Tuesday, October 14, 2008

Cryptic WCF error messages (part 4 of N)

@YaronNaveh

Today's exception can happen when X.509 certificates negotiation is used. One case when it is used is when you use wsHttpBinding with:


negotiateSerciveCredential="True"
messageClientCredentialType=[anything but "Windows"]


But there are other cases as well.

You may get the following exception at the client:


"SOAP security negotiation with 'http://localhost:13037/WCFService54/Service.svc' for target 'http://localhost:13037/WCFService54/Service.svc' failed. See inner exception for more details."


The inner exception shows:


{"The X.509 certificate CN=WSE2QuickStartServer chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.\r\n"}


The reason for that is that the certificate the server uses is not trusted on the client machine. We can see this by double-clicking on the certificate in the file system or in the windows certificate store:



You have 2 ways to solve this:

1. Make sure the service certificate is trusted on the client machine. For example install its issuer certificate in the trusted root store.

OR:

2. This is just for testing and should not go to production. You can disable the server authentication by the client: On the client side create a new endpoint behaviour with a "clientCredentials" behaviour element and set its serviceCertificate/authentication/certificateValidationMode to "None".

The app.config may look like this now:

<behaviors>
<endpointBehaviors>
<behavior name="NewBehavior">
<clientCredentials>
<serviceCertificate>
<authentication certificateValidationMode="None" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>


A picture may be better here:




Don't forget to link that behaviour to the endpoint:

<endpoint ... behaviorConfiguration="NewBehavior"... />




Note that after you solve this error you may see a related cryptic WCF error message.

@YaronNaveh

What's next? get this blog rss updates or register for mail updates!

11 comments:

Anonymous said...

It solved my problem.. thanks a lot.. great article :-)

Dhawal said...

I created a Root CA for my certificate and when I click on the certificate, it says: "This certificate is intended for the following purposes: All application policies".

However I still get the error at client side:
System.ServiceModel.Security.SecurityNegotiationException: SOAP security negotiation with 'http://localhost/Services/Service.svc' for target 'http://localhost/Services/Service.svc' failed. See inner exception for more details. ---> System.IdentityModel.Tokens.SecurityTokenValidationException: The X.509 certificate CN=tempCert chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation for the certificate.

Yaron Naveh (MVP) said...

Dhawal

Make sure the Root CA is installed in the trusted CA store. Also you can install the other cert (which was issued by the CA) in the personal store and double click it to see if it is valid.

Valley of the Roses said...

Solved my problem. Best solution for this problem on the web, hands down. Thanks!

Anonymous said...

hi...can you explain " install its issuer certificate in the trusted root store". I have the same error. I moved the certificate the client is using from personal store and installed it under "Trusted Root Certificate Authorities". Still seeing this error.

Yaron Naveh (MVP) said...

Hi Anonymous

Every certificate was issued by some other party which also have a certificate (e.g. verisign). That issuer certificate needs to be installed.

Harini Kondamudi said...

hey Yaron, this has solved the problem, and its giving the result. But when am writing a unit test case to run from the client side, its showing the same error. Even if am trying to test the application using testing tools like WCF storm, its showing this error back.

Yaron Naveh (MVP) said...

Which problem it has solved then?

Harini Kondamudi said...

i got this error, when i called the service from the client. i changed the validation mode to "none" and this actually has solved the problem. But when i wrote a unit test case project for the same client method in the same solution explorer, It popped out the same error and said test could not be passed. I was surprised because, i wrote that unit test case and added a reference to the service similar to what we do with the normal client.

Anonymous said...

when ur creating a unit test u can bypass the "The X.509 certificate CN=tempCert chain building failed. The certificate....." error by adding the following to the test app.config













And then adding behaviorConfiguration="NewBehavior" to the <endpoint tag.

mattveal27 said...

Thanks, this has fixed my issue and stopped me pulling my hair out.