I am having an issue. We are trying to attach a client certificate to a WCF service over SSL, with the certificate required. When I try to navigate to the service through a browser it will show me the 'You have created a service' page, but only if I attach the certificate, so I don't think it's an IIS issue.

I have been through a ton of Stack Overflow questions and I think each time I make a little progress, but for the life of me I cannot shake this issue. I added logging and here is what I am seeing for errors:

System.Net Information: 0 : [12444] SecureChannel#15775260 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [12444] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential)
System.Net Error: 0 : [12444] AcquireCredentialsHandle() failed with error 0X8009030D.
System.Net Information: 0 : [12444] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential)
System.Net Error: 0 : [12444] AcquireCredentialsHandle() failed with error 0X8009030D.
System.Net.Sockets Verbose: 0 : [8000] Socket#13431269::Dispose()
System.Net Error: 0 : [8000] Exception in HttpWebRequest#55386345:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Error: 0 : [8000] Exception in HttpWebRequest#55386345::GetResponse - The request was aborted: Could not create SSL/TLS secure channel..
System.ServiceModel Error: 131075 : <TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Error"><TraceIdentifier>http://msdn.microsoft.com/en-US/library/System.ServiceModel.Diagnostics.ThrowingException.aspx</TraceIdentifier><Description>Throwing an exception.</Description><AppDomain>/LM/W3SVC/1/ROOT/Application.TestHarness.Blah-1-130676061695261461</AppDomain><Exception><ExceptionType>System.ServiceModel.Security.SecurityNegotiationException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>Could not establish secure channel for SSL/TLS with authority 'test-bolt.homesite.com'.</Message><StackTrace>   at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Application.TestHarness.IntegrationService.QuickQuote()

Service Config :

<system.serviceModel>
<behaviors>
  <serviceBehaviors>
    <behavior name="WebBehavior">
      <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="false" />
    </behavior>
  </serviceBehaviors>
</behaviors>

<services>
  <service name="Service.Namwe" behaviorConfiguration="WebBehavior">
    <endpoint address=""
              binding="wsHttpBinding"
              bindingConfiguration="transportSecurity"
              contract="Service.IContract"/>
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
  </service>
</services>
<bindings>
  <wsHttpBinding>
    <binding name="transportSecurity">
      <security mode="Transport">
        <transport clientCredentialType="Certificate"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>

Client Config :

<system.serviceModel>
<bindings>
  <wsHttpBinding>
    <binding name="transportSecurity">
      <security mode="Transport">
        <transport clientCredentialType="Certificate"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
<behaviors>
  <endpointBehaviors>
    <behavior name ="defaultClientCertificate">
      <clientCredentials>
        <clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="hostname.com"/>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
<client>
  <endpoint name="boltService" behaviorConfiguration="defaultClientCertificate"
            address="https://hostname.com/Service/Integration.svc"
            binding="wsHttpBinding"
            bindingConfiguration="transportSecurity"
            contract="ServiceRef.IServiceContract" />
</client>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>

Any advice would be greatly appreciated.

Jamie Babineau
  • Just to verify, when you open the certificate snap in, you see the certificate under local machine in the personal store with the name as configured? – Y.S Feb 05 '15 at 11:28
  • Yes, I do see it on LocalMachine under Personal, and when viewing the cert it is authenticated (real cert purchased, so I did not create it). – Jamie Babineau Feb 05 '15 at 11:45
  • Is the certificate's enhanced key usage set to client authentication? – Y.S Feb 05 '15 at 11:46
  • It is both client authentication and server authentication. – Jamie Babineau Feb 05 '15 at 11:47
  • What's the request status you get from the server machine? Is it 403? Also, is there a sub status? – Y.S Feb 05 '15 at 11:48
  • I don't get a 403; I get an exception of "The request was aborted: Could not create SSL/TLS secure channel." – Jamie Babineau Feb 05 '15 at 11:52
  • Have a look at this post, see the second answer regarding the endpoint configuration; it looks similar to yours, maybe it will help you: http://stackoverflow.com/questions/1742938/wcf-could-not-establish-trust-relationship-for-the-ssl-tls-secure-channel-with – Y.S Feb 05 '15 at 11:54
  • The issue I have is that the cert I am using is for our dev machine. I have a hosts file entry for hostname.com pointing to my local machine using my actual IPv4 address and not simply 127.0.0.1. I originally thought maybe the loopback address might have been causing these issues. Doing answer #2 in that post has not yielded any different results. – Jamie Babineau Feb 05 '15 at 12:06

3 Answers

8

I figured out what my issue was. The app pool that was running the service did not have access to the certificate. I was assuming that since I had put it in IIS, all app pools would have access (not the case). In case anyone finds this and has a similar issue, here is what I eventually found and what fixed it: https://msdn.microsoft.com/en-us/library/aa702621.aspx You can also do this in MMC if you like the GUI more than command-line tools.

Jamie Babineau
  • FFS. Wasted two days trying to figure out what that godforsaken'd message was trying to imply. Rebuilt, republished, required new certificates, etc., _thrice_. Then, changed the AppPool identity to Network Service and _poof_, done. – Eric Wu May 19 '17 at 19:15
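An added diagnostic, written for this thread and not code from the question or from any of the answers: it checks, in C#, the things the comments and the accepted answer turned on, in the order they were asked. Is the certificate in LocalMachine\My under the configured subject name, does it carry a private key, can the identity running the code actually open that key, does its Enhanced Key Usage include Client Authentication, and is it within its validity period. The store, the FindBySubjectName lookup and the default subject "hostname.com" are taken from the client config above; the class and method names are my own, and the client-authentication OID 1.3.6.1.5.5.7.3.2 is the standard id-kp-clientAuth value.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Added diagnostic, not code from the question or the answers.
// Run it under the same identity as the failing process (the IIS application
// pool in the accepted answer); an unreadable private key is the 0x8009030D case.
public static class ClientCertCheck
{
    // Enhanced Key Usage OID for "Client Authentication" (RFC 5280 id-kp-clientAuth).
    private const string ClientAuthOid = "1.3.6.1.5.5.7.3.2";

    // Returns an empty array when the certificate is usable as a transport client
    // credential, otherwise one line per problem found.
    public static string[] Check(string subjectName)
    {
        var problems = new List<string>();
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

            // Same lookup the client config performs: x509FindType="FindBySubjectName".
            // validOnly:false so that expired or untrusted certificates are still reported.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectName, validOnly: false);

            if (matches.Count == 0)
            {
                problems.Add("no certificate with subject name '" + subjectName + "' in LocalMachine\\My");
                return problems.ToArray();
            }
            if (matches.Count > 1)
                problems.Add(matches.Count + " certificates match '" + subjectName +
                             "'; WCF uses one of them, FindByThumbprint would be unambiguous");

            foreach (X509Certificate2 cert in matches)
                problems.AddRange(CheckOne(cert));
        }
        return problems.ToArray();
    }

    public static IEnumerable<string> CheckOne(X509Certificate2 cert)
    {
        string id = "cert " + cert.Thumbprint;
        string who = WindowsIdentity.GetCurrent().Name;

        if (!cert.HasPrivateKey)
        {
            yield return id + ": no private key attached (only the public certificate was imported)";
        }
        else
        {
            string keyError = TryOpenPrivateKey(cert);
            if (keyError != null)
                yield return id + ": private key not readable by " + who + " (" + keyError + ")";
        }

        var eku = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>().FirstOrDefault();
        // No EKU extension at all means the certificate is valid for any purpose.
        bool clientAuth = eku == null
            || eku.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == ClientAuthOid);
        if (!clientAuth)
            yield return id + ": Enhanced Key Usage does not include Client Authentication";

        if (DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter)
            yield return id + ": outside validity period (" + cert.NotBefore + " to " + cert.NotAfter + ")";
    }

    // Opening the key forces the key container open; this is the step that fails
    // when the identity lacks read access to the key file on disk.
    private static string TryOpenPrivateKey(X509Certificate2 cert)
    {
        try
        {
            // GetRSAPrivateKey needs .NET Framework 4.6 or later; on older
            // frameworks read cert.PrivateKey instead, which throws the same way.
            using (RSA rsa = cert.GetRSAPrivateKey())
                return rsa == null ? "key is not RSA or could not be opened" : null;
        }
        catch (CryptographicException ex)
        {
            return ex.Message;
        }
    }

    public static void Main(string[] args)
    {
        // Subject name from the client config in the question; override on the command line.
        string subject = args.Length > 0 ? args[0] : "hostname.com";
        string[] problems = Check(subject);
        Console.WriteLine(problems.Length == 0
            ? "OK: certificate usable by " + WindowsIdentity.GetCurrent().Name
            : string.Join(Environment.NewLine, problems));
    }
}
```

Run it as the account that actually makes the call, for example from the test harness inside the application pool or from a console launched under the pool's identity; run as an interactive administrator it will usually report OK, which is exactly why the third answer below hides the problem rather than explaining it. When the private-key line is the only finding, the fix is the one in the accepted answer: grant that identity read access to the key, either with the FindPrivateKey and icacls steps in the linked MSDN article or through the certificates MMC snap-in (All Tasks, Manage Private Keys).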
2

I had the same problem and solved it with this code:

ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;

Or try this code:

ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;
muratoner
1

Running Visual Studio in administrator mode fixed this issue for me.

handles