.NET Core (8.0) WFC Client application getting exception "The HTTP request was forbidden with client authentication scheme 'Anonymous'"

[dikumar38853]

Client Implementation: It is implemented in .NET 8.0

var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
var endpoint = new EndpointAddress("my end point");

var channelFactory = new ChannelFactory<"My Contract">(binding, endpoint);
channelFactory.Credentials.ClientCertificate.Certificate =
new X509Certificate2(@"certificate path", "certificate pwd");
var proxy = channelFactory.CreateChannel();
try
{
var response = proxy.PingDevice();
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}

Below are the NuGet Packages referenced in my WFC Client Application:

<PackageReference Include="System.ServiceModel.Duplex" Version="6.0.0" />
<PackageReference Include="System.ServiceModel.Federation" Version="6.0.0" />
<PackageReference Include="System.ServiceModel.Http" Version="8.1.2" />
<PackageReference Include="System.ServiceModel.Primitives" Version="8.1.2" />
<PackageReference Include="System.ServiceModel.NetNamedPipe" Version="8.1.2" />
<PackageReference Include="System.ServiceModel.NetTcp" Version="8.1.2" />
<PackageReference Include="System.ServiceModel.Security" Version="6.0.0" />

When I tried to troubleshoot it then I found that RemoteCertificate is coming null at the server side, due to that it is getting forbidden error.

and same code if I use in .NET Framework 4.8 then it works fine:
RemoteCertificate coming the correct certification due to that it works

---

My Service Application's binding configuration is:

<basicHttpBinding>
  <binding name="SSLClientCertificate" maxReceivedMessageSize="2100000000">
    <readerQuotas maxStringContentLength="2100000000" maxBytesPerRead="2100000000" />
    <security mode="Transport">
      <transport clientCredentialType="Certificate" />
    </security>
  </binding>
</basicHttpBinding>

---

Below is the startup.cs implementation at service side where I can see that ClientCertificate is coming null.

public override void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    app.Use(async (context, next) =>
    {
        var logger = context.RequestServices.GetRequiredService<ILogger<Startup>>();
        var cert = **context.Connection.ClientCertificate;**
        if (cert == null)
        {
            logger.LogWarning("No client certificate received for request to {Path}", context.Request.Path);
        }
        else
        {
            logger.LogInformation("Client certificate received: Subject={Subject}, Thumbprint={Thumbprint}", cert.Subject, cert.Thumbprint);
        }
        await next();
    });

    base.Configure(app, env);
}

Please suggest be if i have missed anything in my .NET 8.0 Client implementation?

[dikumar38853]

My Service Application's binding configuration is:

<basicHttpBinding>
  <binding name="SSLClientCertificate" maxReceivedMessageSize="2100000000">
    <readerQuotas maxStringContentLength="2100000000" maxBytesPerRead="2100000000" />
    <security mode="Transport">
      <transport clientCredentialType="Certificate" />
    </security>
  </binding>
</basicHttpBinding>

[dikumar38853]

.NET Core's networking stack is stricter than the .NET Framework, and requires the certificate to either have its Enhanced Key Usage set to ClientAuthentication (1.3.6.1.5.5.7.3.2) which means that dot net core allow only the proper client certificate if it is not client certificate then dot net core application will send to service for authatication. Please refer the below CertificateHelper.cs where it is added the check for ClientAuthenticationOID. If the certificate have Enhanced Key Usage set to ClientAuthentication (1.3.6.1.5.5.7.3.2) like below certificate's screenshot then it allow to send to server for authantication.

https://github.com/dotnet/corefx/blob/fe7adb2bf92bba926268c2e9f562b11c84932a07/src/Common/src/System/Net/Security/CertificateHelper.cs

So closing this ticket as it is working for if I am providing the certificate having Enhanced Key Usage set to ClientAuthentication (1.3.6.1.5.5.7.3.2).

x`

[mconnew]

I'm not sure what's being enforced by HttpClient, but the applicable specs say if there's an Enhanced Key Usage extension applied to the certificate, then it must have the Client Authentication usage applied. But if the extension is completely absent, it should still be usable. Technically it's possible to have the extension present with no usage listed so seeing no usage doesn't necessarily mean the extension is missing, it would depend on how the specific visualization tool handles that (I don't know what the Windows certificate properties dialog does in that situation).
BTW, several years back we shipped a change in WCF on .NET Framework that enforces this on the service side when using Chain Trust validation when validating the client certificate so even if the certificate had been sent, it would have been rejected.
There's an additional constraint on the service side which the client side likely isn't enforcing. The certificate that was used to sign your client certificate also has these same constraints. So if your certificate has the Client Authentication usage in an Enhanced Key Usage extension, but the signing certificate has only Server Authentication, then the certificate still isn't usable.
There's also a corresponding requirement about the servers certificate with Server Authentication. Outside of HttpClient, if you explicitly configure WCF's client certificate authentication, it enforces these requirements on the service certificate. This is true for .NET Framework too.