views:

79

answers:

0

I have a WCF application hosted on IIS 6 that needs to

  1. Have 2-way SSL authentication
  2. Validate client certificate content with some client host information
  3. Validate client certificate is issued by the valid subCA.

I was able to do 1) successfully. I am trying to achieve 2) and 3) by following this - basically creating a class that inherits X509CertificateValidator and overriding the Validate method with my own validation implementation(step 2 and 3). I followed the MSDN instructions exactly however, it seem that the Validate method is not being called. I purposely throw a SecurityAccessDeniedException in the overidden Validate method and no exception is thrown when I tried to access the service via my browser. I can still access my website with any client certificate.

I also read this thread but it didn't really help. Any help would be greatly appreciated!

Here's my configuration:

<system.serviceModel>
<services>
  <service behaviorConfiguration="SimpleServiceBehavior"
           name="SampleNameSpace.SampleClass">
    <endpoint address=""
              binding="basicHttpBinding"
                  bindingConfiguration="NewBinding0"
                  contract="SampleNameSpace.ISampleClass" />
  </service>
</services>
<behaviors>
  <serviceBehaviors>
    <behavior name="SimpleServiceBehavior">
      <serviceMetadata httpsGetEnabled="true" policyVersion="Default" />
      <serviceCredentials>
        <clientCertificate>
            <authentication certificateValidationMode="Custom" customCertificateValidatorType="SampleNameSpace.MyX509CertificateValidator, SampleAssembly"/>
          </clientCertificate>
        </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>
<bindings>
  <basicHttpBinding>
    <binding name="NewBinding0">
      <security mode="Transport">
        <transport clientCredentialType="Certificate" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings>