
Operate HTTPS (WCF) Webservices in IIS 6 under Windows Server 2003

In general, any corporate-relevant communication should be secured with HTTPS. An IIS administrator therefore has to provide the infrastructure that applications need for this: IIS must be given an SSL certificate and must be configured with the proper host header value.
The following sample explains the steps to provide this infrastructure. It is based on a self-signed SSL certificate and a sample WCF-based web service. It focuses only on the infrastructure part and does not explain how to implement secure WCF services.

First you have to enable SSL communication for the site you want to secure. Thus, open the "IIS Manager" from the "Administrative Tools" and select the site you want to manage.

Press the right mouse button and select "Properties". Then press the "Advanced" button within the "Web site identification" section on the "Web Site" tab.

As you can see, this dialog lets you specify a custom "Host header value" for unsecured plain HTTP communication, but not for SSL-based communication. In order to show you how to configure a custom host header value for HTTPS communication, I will create a self-signed certificate first.
To do so, install the "IIS 6 Resource Kit Tools" available at http://www.microsoft.com/downloads/details.aspx?familyid=56FC92EE-A71A-4C73-B628-ADE629C89499&displaylang=en.
Then bring up the "SelfSSL" console and create a self-signed certificate with the "selfssl.exe" tool like this: "SELFSSL /N:CN=michael-test.local /T /V:365". Here /N sets the certificate's common name, /T adds the certificate to the local trusted certificates list, and /V sets the validity period in days.

Now change to the "Directory Security" tab and select "Server Certificate". Click "Next", select "Assign an existing certificate" and click "Next" again. Then select the just generated self-signed certificate from the list and click "Next". Ensure the SSL port is set to 443 and click "Next". Finally click "Next", followed by "Finish".
Go back to the "Web Site" tab and press the "Advanced" button within the "Web site identification" section again. As you can see, the "Add …" button in the "Multiple SSL identities for this Web site" section is enabled now. So press this button and specify the SSL port you have configured before (it should be 443). Confirm this dialog by pressing "OK". Finally close the "Properties" Window as well, by pressing "OK".

So, when I request the WSDL document for my deployed sample web service, I get the following:

<wsdl:service name="HelloWorldService">
  <wsdl:port name="BasicHttpBinding_IHelloWorldService" binding="tns:BasicHttpBinding_IHelloWorldService">
    <soap:address location="http://michael-test.local:9090/Test/HelloWorld.svc/HelloWorld"/>
  </wsdl:port>
  <wsdl:port name="Secure_Hello_World_Endpoint" binding="tns:Secure_Hello_World_Endpoint">
    <soap:address location="https://winsrv2003ee.corp.harbauer-net.org/Test/HelloWorld.svc/HelloWorld"/>
  </wsdl:port>
</wsdl:service>

 

The host name for the HTTP-based service port is resolved correctly, but the HTTPS-based service port does not carry the expected name; the actual machine name is used instead.
To address this issue we have to utilize the "adsutil.vbs" script as shown in the following sample. The script’s documentation can be found at http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/d3df4bc9-0954-459a-b5e6-7a8bc462960c.mspx?mfr=true.

%systemroot%\system32\cscript.exe //nologo %systemdrive%\inetpub\adminscripts\adsutil.vbs set /w3svc/<website id>/SecureBindings ":443:<host header>"

In my case I use:
%systemroot%\system32\cscript.exe //nologo C:\Inetpub\AdminScripts\adsutil.vbs set /w3svc/1252729226/SecureBindings ":443:michael-test.local"

Finally I perform an "iisreset" in order to apply the changes.

After running the adsutil script and restarting the web server, both the HTTP-based and the HTTPS-based custom host headers are resolved correctly, as you can see in the WSDL document for my sample web service:

<wsdl:service name="HelloWorldService">
  <wsdl:port name="BasicHttpBinding_IHelloWorldService" binding="tns:BasicHttpBinding_IHelloWorldService">
    <soap:address location="http://michael-test.local:9090/Test/HelloWorld.svc/HelloWorld"/>
  </wsdl:port>
  <wsdl:port name="Secure_Hello_World_Endpoint" binding="tns:Secure_Hello_World_Endpoint">
    <soap:address location="https://michael-test.local/Test/HelloWorld.svc/HelloWorld"/>
  </wsdl:port>
</wsdl:service>
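
The comparison of the two WSDL documents above can be automated. The following Python check is an added example, not part of the original post: it reports every HTTPS port whose advertised host differs from the name the certificate was issued for, since a client following such an address fails certificate name validation. The function name and the wrapping wsdl:definitions element are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

WSDL_PORT = "{http://schemas.xmlsoap.org/wsdl/}port"
SOAP_ADDRESSES = (  # SOAP 1.1 and SOAP 1.2 address extension elements
    "{http://schemas.xmlsoap.org/wsdl/soap/}address",
    "{http://schemas.xmlsoap.org/wsdl/soap12/}address",
)

def https_host_mismatches(wsdl_text, expected_host):
    """Return (port name, advertised host) for each HTTPS port whose
    soap:address host differs from the name the certificate was issued for."""
    expected = expected_host.lower().rstrip(".")
    mismatches = []
    for port in ET.fromstring(wsdl_text).iter(WSDL_PORT):
        for tag in SOAP_ADDRESSES:
            for address in port.findall(tag):
                url = urlsplit(address.get("location", ""))
                if url.scheme != "https":
                    continue  # plain HTTP ports are not covered by the certificate
                # urlsplit() already lower-cases the hostname
                host = (url.hostname or "").rstrip(".")
                if host != expected:
                    mismatches.append((port.get("name"), host))
    return mismatches

# Constructed wrapper: the page shows only the <wsdl:service> element, so the
# namespace declarations are added here to make the sample well-formed.
TEMPLATE = """<wsdl:definitions
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <wsdl:service name="HelloWorldService">
    <wsdl:port name="BasicHttpBinding_IHelloWorldService" binding="tns:BasicHttpBinding_IHelloWorldService">
      <soap:address location="http://michael-test.local:9090/Test/HelloWorld.svc/HelloWorld"/>
    </wsdl:port>
    <wsdl:port name="Secure_Hello_World_Endpoint" binding="tns:Secure_Hello_World_Endpoint">
      <soap:address location="https://{host}/Test/HelloWorld.svc/HelloWorld"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>"""

BEFORE = TEMPLATE.format(host="winsrv2003ee.corp.harbauer-net.org")  # first WSDL above
AFTER = TEMPLATE.format(host="michael-test.local")  # WSDL after SecureBindings was set

if __name__ == "__main__":
    for label, wsdl in (("before", BEFORE), ("after", AFTER)):
        print(label, https_host_mismatches(wsdl, "michael-test.local"))
```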
