<authentication> of <clientCertificate> Element
Specifies authentication behaviors for client certificates used by a service.
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior> of <serviceBehaviors>
<serviceCredentials> Element
<clientCertificate> of <serviceCredentials>
```xml
<authentication
  customCertificateValidatorType="namespace.typeName [,AssemblyName] [,Version=version number] [,Culture=culture] [,PublicKeyToken=token]"
  certificateValidationMode="ChainTrust/None/PeerTrust/PeerOrChainTrust/Custom"
  includeWindowsGroups="Boolean"
  mapClientCertificateToWindowsAccount="Boolean"
  revocationMode="NoCheck/Online/Offline"
  trustedStoreLocation="CurrentUser/LocalMachine"
/>
```
Attributes and Elements
The following sections describe attributes, child elements, and parent elements.
Attributes
Attribute | Description |
---|---|
customCertificateValidatorType | Optional string. A type and assembly used to validate a custom type. This attribute must be set when certificateValidationMode is set to Custom. |
certificateValidationMode | Optional enumeration. Specifies one of three modes used to validate credentials. If set to Custom, then a customCertificateValidatorType must also be supplied. The default is ChainTrust. |
includeWindowsGroups | Optional Boolean. Specifies whether Windows groups are included in the security context. Setting this attribute to true has a performance impact, as it results in a full group expansion. Set this attribute to false if you do not need to establish the list of groups a user belongs to. |
mapClientCertificateToWindowsAccount | Boolean. Specifies whether the client can be mapped to a Windows identity using the certificate. Active Directory must be enabled to do this. For more information about using the Active Directory feature, see http://technet2.microsoft.com/WindowsServer/en/Library/0602148e-1a8f-4917-bb01-6fd342aba7161033.mspx. |
revocationMode | Optional enumeration. One of the modes used to check a certificate revocation list (CRL). The default is Online. |
trustedStoreLocation | Optional enumeration. One of the two system store locations: LocalMachine or CurrentUser. This value is used when a service certificate is negotiated to the client. Validation is performed against the Trusted People store in the specified store location. The default is CurrentUser. |
customCertificateValidatorType Attribute
Value | Description |
---|---|
String | Specifies the type name and assembly and other data used to find the type. |
certificateValidationMode Attribute
Value | Description |
---|---|
Enumeration | One of the following values: None, PeerTrust, ChainTrust, PeerOrChainTrust, Custom. For more information, see Working with Certificates. |
revocationMode Attribute
Value | Description |
---|---|
Enumeration | One of the following values: NoCheck, Online, Offline. For more information, see Working with Certificates. |
trustedStoreLocation Attribute
Value | Description |
---|---|
Enumeration | One of the following values: LocalMachine or CurrentUser. The default is CurrentUser. If the client application is running under a system account, then the certificate is typically under LocalMachine. If the client application is running under a user account, then the certificate is typically in CurrentUser. |
Child Elements
None.
Parent Elements
Element | Description |
---|---|
<clientCertificate> of <serviceCredentials> | Defines an X.509 certificate used to authenticate a client to a service. |
Remarks
The <authentication> element corresponds to the X509ClientCertificateAuthentication class.
Example
The following configuration specifies an X.509 certificate and a custom validation type in the <authentication> element. Because <clientCertificate> is a child of <serviceCredentials>, the element is nested inside <serviceCredentials> within the behavior.
```xml
<serviceBehaviors>
  <behavior name="myServiceBehavior">
    <serviceCredentials>
      <clientCertificate>
        <!-- The client certificate the service uses, located by issuer name in the TrustedPeople store. -->
        <certificate
          findValue="www.cohowinery.com"
          storeLocation="CurrentUser"
          storeName="TrustedPeople"
          x509FindType="FindByIssuerName" />
        <!-- certificateValidationMode="Custom" requires customCertificateValidatorType to name the validator type. -->
        <authentication customCertificateValidatorType="MyTypes.Coho"
          certificateValidationMode="Custom"
          revocationMode="Offline"
          includeWindowsGroups="false"
          mapClientCertificateToWindowsAccount="true" />
      </clientCertificate>
    </serviceCredentials>
  </behavior>
</serviceBehaviors>
```
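As an added example that is not part of the original topic, the following C# shows what a customCertificateValidatorType value such as MyTypes.Coho has to point at (a class deriving from X509CertificateValidator), together with the programmatic equivalent of the <authentication> element above, set through the X509ClientCertificateAuthentication instance the Remarks section names. The Coho class body, the trusted-root thumbprint constant, and the HostSetup helper are assumptions constructed for this example; only the type name and attribute values come from the configuration above.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

namespace MyTypes
{
    // Hypothetical validator: the type that customCertificateValidatorType names.
    // When it lives outside the host assembly, the attribute value must be
    // assembly-qualified, e.g. "MyTypes.Coho, MyAssembly".
    public sealed class Coho : X509CertificateValidator
    {
        // Constructed placeholder: thumbprint of the root CA whose clients are accepted.
        private const string TrustedRootThumbprint = "0000000000000000000000000000000000000000";

        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
            {
                throw new ArgumentNullException("certificate");
            }

            X509Chain chain = new X509Chain();
            try
            {
                // In Custom mode, chain building and revocation checking are this
                // class's responsibility; rejecting means throwing, never returning.
                chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
                chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
                chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

                if (!chain.Build(certificate))
                {
                    string reasons = string.Join("; ",
                        chain.ChainStatus.Select(s => s.Status + ": " + s.StatusInformation));
                    throw new SecurityTokenValidationException(
                        "Client certificate chain did not validate (" + reasons + ").");
                }

                // Pin the chain to the expected root so that a certificate issued by any
                // other CA present in the machine's trust store is still rejected.
                X509Certificate2 root =
                    chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
                if (!string.Equals(root.Thumbprint, TrustedRootThumbprint,
                                   StringComparison.OrdinalIgnoreCase))
                {
                    throw new SecurityTokenValidationException(
                        "Client certificate does not chain to the trusted root CA.");
                }
            }
            finally
            {
                chain.Reset();
            }
        }
    }

    public static class HostSetup
    {
        // Programmatic equivalent of the <authentication> element in the example.
        // host.Credentials.ClientCertificate.Authentication is the
        // X509ClientCertificateAuthentication object the element maps to.
        public static void ConfigureClientCertificateAuthentication(ServiceHost host)
        {
            X509ClientCertificateAuthentication auth =
                host.Credentials.ClientCertificate.Authentication;

            auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
            auth.CustomCertificateValidator = new Coho();   // required when the mode is Custom
            auth.RevocationMode = X509RevocationMode.Offline;
            auth.IncludeWindowsGroups = false;
            auth.MapClientCertificateToWindowsAccount = true;
        }
    }
}
```

Call HostSetup.ConfigureClientCertificateAuthentication(host) before host.Open(); if the same settings are already present in configuration, the programmatic values take precedence only for the properties you set. Keep in mind that the custom validator is consulted only when certificateValidationMode is Custom; with any other mode the class named by customCertificateValidatorType is never loaded, which is why the pinning logic above must not be relied on unless the mode is verified in the deployed configuration.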
See Also
Reference
X509ClientCertificateAuthentication
X509CertificateValidationMode
Other Resources
© Microsoft Corporation. All rights reserved.