WCF: NotSupportedException: The SSL settings for the service 'SslRequireCert' does not match those of the IIS 'Ssl'.

When you use WCF with client certificates over SSL in a web-hosted scenario, you might hit an exception like the following:

[NotSupportedException: The SSL settings for the service 'SslRequireCert' does not match those of the IIS 'Ssl'.]

   System.ServiceModel.Activation.HostedAspNetEnvironment.ValidateHttpsSettings(String virtualPath, Nullable`1& requireClientCertificate) +117347
   System.ServiceModel.Channels.HttpsChannelListener.ApplyHostedContext(String virtualPath, Boolean isMetadataListener) +97
   System.ServiceModel.Activation.HostedAspNetEnvironment.ApplyHostedContext(TransportChannelListener listener, BindingContext context) +84
   System.ServiceModel.Channels.HttpsTransportBindingElement.BuildChannelListener(BindingContext context) +93
   System.ServiceModel.Channels.BindingContext.BuildInnerChannelListener() +63
   System.ServiceModel.Channels.MessageEncodingBindingElement.InternalBuildChannelListener(BindingContext context) +67

Why?

The exception text is actually quite informative in this case. IIS is configured for SSL only, whereas the WCF service is configured for client certificates over SSL. Your WCF binding configuration section could look like the following:

            <security mode="Transport">
                <transport clientCredentialType="Certificate" />
            </security>

 

How to fix that?

Open IIS Manager (inetmgr), navigate to the virtual directory, click SSL Settings, and make sure “Require” is selected for client certificates instead of “Ignore”. If you have a subdirectory under the v-dir, click on each subdirectory as well and double-check that its SSL settings also require a certificate.

Alternatively, open the master IIS host configuration file at C:\Windows\System32\inetsrv\config\applicationHost.config and search for “Default Web Site/MyVdir”. See if its sslFlags contains only “Ssl”, like the following:

    <location path="Default Web Site/MyVdir">
        <system.webServer>
            <security>
                <access sslFlags="Ssl" />
            </security>
        </system.webServer>
    </location>

To fix this, add the additional sslFlags values so that the entry looks like the following:

    <location path="Default Web Site/MyVdir">
        <system.webServer>
            <security>
                <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
            </security>
        </system.webServer>
    </location>

Now make sure the changes are saved, and run iisreset before trying to hit the server again.
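
The check described above (the v-dir and every subdirectory under it) can be scripted. The following PowerShell is an added example, not part of the original post: it scans the location entries of applicationHost.config and reports those at or below a v-dir whose sslFlags lack any of the three values used in the fix. The function name Get-SslFlagMismatch and the sample paths "MyVdir/Sub" and "Other" are hypothetical.

```powershell
# Constructed sample of applicationHost.config <location> entries. On a server, load the
# real file: [xml]$config = Get-Content -Raw 'C:\Windows\System32\inetsrv\config\applicationHost.config'
[xml]$config = @'
<configuration>
  <location path="Default Web Site/MyVdir">
    <system.webServer><security>
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
    </security></system.webServer>
  </location>
  <location path="Default Web Site/MyVdir/Sub">
    <system.webServer><security>
      <access sslFlags="Ssl" />
    </security></system.webServer>
  </location>
  <location path="Default Web Site/Other">
    <system.webServer><security>
      <access sslFlags="None" />
    </security></system.webServer>
  </location>
</configuration>
'@

function Get-SslFlagMismatch {
    param([Parameter(Mandatory)][xml]$Config, [Parameter(Mandatory)][string]$VdirPath)
    # Assumption: an entry is compliant only if it carries all three flags from the fix above.
    $requiredFlags = 'Ssl', 'SslNegotiateCert', 'SslRequireCert'
    foreach ($location in $Config.SelectNodes('/configuration/location')) {
        $path = $location.GetAttribute('path')
        # Keep only the v-dir itself and paths below it (IIS paths are case-insensitive).
        $isVdir  = $path -eq $VdirPath
        $isChild = $path.StartsWith("$VdirPath/", [StringComparison]::OrdinalIgnoreCase)
        if (-not ($isVdir -or $isChild)) { continue }
        $access = $location.SelectSingleNode('system.webServer/security/access')
        if ($null -eq $access) { continue }   # no override here; the parent's setting applies
        $flags   = @($access.GetAttribute('sslFlags') -split '\s*,\s*' | Where-Object { $_ })
        $missing = @($requiredFlags | Where-Object { $_ -notin $flags })
        if ($missing.Count -gt 0) {
            [pscustomobject]@{ Path = $path; SslFlags = $flags -join ', '; Missing = $missing -join ', ' }
        }
    }
}

Get-SslFlagMismatch -Config $config -VdirPath 'Default Web Site/MyVdir' | Format-Table -AutoSize
```

Any row it returns is a location entry that would still trigger the mismatch for a service hosted at that path.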