
I have a WCF service running on a server, and I created a self-signed certificate and my service references it as follows:

    <behaviors>
      <serviceBehaviors>
        <behavior name="KeypadBehavior">
          <serviceMetadata httpGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="false"/>
          <serviceCredentials>
            <serviceCertificate findValue="SELFHOSTTESTCert" x509FindType="FindBySubjectName"/>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>

My ASP.NET web application needs to create a client for the Admin endpoint:

    <client>
        <endpoint address="http://selfhosttest.example.com/Teamtime/Keypad.svc/Client"
          binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IKeypad"
          contract="TTAHttp.IKeypad" name="WSHttpBinding_IKeypad" />
        <endpoint address="http://selfhosttest.example.com/Teamtime/Keypad.svc/Admin" binding="wsHttpBinding"
          bindingConfiguration="WSHttpBinding_IKeypadPrivilleged" contract="TTAHttp.IKeypadPrivilleged"
          name="WSHttpBinding_IKeypadPrivilleged">
            <identity>
                <certificate encodedValue="a very long unique string" />
            </identity>
        </endpoint>
    </client>

On the VM, I can create and use an Admin endpoint client.

I'm trying to migrate my application to an Azure WebApp. I uploaded the same certificate on the portal. The WCF service wouldn't start, and it took some fiddling around before I tried setting the location and store values:

      <serviceCredentials>
        <serviceCertificate storeLocation="CurrentUser" storeName="My" findValue="SELFHOSTTESTCert" x509FindType="FindBySubjectName" />
      </serviceCredentials>

The service now shows its "welcome page". The problem I'm having now is that no matter what I try for the client configuration (see attempts A, B, C, D), any attempt to create a client throws an RTE.

    <client>
        <endpoint address="http://selfhost.example.com/TeamTime/Keypad.svc/Client" binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IKeypad" contract="TTAHttp.IKeypad" name="WSHttpBinding_IKeypad" />
        <endpoint address="http://selfhost.example.com/TeamTime/Keypad.svc/Admin" binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IKeypadPrivilleged" contract="TTAHttp.IKeypadPrivilleged" name="WSHttpBinding_IKeypadPrivilleged">
            <identity>

                <!-- Option A -->
                <!--<certificate encodedValue="a very long unique string" />-->

                <!-- Option B -->
                <!--<certificate encodedValue="a very long unique string" />
                <certificateReference
                    findValue="SELFHOSTTESTCert"
                    storeLocation="CurrentUser"
                    storeName="My"
                    x509FindType="FindBySubjectName"/>-->

                <!-- Option C -->
                <!--<certificateReference findValue="my thumbprint" storeLocation="CurrentUser" storeName="My" x509FindType="FindByThumbprint"/>-->

                <!-- Option D -->
                <!--<certificateReference storeLocation="CurrentUser" storeName="My" findValue="SELFHOSTTESTCert" x509FindType="FindBySubjectName"/>-->

            </identity>
        </endpoint>
    </client>

How can I create a client on an Azure website to an endpoint using an uploaded certificate?

Stack trace:

    Server stack trace:
       at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
       at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Security.TlsnegoTokenProvider.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Security.CommunicationObjectSecurityTokenProvider.Open(TimeSpan timeout)
       at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
       at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
       at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
       at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ReliableChannelBinder`1.ChannelSynchronizer.SyncWaiter.TryGetChannel()
       at System.ServiceModel.Channels.ReliableChannelBinder`1.ChannelSynchronizer.SyncWaiter.TryWait(TChannel& channel)
       at System.ServiceModel.Channels.ReliableChannelBinder`1.ChannelSynchronizer.TryGetChannel(Boolean canGetChannel, Boolean canCauseFault, TimeSpan timeout, MaskingMode maskingMode, TChannel& channel)
       at System.ServiceModel.Channels.ClientReliableChannelBinder`1.Request(Message message, TimeSpan timeout, MaskingMode maskingMode)
       at System.ServiceModel.Channels.RequestReliableRequestor.OnRequest(Message request, TimeSpan timeout, Boolean last)
       at System.ServiceModel.Channels.ReliableRequestor.Request(TimeSpan timeout)
       at System.ServiceModel.Channels.ClientReliableSession.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ReliableRequestSessionChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
    Exception rethrown at [0]:
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at TTAHttp.IKeypadPrivilleged.ClearTokens(String MeetingID)
       at LaunchTeamTimeClient.Page_Load(Object sender, EventArgs e)

WhiskerBiscuit

1 Answer

It seems that you need to add WEBSITE_LOAD_CERTIFICATES with the thumbprint of the certificate in the WebApp app settings. If that is the case, please try following the Using Certificates in Azure Websites Applications blog to add it. The following is the snippet from the blog.

Adding an app setting named WEBSITE_LOAD_CERTIFICATES with its value set to the thumbprint of the certificate will make it accessible to your web application. You can have multiple comma-separated thumbprint values or can set this value to "*" (without quotes), in which case all your certificates will be loaded to your web application's personal certificate store.

Tom Sun - MSFT

If you want to install a self-signed CA certificate in the Azure WebApp, that is not allowed. For more details please refer to another [SO thread](http://stackoverflow.com/questions/41776109/installing-certificates-to-the-trusted-root-certificate-store-on-azure-web-apps?answertab=active#tab-top). – Tom Sun - MSFT Feb 24 '17 at 07:54
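To confirm that the app setting actually did its job before changing any more WCF configuration, the lookup below reproduces the store search that `<certificateReference>` and `<serviceCertificate>` perform against CurrentUser\My. It is an added example, not code from the question or the answer, and assumes `thumbprint` is the value configured in WEBSITE_LOAD_CERTIFICATES.

```csharp
// Added diagnostic (not from the question or answer): searches CurrentUser\My
// the same way the WCF x509FindType="FindByThumbprint" lookup does, so a
// missing WEBSITE_LOAD_CERTIFICATES entry shows up as a plain "not found"
// instead of the SSPI negotiation failure in the stack trace above.
using System;
using System.Security.Cryptography.X509Certificates;

static class CertificateStoreCheck
{
    // thumbprint: assumed to be the value set in WEBSITE_LOAD_CERTIFICATES.
    public static string Describe(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);

            // validOnly must be false: a self-signed certificate does not chain to a
            // trusted root on the web app (see the comment above), and validOnly: true
            // silently filters it out, making it look as if it was never loaded.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);

            if (found.Count == 0)
                return "not found in CurrentUser\\My: check WEBSITE_LOAD_CERTIFICATES and the thumbprint";

            X509Certificate2 cert = found[0];
            return string.Format("{0}, expires {1:u}, private key {2}",
                cert.Subject, cert.NotAfter, cert.HasPrivateKey ? "present" : "MISSING");
        }
    }

    static void Main()
    {
        // Placeholder value; replace with the thumbprint from the app setting.
        Console.WriteLine(Describe("<thumbprint-from-WEBSITE_LOAD_CERTIFICATES>"));
    }
}
```

Prefer listing the explicit thumbprint over "*" so only the certificate this client needs is exposed to the application. "private key MISSING" is fine for the client-side `<identity>` reference, but the service-side `<serviceCertificate>` requires the private key, so that side needs the .pfx upload.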