Skip to main content

Connecting to SOAP service with certificate authentication

I have rarely worked with certificate based authentication, so when I got this neat little SOAP service with certificate authentication in my hands I gladly accepted the challenge. All I got was the URL to the service with a certificate and the password. I also got an example written in PHP:

$client = new SoapClient("https://url.to.service/", array(
        'local_cert' => 'client_certificate.pem', 'passphrase' => 'PASSPHRASE',
        'cache_wsdl' => WSDL_CACHE_NONE
));

This of course looks very easy, but we all know that it's not really that easy if I want to use .NET and WCF. First of all the PEM-certificate cannot natively be used in .NET. Second of all I don't have the WSDL for the service. Here are the steps I had to go through to be able to successfully connect to the SOAP service.

Convert the certificate
The certificate I received was a PEM certificate which included both the private and public key. .NET does not natively support the PEM format, so I had to convert the certificate to a type that is usable in my application. For this purpose I used Win32OpenSSL and the command is really straight forward:

openssl pkcs12 -export -in client_certificate.pem -out client_certificate.pfx

I was prompted for the current password and then prompted to enter a password for the new certificate. This results in a PFX certificate ready to use in .NET and that is compatible with the SOAP service.

Connecting to the service
By installing the PFX-certificate in the certificate store on my computer I am able to connect to the service URL. This also means that I can use the Add service reference Wizard in Visual Studio to generate the service client classes. However, I don't want to make the users install the certificate on their computers, but instead include the certificate in the application that will consume the service.

Another issue is that the SSL-certificate is not issued by a trusted source. This means that a secure connection cannot be established. An ugly but surely effective hack is to override the ServerCertificateValidationCallback and simply returning true for all certificates on validation. Note that this override is effective for the entire application!

ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, errors) => true;

When that little obstacle is overcome, it is actually a very straight path to connect to the service. First we will have to add the certificate to the solution and set it as Embedded Resource. The next step is to read the resource and add the certificate to the service binding.

var resource = typeof(MyService).Assembly.GetManifestResourceStream("client_certificate.pfx");
using(var stream = new MemoryStream())
{
    resource.CopyTo(stream);
    _certificate = new X509Certificate2(stream.ToArray(), "PASSWORD");
}

When connecting all we need to do is create a BasicHttpBinding and setting the ClientCredentialType to Certificate. We also have to add the certificate to the ClientCertificate property on the service.

public void Connect()
{
    var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
    binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

    var endpointAddress = new EndpointAddress("https://url.to.service/");

    _service = new ServiceClient(binding, endpointAddress);
    _service.ClientCredentials.ClientCertificate.Certificate = _certificate;
    _service.Open();
}

That is about everything that needs to be done. With the certificate added to the project and to the binding the authentication is handled with the certificate and the supplied password. The service works great on any computer without having to install the certificate or entering any credentials. Of course this is not the most secure solution out there, but it sure gets the job done!

Comments

Popular posts from this blog

Binding Enum with DescriptionAttribute in WPF

Binding an enumeration to a ComboBox can be done in several ways. In most cases you don't want to display the value itself, but a more user friendly description. One common approach is to use the DescriptionAttribute on the Enum values to supply a description for each value.  This is all possible in a very MVVM friendly way. First step is to add the  DescriptionAttribute  to the values of the enumeration. public enum MyValues { [Description("First value")] First, [Description("Second value")] Second } To retrieve the description from the enum we use a simple extension method. This method returns the value of the DescriptionAttribute if it exists, otherwise the string representation of the enum value is returned. public static string GetDescription(this Enum value) { var fieldInfo = value.GetType().GetField(value.ToString()); var attribute = fieldInfo.GetCustomAttributes(typeof(DescriptionAttribute), false).FirstOrDefault() as

Programming AD with C#.NET – part 4

Our transition to the  System.DirectoryServices.Protocols  has in the whole gone very smooth, but there have been some issues with one environment that contains subdomains. Most things are working fine, but writing to a subdomain does not work in the same way as it did before. What is generally bad with the  System.DirectoryServices.Protocols is the documentation, which is practically non-existent. But most things can  be figured out anyway since most classes just are wrappers for the wldap32.dll, which in turn is way better documented. I would like to have as little bindings to a specific server as possible but still be able to access the domain. In the  LdapConnection  it is possible to set the identifier to null and use the executing computer as a starting point to find a domain controller. But sometimes I must know that I am using a Global Catalog, and with more and more RODC in the environment I sometimes must know that I am working against a writeable domain controller.

User.Identity returns old login name after name change

When a person gets married or makes a name change for some other reason this usually means that the login name for the Active Directory-account changes as well. This is rarely a problem, but it turned out to cause some issues on our web server, where the  User.Identity  property was still returning the old login name. The user logged on with the new login name, but was identified by the web application as the old login name. The reason this occurs is because the  User.Identity  property relies on the  LsaLookupSids  method to convert the user SID to a login name. The method first calls the local  LSA-cache , which is not synchronized with the Active Directory. For this purpose a simple reboot of the web server to clear the  LSA-cache  propably would have sufficed. But since we didn't want to take the application offline rebooting was not an option. Instead, it is possible to set the registry value  LsaLookupCacheMaxSize in HKLM\SYSTEM\CurrentControlSet\Control\Lsa. If this val