I am attempting to hit a WCF service endpoint. However, I keep getting the above exception on the server (when I check the logs) whenever I attempt to hit the service.
The service basically has mutual certificate behaviour. It lists a Client certificate and a Service Certificate. Also, it specifies a userPrincipalName under the endpoint\identity section of its web.config... An example of the config file of a similar set up is shown below...
<endpoint address="<nicelyAddressEndpoint>"
          binding="netTcpBinding" bindingConfiguration="customTcpBinding"
          contract="<service>" name="<smartSoundingCamelCasedServiceName>">
  <identity>
    <userPrincipalName value="<example>@yourMother.net" />
  </identity>
</endpoint>
would be the endpoint that I described.
<service name="<NiceServiceName>" behaviorConfiguration="MutualCertificateBehavior">
  <endpoint address="" binding="customBinding" bindingConfiguration="CustomMCBinding" contract="IServiceContractThatIsntWrittenPoorley"/>
</service>
<behavior name="MutualCertificateBehavior">
  <serviceDebug includeExceptionDetailInFaults="true"/>
  <serviceMetadata httpGetEnabled="true" />
  <serviceCredentials>
    <clientCertificate>
      <authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck" includeWindowsGroups="false"/>
      <certificate findValue="<CertName>" storeLocation="LocalMachine" storeName="Root" x509FindType="FindBySubjectName" />
    </clientCertificate>
    <serviceCertificate findValue="<ServiceCert>" storeLocation="LocalMachine" storeName="Root" x509FindType="FindBySubjectName" />
  </serviceCredentials>
</behavior>
And that would be the service and the behavior.
I am doing what I can to attempt to get data out of this thing. I am running into one sticking point, and I am not sure if it is because I am going about this the wrong way, or that I am close and I just need to get over a minor hurdle. In my client web.config I set up the endpoint behavior similarly...
<behavior name="ClientCertificateBehvior">
  <clientCredentials>
    <clientCertificate findValue="<XXX>"
                       storeLocation="LocalMachine"
                       storeName="My"
                       x509FindType="FindBySubjectName"/>
    <serviceCertificate>
      <authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck" />
      <defaultCertificate findValue="<XXX>" storeLocation="LocalMachine" storeName="Root" x509FindType="FindBySubjectName" />
    </serviceCertificate>
  </clientCredentials>
</behavior>
And this is my endpoint...
<endpoint address="xxx.xxx.xxx"
          behaviorConfiguration="ClientCertificateBehvior" binding="customBinding"
          bindingConfiguration="CustomBinding_IVPOService" contract="VPOServiceEndPoint.IVPOService"
          name="CustomBinding_IVPOService">
  <identity>
    <dns value="xxx" />
    <userPrincipalName value="yyy@xxx.net" />
  </identity>
</endpoint>
Now I am getting this exception whenever I attempt to hit this service...
The identity check failed for the outgoing message. The expected identity is 'identity(http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn)' for the 'xxxxxx' target endpoint.
I will note that I have the certificate in the appropriate store listed on my local machine and I have granted the appropriate rights to that certificate. I am to the point where I realize that I am making more trouble for myself here, and I am attempting to figure out what is the right thing to do instead of throwing things against the wall and seeing what sticks. What step am I missing? What is the best way to receive data from a MutualCertificate secured service? How can I best get the right userPrincipalName? I thought it would be what is listed in the service web.config? Am I going about this in the right way? Am I getting close or just making a bigger mess for myself?
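An added example, not part of the question above: a client configuration for a service that authenticates with an X.509 certificate, where the endpoint `<identity>` names the service by the DNS name in its certificate rather than by a UPN (a `<userPrincipalName>` identity is matched against a Windows account identity, which a certificate-authenticated service does not present). The address, contract and the `service.example.test` / `client.example.test` subject names are placeholders assumed for illustration; the identity check itself is kept, since it is what stops a different certificate holder from answering as the service.

```xml
<!-- Added example (not from the question): client side of a
     certificate-authenticated WCF endpoint. Placeholder values:
     the address, the contract and both certificate subject names. -->
<system.serviceModel>
  <client>
    <endpoint address="net.tcp://service.example.test:8731/VPOService"
              binding="customBinding"
              bindingConfiguration="CustomBinding_IVPOService"
              behaviorConfiguration="ClientCertificateBehavior"
              contract="VPOServiceEndPoint.IVPOService"
              name="CustomBinding_IVPOService">
      <identity>
        <!-- A single DNS identity: must equal the CN of the service
             certificate selected by <defaultCertificate> below.
             No <userPrincipalName> element for a certificate-secured
             service. -->
        <dns value="service.example.test" />
      </identity>
    </endpoint>
  </client>

  <behaviors>
    <endpointBehaviors>
      <behavior name="ClientCertificateBehavior">
        <clientCredentials>
          <clientCertificate findValue="client.example.test"
                             storeLocation="LocalMachine"
                             storeName="My"
                             x509FindType="FindBySubjectName" />
          <serviceCertificate>
            <!-- Chain validation with revocation checking enabled,
                 instead of PeerOrChainTrust with revocationMode="NoCheck". -->
            <authentication certificateValidationMode="ChainTrust"
                            revocationMode="Online" />
            <!-- The expected service certificate lives in TrustedPeople,
                 not in the Root store, so it is not treated as a CA. -->
            <defaultCertificate findValue="service.example.test"
                                storeLocation="LocalMachine"
                                storeName="TrustedPeople"
                                x509FindType="FindBySubjectName" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
</system.serviceModel>
```

If the service certificate's subject is not a DNS name, `<certificate encodedValue="..."/>` inside `<identity>` pins the exact base64-encoded certificate instead of a name.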