Could not establish trust relationship for the SSL/TLS secure channel with authority

  • Question

  • Previously, my MVC application worked fine with AD FS. After that, I added a WCF service which manages the database. The security mode for the federation binding is TransportWithMessageCredential. I can't request certificates issued by a trusted CA as I am just testing the function. When the UI accesses the WCF service to load data, the following exception is thrown. Is this exception raised because an untrusted CA is used? Please help me to resolve this.

    ERROR2013-04-27 04:58:43 – Could not establish trust relationship for the SSL/TLS secure channel with authority 'identity'.

    System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority 'identity'. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
       at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
       at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
       at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
       at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
       at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
       at System.Net.ConnectStream.WriteHeaders(Boolean async)
       --- End of inner exception stack trace ---
       at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
       at System.ServiceModel.Channels.HttpOutput.WebRequestHttpOutput.GetOutputStream()
       --- End of inner exception stack trace ---

    Saturday, April 27, 2013 9:17 AM

All replies

  • Hi Catherine..

    Can you share binding information from UI application's config file and service's config file?

    Thanks,

    Kishore.

    Saturday, April 27, 2013 9:35 AM
  • Thanks for reply. Following is the server configuration.

    <service name="WorkflowService.WFSampleService" behaviorConfiguration="MyBehavior1">
      <endpoint address="" binding="ws2007FederationHttpBinding" bindingConfiguration="MyWSFedBinding1"
        contract="WorkflowService.IWFSampleService"/>
    </service>
    <bindings>
      <ws2007FederationHttpBinding>
        <binding name="MyWSFedBinding1">
          <readerQuotas maxDepth="32" maxStringContentLength="200000" maxArrayLength="200000"
            maxBytesPerRead="20000" maxNameTableCharCount="16384" />
          <security mode="TransportWithMessageCredential">
            <message>
              <claimTypeRequirements>
                <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
                  isOptional="true" />
                <add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
                  isOptional="true" />
              </claimTypeRequirements>
              <issuer address="https://corp.sample.com/adfs/services/trust/13/kerberosmixed" />
              <issuerMetadata address="https://corp.sample.com/adfs/services/trust/mex" />
            </message>
          </security>
        </binding>
      </ws2007FederationHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="MyBehavior1">
          <serviceAuthorization serviceAuthorizationManagerType="WorkflowService.WFServiceAuthorizationManager, WorkflowService" />
          <federatedServiceHostConfiguration />
          <serviceMetadata httpsGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceCredentials>
            <serviceCertificate findValue="4761de6cdd7ec8dd7e023cadb6ffd55514a64079"
              storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>

    Client Configuration

    <microsoft.identityModel>
        <service saveBootstrapTokens="true">
          <audienceUris>
            <add value="https://test.sample.com:808/SampleCBI/" />
          </audienceUris>
          <federatedAuthentication>
            <wsFederation passiveRedirectEnabled="true"
              issuer="https://corp.sample.com/adfs/ls/"
              realm="https://test.sample.com:808/SampleCBI/"
              requireHttps="true" />
            <cookieHandler requireSsl="false" />
          </federatedAuthentication>
          <applicationService>
            <claimTypeRequired>
              <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
              <claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" />
            </claimTypeRequired>
          </applicationService>
          <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
            <trustedIssuers>
              <add thumbprint="c509c9d7c6335151ec080ea4fd1e6c1eee7732ec" name="http://corp.sample.com/adfs/services/trust" />
            </trustedIssuers>
          </issuerNameRegistry>
          <certificateValidation certificateValidationMode="None" />
        </service>
      </microsoft.identityModel>
      <system.serviceModel>
        <bindings>
          <customBinding>
            <binding name="https://corp.sample.com/adfs/services/trust/13/kerberosmixed">
              <security defaultAlgorithmSuite="Basic128" authenticationMode="KerberosOverTransport" requireDerivedKeys="false" securityHeaderLayout="Strict" includeTimestamp="true" keyEntropyMode="CombinedEntropy" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
                <localClientSettings cacheCookies="true" detectReplays="false" replayCacheSize="900000" maxClockSkew="00:05:00" replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00" sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true" timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
                <localServiceSettings detectReplays="false" issuedCookieLifetime="10:00:00" maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00" negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00" sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true" maxPendingSessions="128" maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
                <secureConversationBootstrap />
              </security>
              <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16" messageVersion="Default" writeEncoding="utf-8">
                <readerQuotas maxDepth="32" maxStringContentLength="2000000" maxArrayLength="2000000" maxBytesPerRead="200000" maxNameTableCharCount="16384" />
              </textMessageEncoding>
              <httpsTransport manualAddressing="false" maxBufferPoolSize="2000000" maxReceivedMessageSize="2000000" allowCookies="false" authenticationScheme="Anonymous" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" keepAliveEnabled="true" maxBufferSize="2000000" proxyAuthenticationScheme="Anonymous" realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false" useDefaultWebProxy="true" requireClientCertificate="false">
                <extendedProtectionPolicy policyEnforcement="Never" />
              </httpsTransport>
            </binding>
          </customBinding>
          <ws2007FederationHttpBinding>
            <binding name="WS2007FederationHttpBinding_IWFService" closeTimeout="01:01:00" openTimeout="01:01:00" receiveTimeout="01:10:00" sendTimeout="01:01:00" bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="200000000" maxReceivedMessageSize="200000000" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true">
              <readerQuotas maxDepth="320000" maxStringContentLength="200000000" maxArrayLength="200000000" maxBytesPerRead="200000000" maxNameTableCharCount="1638400" />
              <reliableSession ordered="true" inactivityTimeout="01:10:00" enabled="false" />
              <security mode="TransportWithMessageCredential">
                <message algorithmSuite="Default" issuedKeyType="SymmetricKey" negotiateServiceCredential="true">
                  <issuer address="https://corp.sample.com/adfs/services/trust/13/kerberosmixed" bindingConfiguration="https://corp.sample.com/adfs/services/trust/13/kerberosmixed" binding="customBinding">
                    <identity>
                      <servicePrincipalName value="http/corp.sample.com" />
                    </identity>
                  </issuer>
                  <issuerMetadata address="https://corp.sample.com/adfs/services/trust/mex" />
                  <tokenRequestParameters>
                    <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                      <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
                      <trust:KeySize xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</trust:KeySize>
                      <trust:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity" xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                        <wsid:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
                        <wsid:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
                      </trust:Claims>
                      <trust:KeyWrapAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
                      <trust:EncryptWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
                      <trust:SignWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
                      <trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
                      <trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
                    </trust:SecondaryParameters>
                  </tokenRequestParameters>
                </message>
              </security>
            </binding>
          </ws2007FederationHttpBinding>
        </bindings>
        <client>
          <endpoint address="https://test.sample.com:809/WFSampleService.svc" binding="ws2007FederationHttpBinding" bindingConfiguration="WS2007FederationHttpBinding_IWFService" contract="IWFSampleService" name="WS2007FederationHttpBinding_IWFService" />
        </client>
      </system.serviceModel>

    Sunday, April 28, 2013 2:29 AM
  • With the details you have provided,

    I assume you have done the things below.

    1. Created a certificate at the server where your Workflow service is hosted.

    2. Assigned it to the service (IIS Bindings for https).

    3. Copied the certificate to the client machine, and imported the certificate at the CLIENT in two places:

       a. Personal store (Optional, I guess)
       b. Trusted Publishers (Must)

    4. Used MMC (Microsoft Management Console) to import.

    Thanks,

    Kishore.

    Sunday, April 28, 2013 4:33 AM
  • Apologies..

    One small correction.

    It should be Trusted Root Certification Authorities, not Trusted Publishers.

    Sunday, April 28, 2013 4:43 AM
  • The service and Web UI are installed on the same server, and they share the same certificate.

    The certificate is installed under the Personal store by default. I imported the certificate into the Trusted Root... store manually.

    The AD FS is installed on the other server.

    In addition, the 'Identity' in the error message refers to the AD FS service name 'corp.sample.com', as follows:

    Could not establish trust relationship for the SSL/TLS secure channel with authority 'corp.sample.com'.

    I wonder why 'corp.sample.com' is used to establish the trust relationship for the SSL/TLS secure channel? Completely confused.

    Sunday, April 28, 2013 5:59 AM
  • Hi..

    In the client's config, under the <wsFederationHttpBinding> section, comment out the lines below and check.

    <identity>
       <servicePrincipalName value="http/corp.sample.com" />
    </identity>

    Alternatively, get the certificate from ADFS and add it to the trusted root on your machine.

    I have used ADFS in one of my projects, but not via Workflows. So I'm not sure if the above steps are valid.

    But give it a try. If it works, we will verify/find out why it is so :)

    Thanks,

    Kishore.

    Sunday, April 28, 2013 6:56 AM
  • Hi,

    Thanks for the conduct. Unfortunately, same error after trying.

    Not sure I am doing the right thing; please help confirm it.

    1. Open Certificates by running the command "mmc".

    2. Under "Local Computer" --> "Personal" --> "Certificates", find the certificate with which AD FS communicates. Export it with the private key. Type a password for the private key. Copy the .pfx file to the client server.

    3. Change to the client server and run "mmc". Import the ADFS certificate (.pfx) into the trusted root.

    Comment out the identity lines in web.config.

    Sunday, April 28, 2013 8:02 AM
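The two suggestions above (get the ADFS certificate and add it to the trusted root) and the import steps that follow them can be checked from the client machine before touching any certificate store. The script below is an added example in PowerShell, not code from the thread or from either poster. It opens a TLS handshake to each HTTPS endpoint named in the posted client config, builds the presented certificate's chain against the local machine's stores (this is the "validation procedure" in the exception), checks the host name, and only then adds an untrusted root, as a public .cer, to LocalMachine\Root. Host names come from the config; port 443 for ADFS, the use of certutil.exe, and the %TEMP% export path are assumptions. Run it elevated on the client.

```powershell
# Added example, not code from the thread. From the client machine it fetches the
# certificate each HTTPS endpoint presents, builds its chain against the local trust
# stores, checks the host name, and (optionally) adds an untrusted root to
# LocalMachine\Root. Host names come from the posted config; port 443 for ADFS is assumed.
Set-StrictMode -Version 2

function Get-RemoteTlsCertificate {
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept anything during this handshake so the leaf can be inspected;
        # trust is evaluated separately in Test-TlsEndpoint.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    } finally {
        $tcp.Close()
    }
}

function Test-TlsEndpoint {
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)
    $cert  = Get-RemoteTlsCertificate -HostName $HostName -Port $Port
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # lab setting; leave Online in production
    $chainOk = $chain.Build($cert)

    # X509Chain does not check the host name, but SslStream (and therefore WCF) does.
    $names = @($cert.GetNameInfo('DnsName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { $names += ($san.Format($false) -split ',\s*') -replace '^DNS Name=' }

    New-Object PSObject -Property @{
        Endpoint   = "${HostName}:$Port"
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        ChainOk    = $chainOk
        NameOk     = ($names -contains $HostName)
        Status     = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        # Last element: the root, or the highest certificate found if the chain is partial.
        Root       = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    }
}

function Add-TrustedRoot {
    # Exports only the public certificate (.cer, no private key) and adds it to
    # LocalMachine\Root. Run from an elevated prompt on the client machine.
    param([Parameter(Mandatory = $true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Root)
    $path = Join-Path $env:TEMP ('{0}.cer' -f $Root.Thumbprint)
    [System.IO.File]::WriteAllBytes($path, $Root.Export('Cert'))
    & certutil.exe -addstore -f Root $path | Out-Null
    Write-Host "Added '$($Root.Subject)' to LocalMachine\Root; re-run Test-TlsEndpoint to confirm ChainOk."
}

# Endpoints from the posted client config. A ws2007FederationHttpBinding client talks
# to the issuer first (to get a token), so its TLS trust is checked before the service's.
$endpoints = @(
    @{ HostName = 'corp.sample.com'; Port = 443 },   # ADFS STS: issuer address (port assumed)
    @{ HostName = 'test.sample.com'; Port = 809 }    # WCF service endpoint
)
foreach ($e in $endpoints) {
    $r = Test-TlsEndpoint @e
    $r | Format-List Endpoint, Subject, Issuer, Thumbprint, NotAfter, ChainOk, NameOk, Status
    if (-not $r.ChainOk -and $r.Status -match 'UntrustedRoot|PartialChain') { Add-TrustedRoot -Root $r.Root }
    if (-not $r.NameOk) { Write-Warning "Certificate for $($r.Endpoint) does not carry the name '$($e.HostName)'; a root import will not fix that." }
}
```

Two points worth keeping in mind when reading the output. The 'authority' in the exception is simply the host whose TLS handshake failed; with this binding the client contacts the issuer (corp.sample.com) before the service, which is why the ADFS host appears even though the call is to the WCF service, and why the service's own certificate being in the client's Trusted Root store does not help. And the client only ever needs the server's public certificate: importing a .pfx with the ADFS private key into another machine's store works, but it also copies a signing key to a machine that has no use for it, so export the .cer (which is what the script does) rather than the .pfx. The `<identity><servicePrincipalName>` element under the issuer is consumed by the Kerberos leg of the KerberosOverTransport binding; the failure in the posted stack trace happens earlier, in System.Net while HttpWebRequest opens the HTTPS connection, so commenting that element out does not change the chain check.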
  • Yup..

    You are doing it right.

    Now I'm short of clues. I will try to help you tomorrow by checking out my old code. I don't have access to it now. But as I said, the flow is completely different. Will check tomorrow.

    Meanwhile.. if you have some time, answer below query..

    1. Which application does the communication with ADFS? Is it Web UI or Workflow Service?

    Thanks,

    Kishore.

    Sunday, April 28, 2013 1:16 PM
  • Hi Catherine,

    Any luck with your issue?

    If not, reply to my question in the previous post.

    Additionally,

    Let me know the Full Computer Name of your ADFS server.

    Thanks.


    Happy Coding, Kishore.

    Monday, April 29, 2013 11:36 AM
  • Hi,

    Sorry for the delay in replying, as I was travelling in the past few days. Thank you very much for keeping track of this.

    Both the Web UI and the workflow service communicate with AD FS. The Web UI communicates with the workflow service, and the workflow service plans to communicate with the other WCF service in a specific method (I haven't deployed this service yet, as this doesn't impact the Web UI).

    The AD FS server is 'corp.sample.com', the identity name configured in web.config.


    Thursday, May 2, 2013 5:25 AM
  • Hi Catherine...

    Sorry if I'm asking you too many questions.

    Are you using Forms Authentication?

    I mean..

    1. First, the application redirects to the ADFS login page.

    2. The user enters credentials. ADFS validates them.

    3. Then the actual application loads.

    4. Now the user performs some operation which invokes the Workflow Service.

    Is this the flow of your application?

    -- If YES, did steps 1, 2 and 3 pass?

    Thanks.


    Happy Coding, Kishore.

    Thursday, May 2, 2013 6:31 AM
  • I am using Federated Authentication. The Web UI loads successfully, and I can get the security token from the backend which contains my login info. The error is raised only when the application communicates with the WF service.

    Someone told me that if you use a certificate issued by a trusted CA, this error would go away. Does your application run normally with a self-signed certificate?

    Thursday, May 2, 2013 9:07 AM