This is just something to remind myself next time I need to implement a WCF service using the BasicHttpBinding with transport-only security (SSL + client certificates)':

  • WCF expects that the "Require SSL" option in IIS is enabled.
  • If Metadata Exchange is needed, configure the MEX endpoint with a custom binding with the right settings; otherwise the service won't start.
  • Remember to set httpsGetEnabled="true" option in the service behavior instead of the usual httpGetEnabled attribute.
  • WCF does not understand the "Accept Client Certificates" option in IIS. It treats it the same as "Ignore Client Certificates" option.

To use client certificates:

    • Enable the "Require Client Certificates" option in IIS
    • On the service side, use a custom binding to set the requireClientCertificate option of the httpsTransport binding element:

      <bindings>

         <customBinding>

            <binding name="sslBasicHttp">

               <textMessageEncoding messageVersion="Soap11" />

               <httpsTransport requireClientCertificate="true"/>

            binding>

         customBinding>

      bindings>

    • On the client side, use basicHttpBinding with the security mode set to "Transport" and the option clientCredentialType set to "Certificate" on the
      element.


Tomas Restrepo

Software developer located in Colombia. Sr. PFE at Microsoft.