Workflow Application: How to configure a WCF Service workflow application for Certificate Authentication

This article shows how to configure a WCF Service client and server with X.509 certificate authentication. It is the second part of the Workflow Application: How to use a WCF Service as a workflow application with basicHttpBinding or wsHttpBinding FAQ.

We’ll assume that the WorkflowAppWCFSample web site/app and the workflow application (including the client proxy .NET DLL) have already been created and configured, and that they function properly with Anonymous authentication.

  1. Create and install a service certificate.

    This example is based on a temporary service certificate installed in the local store. See the How to: Create and Install Temporary Certificates in WCF for Message Security During Development MSDN article for instructions on how to do this.

  2. Create and install the client certificate for authentication.

    See Step 7 in the How to: Use Certificate Authentication and Message Security in WCF Calling from Windows Forms MSDN article for instructions on how to do this.

  3. Configure the WCF Service website/app.

    Edit the WorkflowAppWCFSample web.config file and replace the entire <system.serviceModel> node with the following:

    <system.serviceModel>
        <bindings>
            <wsHttpBinding>
                <binding name="WSHttpBinding_IService" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="104857600" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
                    <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="104857600" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                    <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
                    <security>
                        <message clientCredentialType="Certificate" />
                    </security>
                </binding>
            </wsHttpBinding>
        </bindings>
        <services>
            <service name="WorkflowAppWCFSample.Service" behaviorConfiguration="ServiceBehavior">
                <endpoint address="" binding="wsHttpBinding" contract="WorkflowAppWCFSample.IService" bindingConfiguration="WSHttpBinding_IService">
                </endpoint>
                <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
            </service>
        </services>
        <behaviors>
            <serviceBehaviors>
                <behavior name="ServiceBehavior">
                    <serviceMetadata httpGetEnabled="true"/>
                    <serviceDebug includeExceptionDetailInFaults="false"/>
                    <serviceCredentials>
                        <serviceCertificate findValue="CN=tempCert"/>
                    </serviceCredentials>
                </behavior>
            </serviceBehaviors>
        </behaviors>
    </system.serviceModel>
    
  4. Configure WorkflowGen for the WCF Service client proxy.

    Edit the WorkflowGen web.config and replace the complete <system.serviceModel> node with the following:

    <system.serviceModel>
        <behaviors>
            <endpointBehaviors>
                <behavior name="wsHttpBehavior_IService">
                    <clientCredentials>
                        <clientCertificate findValue="CN=tempCert" storeLocation="LocalMachine" />
                    </clientCredentials>
                </behavior>
            </endpointBehaviors>
        </behaviors>
        <bindings>
            <wsHttpBinding>
                <binding name="WSHttpBinding_IService" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="104857600" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
                    <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="104857600" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                    <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
                    <security>
                        <message clientCredentialType="Certificate" negotiateServiceCredential="true" algorithmSuite="Default" establishSecurityContext="true" />
                    </security>
                </binding>
            </wsHttpBinding>
        </bindings>
        <client>
            <endpoint address="http://localhost/wfgen/WfApps/WebServices/WorkflowAppWCFSample/Service.svc" binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IService" behaviorConfiguration="wsHttpBehavior_IService" contract="WorkflowAppWCFSampleTest.IService" name="WSHttpBinding_IService">
                <identity>
                    <certificate encodedValue="[Base64String]" />
                </identity>
            </endpoint>
        </client>
    </system.serviceModel>
    

Notes

  • The certificate encoded value placeholder (<certificate encodedValue="[Base64String]" />) must be replaced with the Base64-encoded value of your service certificate.

  • Normally, you can use the svcutil tool to generate a client configuration file called output.config, which will contain the certificate encoded value.

  • Download the following files and save them in the folder that contains the svcutil.exe tool:

    • Save http://localhost/wfgen/WfApps/WebServices/WorkflowAppWCFSample/Service.svc?wsdl as Service.wsdl.

    • Save http://localhost/wfgen/WfApps/WebServices/WorkflowAppWCFSample/Service.svc?xsd=xsd0 as Service0.xsd.

    • Save http://advca2pc18/wfgen/WfApps/WebServices/WorkflowAppWCFSample/Service.svc?xsd=xsd1 as Service1.xsd.

    • Save http://advca2pc18/wfgen/WfApps/WebServices/WorkflowAppWCFSample/Service.svc?xsd=xsd2 as Service2.xsd.

  • Then run the following from a command prompt in that folder:

    svcutil.exe *.wsdl *.xsd
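As an alternative to reading the encoded value out of the svcutil output.config, the following PowerShell script (an added example, not part of the original article or of WorkflowGen) looks up the certificate that the serviceCertificate element's findValue="CN=tempCert" resolves to, checks that WCF will actually be able to use it, and prints the <certificate encodedValue="..."/> node for the client endpoint identity. It assumes the certificate lives in the LocalMachine\My store, which is the default store for serviceCertificate when storeLocation and storeName are not specified.

```powershell
# Added example (not from the original article): resolve findValue="CN=tempCert"
# the way WCF does and emit the Base64 DER value that
# <identity><certificate encodedValue="..."/> expects.
param(
    [string]$Subject   = 'CN=tempCert',            # must match findValue in web.config
    [string]$StorePath = 'Cert:\LocalMachine\My'   # assumed: default serviceCertificate store
)

# findValue defaults to X509FindType.FindBySubjectDistinguishedName, i.e. the full subject DN.
$certs = @(Get-ChildItem -Path $StorePath | Where-Object { $_.Subject -eq $Subject })

if ($certs.Count -eq 0) {
    throw "No certificate with subject '$Subject' in $StorePath; WCF cannot load serviceCertificate."
}
if ($certs.Count -gt 1) {
    # WCF requires exactly one match for findValue; two temp certs with the same CN is a common mistake.
    throw "$($certs.Count) certificates match '$Subject' in $StorePath; findValue must be unambiguous."
}
$cert = $certs[0]

# The service signs/decrypts with its private key, so the key must be present and readable
# by the application pool identity (this script only checks presence).
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; the service side cannot use it."
}
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)."
}

# encodedValue is the Base64 of the DER-encoded public certificate only (no private key is exported).
$der     = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$encoded = [Convert]::ToBase64String($der)

[pscustomobject]@{
    Subject      = $cert.Subject
    Thumbprint   = $cert.Thumbprint
    NotAfter     = $cert.NotAfter
    IdentityNode = "<certificate encodedValue=`"$encoded`" />"
}
```

Paste the IdentityNode value in place of the <certificate encodedValue="[Base64String]" /> line in the WorkflowGen web.config; the Thumbprint lets you confirm it is the same certificate the service loads.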