Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsFree MagazinesWhite PapersSubmit Content
Discussion GroupsASP.NETWindows FormsLanguages.NET FrameworkVisual Studio.NET
Articles.NET FrameworkASP.NETToolsWindows Forms
.NET DirectoryOpen Source ProjectsUser GroupsWeb Resources
Related Topics
Visual Basic 6SQL ServerMS AccessOther DB ProductsMS Server ProductsMore Topics ...
.NET Forum / .NET Framework / Security / February 2008

Tip: Looking for answers? Try searching our database.

WCF Claim question : different claimset on IIS then when selfhosted

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
Kristof - 26 Jan 2008 07:31 GMT
Hey,

I have a strange situation.
I have created a WCF service that takes a client certificate (coming
from a smartcard).
When I check the AuthorizationContext and look for the claimset
corresponding to that certificate I can find it.
Then I look to the issuer of that claimset, looking if it was issued
by the right authority:
When I run this service in a console (selfhosted) I get a
System.IdentityModel.Claims.X509CertificateClaimSet as the issuer of
the client certificate. when I run the same service in IIS (same code,
app.config=>web.config) I get a
System.IdentityModel.Claims.X509CertificateClaimSet.X500DistinguishedNameClaimSet
as issuer containing much less information!!

How can this be? The behavior is different but it's the same service ...
Is it a rights issue?

Thanks in advance
Kristof
Reply to this Message
Dominick Baier - 28 Jan 2008 05:45 GMT
whats you binding and binding configuration?

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

> Hey,
>
[quoted text clipped - 17 lines]
> Thanks in advance
> Kristo
Reply to this Message
Kristof - 04 Feb 2008 07:50 GMT
Hey,

I took me many hours more  to finally realize that the problem was
that the certificates belonging to the client certificate trust chain
were not readable from the “NETWORK SERVICE” account. I copied them
over to the Local computer store and all worked great.
(Well I had some other issues, but they are also solved now  )

The conclusion is that when WCF can’t read the certificates in the
chain, I has much less information to fill up the issuer claimset and
so it becomes an other claimset type! It’s logical once you have found
it …

Thanks
Kristof Clevers
Reply to this Message

Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.