This is just something to remind myself next time I need to implement a WCF service using the BasicHttpBinding with transport-only security (SSL + client certificates):
- WCF expects that the "Require SSL" option in IIS is enabled.
- If Metadata Exchange is needed, configure the MEX endpoint with a custom binding with the right settings; otherwise the service won't start.
- Remember to set the httpsGetEnabled="true" option in the <serviceMetadata> service behavior instead of the usual httpGetEnabled attribute.
- WCF does not understand the "Accept Client Certificates" option in IIS. It treats it the same as the "Ignore Client Certificates" option.
To use client certificates:
- Enable the "Require Client Certificates" option in IIS.
- On the service side, use a custom binding to set the requireClientCertificate option of the httpsTransport binding element:
<textMessageEncoding messageVersion="Soap11" />
<httpsTransport requireClientCertificate="true" />
- On the client side, use basicHttpBinding with the security mode set to "Transport" and the option clientCredentialType set to "Certificate" on the <transport/> element.
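The notes above combined into one service configuration and one client configuration, as an added example that is not part of the original note. The service, contract, binding and behavior names and the endpoint address are placeholders, and giving the MEX binding the same requireClientCertificate setting as the service binding is an assumption about what "the right settings" means here.

```xml
<!-- Added example: Example.Service, Example.IService, all binding/behavior names
     and the address are placeholders (assumptions), not from the original note. -->
<!-- Service side: web.config -->
<system.serviceModel>
  <bindings>
    <customBinding>
      <!-- SOAP 1.1 over HTTPS, matching what basicHttpBinding clients send -->
      <binding name="basicHttpsClientCert">
        <textMessageEncoding messageVersion="Soap11" />
        <httpsTransport requireClientCertificate="true" />
      </binding>
      <!-- MEX: default text encoding (SOAP 1.2 + WS-Addressing 1.0); assumed settings -->
      <binding name="mexHttpsClientCert">
        <textMessageEncoding />
        <httpsTransport requireClientCertificate="true" />
      </binding>
    </customBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="httpsMetadata">
        <!-- httpsGetEnabled, not httpGetEnabled: the site only answers over SSL -->
        <serviceMetadata httpsGetEnabled="true" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service name="Example.Service" behaviorConfiguration="httpsMetadata">
      <endpoint address="" binding="customBinding" bindingConfiguration="basicHttpsClientCert" contract="Example.IService" />
      <endpoint address="mex" binding="customBinding" bindingConfiguration="mexHttpsClientCert" contract="IMetadataExchange" />
    </service>
  </services>
</system.serviceModel>
<!-- Client side: app.config -->
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="transportClientCert">
        <security mode="Transport">
          <transport clientCredentialType="Certificate" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <client>
    <endpoint address="https://service.example.com/Service.svc" binding="basicHttpBinding" bindingConfiguration="transportClientCert" contract="Example.IService" />
  </client>
</system.serviceModel>
```

The client still has to select which certificate to present, either with a <clientCredentials> endpoint behavior or in code through ClientCredentials.ClientCertificate.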