24 June 2010

Consuming an AIF WebService (wsHttpBinding) with SSL and a dummy certificate

Here’s a quick “How-To” for consuming AIF WebServices in a wsHttpBinding configuration with SSL and a dummy user. It’s always better to have some documentation for these kinds of tasks, and I know that I will forget this in a few days without it. So why not share it? :-)

1) Implement SSL in IIS

2) The certification authority needs to be registered on the client:

http://<localhost>/certsrv

Save the CA certificate and import it on the client using certmgr.msc:


3) My AIF WebService in this example is configured for transport security. Now the WebService is ready to be consumed. Consuming the AIF WebService with transport security requires that the clientCredentialType attribute of the Transport element (line 11 in the following app.config excerpt) is set to “Ntlm”. By default this is set to “Windows”. The description of this attribute on MSDN:

NTLM. This option is available with the HTTP protocol only. The client is authenticated by using a challenge-response scheme against Windows accounts. NTLM authentication is well suited for a workgroup environment and is more secure than Basic authentication. The service is authenticated by using an SSL certificate.

Here are the security settings for IIS6 and IIS7:

[Screenshots: IIS6 and IIS7 security settings]

The wsHttpBinding configuration on the client:

  













The client configuration using the wsHttpBinding:

  





WCF rejects the dummy certificate with the following error:



Could not establish trust relationship for the SSL/TLS secure channel with authority '10.166.3.2'.


A workaround is to register a RemoteCertificateValidationCallback that validates the certificate explicitly, as in the following code:
  

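    private void Form1_Load(object sender, EventArgs e)
    {
        // Register a custom server certificate check. ServicePointManager is
        // static, so the callback applies to the whole process.
        System.Net.ServicePointManager.ServerCertificateValidationCallback +=
            new System.Net.Security.RemoteCertificateValidationCallback(ValidateCert);
    }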

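The callback tells WCF that there are no errors. Because it returns true unconditionally and ServicePointManager is process-wide, it accepts every server certificate for every HTTPS request the application makes, not only the dummy certificate of the AIF service: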

  
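    // Requires: using System.Security.Cryptography.X509Certificates;
    private bool ValidateCert(object sender,
        X509Certificate cert,
        X509Chain chain,
        System.Net.Security.SslPolicyErrors error)
    {
        // Ignores the reported policy errors and accepts any certificate.
        return true;
    }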
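
A narrower variant of the accept-all callback above, as an added example that is not part of the original post: it makes an exception only for one host and one pinned certificate thumbprint, and lets every other certificate go through normal validation. The class name, the host constant (taken from the error message above) and the thumbprint placeholder are assumptions to adapt.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the original post.
static class PinnedCertValidator
{
    // Assumption: the host from the error message quoted in the post.
    const string ExpectedHost = "10.166.3.2";

    // Placeholder: paste the SHA-1 thumbprint of the dummy certificate
    // (certificate dialog > Details > Thumbprint).
    const string PinnedThumbprint = "REPLACE-WITH-DUMMY-CERT-THUMBPRINT";

    // Call once at startup, e.g. from Form1_Load, instead of ValidateCert.
    public static void Register()
    {
        ServicePointManager.ServerCertificateValidationCallback += Validate;
    }

    static bool Validate(object sender, X509Certificate cert,
                         X509Chain chain, SslPolicyErrors errors)
    {
        // Certificates that pass normal validation need no exception.
        if (errors == SslPolicyErrors.None) return true;
        if (cert == null) return false;

        // sender is a WebRequest or a host name string, depending on the caller.
        WebRequest request = sender as WebRequest;
        string host = request != null ? request.RequestUri.Host : sender as string;
        if (!string.Equals(host, ExpectedHost, StringComparison.OrdinalIgnoreCase))
            return false;

        // Thumbprints copied from the certificate dialog contain spaces.
        string pinned = PinnedThumbprint.Replace(" ", "");
        return string.Equals(cert.GetCertHashString(), pinned,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```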

Then, the AIF WebService is ready to be consumed:

  
    private void button1_Click(object sender, EventArgs e)
    {
        A01ServiceServiceClient proxy = new A01ServiceServiceClient();

        // Windows credentials used for the NTLM challenge-response
        // (sample account from the demo environment).
        proxy.ClientCredentials.Windows.ClientCredential.Domain = "CONTOSO";
        proxy.ClientCredentials.Windows.ClientCredential.UserName = "Administrator";
        proxy.ClientCredentials.Windows.ClientCredential.Password = "pass@word1";

        // Call the service operation, then close the channel.
        string message = proxy.HelloWorld("toto");
        proxy.Close();
        MessageBox.Show(message);
    }

2 comments:

  1. Hello Florian,
    Is there a way to implement System.Net.ServicePointManager.ServerCertificateValidationCallback +=
    new System.Net.Security.RemoteCertificateValidationCallback(ValidateCert);
    in Dynamics AX? It appears that it is impossible to reach System.Net.Security.RemoteCertificateValidationCallback within Axapta.

  2. You are right. It is not possible in Ax 2009 to work with delegates and CLR events (it will be in Ax 2012). Until then, you can write a CLR class that gets the desired object and returns it in a X++ compatible way. You can send me your current implementation as Xpo via mail, so I can become more concrete.
