Securing a WCF service with a username / password

When you read the MS documentation, this looks like a trivial thing to do, but of course there are always a few things that just don't work as you'd like them to. I got it working thanks to some excellent articles:

http://msdn.microsoft.com/en-us/library/aa354513.aspx describes the major steps to create a user/password validation function, and to inform your web service of the existence of this function (web.config settings of course). Don’t forget to create the certificate that’s mentioned in the setup instructions.
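As an added example (not the post's own code, and not Microsoft's sample from the article above), here is a custom UserNamePasswordValidator of the kind that article describes. The in-memory credential store, the PBKDF2 parameters and the class, namespace and assembly names are assumptions for illustration; the point it shows beyond the MSDN sample is that the validator should compare against a salted hash rather than a plaintext password, and should behave the same for unknown users and wrong passwords.

```csharp
// Added example, not code from the post or from Microsoft's sample.
// Assumed: the user store, its hash format and all names used here.
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;   // UserNamePasswordValidator
using System.IdentityModel.Tokens;      // SecurityTokenException
using System.Security.Cryptography;

namespace Example.Wcf
{
    // WCF instantiates this type (see customUserNamePasswordValidatorType in
    // web.config) and calls Validate for every message that carries a
    // UserName token. Returning normally means "accepted"; throwing rejects.
    public class HashedPasswordValidator : UserNamePasswordValidator
    {
        private const int Pbkdf2Iterations = 10000;  // assumed work factor
        private const int SaltBytes = 16;
        private const int HashBytes = 32;

        // Constructed sample store holding salted PBKDF2 hashes, never the
        // plaintext password. A real service would load this from a database.
        private static readonly Dictionary<string, Credential> Users =
            new Dictionary<string, Credential>(StringComparer.Ordinal)
            {
                { "alice", Credential.Create("correct horse battery staple") }
            };

        // Hashed against when the user name is unknown, so a lookup miss
        // costs the same time as a wrong password and does not reveal
        // which accounts exist.
        private static readonly Credential Decoy = Credential.Create("decoy");

        public override void Validate(string userName, string password)
        {
            if (userName == null || password == null)
                throw new ArgumentNullException(userName == null ? "userName" : "password");

            Credential stored;
            bool known = Users.TryGetValue(userName, out stored);
            Credential target = known ? stored : Decoy;
            byte[] computed = Credential.Hash(target.Salt, password);
            bool match = FixedTimeEquals(computed, target.Hash);

            if (!known || !match)
            {
                // One generic message for both failure cases.
                throw new SecurityTokenException("Unknown user name or incorrect password");
            }
        }

        // Constant-time comparison; .NET Framework has no built-in one.
        private static bool FixedTimeEquals(byte[] a, byte[] b)
        {
            if (a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }

        private sealed class Credential
        {
            public readonly byte[] Salt;
            public readonly byte[] Hash;

            private Credential(byte[] salt, byte[] hash) { Salt = salt; Hash = hash; }

            public static Credential Create(string password)
            {
                byte[] salt = new byte[SaltBytes];
                using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
                return new Credential(salt, Hash(salt, password));
            }

            public static byte[] Hash(byte[] salt, string password)
            {
                using (var kdf = new Rfc2898DeriveBytes(password, salt, Pbkdf2Iterations))
                    return kdf.GetBytes(HashBytes);
            }
        }
    }

    // Stand-alone check of the validator outside WCF.
    public static class Program
    {
        public static void Main()
        {
            var v = new HashedPasswordValidator();
            v.Validate("alice", "correct horse battery staple");   // accepted
            foreach (var bad in new[] { new[] { "alice", "wrong" }, new[] { "mallory", "x" } })
            {
                try { v.Validate(bad[0], bad[1]); Console.WriteLine("BUG: accepted"); }
                catch (SecurityTokenException e) { Console.WriteLine("rejected: " + e.Message); }
            }
        }
    }
}
```

To wire it in, the service behavior in web.config points at the type under serviceCredentials, e.g. userNameAuthentication with userNamePasswordValidationMode="Custom" and customUserNamePasswordValidatorType="Example.Wcf.HashedPasswordValidator, YourServiceAssembly" (the assembly name is an assumption), next to the serviceCertificate element. With message security and UserName client credentials the client encrypts the token to that service certificate, which is why the private-key permission problem described below stops the service from starting at all rather than merely failing one request.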

Then I installed the service on a web server and tried to start it. Even after installing the certificate I got this error: "CryptographicException: Keyset does not exist". Searching a bit further led to this article:

http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/24e3d00d-02b8-4541-8e5d-eb28b7e817a9 in which they say that you have to grant private key permissions to your Network Service account. Unfortunately they don't describe how to do that. This article, however, describes it pretty well and accurately:

http://stackoverflow.com/questions/425688/how-to-set-read-permission-on-the-private-key-file-of-x-509-certificate-from-ne using this line:

winhttpcertcfg -g -c LOCAL_MACHINE\My -s test -a NetworkService

Now I only had to find the winhttpcertcfg tool to finish my quest. It is here:

http://www.microsoft.com/downloads/details.aspx?familyid=c42e27ac-3409-40e9-8667-c748e422833f&displaylang=en

The full script to install the certificate on the server, and grant the necessary access to it:

set SERVER_NAME=localhost
echo %SERVER_NAME%
echo ******************
echo making server cert
echo ******************
REM Create the server certificate in the LocalMachine\My store with an exportable private key
makecert.exe -sr LocalMachine -ss MY -a sha1 -n CN=%SERVER_NAME% -sky exchange -pe
REM Copy it into the current user's TrustedPeople store so the client trusts it
certmgr.exe -add -r LocalMachine -s My -c -n %SERVER_NAME% -r CurrentUser -s TrustedPeople
REM Grant the Network Service account read access to the private key
winhttpcertcfg -g -c LOCAL_MACHINE\My -s %SERVER_NAME% -a NetworkService

About Gaston

MCT, MCSD, MCDBA, MCSE, MS Specialist