Help on the error. The service certificate is not provided for target 'http://localhost/servicemodelsamples/service.svc'
I am using the WCF Sept CTP release, http://www.microsoft.com/downloads/details.aspx?familyid=C6636E90-26E6-44E0-8780-5D3CCD3D94ED&displaylang=en
I am running the Certificate sample
"C:\Program Files\Microsoft SDKs\Windows\v6.0\Samples\WCFSamples\TechnologySamples\Basic\Binding\WS\MessageSecurity\Certificate\CS"
The sample works fine with wsHttpBinding.
I changed the binding to "basicHttpBinding" both on server side and client side.
I get the following error:
The service certificate is not provided for target 'http://localhost/servicemodelsamples/service.svc'. Specify a service certificate in ClientCredentials.
From the SDK documentation: "For the BasicHttpBinding, the system requires that the server certificate be provided to the client out-of-band". Note that this is not required in the WSHttpBinding, since the service certificate is obtained via an (WS-SecureConversation) initial negotiation.
So, you must explicitly define the service certificate in the client credentials:
proxy.ClientCredentials.ServiceCertificate.SetDefaultCertificate(
    System.Security.Cryptography.X509Certificates.StoreLocation.LocalMachine,
    System.Security.Cryptography.X509Certificates.StoreName.My,
    System.Security.Cryptography.X509Certificates.X509FindType.FindBySubjectName,
    "localhost"); // subject name of the service certificate created by the sample's setup (matches the defaultCertificate findValue in the sample config)
// These two are needed if you don't have fully signed/trusted certs
proxy.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.PeerOrChainTrust;
proxy.ClientCredentials.ServiceCertificate.Authentication.TrustedStoreLocation = System.Security.Cryptography.X509Certificates.StoreLocation.LocalMachine;
The clientCredentials behavior allows one to define a certificate to present to a service.
A certificate is used by a client to authenticate itself to the service and provide message integrity.
This configuration references the "client.com" certificate installed during the setup instructions.
Setting the certificateValidationMode to PeerOrChainTrust means that if the certificate
is in the user's Trusted People store, then it will be trusted without performing a
validation of the certificate's issuer chain. This setting is used here for convenience so that the
sample can be run without having to have certificates issued by a certificate authority (CA).
This setting is less secure than the default, ChainTrust. The security implications of this
setting should be carefully considered before using PeerOrChainTrust in production code.
<authentication certificateValidationMode="PeerOrChainTrust" />
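The following client setup is an added example for this thread, not code from the SDK sample or from the answer above. It puts the answer's point into working form: with basicHttpBinding there is no negotiation, so the service certificate is set on ClientCredentials before the first call. It assumes the certificates that the sample's setup scripts create ("client.com" in CurrentUser\My, "localhost" in CurrentUser\TrustedPeople), that the generated proxy type is called CalculatorClient, and the service URL from the question. The RequireUnique check is an addition: it makes a missing or duplicated certificate fail with a clear message instead of the "service certificate is not provided" error.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example for this thread, not the SDK sample's own code. Assumed names:
// "client.com" / "localhost" certificates from the sample setup, CalculatorClient proxy.
static class CertificateClientSetup
{
    const string ServiceUrl = "http://localhost/servicemodelsamples/service.svc";

    // Resolve a certificate the way FindBySubjectName does, but insist on exactly one
    // match. A missing or duplicated certificate surfaces here as a clear exception
    // rather than as a confusing failure at call time.
    static X509Certificate2 RequireUnique(StoreLocation location, StoreName name, string subjectName)
    {
        var store = new X509Store(name, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = false: the sample certificates are self-issued and would fail chain validation.
            var matches = store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, false);
            if (matches.Count != 1)
            {
                throw new InvalidOperationException(string.Format(
                    "Expected exactly one certificate with subject '{0}' in {1}\\{2}, found {3}.",
                    subjectName, location, name, matches.Count));
            }
            return matches[0];
        }
        finally
        {
            store.Close();
        }
    }

    public static CalculatorClient CreateClient()
    {
        // Message security over basicHttpBinding. There is no WS-SecureConversation
        // negotiation here, so the client must know the service certificate before
        // the first message is sent.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Message);
        binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;

        var client = new CalculatorClient(binding, new EndpointAddress(ServiceUrl));

        // Fail early if the stores are not set up as the sample expects.
        RequireUnique(StoreLocation.CurrentUser, StoreName.My, "client.com");
        RequireUnique(StoreLocation.CurrentUser, StoreName.TrustedPeople, "localhost");

        // Certificate the client presents to the service (<clientCertificate> in config).
        client.ClientCredentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, "client.com");

        // Service certificate supplied out-of-band (<defaultCertificate> in config).
        // This is the setting the error message is asking for.
        client.ClientCredentials.ServiceCertificate.SetDefaultCertificate(
            StoreLocation.CurrentUser, StoreName.TrustedPeople, X509FindType.FindBySubjectName, "localhost");

        // PeerOrChainTrust accepts anything in TrustedPeople without chain validation.
        // Keep it for the self-issued sample certificates only; production clients should
        // leave the default ChainTrust and use a CA-issued service certificate.
        client.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerOrChainTrust;
        client.ClientCredentials.ServiceCertificate.Authentication.TrustedStoreLocation =
            StoreLocation.CurrentUser;

        return client;
    }
}
```

Create the proxy with CertificateClientSetup.CreateClient(), call the service, then Close() it; the credentials can only be changed before the first call opens the channel factory, which is why everything is set inside CreateClient.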
Ok, I found the answer. Thanks Pedro.
As Pedro mentioned, I had to add the server certificate at the client side. After adding the defaultCertificate line below, my sample worked.
FYI: out of the box, the certificate sample has a problem with the "FindPrivateKey.EXE" command. I recommend adding the SDK bin path to the PATH environment variable and removing the "%MSSDK%\bin\" prefix.
<clientCertificate findValue="client.com" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName" />
<defaultCertificate findValue="localhost" storeLocation="CurrentUser" storeName="TrustedPeople" x509FindType="FindBySubjectName" />
<authentication certificateValidationMode ="PeerOrChainTrust"/>
Read about "out-of-band negotiation" here: http://windowssdk.msdn.microsoft.com/en-us/library/ms733836.aspx
Hi Pedro Felix,
After searching for 7 hours I found this thread. I am also struggling with a similar exception.
I created a server and a client but I am setting the config through code as shown below.
var bindwsHttp = new WSHttpBinding();
bindwsHttp.Security.Mode = SecurityMode.Message;
bindwsHttp.Security.Message.NegotiateServiceCredential = false;
bindwsHttp.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
dynamic obj = Activator.CreateInstance(service, bindwsHttp, endpointaddress);
obj.ClientCredentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "e520069fafe87b2630137858af823ee44f729762"); //server Information
obj.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.PeerOrChainTrust;
obj.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine,StoreName.My,X509FindType.FindByThumbprint, "53b5be439a5b62421c5607e279ec78517b16cd8c"); // client information.
The proxy class object (obj) is successfully created, but while calling any method I am getting the following exception:
failed for outgoing message. The expected DNS identity of the remote endpoint was 'minint-7mde6d9.fareast.corp.microsoft.com' but the remote endpoint provided DNS claim 'tempCertServer'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'tempCertServer' as the Identity property of EndpointAddress when creating channel proxy.
Am I passing the arguments properly?
If yes, then where am I making a mistake?
Hope you will help me.
- Edited by Manikanta3 Monday, July 01, 2013 2:55 PM editing
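The code below is an added example for the identity error in the post above; it is not from that post. With NegotiateServiceCredential = false the wsHttpBinding client has the same out-of-band requirement as basicHttpBinding (it must already hold the service certificate), and WCF additionally checks the service's identity: by default it expects a DNS identity equal to the host in the endpoint URL, which is why a certificate whose subject is 'tempCertServer' is rejected. The exception suggests EndpointIdentity.CreateDnsIdentity("tempCertServer"); the example instead pins the identity to the certificate the client already holds, which is stricter because any certificate with that CN would satisfy a DNS identity. Assumptions: the service contract is ICalculator, the service certificate has been copied to the client's LocalMachine\My store, and the thumbprints are the two from the post (replace them with your own).

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example, not code from the post. Assumed: ICalculator contract, service
// certificate present in LocalMachine\My, thumbprints taken from the post.
static class PinnedIdentityClient
{
    const string ServiceUrl        = "http://localhost/servicemodelsamples/service.svc";
    const string ServiceThumbprint = "e520069fafe87b2630137858af823ee44f729762";
    const string ClientThumbprint  = "53b5be439a5b62421c5607e279ec78517b16cd8c";

    public static ChannelFactory<ICalculator> CreateFactory()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        // No in-band exchange of the service certificate: the client must be given it
        // explicitly, exactly as with basicHttpBinding.
        binding.Security.Message.NegotiateServiceCredential = false;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

        // A factory over the contract interface avoids Activator.CreateInstance/dynamic
        // and gives typed access to the credentials and endpoint before opening.
        var factory = new ChannelFactory<ICalculator>(binding, new EndpointAddress(ServiceUrl));
        ClientCredentials credentials = factory.Credentials;

        // Service certificate supplied out-of-band. SetDefaultCertificate throws if the
        // thumbprint matches zero or several certificates in the store.
        credentials.ServiceCertificate.SetDefaultCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, ServiceThumbprint);

        // Certificate the client signs with.
        credentials.ClientCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, ClientThumbprint);

        // PeerOrChainTrust only so self-issued test certificates are accepted; keep the
        // default ChainTrust with CA-issued certificates outside a test setup.
        credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerOrChainTrust;

        // Identity the client demands from the service. Without this WCF expects a DNS
        // identity equal to the URL host and fails with "Identity check failed". Pinning
        // to the resolved certificate is stricter than CreateDnsIdentity("tempCertServer").
        X509Certificate2 serviceCert = credentials.ServiceCertificate.DefaultCertificate;
        EndpointIdentity identity = EndpointIdentity.CreateX509CertificateIdentity(serviceCert);
        factory.Endpoint.Address = new EndpointAddress(new Uri(ServiceUrl), identity);

        return factory;
    }
}
```

Use it as factory.CreateChannel() to get an ICalculator proxy, and close the proxy via ((IClientChannel)proxy).Close() when done; the endpoint address and credentials must be set, as above, before the factory is opened by the first call.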