none
WCF Message Security

    Question

  • Dear All,

       I am working with WCF Message Security. I have configured Service and Client Certificates.

     These certificates are assigned to respective project programatically. These certificates are viewed in Certmgr.msc as well. But when I run application I get the follwoing exception:

     

     

    "The caller was not authenticated by the service".

     

    I am using VISTA RTM. Can anybody solve my problem.

     

    Thanks

     

    MaheshBabu

    Monday, April 23, 2007 11:40 AM

All replies

  • You haven't provided the service side authentication exception, the binding you're using, or described how the certificates were created, so it's not clear what the problem is.  Without this information, providing a solution is difficult.  You might also find the answer you're looking for by using the search function to review existing threads about how X509 certificates work.
    Monday, April 23, 2007 3:38 PM
  • I am using followinf code to create service and client ceritificates

     

    Service-->

    makecert.exe -sr CurrentUser -ss My -a sha1 -n CN=localhost -sky

    exchange -pe

    certmgr.exe -add -r CurrentUser -s My -c -n localhost -r CurrentUser -s

    TrustedPeople

     

     

    Client -->

    makecert.exe -sr CurrentUser -ss My-a sha1 -n CN=WCFUser -sky

    exchange -pe

    certmgr.exe -add -r CurrentUser -s My -c -n WCFUser -r CurrentUser -s

    TrustedPeople

     

     

    Following is the code in host to assigncertificate to Service:

     

    Uri address = new Uri("http://localhost:8001/TradeService");

    WSHttpBinding binding = new WSHttpBinding();

    //Set the Security Mode

    binding.Security.Mode = SecurityMode.Message;

    binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

    Type contract = typeof(ExchangeService.ITradeService );

    ServiceHost host = new ServiceHost(typeof(ExchangeService.TradeService));

    host.AddServiceEndpoint(contract,binding,address );

    //Set the Certificate

    host.Credentials.ServiceCertificate.SetCertificate(

    StoreLocation.CurrentUser,

    StoreName.My,

    X509FindType.FindBySubjectName,

    "localhost");

    host.Open();

     

    following is the code on client side:

     

    EndpointAddress address = new EndpointAddress("http://localhost:8001/TradeService");

    WSHttpBinding binding = new WSHttpBinding();

    binding.Security.Mode = SecurityMode.Message;binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;ChannelFactory<ITradeService> cf = new ChannelFactory<ITradeService>(binding,address );

    //Set the Client Certificate

    cf.Credentials.ClientCertificate.SetCertificate

    (StoreLocation.CurrentUser,StoreName.My,X509FindType.FindBySubjectName,"WCFUser"); //Set the Server Certificate

    cf.Credentials.ServiceCertificate.SetDefaultCertificate

    (StoreLocation.CurrentUser,StoreName.My,X509FindType.FindBySubjectName,"localhost");

     

     

    Thanks

    REgards

     

    Maheshbabu

     

    Wednesday, April 25, 2007 5:26 AM
  • you are doing mutual certificate authentication right!,

    try to disable the credential negotiation and the establishment of a security context as you are provinding the certificate out of band for the client.

     

    so on the server and client side do :

     

    binding.Security.Message.NegotiateServiceCredential = false;

    binding.Security.Message.EstablishSecurityContext = false;

     

     

    for further fun reading:

    http://msdn2.microsoft.com/en-us/library/ms733102.aspx

     

     

    hth, Allan

    Wednesday, April 25, 2007 7:17 AM
  • Dear Allan,

       I tried the way it is suggested, but now I am getting the follwoing errot from the client. My Service is running fine.

     



    "An unsecured or incorrectly secured fault was received from the other party. See
     the inner FaultException for the fault code and detail.System.ServiceModel.Faul
    tException: At least one security token in the message could not be validated."

     

     

    Waiting for the solution

     

    REgards

     

    MaheshBabu


     

    Wednesday, April 25, 2007 8:39 AM
  • hmm

    your client code :

    cf.Credentials.ServiceCertificate.SetDefaultCertificate

    (StoreLocation.CurrentUser,StoreName.My,X509FindType.FindBySubjectName,"localhost");

     

    change the StoreName.My to StoreName.TrustedPeople ?

     

     

    Allan

    Wednesday, April 25, 2007 9:27 AM
  • Client -->

    makecert.exe -sr CurrentUser -ss My-a sha1 -n CN=WCFUser -sky exchange -pe

     

    this will actually create a store name called My-a, if this is the exact  command you executed then make a space between My-a .....e.i My -a

     

    Wednesday, April 25, 2007 9:37 AM
  • Thanks Allan,

       I have made the necessary changes as mentioned by you, but still the problem persists with the same error message.

    I have changed store location to Trusted People and specified My -a insted of My-a, but still the problem persists.

