Thursday, November 29, 2007 10:09 AM
I have a STS with the following binding and behavior:Code Block
<security authenticationMode="CertificateOverTransport" />
<httpsTransport requireClientCertificate="false" />
<serviceMetadata httpsGetEnabled="true" />
<serviceCertificate .... />
<authentication mapClientCertificateToWindowsAccount="true" includeWindowsGroups="true" certificateValidationMode="PeerTrust" />
<issuedTokenAuthentication allowUntrustedRsaIssuers="false" />
I use a card binded to a private X509 certificate to authenticate to my STS.
This service is running for months in production and dev environments.
Few days ago, I have installed .NET Framework 3.5 on the DEV web server and Visual Studio 2008 on my development computer. I have converted the TargetFramework to 3.5 for the host project, and then publish it to the DEV web server.
Since, I cannot authenticate to the STS. Here is the exception:
The X.509 certificate chain building failed. The certificate that was used has a chain trust that cannot be verified.
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider
Stack Trace:Code Block
System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message message, TimeSpan timeout)
So, this error is normal for a ChainTrust validation mode.
But I use PeerTrust!
So the ValidateTokenCore should normally call the PeerTrustValidator.Validate() method, and not the ChainTrustValidator one.
I don't know if it's linked to .NET Framework 3.5, but all that stuff was working great few days ago...
Thursday, November 29, 2007 4:45 PM
I have tried with a custom X509CertificateValidator overriding the Validate() with nothing inside the method, to validate all certificates.
But I've got the same exception, with the same StackTrace showing a call to ChainTrustValidator.Validate(...)
Monday, December 03, 2007 12:47 PM
I've recovered the VS2005 version of my project, just imported it to VS 2008 and deploy "as is" (without changing Target Framework to 3.5).
So, to resume, on my client station, I have VS2008 + CardSpace 3.5.
On my test web server (where the STS is), I have .NET Framework 3.0. For the service configuration, see first post.
All works well.
If I install .NET Framework 3.0 SP1 on the test web server and then restart IIS, I have the exception (see first post).
If I desinstall .NET Framework, reinstall the 3.0 version, and restart IIS, all works well ....
I've tried several time to be sure (desinstalling 3.0 SP1, installing 3.0, etc). Only by applying SP1, the certificate is not validated.
Is there a setting to change after applying SP1?
Tuesday, December 04, 2007 1:47 AM
Yes, there has been a change.
When using map client cert to windows account (mapClientCertificateToWindowsAccount=true), WCF now enforces stricter validation on the client cert (namely chain validation).
Tuesday, December 04, 2007 3:18 PM
I think that to comply with ChainTrustValidator, the issuer certificate must have also the Client Authentication usage key. And this is not the case for my CA certificate. I will have to see this with my security team.......
Is there a documentation anywhere on this change?
Because, I thought that we could upgrade from Framework 3.0 to Framework 3.0 SP1 without any changes...
However, thanks a lot for your help, it's very time saving for me!!
Tuesday, December 04, 2007 5:27 PM
Is the revocationMode setting is also forced automatically?
Wednesday, December 05, 2007 1:36 AMYes.
For the documentation, it is in the release process...
Monday, October 04, 2010 6:15 PMWCF (Windows Communication Foundation) now enforces stricter validation on the client cert.
Friday, September 23, 2011 3:04 PM