Configure IIS for WCF service with SSL and transport security

This article shows how to configure IIS for a WCF service with SSL to achieve WCF transport security. It uses a WCF service hosted in IIS and an SSL certificate created with IIS Server Certificates.

In Windows Communication Foundation, transport security depends on the binding and transport being used. It requires an SSL certificate to be registered with IIS. For a production environment you must obtain the certificate from a third-party certificate issuer such as Verisign. In transport security, server and clients are configured with X.509 certificates to allow verification of the other party. For development purposes you can create a self-signed certificate.

Advantages of Transport Security

  • Improved interoperability, as it does not require both parties to understand XML-level security.
  • Improved overall performance compared to message-level security.
  • Streaming is possible, whereas with message-level security it is not.

We can implement SSL for a WCF service in two ways:

  • If you are hosting the WCF service in IIS, you can use the IIS infrastructure to set up SSL.
  • If your WCF service is self-hosted, you can create an SSL certificate using HttpCfg.exe and use it for service binding.

Step by step configuration of IIS for WCF Service with SSL

Create Self Signed SSL certificate

In this step we will create a self-signed certificate using IIS Manager.

Open IIS Manager using the inetmgr command. Select <server name> from the Connections pane on the left side of IIS Manager.

Double-click Server Certificates in the middle pane of IIS Manager.

From the Actions pane (right side) of IIS Manager, click Self Signed Certificate.

You will get a new window where you have to enter the certificate name. Give the name as NorthwindCertificates.

Create and Host your WCF Service

Create a WCF service.

Endpoint configuration for Transport security

Open the WCF service library application created in the previous step. Open the app.config file of the NorthwindServices application to change the WCF endpoint to allow transport security with SSL.

Add a bindingConfiguration that sets attributes for basicHttpBinding, and set its security mode. There are three types of security modes available in WCF: Message for message-level security, Transport for transport-level security, and TransportWithMessageCredential for providing security over transport with encrypted messages. You can also set it to None to disable security of the WCF service.

Set clientCredentialType to None to specify anonymous authentication, which does not perform client authentication. The possible values for clientCredentialType are None, Basic, Digest, Ntlm, Windows.

Change serviceBehaviors to allow https requests for the service metadata by setting httpsGetEnabled="true".

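Your service configuration, placed inside <system.serviceModel>, will be as follows. The contract value YourServiceContract is a placeholder for your own service contract interface.

      <services>
        <service name="NorthwindServices.ProductService">
          <endpoint address="" binding="basicHttpBinding" bindingConfiguration="secureHttpBinding" contract="YourServiceContract" />
          <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
        </service>
      </services>
      <bindings>
        <basicHttpBinding>
          <binding name="secureHttpBinding">
            <security mode="Transport"><transport clientCredentialType="None"/></security>
          </binding>
        </basicHttpBinding>
      </bindings>
      <behaviors>
        <serviceBehaviors>
          <behavior>
            <serviceMetadata httpsGetEnabled="true"/>
            <serviceDebug includeExceptionDetailInFaults="false"/>
          </behavior>
        </serviceBehaviors>
      </behaviors>
      <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />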
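A check for the endpoint configuration above, as an added example that is not part of the original article: it parses a WCF configuration and reports basicHttpBinding endpoints that never reach a Transport-mode binding, along with metadata or exception details left exposed. The sample configuration, the IExample contract and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SECURE_MODES = {"Transport", "TransportWithMessageCredential"}
# Constructed sample: the first endpoint omits bindingConfiguration (default mode None).
SAMPLE_CONFIG = """
<configuration><system.serviceModel>
  <services><service name="NorthwindServices.ProductService">
    <endpoint address="" binding="basicHttpBinding" contract="IExample" />
    <endpoint address="secure" binding="basicHttpBinding"
              bindingConfiguration="secureHttpBinding" contract="IExample" />
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
  </service></services>
  <bindings><basicHttpBinding><binding name="secureHttpBinding">
    <security mode="Transport"><transport clientCredentialType="None"/></security>
  </binding></basicHttpBinding></bindings>
  <behaviors><serviceBehaviors><behavior>
    <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
    <serviceDebug includeExceptionDetailInFaults="true"/>
  </behavior></serviceBehaviors></behaviors>
</system.serviceModel></configuration>
"""

def audit_wcf_config(xml_text):
    """Return findings for settings that bypass or weaken transport security."""
    root = ET.fromstring(xml_text)
    model = root if root.tag == "system.serviceModel" else root.find("system.serviceModel")
    findings, modes = [], {}
    # Map (binding type, configuration name) -> security mode; "" is the default.
    for group in model.findall("bindings/*"):
        for cfg in group.findall("binding"):
            sec = cfg.find("security")
            modes[(group.tag, cfg.get("name", ""))] = sec.get("mode") if sec is not None else None
    for ep in model.findall("services/service/endpoint"):
        kind, addr = ep.get("binding"), ep.get("address", "")
        if kind == "mexHttpBinding":
            findings.append(f"endpoint '{addr}': metadata exchange over plain HTTP")
        elif kind == "basicHttpBinding":
            # basicHttpBinding without a security element defaults to mode None.
            mode = modes.get((kind, ep.get("bindingConfiguration", ""))) or "None"
            if mode not in SECURE_MODES:
                findings.append(f"endpoint '{addr}': security mode {mode}")
    for tag, attr in (("serviceMetadata", "httpGetEnabled"),
                      ("serviceDebug", "includeExceptionDetailInFaults")):
        for el in model.iter(tag):
            if el.get(attr, "false").lower() == "true":
                findings.append(f"{tag}: {attr} is enabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_wcf_config(SAMPLE_CONFIG)))
```

The check only covers basicHttpBinding and the mex endpoints; other binding types have different default security modes and are not evaluated.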

Configure SSL Certificate for WCF Service

Host your WCF service in IIS. In IIS Manager, right-click the site you created for hosting and click Edit Bindings.... In the new window you should see the http binding configured.

Now click the Add button and select https from the Type dropdown of the Add Site Binding window.

From the SSL Certificate dropdown, select NorthwindCertificate, which you created in the first step. Click OK and close the Site Bindings window.

Publish your WCF service once again to https://localhost/ address.

Client application for SSL secured WCF service

Create a client application for this SSL-secured WCF service and add a Service Reference to https://localhost/ProductServiceHost.svc.

Add the code below to the client application; it calls the WCF service and gets the product details for ProductID 1.

using System;

namespace NorthwindClient
{
    class Program
    {
        static void Main(string[] args)
        {
            // Proxy class generated by Add Service Reference
            ProductServiceRef.ProductsClient client
                 = new ProductServiceRef.ProductsClient();
            string category = client.GetCategoryName(1);
            string name = client.GetProductName(1);
            int qty = client.GetProductQty(1);
            Console.WriteLine("Product Name : " + name);
            Console.WriteLine("Product Qty : " + qty.ToString());
            Console.WriteLine("Product Category : " + category);
            client.Close();
        }
    }
}

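When you execute the client application, you might get a SecurityNegotiationException with the message "Could not establish trust relationship for the SSL/TLS secure channel with authority 'localhost'". The client checks the host name in the endpoint address against the name on the server certificate, and the self-signed certificate created in IIS is issued to the computer name rather than to localhost. To resolve this issue, open the app.config file of the client application and replace localhost in the endpoint address with your computer name.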

Change it to
                https://<your computer name>/ProductServiceHost.svc

Download source code.

by dasiths at 9/26/2016 7:42:00 PM
clientCredentialType can be "Certificate" too.

by Laxmikant at 9/27/2016 12:26:00 AM
yes ... you can use Certificate as well

by Laxmikant at 9/27/2016 12:34:00 AM
yes ... you can use Certificate as well