Unable to authenticate WCF service with certificate when hosted to Azure App Service

Question

We have migrated WCF services from windows server to App service. Authentication to WCF services is happening using certificates.

In App services authentication using client certificate is causing an issue. Azure adds additional component due to which the validation does not happen properly.

What could be the possible reason and approach to address this. Or are there any other authentication mechanism that can be used. For now we cannot use AD authentication due to some constraints.

Answer 1

You can try to verify the identity based on the encodevalue of the certificate.

Use Notepad++ to view encodevalue enter image description here

Server configuration

    <system.serviceModel>
    <bindings>
        <wsHttpBinding>
            <binding name="WSHttpBinding_IService1">
                <security mode="Message">
                    <transport clientCredentialType="Windows" proxyCredentialType="None"
                        realm="" />
                    <message clientCredentialType="Certificate" negotiateServiceCredential="true"
                        algorithmSuite="Default" />
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>
    <client>
        <endpoint address="http://127.0.0.1:8732/WcfAuthentications/Service1/"
            binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IService1"
            contract="ServiceReference1.IService1" name="WSHttpBinding_IService1" behaviorConfiguration="Service1Nehavior">
            <identity>
                <certificate encodedValue="MIIC8zCCAd+gAwIBAgIQiBrkayNb7L1Gt/k0O75GoTAJBgUrDgMCHQUAMBQxEjAQ
BgNVBAMTCVFpWW91VGVzdDAeFw0yMzA0MjUwOTM4MzVaFw0zOTEyMzEyMzU5NTla
MBQxEjAQBgNVBAMTCVFpWW91VGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAMviXOUMkwqDrgkTwSwywaAAfEA3FMut2D8cdAISG6SC/YIhkPErlGCs
puTiSOkQkvuDzqDLQOnv1SlcnstiYcnpWZiYKtguft9BjtexOL9dEvnOQHrZ+NFK
UPp+qigBXbY1fYxnC8bM4+/mi0VpnIEE0j4V6iwYdmzz8Vn6vlHmQJZJLO9U3yFm
IsiWXlyapxf90YHzo7e96Sfq3Nc14U9SwC3D1HplCGXsagXmJKHol006GTlm8D8Q
NYCGzEC8tiJGCThNAbzqly0OltP+W4vGldx/VFNiOmi9m8s2BKo2bn6pPgpzXemY
aMspOYNlqRupWQJ+J5QRhidg8Dv40skCAwEAAaNJMEcwRQYDVR0BBD4wPIAQWZX0
kG6A1OjKl/66pxMha6EWMBQxEjAQBgNVBAMTCVFpWW91VGVzdIIQiBrkayNb7L1G
t/k0O75GoTAJBgUrDgMCHQUAA4IBAQAbFrgIDe7w4xRnT1q1zG7t01Dy9Zkk5M71
77MzaADZJjmd+0JkPxRw2bjepWKtQ0cHh0riMs7ImS0TbF14NQnLzy0k2XfN4SKJ
mos3VA2bijxcWEt//Mcq+1xQ8lGQhnPZEhXG5Kt1CRr3rF6uCOri8TvZPOGfQUhv
UWqy6s52883763AFbHRRu2DqQiZ3KanFDwQq21w6ypRbEL82Mu01B8OMZVkeFkju
GdZ9YfY+tfKQuLuKgtZJc4xL+mbgqN6ASaIHzmogJ0Q4NrgQnVjaR6NzZmqOWfqh
iuXyHLZOJNcvmvzWyBjC5FG1PnFOoO83ZkYY3wsHZb7FjMg3FWqM" />
            </identity>
        </endpoint>
    </client>
  <behaviors>
    <endpointBehaviors>
      <behavior name="Service1Nehavior">
        <clientCredentials>
          <clientCertificate findValue="QiYouTest" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="TrustedPeople" />
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
</system.serviceModel>

As long as the certificate can be found in the client's place, it will work.