Home/ Questions/Q 6810857
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T20:15:24+00:00

I am trying to create a WCF service that uses certificate authentication over SSL

  • 0

I am trying to create a WCF service that uses certificate authentication over SSL to create a Business to Business gateway. I have created a CA and a client certificate and put them in the Trusted root and personal folders respectively. I have set up the SSL routing but I keep getting the following error ‘The security protocol cannot verify the incoming message.’ And I can’t figure out why.

Below is my service configuration:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.web>
        <compilation debug="true" targetFramework="4.0" />
    </system.web>
    <system.serviceModel>

        <services>
            <service name="B2BGateway.SSOBackChannel" behaviorConfiguration="B2B">
                <endpoint binding="wsHttpBinding"
                  bindingConfiguration="WSCertificateSecurity" 
                  contract="B2BGateway.Contracts.ISSOBackChannel" 
                  address="https://blah.com/SSOBackChannel.svc"></endpoint>
            </service>
        </services>

        <behaviors>
            <serviceBehaviors>
                <behavior name="B2B">

                    <serviceMetadata httpsGetEnabled="true" />
                    <serviceDebug includeExceptionDetailInFaults="true" />

                    <serviceCredentials>
                        <serviceCertificate />
                        <clientCertificate>
                            <authentication certificateValidationMode="PeerTrust" />
                        </clientCertificate>
                    </serviceCredentials>
                    <serviceAuthorization principalPermissionMode="None"></serviceAuthorization>
                </behavior>
            </serviceBehaviors>

            <endpointBehaviors>
                <behavior name="B2B">
                    <clientCredentials>
                        <clientCertificate findValue="2e2ecba0f33265085cc53cb53c0b00977aaa9e9e" storeName="My" storeLocation="LocalMachine" x509FindType="FindByThumbprint" />
                    </clientCredentials>
                </behavior>
            </endpointBehaviors>
        </behaviors>

        <bindings>
            <wsHttpBinding>
                <binding name="WSCertificateSecurity">
                    <security mode="TransportWithMessageCredential">
                        <transport clientCredentialType="None" proxyCredentialType="None" realm="" />
                        <message clientCredentialType="Certificate" />
                    </security>
                </binding>
            </wsHttpBinding>
        </bindings>

    </system.serviceModel>

    <system.diagnostics>
        <sources>
            <!-- See here for recommended diagnostics settings: http://msdn.microsoft.com/en-us/library/aa702726.aspx -->
            <source name="System.ServiceModel" switchValue="Warning,Information,ActivityTracing,Verbose" propagateActivity="true">
                <listeners>
                    <add name="traceListener" type="System.Diagnostics.XmlWriterTraceListener" initializeData="d:\logs\gah.svclog" />
                </listeners>
            </source>
        </sources>
    </system.diagnostics>
    <system.webServer>
        <directoryBrowse enabled="true" />
    </system.webServer>

</configuration>

And the client configuration is just the autogenerated code:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>

    <system.serviceModel>
        <bindings>
            <wsHttpBinding>
                <binding name="WSHttpBinding_ISSOBackChannel" closeTimeout="00:01:00"
                    openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
                    bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
                    maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                    messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
                    allowCookies="false">
                    <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                    <reliableSession ordered="true" inactivityTimeout="00:10:00"
                        enabled="false" />
                    <security mode="TransportWithMessageCredential">
                        <transport clientCredentialType="None" proxyCredentialType="None"
                            realm="" />
                        <message clientCredentialType="Certificate" negotiateServiceCredential="true"
                            algorithmSuite="Default" />
                    </security>
                </binding>
            </wsHttpBinding>
        </bindings>
        <client>
            <endpoint address="https://blah.com/SSOBackChannel.svc"
                binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_ISSOBackChannel"
                contract="SSOBackChannelService.ISSOBackChannel" name="WSHttpBinding_ISSOBackChannel" />
        </client>
    </system.serviceModel>
</configuration>

I wrote a unit test to see if the thing works which is where I’m getting the error…

[TestMethod]
public void Should_Call_Service_As_Machine_Does_Have_x509Certificate()
{
SSOBackChannelClient service = new SSOBackChannelClient();;
service.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "2e2ecba0f33265085cc53cb53c0b00977aaa9e9e");
var result = service.CheckBackChannelToken("123456789");
}

Any help would be so greatly appreciated!!
Josh

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You are using wsHttpBinding but you havent specified the certificate it needs to use to secure your transport channel. Try to specify a certificate it needs to use. i.e. for SSL

    Also try enabling tracing on your service. See here how to enable tracing.

    • 0