Cannot add reference to SSL WCF service from specific machine.

    Question

  • I cannot add a reference to a WCF service that requires a client certificate.  I get the following error:

    There was an error downloading 'https://xxx.xxx.com'.
    The request failed with HTTP status 403: Forbidden.
    Metadata contains a reference that cannot be resolved: 'https://xxx.xxx.com/'.
    The HTTP request was forbidden with client authentication scheme 'Anonymous'.
    The remote server returned an error: (403) Forbidden.
    If the service is defined in the current solution, try building the solution and adding the service reference again.

    Just some more information:

    -There have been no problems adding the reference on ANY of our other machines.  Only the ones that I am using.  All other machines can add the reference in any IDE without problems.

    -I get the same error in VS2010 and VS2008

    -I have tried resetting my VS settings and reinstalling all of my IDEs

    -When adding the reference on other machines, the IDE will prompt for a client cert when adding the reference.  My IDEs do not prompt, though I have the cert installed.

    -I can browse (via Internet Explorer) to the service url and view the web page and the wsdl using the correct certificate.

    -When I try to add the service as a web reference, I get the same error.  I can also try to add a reference directly to the wsdl with the same errors, although I can actually view the service web page AND the wsdl from the web service preview window.  The "Add Reference" button is greyed out at this time.

    -I can add the reference successfully on another machine, check the solution into source control, and then pull the code onto the "broken" machine and the code will build and actually runs successfully, i.e. the reference works on the broken machine as long as it was added by a different machine.

    Any ideas?

    • Moved by Ji.ZhouModerator Monday, August 02, 2010 6:14 AM (From:Visual C# IDE)
    Friday, July 30, 2010 8:00 PM

All replies

  • Hi screamatamonkey,

    Based on your description, the problem is specific to one machine when you try adding a Service Reference against an https/SSL-secured WCF service. Also, you mentioned that you can correctly visit the metadata page when you access it directly through a web browser. Then, is there any warning when you use a web browser (IE) to visit the service page (or WSDL metadata page)? If there is a warning, it probably indicates that the SSL service certificate is not trusted on your client machine (or the server name doesn't match the certificate's subject name). Such a warning can be tolerated by a web browser, but might cause an error when you use tools to programmatically access the https endpoint. If this is the case, try verifying that the service SSL certificate has been installed in the trusted store on your client machine.

    Also, a possible workaround is that you can first use a web browser to visit the metadata WSDL page and save the WSDL document to local disk. Then, in the Visual Studio "Add Service Reference" wizard, use the WSDL metadata document on local disk to generate the proxy class.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Tuesday, August 03, 2010 4:01 AM
  • When I view the metadata page from IE there are no certificate errors/warnings, so the correct certificate is installed.  When I saved the WSDL to a file on my local machine and loaded it with Visual Studio, I received the following:

    The document was understood, but it could not be processed.
      - The WSDL document contains links that could not be resolved.
      - There was an error downloading 'https://******.com/****.svc?xsd=xsd0'.
      - The request failed with HTTP status 403: Forbidden.
    There was an error downloading 'C:\Users\*****\Desktop\********.xml/_vti_bin/ListData.svc'.
    Could not find a part of the path 'C:\Users\*****\Desktop\********.xml\_vti_bin\ListData.svc'.
    Could not find a part of the path 'C:\Users\*****\Desktop\********.xml\_vti_bin\ListData.svc'.
    Could not find a part of the path 'C:\Users\*****\Desktop\********.xml\_vti_bin\ListData.svc'.
    If the service is defined in the current solution, try building the solution and adding the service reference again.

    Tuesday, August 03, 2010 2:40 PM
  • Thanks for the reply,

    It seems the error is still due to the access to the external WSDL resource (at the https:// location).

    When you use a web browser to visit the metadata page of the WCF service (on the problem machine), does it prompt you to select a client certificate?  Also, is there any particular difference between the problem machine and the other working machines (such as operating system or IE version)? For Vista or Windows 7 machines that have UAC enabled, please make sure you've run the VS IDE in elevated mode. And you can verify whether the client certificates are installed in the correct certificate store on the machine (for the specific user's CurrentUser store).

    In addition, here is a blog entry which mentions the client certificate prompt option in the IE settings; you can also verify whether the setting is consistent among all the machines on your side (whether the problem machine has different settings).

    #Client Certificate Selection Prompt
    http://blogs.msdn.com/b/ieinternals/archive/2009/09/03/client-certificate-selection-prompt.aspx


    Thursday, August 05, 2010 4:04 AM
  • When I use a web browser it does indeed prompt me for a client certificate (like it's supposed to) which I can select from the dialog box.  I'm running windows 7 with UAC turned off.

    The problem is that my visual studio instance does not prompt me for a certificate (the working machines DO prompt), so either no certificate or the wrong certificate is passed to the service metadata page.  I have actually gone over to a different machine, installed the cert, and added the reference to VS running the same version of IDE and operating system as I am with no problems, which leads me to believe that there is some setting in my IDE that needs to be changed to fix the problem...I just don't know what/where it is.

    Thursday, August 05, 2010 2:28 PM
  • Hi,

    As the issue is specific to the Visual Studio IDE on that particular machine, I think you can try refreshing the IDE settings through the "Tools--->Import and Export Settings..." menu. You can first use Visual Studio on another working machine to export a good setting and import it on the problem machine.

    In addition, you can try switching the logon user (log on to the machine with a different account or a new account) and test the VS Add Service Reference to see whether it works.


    Monday, August 09, 2010 3:18 AM
  • Please help me,

    I have the same problem when I try to add a Service Reference for my SSL WCF service on Windows 7

    Service and client application are on the same machine

    There was an error downloading 'https://xxxxxxxxx.svc'.
    The request failed with HTTP status 403: Forbidden.
    Metadata contains a reference that cannot be resolved: 'https://xxxxxxxxx.svc'.
    The HTTP request was forbidden with client authentication scheme 'Anonymous'.
    The remote server returned an error: (403) Forbidden.
    If the service is defined in the current solution, try building the solution and adding the service reference again.

    I tried everything; I saw: http://blogs.msdn.com/b/imayak/archive/2008/09/12/wcf-2-way-ssl-security-using-certificates.aspx

    but I have not solved the problem

    Help!!!!!!!

    Wednesday, January 19, 2011 2:39 PM
  • Same problem here. I created a WCF service in VS2010 and published it to IIS7 (with the SSL setting Require Client Certificate); I was able to access the .svc from the browser after selecting a client certificate (self-signed) when prompted. Everything looked good until I tried to add the service reference from a client (no matter whether console or web client), then I got this dreadful error:

    There was an error downloading 'https://localhost:444/Demo/SecretService.svc'.

    The request failed with HTTP status 403: Forbidden.

    Metadata contains a reference that cannot be resolved: 'https://localhost:444/Demo/SecretService.svc'.

    The HTTP request was forbidden with client authentication scheme 'Anonymous'.

    The remote server returned an error: (403) Forbidden.

    If the service is defined in the current solution, try building the solution and adding the service reference again.

    I have spent a great amount of time on this issue and even opened a case with Microsoft Tech support and downloaded the suggested hotfix that supposedly targeted the issue, but this error is still not going away after I applied the hotfix. At this point, I am still working with a Microsoft senior engineer to get this resolved, and there is no solution that works yet.

    I will post updates if my case will be resolved. Until then, SOS! WCF security guru out there, are you listening?!

    bjs
    • Edited by shigangy Saturday, December 10, 2011 11:35 PM
    • Proposed as answer by AdamMSDN Friday, May 31, 2013 5:25 PM
    Saturday, December 10, 2011 11:34 PM
  • I solved the problem by saving the .wsdl and .xsd files from the web browser to the file system and changing the references in those files to the matching files. Then I successfully added a reference in Visual Studio to that file system .wsdl file.
    MarkoOkram


    • Edited by MarkoOkram Sunday, December 11, 2011 5:51 PM
    Sunday, December 11, 2011 5:50 PM
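
The workaround in the post above (save the .wsdl and .xsd files, then repoint their references at the local copies), sketched in Python as an added example that is not part of the original thread. The local file naming scheme, the host `svc.example.test` and the sample document are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# xsd:import/xsd:include use schemaLocation, wsdl:import uses location.
# Only metadata links (?xsd=... or ?wsdl...) are matched, so the
# soap:address endpoint, which must stay remote, is never touched.
_LINK = re.compile(
    r'\b(schemaLocation|location)="(https?://[^"]+\?(?:xsd|wsdl)(?:=[^"]*)?)"')

# Constructed sample: a trimmed WSDL as saved from the browser.
SAMPLE_WSDL = """<wsdl:definitions name="OrderService">
  <wsdl:import namespace="urn:orders"
      location="https://svc.example.test/Demo/OrderService.svc?wsdl=wsdl0"/>
  <wsdl:types><xsd:schema>
    <xsd:import namespace="urn:orders"
      schemaLocation="https://svc.example.test/Demo/OrderService.svc?xsd=xsd0"/>
    <xsd:import namespace="urn:types"
      schemaLocation="https://svc.example.test/Demo/OrderService.svc?xsd=xsd1"/>
  </xsd:schema></wsdl:types>
  <wsdl:service name="OrderService"><wsdl:port name="p">
    <soap:address location="https://svc.example.test/Demo/OrderService.svc"/>
  </wsdl:port></wsdl:service>
</wsdl:definitions>"""

def local_name(url):
    """Map '.../OrderService.svc?xsd=xsd0' to 'OrderService.xsd0.xsd'."""
    parts = urlsplit(url)
    base = parts.path.rsplit("/", 1)[-1].rsplit(".", 1)[0] or "service"
    query = parse_qs(parts.query, keep_blank_values=True)
    kind = "xsd" if "xsd" in query else "wsdl"
    ident = query[kind][0]  # empty for a bare '?wsdl'
    return f"{base}.{ident}.{kind}" if ident else f"{base}.{kind}"

def rewrite_links(document):
    """Return (rewritten_text, {remote_url: local_file}) for one document."""
    mapping = {}
    def swap(match):
        attr, url = match.group(1), match.group(2).replace("&amp;", "&")
        mapping[url] = local_name(url)
        return f'{attr}="{mapping[url]}"'
    return _LINK.sub(swap, document), mapping

if __name__ == "__main__":
    text, files = rewrite_links(SAMPLE_WSDL)
    for remote, local in files.items():
        print(f"save {remote} as {local}")
```

Saved .xsd files can themselves import further `?xsd=` documents, so each saved file needs the same pass before Visual Studio can resolve everything from disk.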
  • You may be able to use Fiddler to act as a man in the middle.  If you configure Fiddler to handle SSL traffic and to use your certificate, that may solve your problem.  I have used this tactic in the past and it has worked for me.

    Friday, May 31, 2013 5:27 PM