SecurityNegotiationException when connecting to Service Bus

Question

Hi,

Today I did an upgrade from version 1.3 to latest version of the Windows Azure SDK. Now when I'm exposing my WCF endpoint the Service Bus I'm getting a  the following exception:

The X.509 certificate CN=servicebus.windows.net chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation because the revocation server was offline.

Any ideas?

Cheers.

Answer 1

Hi,

Today I did an upgrade from version 1.3 to latest version of the Windows Azure SDK. Now when I'm exposing my WCF endpoint the Service Bus I'm getting a  the following exception:

The X.509 certificate CN=servicebus.windows.net chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation because the revocation server was offline.

Any ideas?

Cheers.

Answer 2

I've been using 1.6 of the Azure SDK for a few weeks now. Upon restarting the service today, the same error message appeared just today. I'm not aware of any changes to the service. 

 

The X.509 certificate CN=servicebus.windows.net chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation because the revocation server was offline.

Answer 3

In the short-term to get past this, I modified the token provider section of the service's web.config file as shown, adding the serviceCertificate section:

 

<tokenProvider>

              <sharedSecret issuerName="owner" issuerSecret="secret_key" />

                        <serviceCertificate>

                              <authentication revocationMode="NoCheck"/>     

                        </serviceCertificate>

            </tokenProvider>

Answer 4

About 3 minutes after doing this, I removed that modification and the service started working. I've not checked the Azure status site, but suspect the revocation server might really have been offline.

Answer 5

<serviceCertificate>

<authenticationrevocationMode="NoCheck"/>

</serviceCertificate>

did not work for me

Answer 6

Try it again. I think the revocation-check server was down.

Answer 7

Just did. Still same issue.

Answer 8

I am having the same exception when I connect to the Service Bus through an http proxy which I believe is the problem (on a Windows Server 2003 machine).

I tried using the same configuration but without success (I got configuration errors, even though I registered the TokenProviderElement).

Any idea on how to solve this problem?

Answer 9

It turned out to be lack of configuration for the http proxy access.

The following thread helped me: http://social.technet.microsoft.com/Forums/en-AU/appvbeta/thread/670de585-672a-468c-963b-9da0beb62f29

I had to run the command: "proxycfg -u" in order to copy the IE Proxy settings to the WinHttpSettings that are used machine wide (not user session wide).

In my case the ServiceHost is running under a different account (Local Service) so the IE proxy settings were not being set correctly. Also, the CRL needs to know the proxy settings as well, so this proxycfg app fixed it because it allows to set the proxy configuration machine wide.

Right now my service is relayed through the AppFabric ServiceBus with ConnectivityMode.AutoDetect in order to work in both allowed tcp connections scenarios as well as more restricted scenarios in which an http proxy server might be used. Just configuration work, a single setting! Awesome! :)

Hope this helps!

Regards

Tiago

Answer 10

In my case the the exception occurs when I'm using Azure SDK 1.6. I rolled back my dev virtual machine to prior updating the SDK then it works fine.

Answer 11

Usually these kind of error happens if your client is not able to download the CRL (certifcate revocation list for the certificate)

1. Are you using a proxy server to connect to the internet.  If so does the error go away when you have a direct connection without an Proxy server.
2. Can you tun: "certutil -urlcache * delete"
3. Does it make a difference if you add "     <authentication revocationMode="NoCheck"/> "

If it doesn' work, I suggest you can remove the previous SDK first and clean install Azure SDk 1.6

 

Thanks

Leo Lin

Answer 12

I am facing the same problem "The X.509 certificate CN=servicebus.windows.net chain building failed" and not able to fix it with above suggestions.

I am on Windows Azure SDK 1.6.

Please help.

Answer 13

I'm don't understand why people mark as answer when no solution has been reached. Really annoying! 

Sachin, I never managed to solve it, if you do please update the thread. 

Answer 14

Ershad, it is just a moderator marking what he thinks is likely the answer. It is ok if you want to unmark it because you were the thread starter.

Thanks,

---

If this answers your question, please use the "Answer" button to say so | Ben Cline

Answer 15

Ok unmarked as answered.

Cheers.

Answer 16

Hi, This is a show stopper for us we are not moving in our development due to this. Somebody please look into it.

-Sachin

Answer 17

The problem (at least for us) was that when we deploy to the emulator an app pool gets created on the local IIS server.  That gets created running as Network Service.  Which in our company network does not have permission to access the internet.  When I change this to my domain account, I no longer get this error.  The problem is that every time the deploy is done, a new app pool is created so I have to do this every time.  That is pretty annoying, but at least it is working now.

If someone from Microsoft is listening, please allow us to change this user so we don't have to do it manually.

Thanks,

Bryan

---

Bryan Kelly

Answer 18

Hi Bryan,

I haven't tried what you're mentioning but I found it strange that this error occurs when upgrading to SDK 1.6 from a previous version. What version of the SDK are you using? 

Ershad

Answer 19

I have this exact problem which I did take up with MS and it appears the TokenProvider class in 1.6 *ALWAYS* checks the Certificate CRL regardless of what settings are in a) config files, and I even plugged in my own SSLCertificate Provider into the process.

As a workaround (for now) I ran a trace capturing all the CRL the machine was checking to verify this certificate, and I added host entries to point to the local machine and copied the CRL files locally.

this is far from ideal, but for now allows me to continue.

If you're interested - http://blogs.breeze.net/mickb/2012/01/31/AzureServiceBusFixingTheDreadedTheX509CertificateCNservicebuswindowsnetChainBuildingFailedError.aspx

Painful.

good luck.

Mick.

---

Mick Badran - http://blogs.breezetraining.com.au/mickb

Answer 20

It seems the CRLs (certificate revocation lists) are not automatically checked in Azure SDK 1.8 any more. If you have a spam filter or proxy it can interfere with accessing the CRLs causing this exact message to appear. Prior to Azure SDK 1.8, ensure you can access the following CRLs...

http://crl.microsoft.com/pki/crl/products/tspca.crl

http://www.public-trust.com/cgi-bin/CRL/2018/cdp.crl

http://mscrl.microsoft.com/pki/mscorp/crl/mswww(5).crl

If you cannot access these CRLs then the service bus will fail to authenticate with ACS. The easy solution is to just upgrade to Azure SDK 1.8, but a temporary fix is ensuring proper access to the above domains from your IIS application pool. WebSense caused us 4 hours of grief since it chose to block public-trust.com flagging it as malicious.