Question about certificate use on CustomToken SDK Sample

Question

  • Hi.

    I have a question about the sample located at \TechnologySamples\Extensibility\Security\CustomToken sample. I see that the custom token uses a certificate named 'localhost' on the service and client, and the service address is configured as 'http://localhost/servicemodelsamples/services.svc'.

    When I change the certificate on both the server and client, I get an error:

    System.ServiceModel.Security.MessageSecurityException: Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'localhost' but the remote endpoint provided DNS claim 'MyCert'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'MyCert' as the Identity property of EndpointAddress when creating channel proxy.

    MyCert being the certificate that replaced the 'localhost' certificate. I also get the same error when I configure the service address on the client by machine name instead of 'localhost', like: http://pcMyPC/servicemodelsamples/services.svc

    Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'pcMyPC' but the remote endpoint provided DNS claim 'localhost'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'localhost' as the Identity property of EndpointAddress when creating channel proxy.

    Must the certificate subject have the same name as the machine where the service is hosted? And how can I configure the "Identity property of EndpointAddress when creating channel proxy" programmatically on this sample?

    Thanks in advance,

    Matias.

    Tuesday, July 10, 2007 6:51 PM

Answers

  • We do some sanity checking on outgoing messages and yes, the cert needs to match the endpoint.

    You can fix this in config by setting the Identity of the endpoint.

    <endpoint
        address="http://ProxyService:8190/ProxyService"
        behaviorConfiguration="IssuedSamlTokenOverHttp"
        binding="customBinding"
        bindingConfiguration="IssuedSamlTokenOverHttp"
        contract="ICalculator"
        name="IssuedSamlTokenOverHttp">
      <identity>
        <dns value="MyCert"/>
      </identity>
    </endpoint>

    In code, something like:

    // Build the address with an explicit DNS identity so the identity check
    // compares against "MyCert" instead of the host name taken from the URL.
    PingServiceContractClient proxy = null;
    EndpointAddress serviceEndpointAddress = new EndpointAddress(
        new Uri(serviceHostAddress),
        EndpointIdentity.CreateDnsIdentity("MyCert"),
        (AddressHeaderCollection)null);
    proxy = new PingServiceContractClient(binding, serviceEndpointAddress);


    Wednesday, July 18, 2007 5:39 AM
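The answer above shows the DNS identity hard-coded as a string. The following is an added example, not code from the thread or from the SDK sample, showing two ways to make the client's expectation explicit instead of letting WCF derive it from the URL host: derive the DNS identity from the service certificate the client already trusts, or pin the exact certificate with an X.509 identity (stricter than a name match). It assumes the service certificate is installed in the client's CurrentUser\TrustedPeople store as the CustomToken sample does, and that `IPing`, `binding` and `serviceUrl` are the contract, binding and address of your own client (all three are placeholders).

```csharp
// Added example (not from the original thread or the SDK sample).
// Assumptions: service certificate present in CurrentUser\TrustedPeople;
// IPing, binding and serviceUrl are placeholders for the caller's own values.
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;

static class EndpointIdentityHelper
{
    // Looks up the service certificate by subject name in the client's trusted-peer store.
    public static X509Certificate2 FindServiceCertificate(string subjectName)
    {
        var store = new X509Store(StoreName.TrustedPeople, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectName, false);
            if (found.Count == 0)
                throw new InvalidOperationException(
                    "Service certificate '" + subjectName + "' not found in TrustedPeople.");
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }

    // Option 1: DNS identity taken from the certificate itself. WCF compares the
    // expected DNS identity with the DNS name carried by the service certificate,
    // so reading that name from the certificate avoids the mismatch with the URL host
    // that produces "Identity check failed for outgoing message".
    public static EndpointAddress AddressWithDnsIdentity(string serviceUrl, X509Certificate2 serviceCert)
    {
        string dnsName = serviceCert.GetNameInfo(X509NameType.DnsName, false);
        return new EndpointAddress(
            new Uri(serviceUrl),
            EndpointIdentity.CreateDnsIdentity(dnsName),
            (AddressHeaderCollection)null);
    }

    // Option 2: certificate identity. The client accepts only this exact certificate,
    // which is tighter than accepting any trusted certificate with a matching DNS name.
    public static EndpointAddress AddressWithCertificateIdentity(string serviceUrl, X509Certificate2 serviceCert)
    {
        return new EndpointAddress(
            new Uri(serviceUrl),
            EndpointIdentity.CreateX509CertificateIdentity(serviceCert),
            (AddressHeaderCollection)null);
    }
}

// Placeholder contract standing in for the sample's service contract.
[ServiceContract]
public interface IPing
{
    [OperationContract]
    string Ping(string text);
}

static class ClientProgram
{
    static void Main()
    {
        // Placeholder values; replace with the binding and address of your own client.
        Binding binding = new CustomBinding();
        string serviceUrl = "http://localhost/servicemodelsamples/services.svc";

        X509Certificate2 serviceCert = EndpointIdentityHelper.FindServiceCertificate("MyCert");
        EndpointAddress address = EndpointIdentityHelper.AddressWithCertificateIdentity(serviceUrl, serviceCert);

        ChannelFactory<IPing> factory = new ChannelFactory<IPing>(binding, address);
        IPing proxy = factory.CreateChannel();
        Console.WriteLine(proxy.Ping("hello"));
        ((IClientChannel)proxy).Close();
        factory.Close();
    }
}
```

Either option keeps the identity check enabled; the point is to state the identity the client expects rather than to suppress the check. The X.509 identity is the better default when the client already distributes the service certificate out of band, as this sample does, because a renamed or re-issued certificate with the same DNS name is then rejected.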