But there are other cases as well.
You may get the following exception at the client:
The inner exception shows:
This happens because the certificate the server uses is not trusted on the client machine. You can see this by double-clicking the certificate in the file system or in the Windows certificate store:
You have 2 ways to solve this:
1. Make sure the service certificate is trusted on the client machine. For example, install its issuer certificate in the trusted root store.
OR:
2. This is just for testing and should not go to production: you can disable authentication of the server by the client, so the client no longer validates the certificate the service presents. On the client side, create a new endpoint behaviour with a "clientCredentials" behaviour element and set its serviceCertificate/authentication/certificateValidationMode to "None".
The app.config may look like this now:
<behaviors>
  <endpointBehaviors>
    <behavior name="NewBehavior">
      <clientCredentials>
        <serviceCertificate>
          <!-- Testing only: turns off validation of the service certificate -->
          <authentication certificateValidationMode="None" />
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
A picture may be better here:
Don't forget to link that behaviour to the endpoint:
<endpoint ... behaviorConfiguration="NewBehavior"... />
Note that after you solve this error you may see a related cryptic WCF error message.
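To find out why the service certificate is rejected before changing any configuration, the following PowerShell script (an added example, not part of the original post) builds the certificate chain on the client machine and reports which element fails and why. The path `.\service.cer` is an assumption: an export of the service certificate without its private key.

```powershell
# Added example: explain a "chain building failed" error on the client machine.
# Assumption: $CertPath points to the exported service certificate (hypothetical path).
param([string]$CertPath = '.\service.cer')

$x509  = 'System.Security.Cryptography.X509Certificates'
$cert  = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $CertPath).Path
$chain = New-Object "$x509.X509Chain"

# Check revocation as well, since the chain can fail on revocation alone
$chain.ChainPolicy.RevocationMode = 'Online'

$valid = $chain.Build($cert)
"Chain valid: $valid"

# One line per chain element, leaf certificate first
foreach ($element in $chain.ChainElements) {
    $flags = @($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $flags) { $flags = 'NoError' }
    '  {0} (issuer: {1}) -> {2}' -f $element.Certificate.Subject,
                                    $element.Certificate.Issuer, $flags
}

# Map the overall status flags to the cause
$status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
$top    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

if ($status -contains 'PartialChain') {
    # The chain stops before a self-signed root: the issuer is missing locally
    "Issuer certificate not found on this machine: $($top.Issuer)"
}
if ($status -contains 'UntrustedRoot') {
    # The root was found but is not in a trusted root store.
    # It can be installed with, for example:
    #   Import-Certificate -FilePath <issuer.cer> -CertStoreLocation Cert:\LocalMachine\Root
    "Root is not trusted: $($top.Subject) [$($top.Thumbprint)]"
}
if ($status -contains 'RevocationStatusUnknown' -or $status -contains 'OfflineRevocation') {
    # Typical for test certificates whose CA publishes no reachable CRL
    'Revocation could not be checked for at least one certificate in the chain.'
}
```

Run it on the client machine under the same user account as the client application, because the per-user certificate stores differ between accounts.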
11 comments:
It solved my problem.. thanks a lot.. great article :-)
I created a Root CA for my certificate and when I click on the certificate, it says: "This certificate is intended for the following purposes: All application policies".
However I still get the error at client side:
System.ServiceModel.Security.SecurityNegotiationException: SOAP security negotiation with 'http://localhost/Services/Service.svc' for target 'http://localhost/Services/Service.svc' failed. See inner exception for more details. ---> System.IdentityModel.Tokens.SecurityTokenValidationException: The X.509 certificate CN=tempCert chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation for the certificate.
Dhawal
Make sure the Root CA is installed in the trusted CA store. Also you can install the other cert (which was issued by the CA) in the personal store and double click it to see if it is valid.
Solved my problem. Best solution for this problem on the web, hands down. Thanks!
Hi... can you explain "install its issuer certificate in the trusted root store"? I have the same error. I moved the certificate the client is using from the personal store and installed it under "Trusted Root Certificate Authorities". Still seeing this error.
Hi Anonymous
Every certificate was issued by some other party which also has a certificate (e.g. VeriSign). That issuer certificate needs to be installed.
Hey Yaron, this has solved the problem, and it's giving the result. But when I am writing a unit test case to run from the client side, it's showing the same error. Even if I am trying to test the application using testing tools like WCF Storm, it's showing this error back.
Which problem has it solved then?
I got this error when I called the service from the client. I changed the validation mode to "none" and this actually has solved the problem. But when I wrote a unit test case project for the same client method in the same solution explorer, it popped out the same error and said the test could not be passed. I was surprised because I wrote that unit test case and added a reference to the service similar to what we do with the normal client.
When you're creating a unit test you can bypass the "The X.509 certificate CN=tempCert chain building failed. The certificate....." error by adding the following to the test app.config
And then adding behaviorConfiguration="NewBehavior" to the <endpoint tag.
Thanks, this has fixed my issue and stopped me pulling my hair out.