wsHttpBinding for .net Client works in windows 7 failes to build chain in windows 10 RRS feed

  • Question

  • Running a .net Windows Application {NOT UWP} 4 debug on Visual studio 2013  under the same credentials on a windows 7 machine and multiple windows 10 machines.

    Using same root certs and same intermediate certs, as well as same crl for both root and intermediate.

    Pointing to the web service.

    I get the following error on all windows 10 and works just fine on the windows 7.

    Microsoft what did you change????

    <ExceptionType>System.IdentityModel.Tokens.SecurityTokenValidationException, System.IdentityModel, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
    <Message>The X.509 certificate CN=MYCERT, chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation for the certificate.
    at System.IdentityModel.Selectors.X509CertificateChain.Build(X509Certificate2 certificate)
    at System.IdentityModel.Selectors.X509CertificateValidator.ChainTrustValidator.Validate(X509Certificate2 certificate)
    at System.IdentityModel.Selectors.X509SecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token)
    at System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token)
    at System.ServiceModel.Security.TlsnegoTokenProvider.ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation)
    at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnNegotiationComplete(SspiNegotiationTokenProviderState sspiState, RequestSecurityTokenResponse negotiationRstr, RequestSecurityTokenResponse authenticatorRstr)
    at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
    at System.ServiceModel.Security.IssuanceTokenProviderBase`1.GetNextOutgoingMessage(Message incomingMessage, T negotiationState)
    at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)

    Tuesday, July 19, 2016 8:49 PM


  • Hi 2Debug0,

    >> Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation for the certificate.

    Normally, this error is caused by that the certificate the server uses is not trusted on the client machine. I suggest you check the certificate in General tab of Certificate by double-clicking on the certificate in the file system or in the windows certificate store.

    You could try below ways.

    1. Make sure the service certificate is trusted on the client machine. For example install its issuer certificate in the trusted root store.
    2. Change the certificateValidationMode to None, and revocationMode to NoCheck

    You could refer the link below for more information.

    # Cryptic WCF error messages (part 4 of N)

    Best Regards,


    Note: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; Therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.

    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

    Wednesday, July 20, 2016 2:19 AM