Certificate based authentication problems while communicating between 2 WCF services over Net.tcp

  • Question

  • Hi All,

    I know this issue has been raised in some other threads too, but most of the solutions have not yet worked for me.

    Basically I have two WCF services communicating over net.tcp which are working perfectly.

    I tried to implement certificate based authentication by using a self-signed certificate according to the method prescribed here.

    But the same is failing and I'm getting the "The X.509 certificate CN=DIN07005234 chain building failed." error.

    My server side service config looks like this:

    <behaviors>
      <serviceBehaviors>
        <behavior name="tradeServiceBehavior">
          <serviceCredentials>
            <clientCertificate>
              <!-- this part I added to resolve the issue, but it still persists -->
              <authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck" />
            </clientCertificate>
            <serviceCertificate findValue="TempKey" x509FindType="FindByIssuerName" storeLocation="LocalMachine" storeName="My" />
          </serviceCredentials>
          <serviceMetadata/>
        </behavior>
        <behavior name="returnFaults" />
        <behavior name="">
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <bindings>
      <netTcpBinding>
        <binding name="tcpbinding" .. portSharingEnabled="true">
          <security mode="Transport">
            <transport clientCredentialType="Certificate"></transport>
          </security>
          <readerQuotas ... />
        </binding>

    And I'm accessing this service from another service as:

    NetTcpBinding netTcpBinding = new NetTcpBinding(SecurityMode.Transport)
    {
        Security = { Mode = SecurityMode.Transport },
        ..
    };
    ..
    ChannelFactory<T> factory = new ChannelFactory<T>(netTcpBinding, endpointAddress);
    factory.Credentials.ClientCertificate.SetCertificate(
        System.Security.Cryptography.X509Certificates.StoreLocation.LocalMachine,
        System.Security.Cryptography.X509Certificates.StoreName.My,
        System.Security.Cryptography.X509Certificates.X509FindType.FindByIssuerName,
        "TempKey");

    Is there anything else I can try to get it working on my development environment?

    Wednesday, February 13, 2013 5:31 PM

All replies

  • Hi,

    To resolve the issue, there are two solutions:

    1. Add the certificate to Trusted Root Certification Authorities. But a CA certificate created with MakeCert.exe cannot work as a trusted CA even if it has been added to Trusted Root Certification Authorities.

    2. Change the default authentication mode with System.ServiceModel.Description.ClientCredentials in the endpointBehaviors.

    You can choose Custom (the X509CertificateValidationMode enum values are None, PeerTrust, ChainTrust, PeerOrChainTrust and Custom) and write a custom X509CertificateValidator.

    If you do not want to write a custom X509CertificateValidator, you can just set X509CertificateValidationMode to None in code (channelFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;) or in the config file:

    <endpointBehaviors>
      <behavior name="IgoreSvcCertValidation">
        <clientCredentials>
          <serviceCertificate>
            <authentication certificateValidationMode="None"/>
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>

    Best Regards.


    Haixia
    MSDN Community Support

    Thursday, February 14, 2013 9:23 AM
    Moderator
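The second option above mentions X509CertificateValidationMode.Custom with a custom X509CertificateValidator. The following C# is an added example and not code from this thread: it pins each side to the other peer's certificate thumbprint, so a MakeCert self-signed certificate is accepted without being placed in Trusted Root while validation is not switched off entirely as None would do. The class names, the thumbprint parameter and the factory/host variables are assumptions.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Accepts exactly one certificate, identified by thumbprint, and rejects all
// others. No chain is built, so a MakeCert self-signed certificate passes
// without being in Trusted Root, while any other certificate is refused.
public sealed class ThumbprintValidator : X509CertificateValidator
{
    private readonly string _expected;

    public ThumbprintValidator(string expectedThumbprint)
    {
        // Thumbprints copied from the certificate MMC snap-in contain spaces.
        _expected = expectedThumbprint.Replace(" ", string.Empty);
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (!string.Equals(certificate.Thumbprint, _expected,
                           StringComparison.OrdinalIgnoreCase))
        {
            // WCF surfaces this to the caller as a security fault.
            throw new SecurityTokenValidationException(
                "Unexpected peer certificate: " + certificate.Subject);
        }
    }
}

public static class PinnedCredentials
{
    // Client side: pin the service's certificate instead of setting None.
    public static void PinService<T>(ChannelFactory<T> factory, string thumbprint)
    {
        var auth = factory.Credentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new ThumbprintValidator(thumbprint);
    }

    // Service side: pin the client's certificate the same way.
    public static void PinClient(ServiceHost host, string thumbprint)
    {
        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new ThumbprintValidator(thumbprint);
    }
}
```

On each side pass the thumbprint of the certificate the other side presents (the TempKey certificate in this thread), which can be read from the Details tab of the certificate in the certificates MMC snap-in.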
  • Hi Haixia,

    thanks for the reply.

    I implemented the steps (in the second option) mentioned by you in both client and server. Unfortunately I'm now getting the following error, which seems a bit weird as the implementation is the same at both ends.

    Am I missing something here?

    The error I'm now getting is:

    The requested upgrade is not supported by 'net.tcp://../DataAccessLayer/DatabaseService.svc'. This could be due to mismatched bindings (for example security enabled on the client and not on the server).

    My Server config now looks like :

    ..
    ..
    <serviceCredentials>
      <clientCertificate>
        <authentication certificateValidationMode="None" />
      </clientCertificate>
      <serviceCertificate findValue="TempKey" x509FindType="FindByIssuerName" storeLocation="LocalMachine" storeName="My" />
    </serviceCredentials>
    ..
    ..
    <bindings>
      <netTcpBinding>
        <binding ..>
          <security mode="Transport">
            <transport clientCredentialType="Certificate"></transport>
          </security>
          <readerQuotas .../>
        </binding>

    And my client code looks like this:

    ChannelFactory<T> factory = new ChannelFactory<T>(netTcpBinding, endpointAddress);
    factory.Credentials.ClientCertificate.SetCertificate(
        System.Security.Cryptography.X509Certificates.StoreLocation.LocalMachine,
        System.Security.Cryptography.X509Certificates.StoreName.My,
        System.Security.Cryptography.X509Certificates.X509FindType.FindByIssuerName,
        "TempKey");
    factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
        X509CertificateValidationMode.None;

    Friday, February 15, 2013 1:41 PM
  • Hi,

    Please modify the service config so it is similar to the config I posted above. You can choose to use config or code; they are functionally equivalent.

    <behavior name="IgoreSvcCertValidation">
      <clientCredentials>
        <serviceCertificate>
          <authentication certificateValidationMode="None"/>
        </serviceCertificate>
      </clientCredentials>
    </behavior>

    And make sure the endpoint on the client side has the same configuration as the service.

    Best Regards.


    Haixia
    MSDN Community Support

    • Marked as answer by Rohan W Friday, February 22, 2013 9:57 AM
    Monday, February 18, 2013 9:32 AM
    Moderator
  • Thanks Haixia, :)

    Friday, February 22, 2013 9:58 AM