SOAP Security Negotiation Error

  • Question

  • Hi,
    I am implementing X509 certification (asymmetric), with certificates created using makecert.exe.
    I have installed the certificate in LocalMachine and given access to the IIS users. If I run the .svc
    I am able to see the WSDL. I have exported the client certificate to the service machine,
    so on the service machine the client and service certificates are present in the Personal folder and the Trusted People folder.
    I have written the client application on a different machine.
    I have exported the service certificate to the client machine. I am able to access the service URL (added using a service reference in VS2012).
    But when I run the client application the error is: caller was not authenticated by the service. (Please note that the application is still not hosted in IIS; I am facing the problem in development itself.)
    So I installed the certificates in the Trusted folder on both machines.
    Now the error is
    SOAP security negotiation with 'http://10.196.1.39/HelloWorld-WebService/Service1.svc' for target 'http://10.196.1.39/HelloWorld-WebService/Service1.svc' failed.
    See inner exception for more details.
    For this I changed the application pool to the Network Service account, and I added the Network Service account
    to the certificates. But still the same error.
    web.config (service side):
    <bindings>
      <wsHttpBinding>
        <binding name="Sampleconfig">
          <!--<security>
            <message clientCredentialType="username" />
          </security>-->
          <security mode="Message">
            <message clientCredentialType="Certificate" negotiateServiceCredential="true" />
          </security>
          <!--<reliableSession enabled="true" />-->
        </binding>
      </wsHttpBinding>
    </bindings>
    <services>
      <service name="HelloWorld_WebService.Service1" behaviorConfiguration="ServiceCredentialBehavior">
        <endpoint address="" binding="wsHttpBinding" bindingConfiguration="Sampleconfig" contract="HelloWorld_WebService.IService1" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="ServiceCredentialBehavior">
          <serviceCredentials>
            <clientCertificate>
              <!-- <certificate />-->
              <authentication certificateValidationMode="PeerTrust" />
            </clientCertificate>
            <serviceCertificate findValue="WCFSERVER"
                                storeLocation="LocalMachine"
                                storeName="My"
                                x509FindType="FindBySubjectName" />
          </serviceCredentials>
          <!-- To avoid disclosing metadata information, set the values below to false before deployment. -->
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
          <!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="true"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>

    Please suggest.

    priyanka


    • Edited by Shankarbs Friday, August 29, 2014 12:23 AM
    Friday, August 29, 2014 12:22 AM

Answers

  • Hi,

    sorry for the late reply.

    Actually the problem is solved: I needed to install the client and service certificates in the Trusted People folder rather than Trusted Root, and also give access to "Everyone".



    priyanka

    • Marked as answer by Shankarbs Wednesday, September 3, 2014 8:23 PM
    Wednesday, September 3, 2014 8:23 PM
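    The client-side counterpart of the service configuration in the question, as an added example that is not part of the thread. It shows where the two PeerTrust checks and the endpoint identity sit, which is why both certificates have to be in the Trusted People store as the accepted answer found. Assumed names: client certificate subject "WCFCLIENT" and service reference namespace "ServiceReference1"; everything else comes from the thread.

```xml
<!-- Client app.config, added example (not from the thread). Assumed: client cert subject
     "WCFCLIENT", service reference namespace "ServiceReference1". -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Must match the service binding: message security with certificate credentials -->
      <binding name="Sampleconfig">
        <security mode="Message">
          <message clientCredentialType="Certificate" negotiateServiceCredential="true" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <endpoint address="http://10.196.1.39/HelloWorld-WebService/Service1.svc"
              binding="wsHttpBinding" bindingConfiguration="Sampleconfig"
              contract="ServiceReference1.IService1"
              behaviorConfiguration="ClientCredentialBehavior">
      <!-- Expected service identity: the subject name of the service certificate (WCFSERVER).
           If the negotiated certificate does not carry this name, negotiation fails. -->
      <identity>
        <dns value="WCFSERVER" />
      </identity>
    </endpoint>
  </client>
  <behaviors>
    <endpointBehaviors>
      <behavior name="ClientCredentialBehavior">
        <clientCredentials>
          <!-- Certificate the client presents. Its private key must be readable by the
               account running the client process (assumed subject name WCFCLIENT). -->
          <clientCertificate findValue="WCFCLIENT" storeLocation="LocalMachine"
                             storeName="My" x509FindType="FindBySubjectName" />
          <serviceCertificate>
            <!-- PeerTrust: the service certificate must be in this machine's Trusted People
                 store, mirroring the service's PeerTrust check on the client certificate.
                 revocationMode="NoCheck" only because makecert test certificates have no CRL;
                 keep Online or Offline with CA-issued certificates. -->
            <authentication certificateValidationMode="PeerTrust" revocationMode="NoCheck" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
</system.serviceModel>
```

    The private key grant can be narrower than the "Everyone" access in the accepted answer: read access for the account that actually runs each side (the application pool identity on the service, the user running the client) is sufficient.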

All replies

  • Hi PriyankaShankar,

    Please first try to set the security mode to none to see if it helps:

    <wsHttpBinding>
      <binding>
        <security mode="None"/>
      </binding>
    </wsHttpBinding>

    To enable the Negotiate process to select the Kerberos protocol for network authentication, the client application must provide an SPN, a user principal name (UPN), or a NetBIOS account name as the target name. If the client application does not provide a target name, the Negotiate process cannot use the Kerberos protocol. If the Negotiate process cannot use the Kerberos protocol, the Negotiate process selects the NTLM protocol.

    In a cross-domain scenario, Kerberos has to be used. Since the service is running as the local system account, an SPN identity has to be used on the client side for the target name.

    For more information, please read http://support.microsoft.com/kb/929650

    Besides, you could also refer to:

    http://sundarnarasiman.net/?p=70

    Regards

    Monday, September 1, 2014 3:13 AM
    Moderator