0
votes

I have a WCF service that is exposed. In terms of security, I need to authenticate it with both client certificates and username/password.

A few clients are to be authenticated using client certificates and the others using username/password.

When I configure the service to use client certificates, the IIS --> SSL Settings need to be configured for SSL Require. When I do so, the other clients who do not have a client certificate cannot access the service.

How do I get around this problem?

2 Answers

1
votes

It is not possible when hosting the service in IIS. The SSL configuration with a required client certificate has scope for the whole virtual directory / application where it is configured and everything hosted in that directory. So you must host the service twice, each time in a different virtual directory or web application with a different configuration.

Alternatively, you can self-host the service in a Windows service and specify a separate configuration for each endpoint.

1
votes

I think I did find a solution to the above problem.

You just need to have the services in different folders under the virtual directory.

Once you have the services as above in IIS, just select the folder that does client certificate authentication and set the folder's SSL Settings.

NOTE: In IIS you can set the settings for each folder using web.config or in the IIS features view for each folder.

That way you can achieve multiple authentications.
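
The per-folder setup discussed in the answers, written out as a `web.config` sketch. This is an added example, not configuration posted by either answerer; it pairs the IIS `sslFlags` for each folder with a matching WCF binding. The folder names (`CertService`, `PasswordService`), the service and contract names, and the choice of `basicHttpBinding` are assumptions.

```xml
<!-- Added example: web.config at the application root. Folder, service and contract names are assumed. -->
<configuration>
  <!-- IIS: HTTPS with a mandatory client certificate, only under CertService/ -->
  <location path="CertService">
    <system.webServer>
      <security>
        <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
      </security>
    </system.webServer>
  </location>
  <!-- IIS: HTTPS without a client certificate under PasswordService/ -->
  <location path="PasswordService">
    <system.webServer>
      <security>
        <access sslFlags="Ssl" />
      </security>
    </system.webServer>
  </location>

  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <!-- Client is identified by its TLS client certificate -->
        <binding name="certTransport">
          <security mode="Transport">
            <transport clientCredentialType="Certificate" />
          </security>
        </binding>
        <!-- Client sends username/password in the message, protected by TLS -->
        <binding name="userNameOverTls">
          <security mode="TransportWithMessageCredential">
            <message clientCredentialType="UserName" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <service name="Example.CertService">
        <endpoint address="" binding="basicHttpBinding"
                  bindingConfiguration="certTransport" contract="Example.IService" />
      </service>
      <service name="Example.PasswordService">
        <endpoint address="" binding="basicHttpBinding"
                  bindingConfiguration="userNameOverTls" contract="Example.IService" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
```

The `system.webServer/security/access` section is locked at the server level by default, so the `location` blocks take effect from `web.config` only after that section is unlocked; otherwise they belong in `applicationHost.config` with the full site path. Keep each folder's `sslFlags` in step with the binding used by the service in that folder, since WCF checks the two against each other when the service is activated.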