R
Ryan
I am writing a client WCF webservice and have run into difficulty trying to
configure separate certificates for SSL and return message signature
validation.
I've included the web.config settings below for the website I am using for
testing the WCF client. The "clientCertificate" thumbprint links to my
private cert in my certificate store. The "defaultCertificate" is the SSL
cert thumbprint for the broker server, this certificate DNS matches the DNS
of the webservice URL I am hitting "fake.url.com" in my example (i've
replaced the actual url for security).
In this configuration I can trace the request and response and I do receive
a full and complete response with correct data however I receive the
following error from WCF:
"The incoming message was signed with a token which was different from what
used to encrypt the body. This was not expected."
If I replace the "defaultCertificate" thumbprint with the public cert used
to sign the response I get the following error because this certificate's DNS
does not match the broker server URL I am hitting. The certificate used to
sign the response has a non-URL name, for example "signing-cert". The error
I get is:
"Identity check failed for outgoing message. The expected DNS identity of
the remote endpoint was 'fake.url.com' but the remote endpoint provided DNS
claim 'signing-cert'. If this is a legitimate remote endpoint, you can fix
the problem by explicitly specifying DNS identity 'signing-cert' as the
Identity property of EndpointAddress when creating channel proxy."
I tried adding an identity property for the dns however it then returns the
following error:
"The HTTPS channel factory does not support explicit specification of an
identity in the EndpointAddress unless the authentication scheme is NTLM or
Negotiate.
Parameter name: remoteAddress"
I seem to have run into a road-block here. I expect it should be a simple
matter to specify the certificate WCF should use to validate the SSL channel,
and to specify a separate certificate to validate the response message
signature. I seems that all examples I come across expect the same
certificate to be used for SSL channel as well as response signing.
I apreciate any advice/tips you may have...I've fairly new to WCF...Just
can't seem to find the right settings to get thins working 100%.
<bindings>
<customBinding>
<binding name="AccountManagementSoapBindingImplSoapBinding">
<textMessageEncoding messageVersion="Soap11" writeEncoding="utf-8" />
<security allowSerializedSigningTokenOnReply="true"
defaultAlgorithmSuite="Default" authenticationMode="MutualCertificate"
requireDerivedKeys="false" includeTimestamp="true"
messageProtectionOrder="EncryptBeforeSign"
messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
requireSecurityContextCancellation="false"
requireSignatureConfirmation="false">
</security>
<httpsTransport authenticationScheme="Anonymous" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint binding="customBinding" behaviorConfiguration="behavior"
address="https://fake.url.com:444/services/core/AccountManagementService/v1"
bindingConfiguration="AccountManagementSoapBindingImplSoapBinding"
contract="AccountManagementSoapBindingImpl"
name="AccountManagementSoapBindingImpl"/>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="behavior">
<clientCredentials>
<clientCertificate
findValue="5467657d78665c7855765a675c6765c76567d864"
x509FindType="FindByThumbprint" storeLocation="LocalMachine" storeName="My"/>
<serviceCertificate>
<defaultCertificate
findValue="432342b43d3c233a8764324b3c23432d32342a32"
x509FindType="FindByThumbprint" storeLocation="LocalMachine" storeName="My"/>
<authentication certificateValidationMode="PeerOrChainTrust"
trustedStoreLocation="LocalMachine" revocationMode="NoCheck"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
configure separate certificates for SSL and return message signature
validation.
I've included the web.config settings below for the website I am using for
testing the WCF client. The "clientCertificate" thumbprint links to my
private cert in my certificate store. The "defaultCertificate" is the SSL
cert thumbprint for the broker server, this certificate DNS matches the DNS
of the webservice URL I am hitting "fake.url.com" in my example (i've
replaced the actual url for security).
In this configuration I can trace the request and response and I do receive
a full and complete response with correct data however I receive the
following error from WCF:
"The incoming message was signed with a token which was different from what
used to encrypt the body. This was not expected."
If I replace the "defaultCertificate" thumbprint with the public cert used
to sign the response I get the following error because this certificate's DNS
does not match the broker server URL I am hitting. The certificate used to
sign the response has a non-URL name, for example "signing-cert". The error
I get is:
"Identity check failed for outgoing message. The expected DNS identity of
the remote endpoint was 'fake.url.com' but the remote endpoint provided DNS
claim 'signing-cert'. If this is a legitimate remote endpoint, you can fix
the problem by explicitly specifying DNS identity 'signing-cert' as the
Identity property of EndpointAddress when creating channel proxy."
I tried adding an identity property for the dns however it then returns the
following error:
"The HTTPS channel factory does not support explicit specification of an
identity in the EndpointAddress unless the authentication scheme is NTLM or
Negotiate.
Parameter name: remoteAddress"
I seem to have run into a road-block here. I expect it should be a simple
matter to specify the certificate WCF should use to validate the SSL channel,
and to specify a separate certificate to validate the response message
signature. I seems that all examples I come across expect the same
certificate to be used for SSL channel as well as response signing.
I apreciate any advice/tips you may have...I've fairly new to WCF...Just
can't seem to find the right settings to get thins working 100%.
<bindings>
<customBinding>
<binding name="AccountManagementSoapBindingImplSoapBinding">
<textMessageEncoding messageVersion="Soap11" writeEncoding="utf-8" />
<security allowSerializedSigningTokenOnReply="true"
defaultAlgorithmSuite="Default" authenticationMode="MutualCertificate"
requireDerivedKeys="false" includeTimestamp="true"
messageProtectionOrder="EncryptBeforeSign"
messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
requireSecurityContextCancellation="false"
requireSignatureConfirmation="false">
</security>
<httpsTransport authenticationScheme="Anonymous" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint binding="customBinding" behaviorConfiguration="behavior"
address="https://fake.url.com:444/services/core/AccountManagementService/v1"
bindingConfiguration="AccountManagementSoapBindingImplSoapBinding"
contract="AccountManagementSoapBindingImpl"
name="AccountManagementSoapBindingImpl"/>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="behavior">
<clientCredentials>
<clientCertificate
findValue="5467657d78665c7855765a675c6765c76567d864"
x509FindType="FindByThumbprint" storeLocation="LocalMachine" storeName="My"/>
<serviceCertificate>
<defaultCertificate
findValue="432342b43d3c233a8764324b3c23432d32342a32"
x509FindType="FindByThumbprint" storeLocation="LocalMachine" storeName="My"/>
<authentication certificateValidationMode="PeerOrChainTrust"
trustedStoreLocation="LocalMachine" revocationMode="NoCheck"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>