Certificate issue with WCF client accessing webservice via broker
Ryan wrote:

I am writing a client WCF webservice and have run into difficulty trying to configure separate certificates for SSL and return message signature validation.

I've included the web.config settings below for the website I am using for testing the WCF client. The "clientCertificate" thumbprint links to my private cert in my certificate store. The "defaultCertificate" is the SSL cert thumbprint for the broker server; this certificate's DNS matches the DNS of the webservice URL I am hitting, "fake.url.com" in my example (I've replaced the actual URL for security).

In this configuration I can trace the request and response and I do receive a full and complete response with correct data, however I receive the following error from WCF:

"The incoming message was signed with a token which was different from what used to encrypt the body. This was not expected."

If I replace the "defaultCertificate" thumbprint with the public cert used to sign the response I get the following error, because this certificate's DNS does not match the broker server URL I am hitting. The certificate used to sign the response has a non-URL name, for example "signing-cert". The error I get is:

"Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'fake.url.com' but the remote endpoint provided DNS claim 'signing-cert'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'signing-cert' as the Identity property of EndpointAddress when creating channel proxy."

I tried adding an identity property for the DNS, however it then returns the following error:

"The HTTPS channel factory does not support explicit specification of an identity in the EndpointAddress unless the authentication scheme is NTLM or Negotiate.
Parameter name: remoteAddress"

I seem to have run into a road-block here. I expect it should be a simple matter to specify the certificate WCF should use to validate the SSL channel, and to specify a separate certificate to validate the response message signature. It seems that all examples I come across expect the same certificate to be used for the SSL channel as well as response signing.

I appreciate any advice/tips you may have... I'm fairly new to WCF... Just can't seem to find the right settings to get things working 100%.

<bindings>
  <customBinding>
    <binding name="AccountManagementSoapBindingImplSoapBinding">
      <textMessageEncoding messageVersion="Soap11" writeEncoding="utf-8" />
      <security allowSerializedSigningTokenOnReply="true"
                defaultAlgorithmSuite="Default" authenticationMode="MutualCertificate"
                requireDerivedKeys="false" includeTimestamp="true"
                messageProtectionOrder="EncryptBeforeSign"
                messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
                requireSecurityContextCancellation="false"
                requireSignatureConfirmation="false">
      </security>
      <httpsTransport authenticationScheme="Anonymous" />
    </binding>
  </customBinding>
</bindings>

<client>
  <endpoint binding="customBinding" behaviorConfiguration="behavior"
            address="https://fake.url.com:444/services/core/AccountManagementService/v1"
            bindingConfiguration="AccountManagementSoapBindingImplSoapBinding"
            contract="AccountManagementSoapBindingImpl"
            name="AccountManagementSoapBindingImpl"/>
</client>

<behaviors>
  <endpointBehaviors>
    <behavior name="behavior">
      <clientCredentials>
        <clientCertificate
            findValue="5467657d78665c7855765a675c6765c76567d864"
            x509FindType="FindByThumbprint" storeLocation="LocalMachine" storeName="My"/>
        <serviceCertificate>
          <defaultCertificate
              findValue="432342b43d3c233a8764324b3c23432d32342a32"
              x509FindType="FindByThumbprint" storeLocation="LocalMachine" storeName="My"/>
          <authentication certificateValidationMode="PeerOrChainTrust"
                          trustedStoreLocation="LocalMachine" revocationMode="NoCheck"/>
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
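Added diagnostic for the setup in Ryan's post; this is not code from the post or from any WCF sample. It loads the two certificates the posted behaviour references by thumbprint from LocalMachine\My and prints what WCF will derive from each. Two things it makes concrete: `serviceCertificate/defaultCertificate` is the message-security certificate (WCF encrypts the request to it and expects the reply to be signed by it, which is what the first error is about), not the TLS certificate, which the HTTPS transport validates separately through System.Net; and the "Identity check failed" error is WCF comparing the endpoint host against that certificate's DNS name as returned by `X509Certificate2.GetNameInfo(X509NameType.DnsName, false)` (first SAN dNSName, otherwise subject CN). The helper reproduces that comparison as an exact, case-insensitive match; wildcard names are not modelled, which is an assumption. The thumbprints and URL are the placeholders from the post, and the chain check runs with online revocation, which the posted `revocationMode="NoCheck"` skips.

```csharp
// Added diagnostic for the posted web.config; not code from the original post.
// Assumes .NET Framework 4.6+ or .NET 6+ on Windows with read access to LocalMachine\My.
using System;
using System.Security.Cryptography.X509Certificates;

static class WcfCertCheck
{
    // Placeholders copied from the posted config; replace with the real values.
    const string ClientThumbprint  = "5467657d78665c7855765a675c6765c76567d864";
    const string ServiceThumbprint = "432342b43d3c233a8764324b3c23432d32342a32";
    static readonly Uri Endpoint =
        new Uri("https://fake.url.com:444/services/core/AccountManagementService/v1");

    // Same lookup the <clientCertificate>/<defaultCertificate> elements perform.
    // validOnly:false so an expired or untrusted cert is reported rather than
    // silently missing, which is how a wrong thumbprint usually surfaces.
    static X509Certificate2 FindByThumbprint(string thumbprint,
        StoreLocation location = StoreLocation.LocalMachine, StoreName name = StoreName.My)
    {
        using (var store = new X509Store(name, location))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            var hits = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            return hits.Count == 0 ? null : hits[0];
        }
    }

    // WCF's X509CertificateClaimSet builds the certificate's DNS claim from
    // GetNameInfo(DnsName): first SAN dNSName if present, otherwise subject CN.
    static string DnsIdentity(X509Certificate2 cert) =>
        cert.GetNameInfo(X509NameType.DnsName, forIssuer: false);

    // Exact, case-insensitive comparison against the endpoint host, which is what
    // the "Identity check failed for outgoing message" error reports on.
    // Wildcard names are deliberately not modelled here (assumption).
    static bool DnsIdentityMatches(X509Certificate2 cert, Uri endpoint) =>
        string.Equals(DnsIdentity(cert), endpoint.Host, StringComparison.OrdinalIgnoreCase);

    static void Report(string role, string thumbprint, bool needsPrivateKey)
    {
        var cert = FindByThumbprint(thumbprint);
        if (cert == null)
        {
            Console.WriteLine($"{role}: thumbprint {thumbprint} not found in LocalMachine\\My");
            return;
        }

        Console.WriteLine(role);
        Console.WriteLine($"  subject                 : {cert.Subject}");
        Console.WriteLine($"  DNS identity WCF sees   : {DnsIdentity(cert)}");
        Console.WriteLine($"  matches {Endpoint.Host,-16}: {DnsIdentityMatches(cert, Endpoint)}");
        Console.WriteLine($"  private key present     : {cert.HasPrivateKey}"
            + (needsPrivateKey && !cert.HasPrivateKey ? "   <-- needed to sign requests" : ""));
        Console.WriteLine($"  validity                : {cert.NotBefore:u} .. {cert.NotAfter:u}");

        // Chain build with revocation checking ON. The posted config uses
        // revocationMode="NoCheck", so WCF itself would accept a revoked certificate.
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            bool ok = chain.Build(cert);
            Console.WriteLine($"  chain builds (revocation online): {ok}");
            foreach (var status in chain.ChainStatus)
                Console.WriteLine($"    {status.Status}: {status.StatusInformation.Trim()}");
        }
    }

    static void Main()
    {
        Report("clientCertificate (signs outgoing requests)", ClientThumbprint, needsPrivateKey: true);
        Report("serviceCertificate/defaultCertificate (encrypts requests, must sign replies)",
               ServiceThumbprint, needsPrivateKey: false);
    }
}
```

Run it on the machine hosting the WCF client. For the posted setup, the second report shows whether the name WCF will see is "fake.url.com" or "signing-cert", which decides between the two errors in the post; whichever certificate is configured there is also the one the reply must be signed with. Two caveats on the posted behaviour for anything beyond testing: `PeerOrChainTrust` accepts any certificate dropped into the TrustedPeople store, and `revocationMode="NoCheck"` means a revoked signing certificate is still accepted, so a production client should use `ChainTrust` with `Online` or `Offline` revocation checking.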