How to make IIS hosted WCF service work with Card Space using localhost

First let me explain why it does not work.

There are three string comparisons done by CardSpace. The information card has an Issuer, an IssuerEndpointAddress, and an IssuerMexAddress.

When you hit a web site which requires an information card, in other words one that contains an object tag specifying the Issuer and Mex address, the following happens.

Comparison 1: The CardSpace UI does a string comparison between the Issuer specified in the object tag and all the cards it has, and lights up only those that match.

Comparison 2: Then, when you select a highlighted card, it uses the IssuerMexAddress inside the card to retrieve the WSDL from the issuer. When the WSDL returns, it compares the address inside the WSDL with the IssuerEndpointAddress inside the card. It fails if they do not match.

If everything goes well, it will go to the Issuer to get the token.

So why does localhost not work by default?

An IIS hosted WCF service's Issuer Endpoint Address would be a fully qualified domain name, something like mymachinename.mydomain.com. Literally, it would not match localhost. So comparison 1 would fail, because the card would specify the fully qualified domain name, and the card would not even light up. Even if you managed to make the card's issuer name use localhost and select the card, the mex retrieval process is going to fail, because you would send the mex request to https://mymachine.mydomain.com/... while your SSL cert is actually for localhost. This fails because https validates the host name against the SSL cert.

Two ways to fix it.  

The first option is to modify the IIS settings so that the WCF service is indeed hosted over localhost. Two simple command lines will do.

cscript //nologo %systemdrive%\inetpub\adminscripts\adsutil.vbs set W3SVC/1/ServerBindings :80:localhost

cscript //nologo %systemdrive%\inetpub\adminscripts\adsutil.vbs set W3SVC/1/SecureBindings :443:localhost

This will make the IIS hosted WCF service really use localhost.

The second option is to modify the managed card so that its Issuer Name is https://localhost/..., its token service endpoint address is https://mymachine.mydomain.com/..., and its token service mex endpoint address is https://localhost/.../mex
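To see why the second option passes all three checks while the default card does not, here is an added example (not part of the original post) that replays the comparisons described above in the order CardSpace performs them; the /sts/issue and /sts/mex paths are constructed placeholders, and the card field names mirror the ones used in this post.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class ManagedCard:
    issuer: str                   # Issuer
    issuer_endpoint_address: str  # IssuerEndpointAddress
    issuer_mex_address: str       # IssuerMexAddress

def preflight(card, site_issuer, ssl_cert_host, wsdl_address):
    """Replay CardSpace's checks in order; return the first failure or None.
    site_issuer: Issuer from the relying party's object tag.
    ssl_cert_host: host name on the SSL cert served at the mex address.
    wsdl_address: endpoint address inside the WSDL the issuer returns."""
    # Comparison 1: a literal string match decides whether the card lights up.
    if card.issuer != site_issuer:
        return "comparison 1: card Issuer %r != object tag %r" % (card.issuer, site_issuer)
    # Mex retrieval is over https, so the cert must be valid for the mex host.
    mex_host = (urlsplit(card.issuer_mex_address).hostname or "").lower()
    if mex_host != ssl_cert_host.lower():
        return "mex retrieval: cert is for %r but mex host is %r" % (ssl_cert_host, mex_host)
    # Comparison 2: address in the WSDL vs IssuerEndpointAddress on the card.
    if card.issuer_endpoint_address != wsdl_address:
        return "comparison 2: WSDL address %r != card endpoint %r" % (wsdl_address, card.issuer_endpoint_address)
    return None

# Constructed inputs: the object tag says localhost and the SSL cert is for
# localhost, but IIS still publishes the fully qualified name in its WSDL.
SITE_ISSUER = "https://localhost/sts/issue"
CERT_HOST = "localhost"
WSDL_ADDRESS = "https://mymachine.mydomain.com/sts/issue"

# Card as IIS hands it out by default: every address carries the FQDN.
DEFAULT_CARD = ManagedCard(
    issuer="https://mymachine.mydomain.com/sts/issue",
    issuer_endpoint_address="https://mymachine.mydomain.com/sts/issue",
    issuer_mex_address="https://mymachine.mydomain.com/sts/mex")

# Card edited as in the second option: localhost for Issuer and mex,
# FQDN kept on the endpoint address so it still matches the WSDL.
FIXED_CARD = ManagedCard(
    issuer="https://localhost/sts/issue",
    issuer_endpoint_address="https://mymachine.mydomain.com/sts/issue",
    issuer_mex_address="https://localhost/sts/mex")

if __name__ == "__main__":
    for name, card in ("default", DEFAULT_CARD), ("fixed", FIXED_CARD):
        print(name, "->", preflight(card, SITE_ISSUER, CERT_HOST, WSDL_ADDRESS))
```

A card with only the Issuer changed to localhost gets past comparison 1 but is then stopped at mex retrieval, which is the half-fixed case the post warns about.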