When you read the MS documentation, this looks like a trivial thing to do, but of course there are always some things that just don’t work as you’d like them to work. I got it working thanks to some excellent articles:
http://msdn.microsoft.com/en-us/library/aa354513.aspx describes the major steps to create a user/password validation function, and to inform your web service of the existence of this function (web.config settings of course). Don’t forget to create the certificate that’s mentioned in the setup instructions.
Then I installed the service on a web server and tried to start it. Even after installing the certificate I got this error: "CryptographicException: Keyset does not exist". Searching a bit further led to this article:
http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/24e3d00d-02b8-4541-8e5d-eb28b7e817a9 in which they say that you have to grant private key permissions to your network service account. The certificate itself is present in the store; the problem is that the account the service runs under (NetworkService for the IIS application pool) is not allowed to read the private key file that belongs to it. Unfortunately they don’t describe how to do that. This article however describes it pretty well and accurately:
http://stackoverflow.com/questions/425688/how-to-set-read-permission-on-the-private-key-file-of-x-509-certificate-from-ne , using this line:
winhttpcertcfg -g -c LOCAL_MACHINE\My -s test -a NetworkService
Now I only had to find the winhttpcertcfg tool to finish my quest. It is here:
The full script to install the certificate on the server, and grant the necessary access to it:
REM The server name must match the CN the service and its clients expect
set SERVER_NAME=localhost
echo %SERVER_NAME%
echo ******************
echo making server cert
echo ******************
REM Self-signed exchange certificate in LocalMachine\My with an exportable private key (-pe).
REM -a sha1 is what the MSDN sample uses; SHA-1 signatures are deprecated, later makecert versions accept -a sha256.
makecert.exe -sr LocalMachine -ss MY -a sha1 -n CN=%SERVER_NAME% -sky exchange -pe
REM Copy the public certificate into the current user's TrustedPeople store so a client running on this box trusts it
certmgr.exe -add -r LocalMachine -s My -c -n %SERVER_NAME% -r CurrentUser -s TrustedPeople
REM Grant the application pool identity (NetworkService) access to the private key; without this the service throws "Keyset does not exist"
winhttpcertcfg -g -c LOCAL_MACHINE\My -s %SERVER_NAME% -a NetworkService
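If you do not have winhttpcertcfg at hand, the same thing can be done by putting an ACL on the key container file directly, which is what the Stack Overflow answer above describes. The script below is an added example and not part of the original post or of the MSDN sample; it assumes the certificate was created by the batch script above (CN=$ServerName in LocalMachine\My), that it runs from an elevated PowerShell on Vista/2008 or later (it relies on $env:ProgramData), and that the service runs as NT AUTHORITY\NETWORK SERVICE. It grants Read only, which is all the CSP needs to use the key, and then reads the ACL back so you can confirm the grant.

```powershell
# Added example: grant NETWORK SERVICE read access to a certificate's private key
# without winhttpcertcfg. Assumes an elevated shell and that $ServerName matches
# the CN used by makecert above.
param(
    [string]$ServerName = 'localhost',
    [string]$Account    = 'NT AUTHORITY\NETWORK SERVICE'
)

# Pick the newest certificate for the CN that actually has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$ServerName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate with a private key for CN=$ServerName in LocalMachine\My"
}

# Locate the key container file. makecert creates a CAPI (CSP) key, stored under
# RSA\MachineKeys. Certificates created with CNG (e.g. New-SelfSignedCertificate)
# expose no CSP key; their machine keys live under Crypto\Keys instead.
$csp = try { $cert.PrivateKey } catch { $null }
if ($csp) {
    $name    = $csp.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$name"
} else {
    $rsa     = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $name    = $rsa.Key.UniqueName
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$name"
}
if (-not (Test-Path $keyFile)) {
    throw "Key container file not found: $keyFile"
}

# Least privilege: Read is enough for the service to sign and decrypt with the key.
# Do not grant FullControl, which would let the service account delete or replace it.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Check: the service account should now appear with Read and nothing more.
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference -like '*NETWORK SERVICE*' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run it as `.\grant-key-access.ps1 -ServerName localhost` (the file name is your choice). If the service runs under a different application pool identity, pass that account in `-Account`; the thumbprint of the certificate the ACL was applied to is `$cert.Thumbprint`, which is the value to put in the service's web.config.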