{error: (403) Forbidden."} WCF basicHttpBinding with Transport and Certificate Credential
I get the error "{"The remote server returned an error: (403) Forbidden."} The HTTP request was forbidden with client authentication scheme 'Anonymous'." when using basicHttpBinding with Transport security and a certificate credential. My service is on an Amazon EC2 instance and my client app connects to it remotely over the internet. I am able to connect to the WCF service if my Transport credential is set to "None" in both the web.config of the service and the app.config of the client. My service certificate (something like "www.example.com") is installed on the Amazon EC2 instance in the "local machine" store, "Personal" folder. My client app certificate is just a self-signed certificate which I installed in its "local machine" store, "Personal" folder, and also in the "Trusted People" store on the Amazon EC2 instance where my WCF service is. I have also set up "https" in my IIS site bindings and I can reach the site through "https://www.example.com".

Below is the web.config, app.config, and the code I have on the client app.

Service Web.config:

<?xml version="1.0"?>
<configuration>

<system.web>
<compilation debug="true" targetFramework="4.0" />
<customErrors mode="Off"/>
</system.web>
<system.serviceModel>

<bindings>
<basicHttpBinding>
<binding name="basicHttpBinding_Config" >
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</basicHttpBinding>
</bindings>

<services>
<service name="MyProject.MyService">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="basicHttpBinding_Config"
contract="MyService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>

<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="PeerOrChainTrust" trustedStoreLocation="LocalMachine"/>
</clientCertificate>
<serviceCertificate findValue="www.example.com" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>

<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>

</configuration>


Client app.config:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>

<bindings>
<basicHttpBinding>
<binding name="basicHttpBinding_Config" >
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="https://www.example.com/sub/Service1.svc"
binding="basicHttpBinding" bindingConfiguration="basicHttpBinding_Config"
contract="ServiceReference1.MyService" name="BasicHttpBinding_MyService" />
</client>

<behaviors>
<endpointBehaviors>
<behavior>
<clientCredentials>
<clientCertificate findValue="clientKey"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindBySubjectName" />
</clientCredentials>

</behavior>
</endpointBehaviors>
</behaviors>

</system.serviceModel>
</configuration>


Client App Console Code:

using System;

static void Main(string[] args)
{
    // Accepts every server certificate: this switches off TLS server validation
    // on the client and should only stay in place while debugging.
    System.Net.ServicePointManager.ServerCertificateValidationCallback += delegate { return true; };

    ServiceReference1.MyServiceClient client = new ServiceReference1.MyServiceClient();

    // GetMethods takes the message header by reference (type taken from the
    // generated proxy signature shown in the trace below).
    ServiceReference1.MultiSpeakMsgHeader mh = new ServiceReference1.MultiSpeakMsgHeader();
    string[] a = client.GetMethods(ref mh);
    foreach (string s in a)
    {
        Console.WriteLine(s);
    }
    Console.ReadKey();
}


The diagnostic tracing output is below:

<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
<System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system">
<EventID>131077</EventID>
<Type>3</Type>
<SubType Name="Critical">0</SubType>
<Level>1</Level>
<TimeCreated SystemTime="2018-11-16T21:50:58.8220239Z" />
<Source Name="System.ServiceModel" />
<Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" />
<Execution ProcessName="ConsoleApplication1" ProcessID="22220" ThreadID="1" />
<Channel />
<Computer>DESKTOP-RPNI11M</Computer>
</System>
<ApplicationData>
<TraceData>
<DataItem>
<TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Critical">
<TraceIdentifier>UnhandledException</TraceIdentifier>
<Description>Unhandled exception</Description>
<AppDomain>ConsoleApplication1.exe</AppDomain>
<Exception>
<ExceptionType>System.ServiceModel.Security.MessageSecurityException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>The HTTP request was forbidden with client authentication scheme 'Anonymous'.</Message>
<StackTrace>
Server stack trace:
at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory`1 factory)
at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory`1 factory, WebException responseException, ChannelBinding channelBinding)
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object ins, Object outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&amp; msgData, Int32 type)
at ConsoleApplication1.ServiceReference1.IOD_V416.GetMethods(GetMethodsRequest request)
at ConsoleApplication1.ServiceReference1.OD_V416Client.ConsoleApplication1.ServiceReference1.IOD_V416.GetMethods(GetMethodsRequest request) in D:WorkfolderProjects2MyProjectWCF_AppMyService - Copy (3)ConsoleApplication1Service ReferencesServiceReference1Reference.cs:line 72017
at ConsoleApplication1.ServiceReference1.OD_V416Client.GetMethods(MultiSpeakMsgHeader&amp; MultiSpeakMsgHeader) in D:WorkfolderProjects2MyProjectWCF_AppMyService - Copy (3)ConsoleApplication1Service ReferencesServiceReference1Reference.cs:line 72023
at ConsoleApplication1.Program.Main(String args) in D:WorkfolderProjects2MyProjectWCF_AppMyService - Copy (3)ConsoleApplication1Program.cs:line 43
</StackTrace>
<ExceptionString>System.ServiceModel.Security.MessageSecurityException: The HTTP request was forbidden with client authentication scheme 'Anonymous'. ---&gt; System.Net.WebException: The remote server returned an error: (403) Forbidden.
at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
--- End of inner exception stack trace ---

Server stack trace:
at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory`1 factory)
at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory`1 factory, WebException responseException, ChannelBinding channelBinding)
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object ins, Object outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&amp; msgData, Int32 type)
at ConsoleApplication1.ServiceReference1.IOD_V416.GetMethods(GetMethodsRequest request)
at ConsoleApplication1.ServiceReference1.OD_V416Client.ConsoleApplication1.ServiceReference1.IOD_V416.GetMethods(GetMethodsRequest request) in D:WorkfolderProjects2MyProjectWCF_AppMyService - Copy (3)ConsoleApplication1Service ReferencesServiceReference1Reference.cs:line 72017
at ConsoleApplication1.ServiceReference1.OD_V416Client.GetMethods(MultiSpeakMsgHeader&amp; MultiSpeakMsgHeader) in D:WorkfolderProjects2MyProjectWCF_AppMyService - Copy (3)ConsoleApplication1Service ReferencesServiceReference1Reference.cs:line 72023
at ConsoleApplication1.Program.Main(String args) in D:WorkfolderProjects2MyProjectWCF_AppMyService - Copy (3)ConsoleApplication1Program.cs:line 43</ExceptionString>
<InnerException>
<ExceptionType>System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>The remote server returned an error: (403) Forbidden.</Message>
<StackTrace>
at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
</StackTrace>
<ExceptionString>System.Net.WebException: The remote server returned an error: (403) Forbidden.
at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)</ExceptionString>
</InnerException>
</Exception>
</TraceRecord>
</DataItem>
</TraceData>
</ApplicationData>
</E2ETraceEvent>


I did look at other similar issues but none has solved it yet. I'm continuously searching for the right solution, and I appreciate any help or advice the community provides.
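An added diagnostic, written for this edit and not part of the question or of the project's code: it repeats the client-side certificate lookup that the app.config above asks WCF to perform (subject name "clientKey" in the LocalMachine\My store, found by FindBySubjectName) and reports the conditions under which that certificate could not be used in the TLS handshake, which is where a certificate transport credential is actually presented. The class and method names are mine; the lookup parameters come from the app.config.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class ClientCertCheck
{
    // OID of the "Client Authentication" enhanced key usage.
    private const string ClientAuthEku = "1.3.6.1.5.5.7.3.2";

    public sealed class Finding
    {
        public string Thumbprint;
        public List<string> Problems = new List<string>();
        public bool Usable { get { return Problems.Count == 0; } }
    }

    // Same store, same find type and validOnly = false, as in the WCF lookup,
    // so expired or untrusted certificates are returned and can be reported.
    public static List<Finding> Inspect(string subjectName, StoreLocation location, StoreName storeName)
    {
        var results = new List<Finding>();
        var store = new X509Store(storeName, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection matches =
                store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, false);

            if (matches.Count == 0)
            {
                Console.WriteLine("No certificate with subject containing '{0}' in {1}\\{2}.",
                                  subjectName, location, storeName);
            }
            else if (matches.Count > 1)
            {
                // FindBySubjectName is a substring match; WCF needs exactly one hit.
                Console.WriteLine("{0} certificates match '{1}'; WCF requires exactly one.",
                                  matches.Count, subjectName);
            }

            foreach (X509Certificate2 cert in matches)
            {
                results.Add(Evaluate(cert));
            }
        }
        finally
        {
            store.Close();
        }
        return results;
    }

    public static Finding Evaluate(X509Certificate2 cert)
    {
        var f = new Finding { Thumbprint = cert.Thumbprint };

        // Without an associated private key the client cannot produce the TLS
        // CertificateVerify message, so the server sees no client certificate at all.
        // (HasPrivateKey does not prove the process account may read that key;
        // key ACLs are a separate check.)
        if (!cert.HasPrivateKey)
            f.Problems.Add("no private key associated with the certificate");

        DateTime now = DateTime.Now;
        if (now < cert.NotBefore || now > cert.NotAfter)
            f.Problems.Add("not within validity period");

        bool hasEku = false, clientAuth = false;
        foreach (X509Extension ext in cert.Extensions)
        {
            var eku = ext as X509EnhancedKeyUsageExtension;
            if (eku == null) continue;
            hasEku = true;
            foreach (Oid oid in eku.EnhancedKeyUsages)
                if (oid.Value == ClientAuthEku) clientAuth = true;
        }
        // An EKU extension that omits Client Authentication is rejected by TLS
        // stacks; no EKU extension at all means "any purpose".
        if (hasEku && !clientAuth)
            f.Problems.Add("EKU present but lacks Client Authentication (1.3.6.1.5.5.7.3.2)");

        return f;
    }

    public static void Main()
    {
        foreach (Finding f in Inspect("clientKey", StoreLocation.LocalMachine, StoreName.My))
        {
            Console.WriteLine("{0}: {1}", f.Thumbprint,
                f.Usable ? "usable for TLS client authentication" : string.Join("; ", f.Problems));
        }
    }
}
```

Run it under the same account as the console client, since LocalMachine\My private keys are protected by per-key ACLs. If every check passes, the client side can complete the handshake, and the remaining question is what IIS on the EC2 instance did with the certificate: an IIS 403 in this scenario carries a substatus in the site's log (403.7 client certificate required, 403.16 client certificate untrusted or invalid, 403.17 expired) that narrows the cause far more than the WCF message, whose 'Anonymous' scheme is the expected HTTP-level value when the credential is a certificate.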










share|improve this question





























    0















    I get the error "{"The remote server returned an error: (403) Forbidden."} The HTTP request was forbidden with client authentication scheme 'Anonymous'." when using basicHttpBinding with Transport security and certificate credential. My service is in amazon ec2 instance and my client app remotely connect to it over the internet. I am able to connect to the wcf service if my Transport credential is set to "None" in both the web.config of the service and app.config of the client. My service certificate is like "www.example.com" is installed on amazon ec2 "local machine store" and "Personal Folder". My client app certificate is just a self-signed certificate which I installed to its "local machine and Personal Folder" and also to the "Trusted People store" in the amazon ec2 instance where my wcf service is. I have also setup "https" to my IIS site bindings and I can reach the site through like "https://www.example.com"



    Below is the web.config, app.config, and the code I have on the client app.



    Service Web.config:



    <?xml version="1.0"?>
    <configuration>

    <system.web>
    <compilation debug="true" targetFramework="4.0" />
    <customErrors mode="Off"/>
    </system.web>
    <system.serviceModel>

    <bindings>
    <basicHttpBinding>
    <binding name="basicHttpBinding_Config" >
    <security mode="Transport">
    <transport clientCredentialType="Certificate"/>
    </security>
    </binding>
    </basicHttpBinding>
    </bindings>

    <services>
    <service name="MyProject.MyService">
    <endpoint address="" binding="basicHttpBinding" bindingConfiguration="basicHttpBinding_Config"
    contract="MyService" />
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
    </services>

    <behaviors>
    <serviceBehaviors>
    <behavior>
    <serviceMetadata httpGetEnabled="true"/>
    <serviceDebug includeExceptionDetailInFaults="true"/>
    <serviceCredentials>
    <clientCertificate>
    <authentication certificateValidationMode="PeerOrChainTrust" trustedStoreLocation="LocalMachine"/>
    </clientCertificate>
    <serviceCertificate findValue="www.example.com" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
    </serviceCredentials>
    </behavior>
    </serviceBehaviors>
    </behaviors>

    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
    </system.serviceModel>
    <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
    </system.webServer>

    </configuration>


    Client app.config:



    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
    <system.serviceModel>

    <bindings>
    <basicHttpBinding>
    <binding name="basicHttpBinding_Config" >
    <security mode="Transport">
    <transport clientCredentialType="Certificate"/>
    </security>
    </binding>
    </basicHttpBinding>
    </bindings>
    <client>
    <endpoint address="https://www.example.com/sub/Service1.svc"
    binding="basicHttpBinding" bindingConfiguration="basicHttpBinding_Config"
    contract="ServiceReference1.MyService" name="BasicHttpBinding_MyService" />
    </client>

    <behaviors>
    <endpointBehaviors>
    <behavior>
    <clientCredentials>
    <clientCertificate findValue="clientKey"
    storeLocation="LocalMachine"
    storeName="My"
    x509FindType="FindBySubjectName" />
    </clientCredentials>

    </behavior>
    </endpointBehaviors>
    </behaviors>

    </system.serviceModel>
    </configuration>


    Client App Console Code:



    static void Main(string args)
    {
    System.Net.ServicePointManager.ServerCertificateValidationCallback += delegate { return true; };

    ServiceReference1.MyServiceClient client = new ServiceReference1.MyServiceClient();
    string a = client.GetMethods(ref mh);
    foreach (string s in a)
    {
    Console.WriteLine(s);
    }
    Console.ReadKey();

    }


    The Diagnostic Tracing returns below:



    <E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
    <System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system">
    <EventID>131077</EventID>
    <Type>3</Type>
    <SubType Name="Critical">0</SubType>
    <Level>1</Level>
    <TimeCreated SystemTime="2018-11-16T21:50:58.8220239Z" />
    <Source Name="System.ServiceModel" />
    <Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" />
    <Execution ProcessName="ConsoleApplication1" ProcessID="22220" ThreadID="1" />
    <Channel />
    <Computer>DESKTOP-RPNI11M</Computer>
    </System>
    <ApplicationData>
    <TraceData>
    <DataItem>
    <TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Critical">
    <TraceIdentifier>UnhandledException</TraceIdentifier>
    <Description>Unhandled exception</Description>
    <AppDomain>ConsoleApplication1.exe</AppDomain>
    <Exception>
    <ExceptionType>System.ServiceModel.Security.MessageSecurityException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
    <Message>The HTTP request was forbidden with client authentication scheme 'Anonymous'.</Message>
    <StackTrace>
    Server stack trace:
    at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory`1 factory)
    at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory`1 factory, WebException responseException, ChannelBinding channelBinding)
    at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
    at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
    at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
    at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object ins, Object outs, TimeSpan timeout)
    at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
    at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
    Exception rethrown at [0]:
    at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
    at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&amp; msgData, Int32 type)
    at ConsoleApplication1.ServiceReference1.IOD_V416.GetMethods(GetMethodsRequest request)
    at ConsoleApplication1.ServiceReference1.OD_V416Client.ConsoleApplication1.ServiceReference1.IOD_V416.GetMethods(GetMethodsRequest request) in D:WorkfolderProjects2MyProjectWCF_AppMyService - Copy (3)ConsoleApplication1Service ReferencesServiceReference1Reference.cs:line 72017
    at ConsoleApplication1.ServiceReference1.OD_V416Client.GetMethods(MultiSpeakMsgHeader&amp; MultiSpeakMsgHeader) in D:WorkfolderProjects2MyProjectWCF_AppMyService - Copy (3)ConsoleApplication1Service ReferencesServiceReference1Reference.cs:line 72023
    at ConsoleApplication1.Program.Main(String args) in D:WorkfolderProjects2MyProjectWCF_AppMyService - Copy (3)ConsoleApplication1Program.cs:line 43
    </StackTrace>
    <ExceptionString>System.ServiceModel.Security.MessageSecurityException: The HTTP request was forbidden with client authentication scheme 'Anonymous'. ---&gt; System.Net.WebException: The remote server returned an error: (403) Forbidden.
    at System.Net.HttpWebRequest.GetResponse()
    at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
    --- End of inner exception stack trace ---

    Server stack trace:
    at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory`1 factory)
    at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory`1 factory, WebException responseException, ChannelBinding channelBinding)
    at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
    at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
    at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
    at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object ins, Object outs, TimeSpan timeout)
    at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
    at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

    Exception rethrown at [0]:
    at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
    at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&amp; msgData, Int32 type)
    at ConsoleApplication1.ServiceReference1.IOD_V416.GetMethods(GetMethodsRequest request)
    at ConsoleApplication1.ServiceReference1.OD_V416Client.ConsoleApplication1.ServiceReference1.IOD_V416.GetMethods(GetMethodsRequest request) in D:WorkfolderProjects2MyProjectWCF_AppMyService - Copy (3)ConsoleApplication1Service ReferencesServiceReference1Reference.cs:line 72017
    at ConsoleApplication1.ServiceReference1.OD_V416Client.GetMethods(MultiSpeakMsgHeader&amp; MultiSpeakMsgHeader) in D:WorkfolderProjects2MyProjectWCF_AppMyService - Copy (3)ConsoleApplication1Service ReferencesServiceReference1Reference.cs:line 72023
    at ConsoleApplication1.Program.Main(String args) in D:WorkfolderProjects2MyProjectWCF_AppMyService - Copy (3)ConsoleApplication1Program.cs:line 43</ExceptionString>
    <InnerException>
    <ExceptionType>System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
    <Message>The remote server returned an error: (403) Forbidden.</Message>
    <StackTrace>
    at System.Net.HttpWebRequest.GetResponse()
    at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
    </StackTrace>
    <ExceptionString>System.Net.WebException: The remote server returned an error: (403) Forbidden.
    at System.Net.HttpWebRequest.GetResponse()
    at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)</ExceptionString>
    </InnerException>
    </Exception>
    </TraceRecord>
    </DataItem>
    </TraceData>
    </ApplicationData>
    </E2ETraceEvent>


    I did look to other similar issues but none has solve it yet, I'm continuously searching for the right solutions, I appreciate any help or advice the community provides.










    share|improve this question



























      0












      0








      0








      I get the error "{"The remote server returned an error: (403) Forbidden."} The HTTP request was forbidden with client authentication scheme 'Anonymous'." when using basicHttpBinding with Transport security and certificate credential. My service is in amazon ec2 instance and my client app remotely connect to it over the internet. I am able to connect to the wcf service if my Transport credential is set to "None" in both the web.config of the service and app.config of the client. My service certificate is like "www.example.com" is installed on amazon ec2 "local machine store" and "Personal Folder". My client app certificate is just a self-signed certificate which I installed to its "local machine and Personal Folder" and also to the "Trusted People store" in the amazon ec2 instance where my wcf service is. I have also setup "https" to my IIS site bindings and I can reach the site through like "https://www.example.com"



      Below is the web.config, app.config, and the code I have on the client app.



      Service Web.config:



      <?xml version="1.0"?>
      <configuration>

      <system.web>
      <compilation debug="true" targetFramework="4.0" />
      <customErrors mode="Off"/>
      </system.web>
      <system.serviceModel>

      <bindings>
      <basicHttpBinding>
      <binding name="basicHttpBinding_Config" >
      <security mode="Transport">
      <transport clientCredentialType="Certificate"/>
      </security>
      </binding>
      </basicHttpBinding>
      </bindings>

      <services>
      <service name="MyProject.MyService">
      <endpoint address="" binding="basicHttpBinding" bindingConfiguration="basicHttpBinding_Config"
      contract="MyService" />
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
      </service>
      </services>

      <behaviors>
      <serviceBehaviors>
      <behavior>
      <serviceMetadata httpGetEnabled="true"/>
      <serviceDebug includeExceptionDetailInFaults="true"/>
      <serviceCredentials>
      <clientCertificate>
      <authentication certificateValidationMode="PeerOrChainTrust" trustedStoreLocation="LocalMachine"/>
      </clientCertificate>
      <serviceCertificate findValue="www.example.com" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
      </serviceCredentials>
      </behavior>
      </serviceBehaviors>
      </behaviors>

      <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
      </system.serviceModel>
      <system.webServer>
      <modules runAllManagedModulesForAllRequests="true"/>
      </system.webServer>

      </configuration>


      Client app.config:



      <?xml version="1.0" encoding="utf-8" ?>
      <configuration>
      <system.serviceModel>

      <bindings>
      <basicHttpBinding>
      <binding name="basicHttpBinding_Config" >
      <security mode="Transport">
      <transport clientCredentialType="Certificate"/>
      </security>
      </binding>
      </basicHttpBinding>
      </bindings>
      <client>
      <endpoint address="https://www.example.com/sub/Service1.svc"
      binding="basicHttpBinding" bindingConfiguration="basicHttpBinding_Config"
      contract="ServiceReference1.MyService" name="BasicHttpBinding_MyService" />
      </client>

      <behaviors>
      <endpointBehaviors>
      <behavior>
      <clientCredentials>
      <clientCertificate findValue="clientKey"
      storeLocation="LocalMachine"
      storeName="My"
      x509FindType="FindBySubjectName" />
      </clientCredentials>

      </behavior>
      </endpointBehaviors>
      </behaviors>

      </system.serviceModel>
      </configuration>


      Client App Console Code:



      static void Main(string args)
      {
      System.Net.ServicePointManager.ServerCertificateValidationCallback += delegate { return true; };

      ServiceReference1.MyServiceClient client = new ServiceReference1.MyServiceClient();
      string a = client.GetMethods(ref mh);
      foreach (string s in a)
      {
      Console.WriteLine(s);
      }
      Console.ReadKey();

      }


      The Diagnostic Tracing returns below:



      <E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
      <System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system">
      <EventID>131077</EventID>
      <Type>3</Type>
      <SubType Name="Critical">0</SubType>
      <Level>1</Level>
      <TimeCreated SystemTime="2018-11-16T21:50:58.8220239Z" />
      <Source Name="System.ServiceModel" />
      <Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" />
      <Execution ProcessName="ConsoleApplication1" ProcessID="22220" ThreadID="1" />
      <Channel />
      <Computer>DESKTOP-RPNI11M</Computer>
      </System>
      <ApplicationData>
      <TraceData>
      <DataItem>
      <TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Critical">
      <TraceIdentifier>UnhandledException</TraceIdentifier>
      <Description>Unhandled exception</Description>
      <AppDomain>ConsoleApplication1.exe</AppDomain>
      <Exception>
      <ExceptionType>System.ServiceModel.Security.MessageSecurityException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
      <Message>The HTTP request was forbidden with client authentication scheme 'Anonymous'.</Message>
      <StackTrace>
      Server stack trace:
      at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory`1 factory)
      at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory`1 factory, WebException responseException, ChannelBinding channelBinding)
      at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
      at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
      at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
      at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object ins, Object outs, TimeSpan timeout)
      at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
      at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
      Exception rethrown at [0]:
      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
      at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&amp; msgData, Int32 type)
      at ConsoleApplication1.ServiceReference1.IOD_V416.GetMethods(GetMethodsRequest request)
      at ConsoleApplication1.ServiceReference1.OD_V416Client.ConsoleApplication1.ServiceReference1.IOD_V416.GetMethods(GetMethodsRequest request) in D:WorkfolderProjects2MyProjectWCF_AppMyService - Copy (3)ConsoleApplication1Service ReferencesServiceReference1Reference.cs:line 72017
      at ConsoleApplication1.ServiceReference1.OD_V416Client.GetMethods(MultiSpeakMsgHeader&amp; MultiSpeakMsgHeader) in D:WorkfolderProjects2MyProjectWCF_AppMyService - Copy (3)ConsoleApplication1Service ReferencesServiceReference1Reference.cs:line 72023
      at ConsoleApplication1.Program.Main(String args) in D:WorkfolderProjects2MyProjectWCF_AppMyService - Copy (3)ConsoleApplication1Program.cs:line 43
      </StackTrace>
      <ExceptionString>System.ServiceModel.Security.MessageSecurityException: The HTTP request was forbidden with client authentication scheme 'Anonymous'. ---&gt; System.Net.WebException: The remote server returned an error: (403) Forbidden.
      at System.Net.HttpWebRequest.GetResponse()
      at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
      --- End of inner exception stack trace ---

      Server stack trace:
      at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory`1 factory)
      at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory`1 factory, WebException responseException, ChannelBinding channelBinding)
      at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
      at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
      at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
      at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object ins, Object outs, TimeSpan timeout)
      at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
      at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

      Exception rethrown at [0]:
      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
      at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&amp; msgData, Int32 type)
      at ConsoleApplication1.ServiceReference1.IOD_V416.GetMethods(GetMethodsRequest request)
      at ConsoleApplication1.ServiceReference1.OD_V416Client.ConsoleApplication1.ServiceReference1.IOD_V416.GetMethods(GetMethodsRequest request) in D:WorkfolderProjects2MyProjectWCF_AppMyService - Copy (3)ConsoleApplication1Service ReferencesServiceReference1Reference.cs:line 72017
      at ConsoleApplication1.ServiceReference1.OD_V416Client.GetMethods(MultiSpeakMsgHeader&amp; MultiSpeakMsgHeader) in D:WorkfolderProjects2MyProjectWCF_AppMyService - Copy (3)ConsoleApplication1Service ReferencesServiceReference1Reference.cs:line 72023
      at ConsoleApplication1.Program.Main(String args) in D:WorkfolderProjects2MyProjectWCF_AppMyService - Copy (3)ConsoleApplication1Program.cs:line 43</ExceptionString>
      <InnerException>
      <ExceptionType>System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
      <Message>The remote server returned an error: (403) Forbidden.</Message>
      <StackTrace>
      at System.Net.HttpWebRequest.GetResponse()
      at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
      </StackTrace>
      <ExceptionString>System.Net.WebException: The remote server returned an error: (403) Forbidden.
      at System.Net.HttpWebRequest.GetResponse()
      at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)</ExceptionString>
      </InnerException>
      </Exception>
      </TraceRecord>
      </DataItem>
      </TraceData>
      </ApplicationData>
      </E2ETraceEvent>


      I did look at other similar issues but none has solved it yet; I'm continuously searching for the right solution. I appreciate any help or advice the community provides.










      wcf basichttpbinding






      edited Nov 16 '18 at 22:23 by user2717643

      asked Nov 13 '18 at 14:43 by user2717643

          2 Answers
          EDIT:

          Probably better to use a SHA-2 cert:

          makecert -len 2048 -r -a sha256 -sv private.pvk -n CN=yoursubjectname cert.cer
          pvk2pfx -spc cert.cer -pvk private.pvk -pfx out.pfx

          Install the private cert (.pfx) on the host and set it in the IIS app, and install the public cert (.cer) on the client; you will have to install it in both the Personal and Trusted People stores.

          EDIT: I think you also need to give your behavior a name in the host and client config and assign that behavior to your endpoints.

          Host:

          <behavior name="serviceBehavior">
          <service name="MyProject.MyService" behaviorConfiguration="serviceBehavior">

          Client:

          <behavior name="clientBehavior">
          <endpoint address="https://www.example.com/sub/Service1.svc"
          binding="basicHttpBinding" bindingConfiguration="basicHttpBinding_Config"
          contract="ServiceReference1.MyService" name="BasicHttpBinding_MyService" behaviorConfiguration="clientBehavior" />

          I think since you are using <security mode="Transport"> you will need to make your mex endpoint HTTPS:

          <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />

          Also, in your service behavior, change the serviceMetadata element from:

          <serviceMetadata httpGetEnabled="true"/>

          to:

          <serviceMetadata httpsGetEnabled="true"/>

          Also, make sure your transport in the client config matches the host config:

          <transport clientCredentialType="Certificate"/>






          • Thank you for your response Popo, I changed my mex to https and serviceMetadata to httpsGetEnabled, also the clientCredentialType to Certificate in the client config; however, the error remains.
            – user2717643 Nov 14 '18 at 2:20

          • @user2717643 I updated my answer, see if that solves your problem.
            – Popo Nov 14 '18 at 19:16

          • Thanks again Popo, I followed your suggestion and my service config now looks like below:
            – user2717643 Nov 15 '18 at 18:41

          • <services> <service name="MyProject.MyService" behaviorConfiguration="MyBehavior" > <endpoint address="" binding="basicHttpBinding" bindingConfiguration="basicHttpBinding_Config" contract="MyService" /> <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" /> </service> </services>
            – user2717643 Nov 15 '18 at 18:47

          • <client> <endpoint address="example.com/sub/Service1.svc" behaviorConfiguration="clientBehavior" binding="basicHttpBinding" bindingConfiguration="basicHttpBinding_Config" contract="ServiceReference1.MyService" name="BasicHttpBinding_MyService" /> </client>
            – user2717643 Nov 15 '18 at 18:47



















          I found the following solution that works for this error I encountered.



          First, I created a certificate as follows:



          makecert -n "CN=MyRootSigningKey" -r -sv MyRootSigningKey.pvk MyRootSigningKey.cer



          Second, I treat this as my root key and install it in my AWS service under the certificate store "Trusted Root Certification Authorities" using mmc.



          Third, I created a self-signed cert using the root key "MyRootSigningKey" as follows:



          makecert -sk MySignedKeyName -iv MyRootSigningKey.pvk -n "CN=MySignedKey" -ic MyRootSigningKey.cer -sr localmachine -ss my -sky exchange -pe



          Last, I reference the self-signed cert "MySignedKey" in my client app config like below:



          <client>        
          <endpoint address="https://www.example.com/sub/Service1.svc" behaviorConfiguration="clientBehavior"
          binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_MyService"
          contract="ServiceReference1.MyService" />

          </client>

          <behaviors>
          <endpointBehaviors>
          <behavior name="clientBehavior">
          <clientCredentials>
          <clientCertificate findValue="MySignedKey"
          storeLocation="LocalMachine"
          storeName="My"
          x509FindType="FindBySubjectName" />
          </clientCredentials>

          </behavior>
          </endpointBehaviors>
          </behaviors>





          share|improve this answer
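Added editorial example, not part of the question or of either answer above. The two answers differ in which server-side store the client certificate is expected to live in: the first installs the cert itself in Trusted People, the second installs a private root in Trusted Root Certification Authorities and issues the client cert from it. The question's `certificateValidationMode="PeerOrChainTrust"` is precisely the switch that decides which of those stores counts. The Go program below rebuilds that decision in memory so the two set-ups can be compared side by side: it creates a private root and a client cert issued by it (the second answer's `MyRootSigningKey`/`MySignedKey`), a stand-alone self-signed client cert (the question's `clientKey`), and a cert that was never installed anywhere, and evaluates each under PeerTrust, ChainTrust and PeerOrChainTrust. The Windows stores are modelled as a set of SHA-1 thumbprints (Trusted People) and an `x509.CertPool` (Trusted Root CAs); the subject names, serial numbers, the `someone-else` certificate and the use of P-256 keys are assumptions made for the demo. Go is used rather than C# because its standard library can generate and verify X.509 chains offline; the trust rules are the ones WCF applies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ValidationMode mirrors WCF's <authentication certificateValidationMode="..."/>.
type ValidationMode int
const (
	PeerTrust        ValidationMode = iota // the exact cert must be in Trusted People
	ChainTrust                             // the cert must chain to Trusted Root CAs
	PeerOrChainTrust                       // either check is enough
)

// must panics on error: a failed key generation or parse is fatal for this in-memory demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Thumbprint is the SHA-1 of the DER bytes, the value the Windows store shows.
func Thumbprint(c *x509.Certificate) string {
	return fmt.Sprintf("%X", sha1.Sum(c.Raw))
}

// issue creates a cert for cn: self-signed when parent is nil (makecert -r),
// otherwise signed by parent/parentKey (makecert -ic/-iv); ca makes a root.
func issue(cn string, serial int64, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if ca {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// ValidateClientCert is the service-side decision on the certificate IIS obtained in the TLS handshake.
func ValidateClientCert(cert *x509.Certificate, mode ValidationMode, trustedPeople map[string]bool, trustedRoots *x509.CertPool) (bool, string) {
	peerOK := trustedPeople[Thumbprint(cert)]
	_, chainErr := cert.Verify(x509.VerifyOptions{
		Roots:     trustedRoots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	switch {
	case mode != ChainTrust && peerOK:
		return true, "accepted: thumbprint " + Thumbprint(cert) + " is in Trusted People"
	case mode != PeerTrust && chainErr == nil:
		return true, "accepted: chains to a certificate in Trusted Root CAs"
	case mode == PeerTrust:
		return false, "rejected: thumbprint not in Trusted People"
	default:
		return false, "rejected: " + chainErr.Error()
	}
}

// RunScenario replays the thread's set-ups against the two stores the service consults.
func RunScenario() map[string]bool {
	root, rootKey := issue("MyRootSigningKey", 1, true, nil, nil) // second answer's private root
	issued, _ := issue("MySignedKey", 2, false, root, rootKey)     // client cert issued by it
	self, _ := issue("clientKey", 3, false, nil, nil)               // the question's self-signed cert
	unknown, _ := issue("someone-else", 4, false, nil, nil)         // never installed on the server
	trustedPeople := map[string]bool{Thumbprint(self): true}        // Trusted People store
	trustedRoots := x509.NewCertPool()                               // Trusted Root CAs store
	trustedRoots.AddCert(root)
	check := func(c *x509.Certificate, m ValidationMode) bool {
		ok, _ := ValidateClientCert(c, m, trustedPeople, trustedRoots)
		return ok
	}
	return map[string]bool{
		"self-signed/PeerOrChainTrust": check(self, PeerOrChainTrust),
		"self-signed/ChainTrust":       check(self, ChainTrust),
		"issued/ChainTrust":            check(issued, ChainTrust),
		"unknown/PeerOrChainTrust":     check(unknown, PeerOrChainTrust),
	}
}

func main() { fmt.Println(RunScenario()) }
```

Running it shows that the question's own set-up, a self-signed client cert whose thumbprint is in Trusted People, is accepted under PeerOrChainTrust, while the same cert fails under ChainTrust because nothing in Trusted Root CAs issued it; the second answer's cert passes ChainTrust, and a cert installed nowhere is rejected in every mode. Two caveats sit outside this check. It only runs once IIS has actually obtained a client certificate during the TLS handshake, so the site's SSL Settings in IIS must be set to Accept or Require client certificates; with Ignore no certificate is requested and the service sees an anonymous request (the 'Anonymous' in the exception is the HTTP-level scheme a WCF client reports when its credential is a TLS client certificate, so the message alone does not tell you whether a certificate was sent). And the `ServerCertificateValidationCallback` that returns `true` in the question's client disables server certificate checking altogether, so the client would accept any certificate an on-path attacker presents; it should not survive past local testing.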























            Your Answer






            StackExchange.ifUsing("editor", function () {
            StackExchange.using("externalEditor", function () {
            StackExchange.using("snippets", function () {
            StackExchange.snippets.init();
            });
            });
            }, "code-snippets");

            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "1"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53283498%2ferror-403-forbidden-wcf-basichttpbinding-with-transport-and-certificate-c%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            0














            EDIT:



            Probably better to use a sha2 cert:



            makecert -len 2048 -r -a sha256 -sv private.pvk -n CN=yoursubjectname cert.cer
            pvk2pfx -spc cert.cer -pvk private.pvk -pfx out.pfx


            Install the private cert(.pfx) on the host, set in IIS app, and install the public cert on the client(.cer), you will have to install in both personal and trusted people stores.



            EDIT: I think you also need to give your behavior a name in the host and client config and assign that behavior to your endpoints.



            Host:



            <behavior name="serviceBahavior"> 
            <service name="MyProject.MyService" behaviorConfiguration="serviceBahavior">


            Client:



            <behavior name="clientBahavior">
            <endpoint address="https://www.example.com/sub/Service1.svc"
            binding="basicHttpBinding" bindingConfiguration="basicHttpBinding_Config"
            contract="ServiceReference1.MyService" name="BasicHttpBinding_MyService" behaviorConfiguration="clientBahavior" />


            I think since you are using <security mode="Transport"> you will need to make your mex as HTTPS:



             <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />


            Also set in your behavior the serviceMetadata



            from:
            <serviceMetadata httpGetEnabled="true"/>



            to <serviceMetadata httpsGetEnabled="true"/>



            Also, make sure your transport in the client config matches the host config:



            <transport clientCredentialType="Certificate"/>






            share|improve this answer


























            • Thank you for your response Popo, I changed my mex to https and serviceMetadata to httpsGetEnabled, also the clientCredentialsType to Certificate in the client config, however, the error remains.

              – user2717643
              Nov 14 '18 at 2:20











            • @user2717643 I updated my answer, see if that solves your problem.

              – Popo
              Nov 14 '18 at 19:16











            • Thanks again Popo, I followed your suggestion and my service config now looks below:

              – user2717643
              Nov 15 '18 at 18:41











            • <services> <service name="MyProject.MyService" behaviorConfiguration="MyBehavior" > <endpoint address="" binding="basicHttpBinding" bindingConfiguration="basicHttpBinding_Config" contract="MyService" /> <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" /> </service> </services>

              – user2717643
              Nov 15 '18 at 18:47











            • <client> <endpoint address="example.com/sub/Service1.svc" behaviorConfiguration="clientBehavior" binding="basicHttpBinding" bindingConfiguration="basicHttpBinding_Config" contract="ServiceReference1.MyService" name="BasicHttpBinding_MyService" /> </client>

              – user2717643
              Nov 15 '18 at 18:47
















            0














            EDIT:



            Probably better to use a sha2 cert:



            makecert -len 2048 -r -a sha256 -sv private.pvk -n CN=yoursubjectname cert.cer
            pvk2pfx -spc cert.cer -pvk private.pvk -pfx out.pfx


            Install the private cert(.pfx) on the host, set in IIS app, and install the public cert on the client(.cer), you will have to install in both personal and trusted people stores.



            EDIT: I think you also need to give your behavior a name in the host and client config and assign that behavior to your endpoints.



            Host:



            <behavior name="serviceBahavior"> 
            <service name="MyProject.MyService" behaviorConfiguration="serviceBahavior">


            Client:



            <behavior name="clientBahavior">
            <endpoint address="https://www.example.com/sub/Service1.svc"
            binding="basicHttpBinding" bindingConfiguration="basicHttpBinding_Config"
            contract="ServiceReference1.MyService" name="BasicHttpBinding_MyService" behaviorConfiguration="clientBahavior" />


            I think since you are using <security mode="Transport"> you will need to make your mex as HTTPS:



             <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />


            Also set in your behavior the serviceMetadata



            from:
            <serviceMetadata httpGetEnabled="true"/>



            to <serviceMetadata httpsGetEnabled="true"/>



            Also, make sure your transport in the client config matches the host config:



            <transport clientCredentialType="Certificate"/>






            share|improve this answer


























            • Thank you for your response Popo, I changed my mex to https and serviceMetadata to httpsGetEnabled, also the clientCredentialsType to Certificate in the client config, however, the error remains.

              – user2717643
              Nov 14 '18 at 2:20











            • @user2717643 I updated my answer, see if that solves your problem.

              – Popo
              Nov 14 '18 at 19:16











            • Thanks again Popo, I followed your suggestion and my service config now looks below:

              – user2717643
              Nov 15 '18 at 18:41











            • <services> <service name="MyProject.MyService" behaviorConfiguration="MyBehavior" > <endpoint address="" binding="basicHttpBinding" bindingConfiguration="basicHttpBinding_Config" contract="MyService" /> <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" /> </service> </services>

              – user2717643
              Nov 15 '18 at 18:47











            • <client> <endpoint address="example.com/sub/Service1.svc" behaviorConfiguration="clientBehavior" binding="basicHttpBinding" bindingConfiguration="basicHttpBinding_Config" contract="ServiceReference1.MyService" name="BasicHttpBinding_MyService" /> </client>

              – user2717643
              Nov 15 '18 at 18:47














            0












            0








            0







            EDIT:



            Probably better to use a sha2 cert:



            makecert -len 2048 -r -a sha256 -sv private.pvk -n CN=yoursubjectname cert.cer
            pvk2pfx -spc cert.cer -pvk private.pvk -pfx out.pfx


            Install the private cert(.pfx) on the host, set in IIS app, and install the public cert on the client(.cer), you will have to install in both personal and trusted people stores.



            EDIT: I think you also need to give your behavior a name in the host and client config and assign that behavior to your endpoints.



            Host:



            <behavior name="serviceBahavior"> 
            <service name="MyProject.MyService" behaviorConfiguration="serviceBahavior">


            Client:



            <behavior name="clientBahavior">
            <endpoint address="https://www.example.com/sub/Service1.svc"
            binding="basicHttpBinding" bindingConfiguration="basicHttpBinding_Config"
            contract="ServiceReference1.MyService" name="BasicHttpBinding_MyService" behaviorConfiguration="clientBahavior" />


            I think since you are using <security mode="Transport"> you will need to make your mex as HTTPS:



             <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />


            Also set in your behavior the serviceMetadata



            from:
            <serviceMetadata httpGetEnabled="true"/>



            to <serviceMetadata httpsGetEnabled="true"/>



            Also, make sure your transport in the client config matches the host config:



            <transport clientCredentialType="Certificate"/>






            share|improve this answer















            EDIT:



            Probably better to use a sha2 cert:



            makecert -len 2048 -r -a sha256 -sv private.pvk -n CN=yoursubjectname cert.cer
            pvk2pfx -spc cert.cer -pvk private.pvk -pfx out.pfx


            Install the private cert(.pfx) on the host, set in IIS app, and install the public cert on the client(.cer), you will have to install in both personal and trusted people stores.



            EDIT: I think you also need to give your behavior a name in the host and client config and assign that behavior to your endpoints.



            Host:



            <behavior name="serviceBahavior"> 
            <service name="MyProject.MyService" behaviorConfiguration="serviceBahavior">


            Client:



            <behavior name="clientBahavior">
            <endpoint address="https://www.example.com/sub/Service1.svc"
            binding="basicHttpBinding" bindingConfiguration="basicHttpBinding_Config"
            contract="ServiceReference1.MyService" name="BasicHttpBinding_MyService" behaviorConfiguration="clientBahavior" />


            I think since you are using <security mode="Transport"> you will need to make your mex as HTTPS:



             <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />


            Also set in your behavior the serviceMetadata



            from:
            <serviceMetadata httpGetEnabled="true"/>



            to <serviceMetadata httpsGetEnabled="true"/>



            Also, make sure your transport in the client config matches the host config:



            <transport clientCredentialType="Certificate"/>







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Nov 17 '18 at 17:30

























            answered Nov 13 '18 at 22:37









            PopoPopo

            2,04242246




            2,04242246













            • Thank you for your response Popo, I changed my mex to https and serviceMetadata to httpsGetEnabled, also the clientCredentialsType to Certificate in the client config, however, the error remains.

              – user2717643
              Nov 14 '18 at 2:20











            • @user2717643 I updated my answer, see if that solves your problem.

              – Popo
              Nov 14 '18 at 19:16











            • Thanks again Popo, I followed your suggestion and my service config now looks below:

              – user2717643
              Nov 15 '18 at 18:41











            • <services> <service name="MyProject.MyService" behaviorConfiguration="MyBehavior" > <endpoint address="" binding="basicHttpBinding" bindingConfiguration="basicHttpBinding_Config" contract="MyService" /> <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" /> </service> </services>

              – user2717643
              Nov 15 '18 at 18:47











            • <client> <endpoint address="example.com/sub/Service1.svc" behaviorConfiguration="clientBehavior" binding="basicHttpBinding" bindingConfiguration="basicHttpBinding_Config" contract="ServiceReference1.MyService" name="BasicHttpBinding_MyService" /> </client>

              – user2717643
              Nov 15 '18 at 18:47



















I found the following solution that works for this error I encountered.

First, I created a certificate as follows:

    makecert -n "CN=MyRootSigningKey" -r -sv MyRootSigningKey.pvk MyRootSigningKey.cer

Second, I treated this as my root key and installed it in my AWS service under the certificate store "Trusted Root Certification Authorities" using mmc.

Third, I created a self-signed cert using the root key "MyRootSigningKey" as follows:

    makecert -sk MySignedKeyName -iv MyRootSigningKey.pvk -n "CN=MySignedKey" -ic MyRootSigningKey.cer -sr localmachine -ss my -sky exchange -pe

Last, I referenced the self-signed cert "MySignedKey" in my client app config like below:

    <client>
      <endpoint address="https://www.example.com/sub/Service1.svc" behaviorConfiguration="clientBehavior"
                binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_MyService"
                contract="ServiceReference1.MyService" />
    </client>

    <behaviors>
      <endpointBehaviors>
        <behavior name="clientBehavior">
          <clientCredentials>
            <clientCertificate findValue="MySignedKey"
                               storeLocation="LocalMachine"
                               storeName="My"
                               x509FindType="FindBySubjectName" />
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>

answered Nov 22 '18 at 15:47
user2717643

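As an added check (not part of the answer above), this PowerShell snippet inspects the client certificate that the `<clientCertificate findValue="MySignedKey" ...>` element points at and reports the three conditions a "403 Forbidden ... client authentication scheme 'Anonymous'" usually comes down to: no private key, an EKU that excludes Client Authentication, and a chain that does not end in a root the validating machine trusts. The subject name and store path are taken from the answer's config; the EKU OID 1.3.6.1.5.5.7.3.2 is the standard Client Authentication OID. Run it on the server as well (after exporting the public cert there) since PeerOrChainTrust is evaluated against the server's own root and TrustedPeople stores, and note that any certificate issued by a root placed in the server's Trusted Root store will pass ChainTrust, so keep that private root's .pvk tightly controlled.

```powershell
# Added diagnostic for WCF certificateValidationMode="PeerOrChainTrust".
# Assumes the client cert is in LocalMachine\My with CN=MySignedKey, as in
# the answer's config; both values can be overridden via parameters.
param(
    [string]$SubjectName = 'MySignedKey',
    [string]$StorePath   = 'Cert:\LocalMachine\My'
)

# Same lookup WCF performs for x509FindType="FindBySubjectName"; take the
# newest match in case several certs share the CN.
$pattern = 'CN=' + [regex]::Escape($SubjectName) + '(,|$)'
$cert = Get-ChildItem $StorePath |
    Where-Object { $_.Subject -match $pattern } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$SubjectName in $StorePath" }

# Without a private key the client cannot sign the TLS handshake, so the
# connection silently falls back to no client cert -> 'Anonymous' -> 403.
if (-not $cert.HasPrivateKey) {
    Write-Warning 'Certificate has no private key; TLS client auth will not be offered.'
}

# If an EKU extension (2.5.29.37) is present it must include Client
# Authentication; a cert with no EKU extension at all is valid for any use.
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($ekuExt -and -not ($ekuExt.EnhancedKeyUsages |
        Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })) {
    Write-Warning 'EKU extension present but lacks Client Authentication (1.3.6.1.5.5.7.3.2).'
}

# ChainTrust half of PeerOrChainTrust: build the chain against this
# machine's trusted roots. Revocation is skipped so the check works offline.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($cert)) {
    'Chain OK: ' + (($chain.ChainElements |
        ForEach-Object { $_.Certificate.Subject }) -join ' -> ')
} else {
    'Chain FAILED: ' + (($chain.ChainStatus |
        ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    'PeerTrust fallback: the server must hold this exact cert in LocalMachine\TrustedPeople.'
}
# Thumbprint identifies the exact cert for a PeerTrust import or for log correlation.
'Thumbprint: ' + $cert.Thumbprint
```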