A client certificate is an electronic document which uses a digital signature to bind a public key with an identity. A client certificate is used to verify that a public key belongs to an individual or an organization. When a client certificate is valid, access to secured content over the https:// is enabled. Client certificates fall under the technology umbrella known as a Public-Key Infrastructure (PKI). PKI is a large complex body of standards, policies, protocols, and practices that are beyond the scope this documentation. The following Microsoft document should give the developer a starting point to understand PKI: Public Key Infrastructure.

ArcGIS Server version 10.1 and higher has the ability to leverage PKI solutions in 'Commercial Off the Shelf' (COTS) Web servers such as: Microsoft Internet Information Server (IIS), Oracle WebLogic, IBM WebSphere, etc. through the use of the ArcGIS Web Adaptor. The requirements for using PKI in ArcGIS Server include:

1. The ArcGIS Web Adaptor must be setup as the gateway to ArcGIS Server.
2. The Web Server hosting the ArcGIS Web Adaptor must be configured to require client certificates for user authentication.
3. ArcGIS Server Site must be configured to: (a) Delegate user authentication to the Web Tier and (b) Use an identity store (LDAP, Windows Active Directory, etc.) supported by the Web Server.

When a request is made for a resource on ArcGIS Server, the Web Server will authenticate the user by validating the client certificate provided. The request (along with the user name) is then forwarded to ArcGIS Server via the Web Adaptor. ArcGIS Server will verify that the specified user has access to the requested resource before sending back the appropriate response. For more information on using PKI techniques to set up and use client certificates, see the ArcGIS Server documentation.

The ArcGIS Runtime for WPF requires supplying a valid Microsoft System.Security.Cryptography.X509Certificates.X509Certificate object as the .ClientCertificate Property in order to gain access to a secured (https://) ArcGIS Server web service based upon PKI. The Microsoft System.Security.Cryptography.X509Certificates Namespace API documentation provides a starting point for developers to learn how to programmatically access X509Certificate objects. If no client certificates have been set up on a client machine and a user tries to access using an X509Certificate from your custom ArcGIS WPF application, a Windows Security dialog stating "No certificate available. No certificates meet the application. Click OK to continue" will appear:

Whenever an ArcGIS Runtime for WPF based application uses PKI to secure web services, it is important that error checking be added to the application to ensure that the correct X509Certificate is used to access those secured web services. If a user of your ArcGIS WPF client application provides/uses an X509Certificate that is not accepted by the PKI security set up on the ArcGIS Server machine, then an error will be thrown. The following are a couple of different error messages that could occur:

"Error initializing layer: The remote server returned an error: (403) Forbidden.":

"Error initializing layer: The remote server returned an error: (401) Unauthorized.":

Depending on the particular ArcGIS Runtime for WPF object that is used, the developer will need to write code in the appropriate error handling event. For example: an ArcGISDynmaicMapServiceLayer should have error trapping code in the InitializationFailed Event; a QueryTask should have error trapping code in the Failed Event, a PrintTask should have error trapping code in the ExecuteCompleted Event (via the PrintEventArgs), etc.

The .ClientCertificate Property has been added to numerous ArcGIS Runtime for WPF objects. Accessing and using an X509Certificate is basically the same for each of the ArcGIS Runtime for WPF objects with a .ClientCertificate Property. There are code examples of using the X509Certificate in the DynamicMapServiceLayer.ClientCertificate Property, ArcGISTiledMapServiceLayer.ClientCertificate Property, Printing.PrintTask.ClientCertificate Property (code-behind only options) and FeatureLayer.ClientCertificate Property (Model-View-View-Model (MVVM) pattern using XAML and code-behind). Remember the key to accessing a PKI based secured ArcGIS Server web service is to first provide the appropriate .ClientCertificate Property credentials during construction of the object and prior to using (i.e Set/Write) any of the other properties/methods of the ArcGIS Runtime for WPF object, otherwise an error accessing that object will result.