     

    IS this becauses I am using VISTA, I am not sure but does VISTA have some issues with Certifications.

     

    Now I am  not  getting what to do?

     

    Can you please mail me any Demo if you have it with you?

     

    Thanks

     

    MahehBabu

    Wednesday, April 25, 2007 10:58 AM
  • ok I created 2 config file that should reassemble your current service contract e.g ExchangeService.ITradeService etc.

     

     use these config files here with out your code and see if this helps..

     

    first your certs: which is what you did in the first place.

     

    //server

    makecert.exe -sr CurrentUser -ss My -a sha1 -n CN=TradeService -sky exchange -pe

    certmgr.exe -add -r CurrentUser -s My -c -n TradeService -r CurrentUser -s TrustedPeople

     

     //client

    makecert.exe -sr CurrentUser -ss My -a sha1 -n CN=WCFUser -sky exchange -pe

    certmgr.exe -add -r CurrentUser -s My -c -n WCFUser -r CurrentUser -s TrustedPeople

     


     

    [Server side config file]

     

    <?xml version="1.0" encoding="utf-8" ?>

    <configuration>

    <system.serviceModel>

    <services>

    <service name="ExchangeService.TradeService"

    behaviorConfiguration="Tradebehavior">

    <endpoint address="http://localhost:8001/TradeService"

    binding="wsHttpBinding"

    bindingConfiguration="wsTradeBinding"

    contract="ExchangeService.ITradeService" />

    </service>

    </services>

    <bindings>

    <wsHttpBinding>

    <binding name="wsTradeBinding">

    <security mode="Message">

    <message clientCredentialType="Certificate" />

    </security>

    </binding>

    </wsHttpBinding>

    </bindings>

    <behaviors>

    <serviceBehaviors>

    <behavior name="Tradebehavior">

    <serviceCredentials>

    <serviceCertificate findValue="TradeService"

    x509FindType="FindBySubjectName"

    storeLocation="CurrentUser"

    storeName="TrustedPeople" />

    <clientCertificate>

    <authentication certificateValidationMode="PeerTrust" />

    </clientCertificate>

    </serviceCredentials>

    </behavior>

    </serviceBehaviors>

    </behaviors>

    </system.serviceModel>

    </configuration>

     

    [client side config file]

     

    <?xml version="1.0" encoding="utf-8"?>

    <configuration>

    <system.serviceModel>

    <client>

    <endpoint address="http://localhost:8001/TradeService"

    binding="wsHttpBinding"

    bindingConfiguration="clientConfig"

    behaviorConfiguration="clientBehavior"

    contract="ITradeService">

    <identity>

    <certificateReference findValue="TradeService"

    x509FindType="FindBySubjectName"

    storeLocation="CurrentUser"

    storeName="TrustedPeople" />

    </identity>

    </endpoint>

    </client>

    <bindings>

    <wsHttpBinding>

    <binding name="clientConfig">

    <security mode="Message">

    <message clientCredentialType="Certificate" />

    </security>

    </binding>

    </wsHttpBinding>

    </bindings>

    <behaviors>

    <endpointBehaviors>

    <behavior name="clientBehavior">

    <clientCredentials>

    <clientCertificate findValue="WCFUser"

    x509FindType="FindBySubjectName"

    storeLocation="CurrentUser"

    storeName="TrustedPeople" />

    <serviceCertificate>

    <authentication certificateValidationMode="PeerOrChainTrust" />

    </serviceCertificate>

    </clientCredentials>

    </behavior>

    </endpointBehaviors>

    </behaviors>

    </system.serviceModel>

    </configuration>

     

    Vista should have no issues regarding certificates.

     

    if this fails also, please provide me with your code as it is now and output from the client/server tracelog.

     

    Allan

    Wednesday, April 25, 2007 11:44 AM
  • Dear Allan,

     

    Thanks a Lot!!!!!!!!!!!!!!!!

       the solution works for me.

     

    Now I am trying the same thing for "UserName" Token. Lets see wheather it works there or not.

     

    In fact I tried but it is giving me exeption

    "The username is not provided. Specify username in ClientCredentials."

    Here I am using the same certificate. I think It should be possible to use same certificate for Certificate and UserName token.

     

    (Tell me wheather I am correct or wrong).

     

    If any problem I will again request you.

     

    Thanks

     

    Regards

    MaheshBabu 

    Thursday, April 26, 2007 6:24 AM
  • Dear Allan,

    I have a similar problem, so I've tried your code however I am getting the following exception:

    Cannot find the X.509 certificate using the following search criteria: StoreName 'TrustedPeople', StoreLocation 'CurrentUser', FindType 'FindBySubjectName', FindValue 'TradeService'.

    Thank you,
    Monday, July 23, 2007 9:18 AM