none
WCF ERROR: server certificate is not configured properly RRS feed

  • Question

  • I consume a SSL WCF service on a remote server. I have no control to the service as I am a consumer. I got the error:

    System.ServiceModel.CommunicationException: An error occurred while making the HTTP request to https://payments.acompany.com/aservice/aservice.svc. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
       at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
       at System.Net.TlsStream.CallProcessAuthentication(Object state)
       at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
       at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
       at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
       at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
       at System.Net.ConnectStream.WriteHeaders(Boolean async)
       --- End of inner exception stack trace ---
       at System.Net.HttpWebRequest.GetResponse()
       at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
       --- End of inner exception stack trace ---
    
    Server stack trace: 
       at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)
       at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
       at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
    

    I have to add the following code to make it work.

    System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Ssl3 
                                | System.Net.SecurityProtocolType.Tls 
                                | System.Net.SecurityProtocolType.Tls11
                                | System.Net.SecurityProtocolType.Tls12;

    My client side application app.config:

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
        <startup> 
            <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" />
        </startup>
     
        <system.serviceModel>
            <bindings>
                <basicHttpBinding>
                    <binding name="BasicHttpBinding_iaservice">
                        <security mode="Transport" />
                    </binding>
                </basicHttpBinding>
            </bindings>
            <client>
                <endpoint address="https://payments.acompany.com/aservice/aservice.svc"
                    binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_iaservice"
                    contract="iaservice" name="BasicHttpBinding_iaservice" />
            </client>
        </system.serviceModel>
    
    </configuration>

    The thing is other team members can access the service from their desktop except me. I followed this stackoverflow article to add a registry "UseScsvForTls" DWORD in the registry to 1. It is just not working. By the way, even I use WCFTestClient.exe tool I still can't communicate with the service. The error is

     Authentication failed because the remote party has closed the transport stream.

    More information, I opened certification by certmgr.exe. The image is:

    See my personal certification was expired already(the red box). Is it the issue?


    Thanks for help.





    • Edited by ardmore Wednesday, September 2, 2015 8:59 PM add image.
    Wednesday, September 2, 2015 8:12 PM

Answers

  • Hi ardmore,

    According to this case, And for this error >>This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Authentication failed because the remote party has closed the transport stream.

    I suggest you to check HttpConfig to see whether the correct IP address and port is mapped to the certificate, and whether the proper permission is set.

    Next may be you need to  install the client certificate to the server-side trusted store area.

    For more information, please refer to the following articles:

    1.How to: Configure a Port with an SSL Certificate

    2.Makecert.exe (Certificate Creation Tool)

    I hope that will be helpful to you.

    Best Regards,

    Grady

    Thursday, September 3, 2015 12:08 PM
    Moderator
  • The by the way is totally misplaced... the articles work with every Windows version! you need the makecert.exe (part of Windows SDK) though. the netsh command is standard in windows.

    Netsh can only be executed successfully with administrator privileges.

    None the less... when writing a client it should not be related to netsh or makecert or httpcfg (since these tools are used to create a listening on a port and set the certificate on it and not for creating a connection to an already open port [on the services side])

    Now to the Problem at hand, are you adding the Certificate (which is used by the Service for authentication) to your ServiceClient? If not... try that first.

    It is possible via code or app.conf.

    Another thing... if others can, why dont you use that program or the code to from it?

    Also, if your Certificate is expired (assuming this is the one that is used to authenticate you at the service) then of course it cannot work. An expired Certificate is NOT valid.

    happy coding




    Thursday, September 3, 2015 1:41 PM

All replies

  • Hi ardmore,

    According to this case, And for this error >>This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Authentication failed because the remote party has closed the transport stream.

    I suggest you to check HttpConfig to see whether the correct IP address and port is mapped to the certificate, and whether the proper permission is set.

    Next may be you need to  install the client certificate to the server-side trusted store area.

    For more information, please refer to the following articles:

    1.How to: Configure a Port with an SSL Certificate

    2.Makecert.exe (Certificate Creation Tool)

    I hope that will be helpful to you.

    Best Regards,

    Grady

    Thursday, September 3, 2015 12:08 PM
    Moderator
  • @tracymgrady,

    It is not a self host WCF. The service is on a remote server and other people can access it. So it is not server side issue. And it is not wsHttpbinding, it is BasicHttpbinding.

    By the way, my desktop is Windows 7. The article you provided is for other systems.

    Thursday, September 3, 2015 12:26 PM
  • The by the way is totally misplaced... the articles work with every Windows version! you need the makecert.exe (part of Windows SDK) though. the netsh command is standard in windows.

    Netsh can only be executed successfully with administrator privileges.

    None the less... when writing a client it should not be related to netsh or makecert or httpcfg (since these tools are used to create a listening on a port and set the certificate on it and not for creating a connection to an already open port [on the services side])

    Now to the Problem at hand, are you adding the Certificate (which is used by the Service for authentication) to your ServiceClient? If not... try that first.

    It is possible via code or app.conf.

    Another thing... if others can, why dont you use that program or the code to from it?

    Also, if your Certificate is expired (assuming this is the one that is used to authenticate you at the service) then of course it cannot work. An expired Certificate is NOT valid.

    happy coding




    Thursday, September 3, 2015 1:41 PM