CardSpace 3.5 and CertificateValidationMode

  • Thursday, November 29, 2007 10:09 AM

    I have an STS with the following binding and behavior:

    Code Block

    <customBinding>
      <binding name="X509Binding">
        <security authenticationMode="CertificateOverTransport" />
        <httpsTransport requireClientCertificate="false" />
      </binding>
    </customBinding>

    ...

    <behavior name="Behavior_Name">
      <serviceMetadata httpsGetEnabled="true" />
      <serviceCredentials>
        <serviceCertificate .... />
        <clientCertificate>
          <authentication mapClientCertificateToWindowsAccount="true" includeWindowsGroups="true" certificateValidationMode="PeerTrust" />
        </clientCertificate>
        <issuedTokenAuthentication allowUntrustedRsaIssuers="false" />
      </serviceCredentials>
    </behavior>

    I use a card bound to a private X.509 certificate to authenticate to my STS.

    This service has been running for months in production and dev environments.

    A few days ago, I installed .NET Framework 3.5 on the DEV web server and Visual Studio 2008 on my development computer. I converted the TargetFramework to 3.5 for the host project, and then published it to the DEV web server.

    Since then, I cannot authenticate to the STS. Here is the exception:

    System.IdentityModel.Tokens.SecurityTokenValidationException:
    The X.509 certificate chain building failed. The certificate that was used has a chain trust that cannot be verified.
    ......
    A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider

    Stack Trace:

    Code Block

    System.IdentityModel.Selectors.X509CertificateChain.Build(...)
    System.IdentityModel.Selectors.X509CertificateValidator.ChainTrustValidator.Validate(X509Certificate2 certificate)
    System.IdentityModel.Selectors.X509SecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token)
    System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token)
    System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(......)
    .....
    System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message message, TimeSpan timeout)

    So, this error is normal for the ChainTrust validation mode.
    But I use PeerTrust!
    So ValidateTokenCore should normally call the PeerTrustValidator.Validate() method, and not the ChainTrustValidator one.

    I don't know if it's linked to .NET Framework 3.5, but all that stuff was working great a few days ago...

All Replies

  • Thursday, November 29, 2007 4:45 PM

    I have tried a custom X509CertificateValidator, overriding Validate() with nothing inside the method, to validate all certificates.

    But I get the same exception, with the same stack trace showing a call to ChainTrustValidator.Validate(...).

  • Monday, December 03, 2007 12:47 PM

    I've recovered the VS2005 version of my project, just imported it into VS 2008 and deployed it "as is" (without changing the Target Framework to 3.5).

    So, to summarize, on my client station, I have VS2008 + CardSpace 3.5.
    On my test web server (where the STS is), I have .NET Framework 3.0. For the service configuration, see the first post.

    All works well.

    If I install .NET Framework 3.0 SP1 on the test web server and then restart IIS, I get the exception (see first post).
    If I uninstall .NET Framework, reinstall the 3.0 version, and restart IIS, all works well...
    I've tried several times to be sure (uninstalling 3.0 SP1, installing 3.0, etc.). Only after applying SP1 is the certificate not validated.

    Is there a setting to change after applying SP1?

  • Tuesday, December 04, 2007 1:47 AM
     Answered

    Yes, there has been a change.
    When using map client cert to Windows account (mapClientCertificateToWindowsAccount=true), WCF now enforces stricter validation on the client cert (namely chain validation).

    Thanks,
    Rakesh
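
    Two ways to bring the configuration from the first post into line with the behaviour Rakesh describes. This is an added example, not configuration taken from the thread: the attribute names are those of WCF's clientCertificate/authentication element, the store names are the standard Windows ones, and which option applies depends on whether the STS actually needs the mapped Windows principal.

```xml
<!-- Option A: keep the Windows-account mapping and make the enforced chain trust explicit.
     The card's issuing chain must then resolve from the STS host's LocalMachine stores
     (root CA in Trusted Root Certification Authorities, any intermediate in Intermediate
     Certification Authorities), and the CRL/OCSP endpoints of that chain must be reachable
     from the host. revocationMode="NoCheck" skips that lookup, at the cost of accepting
     revoked cards. -->
<clientCertificate>
  <authentication certificateValidationMode="ChainTrust"
                  revocationMode="Online"
                  trustedStoreLocation="LocalMachine"
                  mapClientCertificateToWindowsAccount="true"
                  includeWindowsGroups="true" />
</clientCertificate>

<!-- Option B: keep PeerTrust by dropping the mapping. The card's certificate itself must
     then be in the LocalMachine Trusted People store, and the service sees the caller's
     X.509 identity rather than a Windows principal. -->
<clientCertificate>
  <authentication certificateValidationMode="PeerTrust"
                  trustedStoreLocation="LocalMachine"
                  mapClientCertificateToWindowsAccount="false" />
</clientCertificate>
```

    Either fragment replaces the clientCertificate element inside serviceCredentials in the behavior shown in the first post; the rest of that behavior is unchanged.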

     

     

  • Tuesday, December 04, 2007 3:18 PM

    Woooow!
    I think that to comply with the ChainTrustValidator, the issuer certificate must also have the Client Authentication key usage. And this is not the case for my CA certificate. I will have to see this with my security team...

    Is there any documentation on this change?
    Because I thought that we could upgrade from Framework 3.0 to Framework 3.0 SP1 without any changes...

    However, thanks a lot for your help, it's very time-saving for me!!

  • Tuesday, December 04, 2007 5:27 PM

    Is the revocationMode setting also forced automatically?

  • Wednesday, December 05, 2007 1:36 AM
    Yes.

    For the documentation, it is in the release process...
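
    A diagnostic to run on the STS host that rebuilds the card certificate's chain under the policy implied by the two answers above (chain trust forced by the Windows-account mapping, revocation checking forced along with it): it uses the LocalMachine stores and online revocation checking, which are the defaults of WCF's authentication element for trustedStoreLocation and revocationMode. This is an added example, not code from the thread or from WCF. It assumes the certificate the card presents has been exported to a .cer file given as the single command-line argument; the third pass, which additionally requires the chain to be valid for the Client Authentication application policy, exists only to test the hypothesis from the December 4 reply about the CA certificate's key usage.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic for the thread above; not code from the thread or from WCF.
// It rebuilds the client certificate's chain the way the SP1 behaviour implies:
// from the LocalMachine stores and with online revocation checking, which are the
// defaults of WCF's <authentication> element (trustedStoreLocation, revocationMode).
// Assumption for the example: the certificate the card presents has been exported
// to a .cer file whose path is the single command-line argument.
public static class ClientCertChainCheck
{
    // Client Authentication EKU (id-kp-clientAuth).
    private const string ClientAuthEku = "1.3.6.1.5.5.7.3.2";

    public static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: ClientCertChainCheck <client-cert.cer>");
            return 2;
        }
        X509Certificate2 cert = new X509Certificate2(args[0]);   // DER or Base64 .cer
        Console.WriteLine("Client certificate: {0}", cert.Subject);

        // Pass 1: trust only, i.e. ChainTrust with revocationMode="NoCheck".
        bool trusted = Report("chain trust, no revocation", cert, X509RevocationMode.NoCheck, false);
        // Pass 2: what the mapping forces in SP1: chain trust plus online revocation.
        bool withRevocation = Report("chain trust + online revocation", cert, X509RevocationMode.Online, false);
        // Pass 3: additionally require validity for the Client Authentication application
        // policy, to test the hypothesis about the CA certificate's key usage.
        Report("chain trust + online revocation + client-auth policy", cert, X509RevocationMode.Online, true);
        return (trusted && withRevocation) ? 0 : 1;
    }

    // Builds the chain under the given policy, prints every element with its EKU and
    // status, and returns whether the chain was accepted.
    private static bool Report(string label, X509Certificate2 cert,
                               X509RevocationMode mode, bool requireClientAuth)
    {
        // true = LocalMachine context: the stores a service running under IIS sees.
        // A CA imported into the developer's CurrentUser store is not consulted.
        X509Chain chain = new X509Chain(true);
        chain.ChainPolicy.RevocationMode = mode;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        if (requireClientAuth)
            chain.ChainPolicy.ApplicationPolicy.Add(new Oid(ClientAuthEku));

        bool ok = chain.Build(cert);
        Console.WriteLine();
        Console.WriteLine("[{0}] {1}", label, ok ? "OK" : "FAILED");
        foreach (X509ChainElement element in chain.ChainElements)
        {
            Console.WriteLine("  {0}", element.Certificate.Subject);
            Console.WriteLine("    thumbprint: {0}", element.Certificate.Thumbprint);
            Console.WriteLine("    EKU: {0}", DescribeEku(element.Certificate));
            foreach (X509ChainStatus s in element.ChainElementStatus)
                Console.WriteLine("    {0}: {1}", s.Status, s.StatusInformation.Trim());
        }
        // Overall status. UntrustedRoot is the "not trusted by the policy provider" case
        // from the first post; PartialChain means an intermediate could not be found;
        // RevocationStatusUnknown / OfflineRevocation mean the CRL or OCSP responder was
        // not reachable from this host, which Online mode treats as a failure.
        foreach (X509ChainStatus s in chain.ChainStatus)
            Console.WriteLine("  => {0}", s.Status);
        return ok;
    }

    // Reports the Enhanced Key Usage extension of a certificate. A CA certificate that
    // carries an EKU extension restricts the usages of the certificates below it when an
    // application policy is checked (pass 3).
    private static string DescribeEku(X509Certificate2 c)
    {
        foreach (X509Extension ext in c.Extensions)
        {
            X509EnhancedKeyUsageExtension eku = ext as X509EnhancedKeyUsageExtension;
            if (eku == null)
                continue;
            foreach (Oid oid in eku.EnhancedKeyUsages)
                if (oid.Value == ClientAuthEku)
                    return "present, includes Client Authentication";
            return "present, WITHOUT Client Authentication";
        }
        return "none (valid for any purpose)";
    }
}
```

    Run it on the STS host, ideally under the application pool identity, since the ChainTrustValidator in the stack trace builds the chain in that same context. UntrustedRoot in the output means the issuing root is missing from the host's LocalMachine Trusted Root store (certutil -addstore Root ca.cer, run elevated, imports it); PartialChain points at a missing intermediate (certutil -addstore CA intermediate.cer); RevocationStatusUnknown or OfflineRevocation means the chain's CRL distribution point or OCSP responder cannot be reached from the host, which is exactly what the forced Online revocation mode turns into an authentication failure, so either open that path from the server or choose revocationMode="NoCheck" as an explicit trade-off.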

  • Monday, October 04, 2010 6:15 PM
    WCF (Windows Communication Foundation) now enforces stricter validation on the client cert.
  • Friday, September 23, 2011 3:04 PM
    With this in place my WCF client could now talk to the service endpoint again.