WCF and NetTcp security with Certificate

  • Question

  • From the issuer server, I created the server certificate and the client one (using XCA), then imported them into my machine.

    The service configuration looks like this:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <startup>
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2"/>
      </startup>
      <system.serviceModel>
    
        <services>
          <service name="xxx.yyy.Providers.zzz" behaviorConfiguration="MetaDataBehvior">
            <host>
              <baseAddresses>
                <add baseAddress="net.tcp://localhost:9002/yyyService"/>
              </baseAddresses>
            </host>
            <!-- bindingConfiguration was missing: without it the endpoint uses the default
                 netTcpBinding (Transport security, Windows credentials) and the
                 Message/Certificate binding declared below is never applied. -->
            <endpoint address="" binding="netTcpBinding" bindingConfiguration="NetTcpBinding"
                      contract="xxx.yyy.Interfaces.Izzz" />
            <endpoint address="mex" binding="mexTcpBinding" contract="IMetadataExchange" />
          </service>
        </services>
    
        <behaviors>
          <serviceBehaviors>
            <!-- serviceCredentials moved into the behavior the service actually references,
                 so it is applied regardless of how the nameless default behavior is merged. -->
            <behavior name="MetaDataBehvior">
              <serviceMetadata />
              <serviceCredentials>
                <!-- How the service validates the client's certificate. ChainTrust requires the
                     issuing CA in this machine's Trusted Root store; NoCheck skips CRL lookups,
                     which a private CA usually cannot serve. -->
                <clientCertificate>
                  <authentication
                    certificateValidationMode="ChainTrust"
                    revocationMode="NoCheck" />
                </clientCertificate>
                <!-- The service's own certificate. Its private key must be readable by the
                     service process. FindBySubjectName matches any certificate whose subject
                     contains this string. -->
                <serviceCertificate
                  findValue="xxx.yyy.Server"
                  x509FindType="FindBySubjectName"
                  storeLocation="LocalMachine"
                  storeName="My" />
              </serviceCredentials>
            </behavior>
          </serviceBehaviors>
        </behaviors>
    
        <bindings>
          <netTcpBinding>
            <!-- The size quotas below are Int32.MaxValue, which removes the built-in protection
                 against oversized messages; size them for the real payloads. -->
            <binding name="NetTcpBinding" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="2147483647">
              <readerQuotas maxDepth="32" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
              <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
              <!-- Message security with certificate credentials: the client must present the
                     certificate configured in its clientCredentials behavior. -->
              <security mode="Message">
                <message clientCredentialType="Certificate" />
              </security>
            </binding>
          </netTcpBinding>
        </bindings>
    
      </system.serviceModel>
    </configuration>

    and the client side looks like this:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
    
      <system.serviceModel>
        <bindings>
          <netTcpBinding>
            <!-- Same note as on the service side: Int32.MaxValue quotas disable the size limits. -->
            <binding name="yyynetTcpBinding" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="2147483647">
              <readerQuotas maxDepth="32" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
              <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
              <security mode="Message">
                <message clientCredentialType="Certificate" />
              </security>
            </binding>
          </netTcpBinding>
        </bindings>
    
        <client>
    
          <!-- bindingConfiguration was missing: without it the endpoint uses the default
               netTcpBinding (Transport security, Windows credentials), not the
               Message/Certificate binding declared above. -->
          <endpoint name="PrimaryService_TcpEndPoint" address="net.tcp://localhost:9002/yyyService"
                    behaviorConfiguration="yyyEndPointBEhavior"
                    binding="netTcpBinding" bindingConfiguration="yyynetTcpBinding"
                    contract="xxx.yyy.Interfaces.Izzz">
            <identity>
              <!-- WCF compares this value with the DNS name carried by the service certificate
                   (SAN dNSName or subject CN), not with the address it connects to. It must
                   match the certificate the service selects with findValue="xxx.yyy.Server". -->
              <dns value="10.0.5.187" />
            </identity>
          </endpoint>
    
        </client>
        <behaviors>
          <endpointBehaviors>
            <behavior name="yyyEndPointBEhavior">
              <clientCredentials>
                <!-- The client's own certificate. The error quoted below is raised when WCF
                     opens this certificate's private key. -->
                <clientCertificate
                  findValue="xxx.yyy.Client"
                  x509FindType="FindBySubjectName"
                  storeLocation="LocalMachine"
                  storeName="My" />
                <!-- How the client validates the service certificate. ChainTrust requires the
                     issuing CA in this machine's Trusted Root store. -->
                <serviceCertificate>
                  <authentication
                    certificateValidationMode="ChainTrust"
                    revocationMode="NoCheck" />
                </serviceCertificate>
              </clientCredentials>
            </behavior>
          </endpointBehaviors>
        </behaviors>
      </system.serviceModel>
      <startup>
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2"/>
      </startup>
    
    </configuration>

    When I start establishing the connection, I get the following error:

    It is likely that certificate 'OU=xxx.yyy.Client, C=cc' may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail.

    Invalid provider type specified.

    Any idea how to solve that?


    Friday, November 16, 2018 12:51 AM
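The error quoted in the question has three usual causes: the PFX was imported without its private key, the key is stored in a CNG key storage provider (WCF on .NET Framework 4.5.x reaches the key through X509Certificate2.PrivateKey, which only understands legacy CAPI/CSP keys and throws "Invalid provider type specified" for CNG keys), or the process identity cannot read the key file. The following diagnostic is an added example, not code from the original thread. It assumes Windows PowerShell 5.1 (.NET Framework) in an elevated session, the client certificate in LocalMachine\My under the subject used on the page, and the usual on-disk locations of machine keys; the account name in the icacls line and the PFX/OpenSSL file names are placeholders.

```powershell
# Added diagnostic (not from the original thread). Reproduces the private-key access that
# WCF performs when it loads the client certificate and reports which cause applies.
# Assumes Windows PowerShell 5.1 (.NET Framework), run elevated.
param(
    [string]$SubjectName = 'xxx.yyy.Client',        # the page's findValue
    [string]$StorePath   = 'Cert:\LocalMachine\My'  # the page's storeLocation/storeName
)

$cert = Get-ChildItem $StorePath |
    Where-Object { $_.Subject -like "*$SubjectName*" } |   # same substring semantics as FindBySubjectName
    Select-Object -First 1
if (-not $cert) { throw "No certificate with '$SubjectName' in its subject found in $StorePath" }
"Subject       : $($cert.Subject)"
"Thumbprint    : $($cert.Thumbprint)"

# Cause 1: the PFX was exported without the private key.
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; re-export the PFX with the key included" }

# Cause 2: the key lives in a CNG key storage provider. This is exactly the property WCF
# on .NET 4.5.x reads, so the message printed here is the one the application would see.
try   { $null = $cert.PrivateKey; "PrivateKey    : readable through CAPI (usable by WCF on .NET 4.5)" }
catch { "PrivateKey    : $($_.Exception.GetBaseException().Message)" }

# Identify the key storage and the key file on disk (paths are the usual machine-key locations).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw "Private key is not an RSA key; this script only handles RSA" }
switch ($rsa.GetType().Name) {
    'RSACryptoServiceProvider' {
        $info = $rsa.CspKeyContainerInfo
        "Key storage   : CAPI CSP '$($info.ProviderName)'"
        "KeySpec       : $($info.KeyNumber)   (Exchange is required for key exchange)"
        $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($info.UniqueKeyContainerName)"
    }
    'RSACng' {
        "Key storage   : CNG KSP '$($rsa.Key.Provider.Provider)'  <- not usable by WCF on .NET 4.5"
        $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    }
    default { throw "Unexpected private key type $($rsa.GetType().Name)" }
}

# Cause 3: the account the WCF process runs as has no read access to the key file.
if (Test-Path $keyFile) {
    "Key file      : $keyFile"
    (Get-Acl $keyFile).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
    # Grant read access to the process identity (the account below is an example):
    #   icacls "$keyFile" /grant "NT AUTHORITY\NETWORK SERVICE:R"
}

# Fix for cause 2: put the key into a CAPI provider. Delete the CNG copy from the store, then
# re-import the PFX naming a legacy CSP (file name and password are placeholders):
#   certutil -p "<pfx password>" -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -importPFX client.pfx
# or bake the CSP name into the PFX when OpenSSL creates it, so every later import lands in CAPI:
#   openssl pkcs12 -export -in client.crt -inkey client.key -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -out client.pfx
```

Run it on the machine that fails, for the certificate the failing side loads: the client certificate on the client box for the error quoted above, and the service certificate on the server box if the service fails to open. "Microsoft Enhanced RSA and AES Cryptographic Provider" is chosen because it is a CAPI provider that also handles SHA-256 certificates; the older "Microsoft Enhanced Cryptographic Provider v1.0" does not.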

All replies

  • Hi Aabdellatif,
    As mentioned in the error details, the reason that caused the problem is that there are some errors in certificate authentication.
    In general, if you use the certificate as an identity, we should ensure that the certificate’s storage location corresponds to the CertificateValidationMode:
    None: Do not perform validation.
    PeerTrust: if the certificate is located in the Trusted People store, it is valid.
    ChainTrust: the certificate is valid if the chain leads to a certificate authority in the Trusted Root store.
    PeerOrChainTrust: the certificate is valid if the certificate is located in the Trusted People store or if the chain leads to a certificate authority in the Trusted Root store.
    Custom: we must implement a custom X509CertificateValidator to verify the certificate.
    If you use a self-signed certificate, I suggest you use the following configuration:

               <clientCertificate>
                  <authentication
                    certificateValidationMode="None"
                    revocationMode="NoCheck" />
                </clientCertificate>

    Besides, when you export the certificate and install it, don’t forget to export the private key.

    Best Regards

    Abraham

    Tuesday, November 20, 2018 7:32 AM
    Moderator
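A practitioner's caveat on the suggestion above: certificateValidationMode="None" keeps message encryption and signing but accepts any certificate, so nothing authenticates the peer. With certificates issued by a private XCA CA, the page's ChainTrust setting works as soon as the issuing CA is in the validating machine's Trusted Root store, and a self-signed certificate can be pinned with PeerTrust by placing its public part in Trusted People. The script below is an added example, not code from the thread. It assumes Windows PowerShell 5.1 in an elevated session with the PKI module (Windows 8 / Server 2012 and later), a file ca.crt exported from the XCA issuer, and the subject names used on the page; Test-WcfCertificateTrust is a hypothetical helper that approximates what WCF's built-in validator does for each mode, so a trust failure shows up before the service call.

```powershell
# Added example (not from the original thread): keep certificate validation on for a
# private CA or a self-signed certificate instead of setting certificateValidationMode="None".
# Assumes Windows PowerShell 5.1, elevated, PKI module available. Run on the side that
# validates: the server for the client certificate, the client for the service certificate.

# Option A (matches the page's ChainTrust + revocationMode="NoCheck"): trust the issuing CA.
# NoCheck is kept because a private CA without a reachable CRL would otherwise fail the chain.
Import-Certificate -FilePath .\ca.crt -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Option B (PeerTrust): pin the exact peer certificate, public part only, in Trusted People.
#   Import-Certificate -FilePath .\client.crt -CertStoreLocation Cert:\LocalMachine\TrustedPeople

# Hypothetical helper approximating WCF's validation semantics for each mode.
function Test-WcfCertificateTrust {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [ValidateSet('None', 'PeerTrust', 'ChainTrust', 'PeerOrChainTrust')]
        [string]$Mode = 'ChainTrust',
        [ValidateSet('NoCheck', 'Online', 'Offline')]
        [string]$RevocationMode = 'NoCheck'
    )
    if ($Mode -eq 'None') { return $true }   # accepts anything: no authentication at all

    if ($Mode -in @('PeerTrust', 'PeerOrChainTrust')) {
        # PeerTrust: the certificate itself must be in LocalMachine\TrustedPeople.
        $pinned = [bool](Get-ChildItem Cert:\LocalMachine\TrustedPeople |
            Where-Object { $_.Thumbprint -eq $Cert.Thumbprint })
        if ($Mode -eq 'PeerTrust' -or $pinned) { return $pinned }
    }

    # ChainTrust: build the chain with the configured revocation mode; Build() is false
    # unless the chain ends at a certificate in the Trusted Root store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode
    $ok = $chain.Build($Cert)
    if (-not $ok) {
        foreach ($s in $chain.ChainStatus) {
            Write-Warning "$($Cert.Subject): $($s.Status) - $($s.StatusInformation.Trim())"
        }
    }
    return $ok
}

# Check the client certificate the way the service's <clientCertificate> settings would.
$client = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*xxx.yyy.Client*' } | Select-Object -First 1
"Client cert ChainTrust : $(Test-WcfCertificateTrust -Cert $client -Mode ChainTrust -RevocationMode NoCheck)"
"Client cert PeerTrust  : $(Test-WcfCertificateTrust -Cert $client -Mode PeerTrust)"
```

If the ChainTrust check prints an UntrustedRoot warning, the CA is missing from Cert:\LocalMachine\Root on that machine; a RevocationStatusUnknown or OfflineRevocation warning means revocationMode was changed away from NoCheck without a reachable CRL. Either way the service and client configs on the page can stay at ChainTrust once the CA is installed, which is what turning validation off would have given up.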