WCF on windows service using SSL

  • Question


  • I have a Windows service on which I have hosted a WCF service, which has 2 endpoints: 1. NetTCP 2. HTTPS. The certificate I am using is issued to, for example: ab-prod-APP.Domain.Name

    Now when the service is hosted and I try to call the WCF service over HTTPS (using the URL https://ab-prod-app/WCFService) from a Windows application, it says certificate untrusted. But if I call the same service with the URL https://ab-prod-app.Domain.Name/WCFService, it works fine. How do I make it work without the domain name in the URL?
    Tuesday, July 4, 2017 2:10 PM

All replies

  • Hi Shishir,

    How did you define endpoint address?

    I would suggest you try to create a certificate which is issued to ab-prod-app and specify the endpoint address with https://ab-prod-app/WCFService.

    In addition, has your thread below been resolved? If it has, it would be appreciated if you could share your solution with us.

    https://social.msdn.microsoft.com/Forums/vstudio/en-US/ee381029-5532-4825-a35c-7240f6a27868/the-http-request-was-forbidden-with-client-authentication-scheme-anonymous?forum=wcf

    Regards,

    Edward



    Wednesday, July 5, 2017 5:11 AM
  • No, I am not allowed to change anything on the certificate side, as there is another WCF service (say RemoteWCF) which is being called from my WCF service (say LocalWCF), and it uses the same certificate which I am using for my LocalWCF (to host it on HTTPS), and it does not have a domain name but still it works. So I need to make this work without changing the certificate.

    Yes, I found a solution; I will update.

    Wednesday, July 5, 2017 6:40 AM
  • A potential solution is to override how the certificate is validated on the client. First place this somewhere before the call is made:

    ServicePointManager.ServerCertificateValidationCallback = RemoteCertificateValidationCallback;

    The following is a sample method so you will need to modify it to have your custom logic.

    // Requires: using System.Net; using System.Net.Security;
    //           using System.Security.Cryptography.X509Certificates;
    private static bool RemoteCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Return true if the server certificate is ok
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        bool acceptCertificate = true;

        // The server did not present a certificate
        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNotAvailable) == SslPolicyErrors.RemoteCertificateNotAvailable)
        {
            acceptCertificate = false;
        }
        else
        {
            // The certificate does not match the server name
            if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) == SslPolicyErrors.RemoteCertificateNameMismatch)
            {
                acceptCertificate = false;
            }

            // There is some other problem with the certificate
            if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) == SslPolicyErrors.RemoteCertificateChainErrors)
            {
                foreach (X509ChainStatus item in chain.ChainStatus)
                {
                    // Stop at the first status that is not a revocation-check status;
                    // only RevocationStatusUnknown and OfflineRevocation reach the check below
                    if (item.Status != X509ChainStatusFlags.RevocationStatusUnknown && item.Status != X509ChainStatusFlags.OfflineRevocation)
                        break;

                    if (item.Status != X509ChainStatusFlags.NoError)
                    {
                        acceptCertificate = false;
                    }
                }
            }
        }

        // Placeholder for custom logic: as written, this resets every rejection
        // above, so the callback accepts any certificate until it is modified
        if (acceptCertificate == false)
        {
            acceptCertificate = true;
        }

        return acceptCertificate;
    }


    Cheers, Jeff

    Thursday, July 6, 2017 12:45 AM
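
An added example, not code from any poster in this thread: one way to fill in the "custom logic" so the callback tolerates only a name mismatch, and only when the short host from the question presents the certificate name from the question. The class and method names are hypothetical, and the two constants are assumptions taken from the question text.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class ScopedCertificateValidation
{
    // Assumptions taken from the question: the short host name the client calls
    // and the name the existing certificate was issued to.
    const string ShortHost = "ab-prod-app";
    const string CertificateName = "ab-prod-APP.Domain.Name";

    // Pure decision function so the policy can be checked without a network call.
    public static bool IsAcceptable(string requestHost, string certDnsName, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;
        // Tolerate a name mismatch only, never a missing certificate or chain errors.
        if (errors != SslPolicyErrors.RemoteCertificateNameMismatch)
            return false;
        // ...and only for this one host presenting this one certificate name.
        return string.Equals(requestHost, ShortHost, StringComparison.OrdinalIgnoreCase)
            && string.Equals(certDnsName, CertificateName, StringComparison.OrdinalIgnoreCase);
    }

    public static bool Callback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
    {
        if (certificate == null)
            return false;
        // The sender is either the WebRequest being made or the host name as a string.
        var request = sender as HttpWebRequest;
        string host = request != null ? request.RequestUri.Host : sender as string;
        string dnsName = new X509Certificate2(certificate).GetNameInfo(X509NameType.DnsName, false);
        return IsAcceptable(host, dnsName, errors);
    }

    static void Main()
    {
        ServicePointManager.ServerCertificateValidationCallback = Callback;

        // Constructed inputs exercising the policy offline.
        var mismatch = SslPolicyErrors.RemoteCertificateNameMismatch;
        Console.WriteLine(IsAcceptable("ab-prod-app", "ab-prod-APP.Domain.Name", mismatch));
        Console.WriteLine(IsAcceptable("other-host", "ab-prod-APP.Domain.Name", mismatch));
        Console.WriteLine(IsAcceptable("ab-prod-app", "ab-prod-APP.Domain.Name",
            mismatch | SslPolicyErrors.RemoteCertificateChainErrors));
    }
}
```

Because the callback is process-wide, every HTTPS call the client makes passes through it; chain and revocation failures stay fatal for all hosts, including the one with the tolerated name mismatch.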