Client Certificates In a Desktop Application

Lately, I’ve been working on a project that involved retrofitting authentication via client certificates, similar to CAC/PIV smart card authentication, into an existing set of Windows Communication Foundation (WCF) web services and a desktop (yes, desktop) client application that was designed to interact with them. The first part was pretty easy to figure out; the second part was less so.

The truth is that the code needed for the client application is not onerous. The trick was finding any documentation/examples that pointed the way. If I had ever doubted that desktop applications are second-class citizens (I didn’t), this task confirmed it.

[Image: Client Certificate Dialog]

If you’ve accessed a web site that required smart card or certificate authentication (really the same thing: a smart card is just a client certificate whose private key lives on the card), the dialog above is probably very familiar to you. With a web application, the browser is the actual TLS client. When the server requests a certificate during the handshake, the browser prompts you to choose one from your personal store and, assuming you do, uses its private key to complete the handshake and passes you through to the site. With a desktop application, you need to build all of that interaction in yourself. (In case you’re wondering why all of the certificates above say “DO NOT TRUST,” it’s because I applied a filter to show only Fiddler dummy certificates for the screen shot.)
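The following is an added example of what “building that interaction in” looks like for a .NET desktop client; it is not code from the original post. It opens the current user’s personal store, keeps only certificates that a server could plausibly accept for client authentication, shows the same Windows certificate picker the browser uses, and attaches the chosen certificate to a WCF proxy. The `ServiceClient` proxy type, the endpoint address and the use of `WSHttpBinding` with transport security are assumptions for illustration; substitute your generated proxy and the binding the service actually exposes.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Description;

// Added example, not code from the original post. Reproduces in a desktop
// client the certificate prompt a browser shows for a site that requests a
// client certificate.
static class ClientCertificatePicker
{
    // OID for the Client Authentication enhanced key usage (id-kp-clientAuth).
    private const string ClientAuthEkuOid = "1.3.6.1.5.5.7.3.2";

    // Returns the certificates in CurrentUser\My that a server could accept:
    // currently valid, backed by a private key (for a smart card the key stays
    // on the card, but HasPrivateKey is still true via the CSP/KSP once the card
    // is inserted and the certificate has been propagated to the store), and
    // either carrying no EKU at all or an EKU that includes Client Authentication.
    public static X509Certificate2Collection FindCandidates()
    {
        var candidates = new X509Certificate2Collection();
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            // validOnly:false so that test certificates chaining to an
            // untrusted root (like the Fiddler ones in the screen shot) still show.
            var valid = store.Certificates.Find(
                X509FindType.FindByTimeValid, DateTime.Now, validOnly: false);
            foreach (X509Certificate2 cert in valid)
            {
                if (!cert.HasPrivateKey) continue;
                if (!AllowsClientAuth(cert)) continue;
                candidates.Add(cert);
            }
        }
        return candidates;
    }

    private static bool AllowsClientAuth(X509Certificate2 cert)
    {
        foreach (X509Extension ext in cert.Extensions)
        {
            var eku = ext as X509EnhancedKeyUsageExtension;
            if (eku == null) continue;
            foreach (var oid in eku.EnhancedKeyUsages)
                if (oid.Value == ClientAuthEkuOid) return true;
            return false; // EKU present but Client Authentication not listed
        }
        return true; // no EKU extension: certificate is not restricted by purpose
    }

    // Shows the standard Windows certificate picker (the same dialog the browser
    // uses) and returns the selected certificate, or null if the user cancels or
    // no usable certificate exists. ownerWindow is the HWND of the calling form.
    public static X509Certificate2 PromptUser(IntPtr ownerWindow)
    {
        var candidates = FindCandidates();
        if (candidates.Count == 0) return null;
        var chosen = X509Certificate2UI.SelectFromCollection(
            candidates,
            "Select a certificate",
            "Select the certificate to use when authenticating to the service.",
            X509SelectionFlag.SingleSelection,
            ownerWindow);
        return chosen.Count == 1 ? chosen[0] : null;
    }

    // Builds a binding that asks for certificate credentials at the transport
    // (TLS) layer and attaches the chosen certificate to the proxy. The binding
    // choice and endpoint address are assumptions; they must match the service.
    public static TProxy ConfigureProxy<TProxy, TChannel>(
        Func<WSHttpBinding, EndpointAddress, TProxy> createProxy,
        string endpointUrl,
        X509Certificate2 cert)
        where TProxy : ClientBase<TChannel>
        where TChannel : class
    {
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

        var proxy = createProxy(binding, new EndpointAddress(endpointUrl));
        // The private key never leaves the card or CSP: WCF signs the handshake
        // through the key handle the certificate carries.
        proxy.ClientCredentials.ClientCertificate.Certificate = cert;
        return proxy;
    }
}
```

Usage from a WinForms or WPF code-behind, with `ServiceClient` standing in for the generated proxy and `IService` for its contract: `var cert = ClientCertificatePicker.PromptUser(this.Handle); if (cert != null) { var client = ClientCertificatePicker.ConfigureProxy<ServiceClient, IService>((b, a) => new ServiceClient(b, a), "https://example.test/Service.svc", cert); }`. Filtering on EKU and private key before showing the dialog is what keeps the list short; without it, every certificate in the personal store (including ones with no usable key) is offered to the user.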
