Problem with Certificate validation
Hi
I have a service and a client that use certificates to validate identity. When the client talks to the service, I get the following error on the service side.
The X.509 certificate CN=www.fabrikam.com, O=Fabrikam, L=Redmond, S=Washington, C=US chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation because the revocation server was offline.
My Client App file is
<endpoint address="http://localhost:8000/Bancassurance/Authentication/Service"
          binding="wsFederationHttpBinding" bindingConfiguration="WSFederationHttpBinding_IAuthenticationService"
          contract="Polaris.Bancassurance.UI.AuthenticationService.IAuthenticationService"
          name="WSFederationHttpBinding_IAuthenticationService">
  <identity>
    <!-- Expected service identity: the base64-encoded service certificate the client checks
         the service's credential against (encoded value omitted here). -->
    <certificate encodedValue="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" /></identity>
</endpoint>Behaviour
<SimpleCardSpaceTokenClientCredentials>
  <serviceCertificate>
    <!-- certificateValidationMode="None" together with revocationMode="NoCheck": no chain or
         revocation validation is performed on the service's certificate. Acceptable for a local
         test setup; for production use ChainTrust or PeerTrust and re-enable revocation checking. -->
    <authentication
        trustedStoreLocation="LocalMachine"
        revocationMode="NoCheck" certificateValidationMode="None"/>
    <!-- Default service certificate, used for endpoints that have no scoped certificate configured. -->
    <defaultCertificate
        findValue='www.fabrikam.com'
        storeLocation='LocalMachine'
        storeName='My'
        x509FindType='FindBySubjectName' />
  </serviceCertificate>
</SimpleCardSpaceTokenClientCredentials>Binding
<binding name="WSFederationHttpBinding_IAuthenticationService"
         closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00"
         sendTimeout="00:01:00" bypassProxyOnLocal="false" transactionFlow="false"
         hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="50000000"
         maxReceivedMessageSize="5000000" messageEncoding="Text" textEncoding="utf-8"
         useDefaultWebProxy="true">
  <!-- Reader quotas raised to 5,000,000; together with maxReceivedMessageSize they bound the
       memory a single incoming message may consume. Keep them no larger than the real payloads need. -->
  <readerQuotas maxDepth="32" maxStringContentLength="5000000" maxArrayLength="5000000"
                maxBytesPerRead="5000000" maxNameTableCharCount="5000000" />
  <!-- Reliable messaging is disabled; the ordered/inactivityTimeout values are inert while enabled="false". -->
  <reliableSession ordered="true" inactivityTimeout="00:10:00"
                   enabled="false" />
  <!-- Message-level security: a symmetric-key SAML 1.0 token obtained from the issuer below.
       negotiateServiceCredential="true" means the service certificate is negotiated at run time
       rather than having to be supplied out of band. -->
  <security mode="Message">
    <message algorithmSuite="Default" issuedKeyType="SymmetricKey"
             issuedTokenType="urn:oasis:names:tc:SAML:1.0:assertion" negotiateServiceCredential="true">
      <!-- Claims the issued token must carry; none of them is optional. -->
      <claimTypeRequirements>
        <add claimType="http://www.breezebanca.com/identity/claims/UserRole"
             isOptional="false" />
        <add claimType="http://www.breezebanca.com/identity/claims/Name"
             isOptional="false" />
        <add claimType="http://www.breezebanca.com/identity/claims/UserId"
             isOptional="false" />
        <add claimType="http://www.breezebanca.com/identity/claims/LicenseNumber"
             isOptional="false" />
      </claimTypeRequirements>
      <!-- Security token service that issues the SAML token. -->
      <issuer address="http://www.banca.com:7000/sample/trust/usernamepassword/sts" />
    </message>
  </security>
</binding>My Service App file is
<service
    name="Polaris.Bancassurance.ServiceImplementation.AuthenticationService"
    behaviorConfiguration="TdsServiceCredentials">
  <host>
    <baseAddresses>
      <add baseAddress="http://localhost:8000/Bancassurance/Authentication"/>
    </baseAddresses>
  </host>
  <!-- Service Endpoint -->
  <endpoint address="Service"
            binding="wsFederationHttpBinding"
            contract="Polaris.Bancassurance.ServiceInterface.IAuthenticationService"
            bindingConfiguration="requireInfoCard">
    <identity>
      <!-- NOTE(review): this identity certificate is looked up in CurrentUser\My, while the
           TdsServiceCredentials behavior's serviceCertificate is looked up in LocalMachine\My.
           Confirm the certificate is installed in both stores, or point both at the same store. -->
      <certificateReference
          findValue="www.fabrikam.com"
          x509FindType="FindBySubjectName"
          storeLocation="CurrentUser"
          storeName="My" />
    </identity>
  </endpoint><!-- Mex Endpoint -->
  <endpoint address="mex"
            binding="mexHttpBinding"
            contract="IMetadataExchange" />
</service>Behaviour
<behavior name="TdsServiceCredentials">
  <dataContractSerializer maxItemsInObjectGraph="6553600"/>
  <!-- Publishes service metadata (WSDL) over HTTP GET at the base address. -->
  <serviceMetadata httpGetEnabled ="true" />
  <serviceCredentials>
    <clientCertificate>
      <!-- certificateValidationMode="None" with revocationMode="NoCheck" performs no chain or
           revocation validation of client certificates. Suitable for a local test setup only;
           for production use ChainTrust or PeerTrust and re-enable revocation checking.
           Note that these settings cover client certificates only, not the issued-token path. -->
      <authentication trustedStoreLocation="CurrentUser" certificateValidationMode="None" revocationMode="NoCheck"/>
    </clientCertificate>
    <!-- Credential the service presents to clients; presumably the CN=www.fabrikam.com certificate
         named in the error message. -->
    <serviceCertificate findValue="www.Fabrikam.com" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
  </serviceCredentials>
  <!-- False keeps exception details out of SOAP faults, so callers do not learn implementation internals. -->
  <serviceDebug includeExceptionDetailInFaults="False" />
</behavior>Binding
<binding name="requireInfoCard">
  <!-- Bounds on array length and string length within one message (5,000,000 each). -->
  <readerQuotas maxArrayLength="5000000" maxStringContentLength="5000000"/>
  <!-- Message-level security with a SAML 1.0 token issued by the STS below. -->
  <security mode="Message">
    <message issuedTokenType="urn:oasis:names:tc:SAML:1.0:assertion">
      <issuer address="http://www.banca.com:7000/sample/trust/usernamepassword/sts"/>
      <!-- Claims the issued token must carry for the service to accept it. -->
      <claimTypeRequirements>
        <add claimType="http://www.breezebanca.com/identity/claims/UserRole"/>
        <add claimType="http://www.breezebanca.com/identity/claims/Name"/>
        <add claimType="http://www.breezebanca.com/identity/claims/UserId"/>
        <add claimType="http://www.breezebanca.com/identity/claims/LicenseNumber"/>
      </claimTypeRequirements>
    </message>
  </security>
</binding>Need help regarding this..... is there any thing that iam missing out
Answers
Hello,
It is currently not possible to set the IssuedTokenAuthentication knobs for CertificateValidationMode and RevocationMode in config.
If you refer to the link I mentioned above, there are samples of how to do it in code. Please try that and let me know if it works.
Thanks,
Shiung
All Replies
Hello,
Essentially, what the service is trying to tell you is that it cannot validate the client's certificate because the revocation server (usually a .crl file if you are creating test certificates, but in production this can be a certificate authority) is not accessible. Ensure that the .crl file or CA is accessible; if it's a file, make sure it is in the service's running directory.
Alternatively, turn off revocation checking for the service's issued token authentication settings, or use a certificate validation mode other than chaintrust. You've already done this for the client's certificate, but you need to do it on the IssuedTokenAuthentication settings as well since this is a federated scenario which involves a cardspace STS. Please correct me if I interpreted the scenario wrong.
To do this, you must modify your service host settings in code: http://msdn2.microsoft.com/en-us/library/ms730131.aspx
Let me know if this helps.
Regards,
Shiung
Hi Shiung
I tried the changes, but I am still getting the same error. I changed my service behaviour as below:
<behaviors>
  <serviceBehaviors>
    <behavior name="TdsServiceCredentials">
      <dataContractSerializer maxItemsInObjectGraph="6553600"/>
      <serviceMetadata httpGetEnabled ="true" />
      <serviceCredentials>
        <!-- allowUntrustedRsaIssuers="True" accepts issued tokens signed by RSA keys that are
             not among knownCertificates. The validation mode and revocation mode for issued-token
             authentication cannot be set in config (see the answer in this thread); they have
             to be set on the service host in code. -->
        <issuedTokenAuthentication allowUntrustedRsaIssuers="True">
          <knownCertificates>
            <add storeLocation="LocalMachine" findValue="www.Fabrikam.com" x509FindType="FindBySubjectName" storeName="My"/>
          </knownCertificates>
        </issuedTokenAuthentication>
        <clientCertificate>
          <!-- No chain or revocation validation of client certificates; test setup only. -->
          <authentication trustedStoreLocation="CurrentUser" certificateValidationMode="None" revocationMode="NoCheck"/>
        </clientCertificate>
        <serviceCertificate findValue="www.Fabrikam.com" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
      </serviceCredentials>
      <serviceDebug includeExceptionDetailInFaults="False" />
    </behavior>
  </serviceBehaviors>
</behaviors>
need help regarding this....
Hello,
It is currently not possible to set the IssuedTokenAuthentication knobs for CertificateValidationMode and RevocationMode in config.
If you refer to the link I mentioned above, there are samples of how to do it in code. Please try that and let me know if it works.
Thanks,
Shiung
Hi Shiung
Thanks for the help. It worked when I added the code in my C# file.
Regards
Ragu
Hi All,
I am also facing a problem similar to Ragu's, but the only difference is that I am not using client-side certificates or federation services.
I am using Microsoft's WCF usernamepasswordvalidator sample.
It works fine on my system using test certificate.
After achieving this, I removed the generated proxy and created my own by enabling metadata in the service. Now when I run it, it gives the following error in the InnerException section:
"The X.509 certificate CN=localhost chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."
I even tried to use following code in the client to remove this error but of no use.
// Installs the permissive policy defined below: server certificates whose Subject is exactly "CN=localhost" are accepted.
PermissiveCertificatePolicy.Enact("CN=localhost");
// Test-only TLS server-certificate policy: accepts a server certificate by its Subject alone
// and ignores chain and policy errors. It weakens transport security for every outgoing HTTPS
// connection in the process, so it belongs in a local test build only.
//
// NOTE(review): ServicePointManager's callback governs HTTPS (transport) validation. The error
// quoted above appears to come from message-security validation of the service certificate on
// the wsHttpBinding, which this hook does not affect; that path is controlled by the client's
// serviceCertificate authentication settings, or by trusting the root that issued CN=localhost.
class PermissiveCertificatePolicy
{
    // Subject the presented certificate must match exactly.
    string subjectName;
    // Most recently enacted policy.
    static PermissiveCertificatePolicy currentPolicy;

    PermissiveCertificatePolicy(string subjectName)
    {
        this.subjectName = subjectName;
        // Process-wide hook consulted for every HTTPS connection made through ServicePointManager.
        ServicePointManager.ServerCertificateValidationCallback +=
            new System.Net.Security.RemoteCertificateValidationCallback(RemoteCertValidate);
    }

    // Creates the policy for the given subject and registers its callback.
    public static void Enact(string subjectName)
    {
        currentPolicy = new PermissiveCertificatePolicy(subjectName);
    }

    // Returns true only when cert.Subject equals the configured subject; chain, error flags and
    // host name are not consulted.
    bool RemoteCertValidate(object sender, X509Certificate cert, X509Chain chain, System.Net.Security.SslPolicyErrors error)
    {
        if (cert.Subject == subjectName)
        {
            return true;
        }
        return false;
    }
}
Can anybody please guide me on how to resolve this issue. If needed, I have pasted the service appp.config below
<system.serviceModel>
  <diagnostics>
    <!-- Logs complete message content at service and transport level. Useful while diagnosing
         this error; disable it outside debugging, since the trace then holds application data. -->
    <messageLogging logEntireMessage="true" logMalformedMessages="true"
                    logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true" />
  </diagnostics>
  <services>
    <service behaviorConfiguration="CalculatorServiceBehavior" name="Microsoft.ServiceModel.Samples.CalculatorService">
      <endpoint address="Username" binding="wsHttpBinding" bindingConfiguration="Binding1"
                name="" contract="Microsoft.ServiceModel.Samples.ICalculator" />
      <host>
        <baseAddresses>
          <add baseAddress="http://localhost:8001/servicemodelsamples/service" />
        </baseAddresses>
      </host>
    </service>
  </services><bindings>
    <wsHttpBinding>
      <!-- Username binding -->
      <!-- Message-level security; the client authenticates with a user name and password,
           and the service authenticates with the certificate configured below. -->
      <binding name="Binding1">
        <security mode="Message">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="CalculatorServiceBehavior">
        <serviceCredentials>
          <!-- Service certificate CN=localhost taken from CurrentUser\My. The quoted error says its
               chain ends in a root the client does not trust: the issuing root certificate has to be
               in the client's Trusted Root Certification Authorities store, or the client's
               serviceCertificate authentication has to use a validation mode that does not require
               chain trust. -->
          <serviceCertificate findValue="localhost" storeLocation="CurrentUser"
                              storeName="My" x509FindType="FindBySubjectName" />
          <!-- User name and password are checked by the custom validator type named here. -->
          <userNameAuthentication userNamePasswordValidationMode="Custom"
                                  customUserNamePasswordValidatorType="Microsoft.ServiceModel.Samples.CalculatorService+CustomUserNameValidator, service" />
        </serviceCredentials>
        <serviceMetadata httpGetEnabled="true" httpsGetEnabled="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>regards
- Code Snippet
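// Server-certificate validation callback that trusts a certificate only if that certificate is
// installed in the LocalMachine\My (Personal) store, i.e. a local allow-list.
//
// NOTE(review): chain and sslPolicyErrors are not consulted, so an installed certificate is
// accepted regardless of chain, name or policy errors reported by the TLS stack. Consider
// dropping OpenFlags.IncludeArchived so archived (retired) certificates are not trusted.
//
// Parameters follow the RemoteCertificateValidationCallback signature; returns true when the
// store contains the presented certificate.
Boolean Certificate_isValid(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    try
    {
        store.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadOnly | OpenFlags.IncludeArchived | OpenFlags.MaxAllowed);
        return store.Certificates.Contains(certificate);
    }
    finally
    {
        // The original never closed the store; release the handle whether or not the lookup succeeded.
        store.Close();
    }
}
/* ... */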
// Process-wide: this callback is consulted for every outgoing HTTPS connection made through ServicePointManager, not only the WCF call.
ServicePointManager.ServerCertificateValidationCallback = Certificate_isValid;
Just install the certificate and then validate it in code.
StoreName.My corresponds to mmc > Certificates > Personal.
Took me forever to figure out.
-AH

