Configure a WCF Service with SSL and consume from Silverlight via HTTPS (including cross-domain scenario)

Recently we have worked on a few issues where we had to configure WCF services with SSL so that we could consume them from Silverlight via HTTPS. Rather than let good research go to waste, I am posting the steps here. We will divide the concept into the following blocks:

  • Configure your IIS site with SSL

  • Configure WCF service to use SSL

  • Configure Silverlight application to call WCF service via HTTPS

Configure your IIS site with SSL

1. Open IIS Manager

2. Click on your Server node. In the right pane, under the IIS group, double-click on "Server Certificates"

3. Here we will use a Self-Signed certificate to keep it simple. Click on "Create Self-Signed Certificate" in the Actions pane and give it the name "MyCertificate":

 

4. Select your site (for example, "SecureSite" here). Right click on the site and choose "Edit Bindings"

 

5. Add a Site Binding. Choose the "MyCertificate" we created earlier. I am using the "All Unassigned" IP address, which you can replace with a real IP address.

6. Verify that your SSL binding is working on "SecureSite" by browsing to it.

7. Since our certificate is self-signed and not issued by a trusted certificate authority, you will be prompted with the following warning. Let us choose "Continue to Website", which bypasses the certificate warning and displays the startup page. Note: Internet Explorer has built-in code that lets you ignore the certificate, but you will need to manually code your non-browser clients to tackle this certificate issue.

8. Select your site. Double click on "SSL Settings" in the IIS pane.

9. Check "Require SSL"

This completes turning on SSL at the site level. Don't forget to check this page out for additional SSL tips/tricks.

Configure WCF service to use SSL

  1. We have a WCF service called "Hello.svc" that resides in an IIS application called "SecureWCF", which belongs to "SecureSite".

    The "Hello.svc" is very simple with a lone method called Greetings(…) that takes a parameter and returns a string:

  2. Configure Web.config with appropriate values, the most important ones needed for HTTPS are highlighted below.

    When "Transport" mode is used for security, the security is provided by HTTPS and the service must be configured with an SSL certificate. If you try to browse the .svc without "Transport", you may receive this error: "The provided URI scheme 'https' is invalid; expected 'http' "

    The request for serviceMetadata needs to be configured for HTTPS. We also need to make sure that the baseAddress is using HTTPS. Also notice that we have used relative addresses for endpoints. You must always use relative endpoint addresses for IIS-hosted service endpoints.

  3. Make sure SSL is "Required" at the service level.

  4. Now test your .svc over HTTPS; it should give you the proper WSDL.
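
The Web.config settings described in the steps above (Transport security on the binding, metadata over HTTPS, an HTTPS base address and relative endpoint addresses), as an added example rather than the configuration from the original post. The service and contract names `SecureWCF.Hello` and `SecureWCF.IHello`, the binding and behavior names, and the host `server.example.com` are assumptions; substitute your own.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <!-- mode="Transport": message protection comes from HTTPS itself.
             Without it the endpoint only accepts the http scheme. -->
        <binding name="TransportSecurity">
          <security mode="Transport">
            <transport clientCredentialType="None" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="HelloBehavior">
          <!-- Publish WSDL over HTTPS only; plain-HTTP metadata stays off. -->
          <serviceMetadata httpsGetEnabled="true" httpGetEnabled="false" />
          <!-- Do not return exception details to callers. -->
          <serviceDebug includeExceptionDetailInFaults="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <!-- Assumed names: SecureWCF.Hello implements SecureWCF.IHello. -->
      <service name="SecureWCF.Hello" behaviorConfiguration="HelloBehavior">
        <host>
          <baseAddresses>
            <!-- Placeholder FQDN; it must match the certificate's subject. -->
            <add baseAddress="https://server.example.com/SecureWCF/Hello.svc" />
          </baseAddresses>
        </host>
        <!-- Relative addresses: resolved against the .svc URL under IIS. -->
        <endpoint address=""
                  binding="basicHttpBinding"
                  bindingConfiguration="TransportSecurity"
                  contract="SecureWCF.IHello" />
        <!-- Metadata exchange endpoint, also over HTTPS. -->
        <endpoint address="mex"
                  binding="mexHttpsBinding"
                  contract="IMetadataExchange" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
```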

Configure Silverlight application to call WCF service via HTTPS

  1. We have created a Silverlight application hosted inside "SecureSLClient.Web" residing in the "Default Web Site" (which is non-HTTPS).

    The Silverlight app is very simple. It takes text input from the user, calls the WCF service asynchronously with that input, receives a text reply and displays it back to the user.

  2. If you have added the WCF reference via Visual Studio’s “Add Service Reference”, then your ServiceReference.ClientConfig should already be configured for HTTPS access. Just double check that ServiceReference.ClientConfig has appropriate values, the most important ones needed for HTTPS are highlighted below.

    Notice that, instead of localhost, we have used the FQDN to call the service. This is the same FQDN that the Server SSL Certificate was issued to. If the Client endpoint address does not match the Server SSL Certificate, then you will get an error similar to this: "Could not establish trust relationship for the SSL/TLS secure channel with authority 'localhost'"

  3. If you browse to your .svc at this point, you may get an error similar to this if the runtime determines that your Silverlight and WCF sites belong to separate web domains: "An error occurred while trying to make a request to URI 'https://......com/abc/xyz.svc'. This could be due to attempting to access a service in a cross-domain way without a proper cross-domain policy in place, or a policy that is unsuitable for SOAP services.". If this happens, you need to add clientaccesspolicy.xml to the root of your .svc site.

Here is your clientaccesspolicy.xml. Notice the domain uri settings for HTTPS.

  4. This should complete all the configuration. If you now browse to your Silverlight application and click on the button, you should get a greeting back from your secured WCF service: