
The error I'm receiving in the production environment:

The remote certificate is invalid according to the validation procedure.
[AuthenticationException: The remote certificate is invalid according to the validation procedure.] System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception) +2755308
System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) +470

The production environment is using a three-tier architecture: Web talks to App, and App talks to the database. Web and App use a WCF service layer to communicate over SSL (443). We believe it might be a configuration issue in either the SSL certificate in IIS7 or the WCF configuration.

What we tried: I added the certificate in both App and Web to the Trusted Authority for both "Local Computer" and "Current User".

I can add my WCF Web Config if need be.

I tried the following recommendations:

https://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storename(v=vs.110).aspx

https://msdn.microsoft.com/en-us/library/ms734695.aspx

"The remote certificate is invalid according to the validation procedure." using Gmail SMTP server

How do I know what the storeName of a certificate?

https://msdn.microsoft.com/en-us/library/ms733813(v=vs.110).aspx

https://msdn.microsoft.com/en-us/library/hh556232%28v=vs.110%29.aspx

Self-Hosted WCF Service with Mutual SSL (between Service and Client) fails with 403 Forbidden

Vyache
  • Have you tried reducing the problem to its minimal form by building a dummy app that is configured in the same way as the real app, but only implements a single `DoNothing()` operation (and ideally a client that only tries calling that `DoNothing()` operation once)? If that fails you can at least be sure it's somewhere in the infrastructure and nowhere in your actual business code. – Jeroen Mostert Feb 13 '15 at 15:33
  • Also, try to connect to the endpoint from a browser and see what it says (assuming you get an error). – 500 - Internal Server Error Feb 13 '15 at 16:24
  • @JeroenMostert Right, we implemented something similar and received the same error. We did notice that the certificate was issued to a different URL, other than localhost; both the app and web are Issued To *.some.some... The Web to App address isn't using that same Issued To:"..." The web and app layers aren't open to the public yet. – Vyache Feb 13 '15 at 16:27
  • It might be related to your service behavior. What does your service behavior look like? Is it chain trust or peer trust? Can you paste your bindings and behaviors? Please don't paste sensitive values; put dummy ones here. – Bravo11 Feb 13 '15 at 22:07
  • @Bravo11 Actually, we didn't include behaviors in the WCF; we just used the binding with security mode="transport" and clientCredentialType="None". I think I read a post about using behaviors instead of the above binding. Here: http://stackoverflow.com/questions/6514067/wcf-ssl-service Does one work better than the other? – Vyache Feb 13 '15 at 22:10
  • Looks like you have a requirement that the client would not present any credentials? That's what your bindings tell me. But if that's not the case and you want your clients to present a certificate as well, let me know and I will post a quick solution. – Bravo11 Feb 13 '15 at 22:23
  • @Bravo11, Yep, we don't need credentials. Our sysadmins are investigating the issue; they believe the issue lies in the certificates. I'll keep you posted. :) – Vyache Feb 13 '15 at 22:26
  • You must add your server-side web.config to reveal the WCF configuration part. Otherwise, who can guess what you configured? – Lex Li Feb 23 '15 at 03:51
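
As an added diagnostic example (not code from the question, the comments or the answer): a .NET Framework client-side validation callback that records which SslPolicyErrors produced the "remote certificate is invalid" failure, separating a hostname mismatch (the "Issued To *.some.some" case raised in the comments) from a chain-trust failure (the CA not being in the machine's trusted store), while keeping the framework's verdict so validation is never weakened. It assumes a .NET Framework WCF client on HTTP transport, which honours ServicePointManager; the class name CertDiagnostics is mine.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper: install once at startup, before any channel is created.
static class CertDiagnostics
{
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = LogAndKeepVerdict;
    }

    // Logs the reason for a failure and returns the framework's own decision.
    // Never return true here to "make it work": that disables certificate
    // validation for every outbound HTTPS call in the process.
    static bool LogAndKeepVerdict(object sender, X509Certificate certificate,
                                  X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        var request = sender as HttpWebRequest;   // WCF HTTP transport passes the request
        var cert2 = certificate as X509Certificate2 ?? new X509Certificate2(certificate);

        Console.Error.WriteLine("TLS validation failed for host: {0}",
            request != null ? request.RequestUri.Host : "(unknown)");
        Console.Error.WriteLine("  Subject    : {0}", cert2.Subject);
        Console.Error.WriteLine("  Issuer     : {0}", cert2.Issuer);
        Console.Error.WriteLine("  Thumbprint : {0}", cert2.Thumbprint);
        Console.Error.WriteLine("  NotAfter   : {0:u}", cert2.NotAfter);

        if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            // Endpoint host is not covered by the cert's CN / DNS SAN:
            // fix the endpoint address or reissue the certificate for that name.
            Console.Error.WriteLine("  NameMismatch: cert DNS name = {0}",
                cert2.GetNameInfo(X509NameType.DnsName, false));

        if ((errors & SslPolicyErrors.RemoteCertificateChainErrors) != 0)
            // Chain could not be built to a trusted root on THIS machine.
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.Error.WriteLine("  ChainError  : {0} ({1})",
                    s.Status, s.StatusInformation.Trim());

        if ((errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0)
            Console.Error.WriteLine("  No certificate was presented by the remote endpoint.");

        return false;   // keep the failure; the exception in the question is the correct outcome
    }
}
```

The logged SslPolicyErrors value tells you which of the two fixes applies: a name mismatch is solved by addressing the App tier with a name the certificate actually covers, a chain error by installing the issuing CA on the calling machine.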

1 Answer


This answer is for client certificates, where you are sending a certificate with your payload to an HTTPS endpoint.

You'll want to make sure that you trust the certificate, that you trust the certificate authority that created it, and that you have that CA's certificate in your trusted store.

Are you able to go to a simple webpage on your system (not a WCF service) where you need to provide the certificate? i.e. https://mysite/test.aspx. This will allow you to test certificates outside of WCF and separate WCF issues from IIS issues.

1) Make sure you've set up certificate mapping in IIS.
http://www.iis.net/configreference/system.webserver/security/authentication/clientcertificatemappingauthentication
http://blogs.msdn.com/b/asiatech/archive/2014/02/13/how-to-configure-iis-client-certificate-mapping-authentication-for-iis7.aspx

Short tl;dr for what we do:

  • Add your client cert to your cert store (private key)
  • Add a user to the local users
  • Go to IIS and map the certificate to the user you created
  • Run winhttpcertcfg.exe to give your App Pool's user access to that certificate

https://msdn.microsoft.com/en-us/library/windows/desktop/aa384088%28v=vs.85%29.aspx

2) Make sure your web.config is set up properly (sample from ours that allows the endpoint to be hit via HTTP and HTTPS):

<bindings>
  <basicHttpBinding>
    <!-- Secure Bindings -->
    <binding name="secureHttpBinding">
      <security mode="Transport">
        <transport clientCredentialType="Certificate" />
      </security>
    </binding>

    <binding name="httpBinding">
      <security mode="None" />
    </binding>
  </basicHttpBinding>
</bindings>

<behaviors>
  <serviceBehaviors>
    <behavior name="ServiceBehaviour">
      <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="true" />
    </behavior>
  </serviceBehaviors>
</behaviors>

<services>
  <!-- Person Revised Service -->
  <service name="Services.PRPA_AR101202" behaviorConfiguration="ServiceBehaviour">
    <endpoint address="" binding="basicHttpBinding" bindingConfiguration="secureHttpBinding" contract="Services.IPRPA_AR101202" />
    <endpoint address="" binding="basicHttpBinding" bindingConfiguration="httpBinding" contract="Services.IPRPA_AR101202" />
  </service>
</services>

Again, this answer is for client certificates with messages; if it's just regular HTTP, you can ignore it.

Ryan Ternier
  • I got the solution, I'm going to review everything I wrote here and your answer and see if it matches up. I ended up using wsHttpBinding. It turned out that I didn't understand how to properly setup the service model and its bindings across the tiers. – Vyache Feb 27 '15 at 16:00