IIS responds with 403 using certificate based authentication

From time to time I have to deal with certificate-based authentication when developing WCF services, and from time to time I fall into the same pit.

Today I was configuring a WCF service to use certificates for authentication (via AD certificate mapping). After configuring IIS and WCF I tried to access the SVC help page/metadata, but was getting 403.7 Forbidden: Client certificate required from IIS. The IIS logs contained something like this:

<date time> W3SVC1 <IP> GET /site/service.svc - 443 - <IP> <Browser> 403 7 64

Bing came up with the support KB article on this issue, but all possible causes were dealt with: the CA was trusted, and the certs were not revoked or expired. And then it hit me: “not expired”, yes, of course. How does IIS check the revocation of the certificate? Simply by looking at the certificate’s CRL distribution points information (if it is present there), and the CRL must be accessible and reachable from the IIS server that hosts the service. To check if everything is OK, just copy the CRL’s URL from the certificate and try to open it in a browser on the IIS server hosting the service.

In my situation that was the problem, which was fixed easily by entering appropriate DNS records.

Of course, it is possible to switch off the certificate revocation checking on IIS, but that’s completely NOT recommended.
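The browser check described above can be scripted. The following PowerShell is an added example, not code from the original post: it reads the CRL distribution points from an exported copy of the client certificate, tries to download each HTTP(S) CRL, and then builds the chain with online revocation checking. The `$CertPath` parameter and the 15-second timeouts are assumptions.

```powershell
# Added example: verify from the IIS server that a client certificate's CRLs are reachable.
# $CertPath is an assumed path to an exported copy of the client certificate (.cer).
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (Resolve-Path $CertPath).Path

# 1. Fetch every HTTP(S) CRL distribution point (extension OID 2.5.29.31) directly.
#    A direct download is not satisfied by a CRL that Windows has already cached.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    Write-Warning 'Certificate has no CRL distribution points extension.'
} else {
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(https?://[^\s)]+)') |
        ForEach-Object { $_.Groups[1].Value } | Select-Object -Unique
    foreach ($url in $urls) {
        try {
            $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
            Write-Host "OK    $url (HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes)"
        } catch {
            # DNS failures, timeouts and HTTP errors all end up here.
            Write-Host "FAIL  $url : $($_.Exception.Message)"
        }
    }
}

# 2. Build the chain with online revocation checking enabled.
$x509 = 'System.Security.Cryptography.X509Certificates'
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = [Enum]::Parse([Type]"$x509.X509RevocationMode", 'Online')
$chain.ChainPolicy.RevocationFlag = [Enum]::Parse([Type]"$x509.X509RevocationFlag", 'ExcludeRoot')
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$valid = $chain.Build($cert)

# RevocationStatusUnknown or OfflineRevocation means a CRL could not be retrieved.
foreach ($status in $chain.ChainStatus) {
    Write-Host "$($status.Status): $($status.StatusInformation.Trim())"
}
if ($valid) { Write-Host 'Chain is valid and revocation status was determined.' }
```

Run it on the IIS server itself, because the result only matters from that machine's view of DNS and the network.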

Partner Conference: Windows Server AppFabric

I hope everyone had a great time yesterday during the Microsoft Partner Conference and enjoyed all the sessions you attended and all the opportunities to talk to each other.

I was giving a presentation on Windows Server AppFabric (not the cloudy one) to the developers. 45 minutes is too short a period of time to cover all the features and usage patterns well enough, so I tried to bring out the main ideas so that you can look into them later.

As a follow-up, I’ve decided to put up a list of reference materials available on the web so you can read them at your own pace in the comfort of whatever environment you like.

Windows Server AppFabric:

Other things I’ve mentioned during the presentation:

Yesterday I heard some comments that AppFabric is a complex beast, and I must agree that it’s true in some way, but looking at it from another angle, it takes a lot of concerns regarding persistence, correlation, monitoring (incl. via SCOM), diagnostics, scalability, caching, management and tracking off developers’ heads and makes it almost an “out-of-the-box experience”. And from personal experience I know that developers like to talk about implementing business features, but hate even to think about “diagnostics” or “management”.

So, to sum up: consider Windows Server AppFabric as an “application server” that certainly requires attention and effort in understanding, setting up and configuration, but in return it can give a lot of “infrastructure” services like scale-out, persistence, management, monitoring, diagnostics, etc. for your services.