WCF service broken after upgrade to 4.5 on client machine RRS feed

  • Question

  • <?xml version="1.0" encoding="utf-8" ?>
        <add key ="ProviderManagerTraceOn" value ="true"/>    
        <!-- Use DPAPI with a user store to encrypt sensitive information in this config - see - %WinDir%\Microsoft.NET\Framework\<versionNumber> -->
                <add useMachineProtection="false" keyEntropy="" name="MessagingServiceDataProtectionConfigurationProvider" type="System.Configuration.DpapiProtectedConfigurationProvider, System.Configuration, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
            <!-- Configure the Custom Membership Provider -->
            <membership defaultProvider="CustomMembershipProvider">
                    <add name="CustomMembershipProvider"
                         type="xxxx.Messaging.CustomMembershipProvider, xxxx.Framework35"/>
            <!-- Configure the Custom Role Provider -->
            <roleManager enabled ="true" defaultProvider ="CustomRoleProvider" >
                    <add name ="CustomRoleProvider"
                         type="xxxx.Messaging.CustomRoleProvider, xxxx.Framework35"/>
            <!-- Configure debugging. True enables stepping into service code from the client.-->
            <compilation debug="false" />
             <customErrors mode="Off"/>
        <!-- WCF configuration -->
                     <!--use base address provided by host -->
                <endpoint address=""
                        contract="Relay.Messaging.IMessagingService" />
                        <endpoint address="mex"
                        contract="IMetadataExchange" />
                <!-- Set up a binding that uses Username as the client credential type -->
                    <binding name="MessagingServiceBehaviorBindingConfiguration" maxReceivedMessageSize="10485760" maxBufferPoolSize="10485760">
                        <security mode ="Message">
                            <message clientCredentialType ="UserName" negotiateServiceCredential="true" />
                        <!--ReaderQuotas provide basic validation of the message requests and reduce threat from DOS attack. These may need to be increased to enable larger message sizes on a host-->
                            maxNameTableCharCount="16384" />
                <!-- Configure this custom binding to prevent message replays at the service -     see
                Note that client systems whose clock differs from the service clock by more than maxClockSkew will be rejected.
                    <binding name="ReplayMessageBindingConfiguration">
                        <textMessageEncoding />
                                replayWindow="00:05:00" />
                            <secureConversationBootstrap />
                        <httpTransport />
                    <behavior name="MessagingServiceBehavior">
                        <!-- Configure role based authorization to use the Custom Role Provider -->
                        <serviceAuthorization principalPermissionMode ="UseAspNetRoles"
                                roleProviderName ="CustomRoleProvider" />
                            <!-- Configure user name authentication to use the Custom Membership Provider -->
                            <userNameAuthentication userNamePasswordValidationMode ="MembershipProvider"
                                membershipProviderName ="CustomMembershipProvider"/>
                            <!-- Configure the service certificate.
                            Note, findValue should be changed to the subject value of the service certificate. The certificate is used to authenticate the server and
                            the subject must be the host name (e.g. xxxx or contained in the service address URI used by clients to connect
                            to the service (e.g. xxxx\MessagingService.svc).
                            <serviceCertificate storeLocation ="LocalMachine"
                                storeName ="My"
                                x509FindType ="FindBySubjectName"
                                findValue =""/>
                        <!--For debugging purposes set the includeExceptionDetailInFaults attribute to true-->
                        <serviceDebug includeExceptionDetailInFaults="true" />
                        <!--Expose Mex endpoints only in development environments - change httpGetEnabled to True.
                        In production, clients can be blocked from accessing WSDL - change httpGetEnabled to False.
                        See -->
                        <serviceMetadata httpGetEnabled="True" />
                        <!--Configure serviceSecurityAudit to enable/disable security auditing -
                        see -->
                            messageAuthenticationAuditLevel="Failure" />
              <!-- Specify throttling behavior
              maxConcurrentCalls      = default should be 16*processor count
              maxConcurrentInstances  = default should be 100*processor count
              maxConcurrentSessions   = default shoudl be 116*processor count
              <serviceThrottling maxConcurrentCalls="100"     
        <!--Configure logging for debugging purposes using attributes of the messageLogging element. Note that the log folder must exist. svclog files can be inspected using the Microsoft Service Trace Viewer-->
                <source name="System.ServiceModel"
                        switchValue="Verbose, ActivityTracing"
                        propagateActivity="true" >
                        <add name="xml"/>
                <source name="System.ServiceModel.MessageLogging">
                        <add name="xml"/>
                <add name="xml"
                           initializeData="C:\logs\MessagingService.svclog" />
            <diagnostics wmiProviderEnabled="true">
        <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
          <probing privatePath="bin\providers" />

    This is the config for a WCF service that works fine with .NET 4.0 installed. When a client has .NET 4.5 installed and targets 4.0 in the client application we get the error below.

    The xxx Messaging service host certificate could not be validated.::SOAP security negotiation with 'http://xxxx/xxxx/xxMessagingService.svc' for target 'http://xxxx/xxxx/xxMessagingService.svc' failed. The X.509 certificate xxxx is not in the trusted people store. The X.509 certificate xxxx chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain could not be built to a trusted root authority.

    Can anyone shed any light on what is happening here and why it works with the same setup when the service is called from <= .NET 4.0 but gives this error in .NET 4.5

    Tuesday, February 5, 2013 3:48 PM

All replies

  • Anyone?
    Friday, February 8, 2013 9:48 AM
  • Hi,

    From your information, I know it works very well in .net 4, but not work in .net 4.5.

    Can you please email on netfx45compat at Microsoft dot com( with following information:

    1. Code that reproduces the problem.

    2. Operating System


    Best Regards.

    Amy Peng
    MSDN Community Support | Feedback to us
    Develop and promote your apps in Windows Store
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Tuesday, February 12, 2013 4:56 AM
  • Did you have any luck getting this working?  I am running into the same issue with a service we have running.  It works fine under .NET 4 but upgrade to .NET 4.5 and I get the exact error message you are receiving.



    Thursday, May 16, 2013 4:49 PM