     1. Add an HTTPS binding in IIS and assign the required SSL certificate to it.
  2. The client must hold the private key of the client certificate.
  3. The server must trust the client certificate.

Trust:

  1. Peer Trust
  2. Chain Trust

  

PeerTrust: forces the public key of the client certificate to be present in the 'Trusted People' certificate store on the service side.

ChainTrust: the certificate must validate against the complete certificate chain up to a trusted root.

  

Architecture:

Passing client certificate:

  1. Via Code
  2. Via Config
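The original post showed the "via code" option as a screenshot; the following is an added C# example, not the post's own code. It assumes a hypothetical `IEchoService` contract, an HTTPS service URL and a client certificate thumbprint supplied by the caller, and shows both the client side (attaching the certificate) and the service-side trust mode (PeerTrust vs. ChainTrust) discussed above.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract: the original post does not name its service.
[ServiceContract]
public interface IEchoService
{
    [OperationContract]
    string Echo(string text);
}

public static class TransportClientCertSample
{
    // HTTPS channel with the client authenticated by certificate at the transport layer.
    // Config equivalent ("via config"):
    //   <security mode="Transport">
    //     <transport clientCredentialType="Certificate" />
    //   </security>
    public static WSHttpBinding CreateBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
        return binding;
    }

    // Client side ("via code"): pick the certificate whose private key is in the
    // calling user's personal store. The thumbprint is an assumed caller-supplied value.
    public static ChannelFactory<IEchoService> CreateClientFactory(string httpsUrl, string thumbprint)
    {
        var factory = new ChannelFactory<IEchoService>(CreateBinding(), new EndpointAddress(httpsUrl));
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, thumbprint);
        return factory;
    }

    // Service side: how the presented client certificate is trusted.
    // PeerTrust  -> its public key must be in the service machine's Trusted People store.
    // ChainTrust -> it must chain up to a trusted root CA.
    // For an IIS-hosted service the same choice goes in web.config under
    // <serviceCredentials><clientCertificate><authentication certificateValidationMode="..."/>.
    public static void ConfigureClientCertTrust(ServiceHost host, bool peerTrust)
    {
        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = peerTrust
            ? X509CertificateValidationMode.PeerTrust
            : X509CertificateValidationMode.ChainTrust;
    }
}
```

Calling `CreateClientFactory(...).CreateChannel().Echo("ping")` presents the selected certificate during the TLS handshake; if the service's trust mode rejects it, the call fails before any message reaches the service.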

Handling Certificate Authentication (IIS)

When we say we want to handle authentication at the transport layer, it is the responsibility of our host (IIS) to authenticate the incoming request based on the client certificate it presents.

We call this process Client Mapping.

 

Client Mapping

  1. One to one mapping
  2. Many to one mapping

 

Mapping is the process of assigning an identity to the incoming request.

When we use the client credential type "certificate", the only identity carried by the incoming request is the client certificate itself; so how does IIS know who the client is?

It needs to know, because to access a resource or service on the IIS machine, the incoming request must carry a valid identity that is allowed to access that resource.

This valid identity could be a local account, a domain account or a service account.

 

Reference to learn one to one and many to one mapping:

http://blogs.msdn.com/b/saurabs/archive/2012/05/23/wcf-transport-security-iis-handling-client-certificates.aspx

 

Based on the mapping configured and the rules set, the incoming client certificate is mapped to the selected identity, and the request is authorized on the basis of that identity only.

Once it is authorized, the request reaches the service.

 

Observing the SSL handshake for a client certificate at the transport layer

The certificate handshake document below presents the complete process of the key exchange between server and client.

Both sides start talking over the SSL channel once the handshake has succeeded.

http://blogs.msdn.com/b/saurabs/archive/2012/04/27/monitor-certificate-ssl-handshake.aspx

 

I hope this document helps in understanding the role of IIS and the SSL channel in adding transport layer security.
