Home/ Questions/Q 6375663
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-25T01:38:42+00:00

I’m building a WCF-based application with the users authenticating using certificates on smart cards.

  • 0

I’m building a WCF-based application with the users authenticating using certificates on smart cards. The service is hosted on IIS7 and the clients are Windows forms apps.

The problem is that when a new user is added (new certificate created) that user can’t log in until the IIS is restarted or the application pool recycled. If an existing user is deleted he’s also able to log on until a restart/recycle.

In my behaviour definition I have 

        <serviceCredentials>
            <serviceCertificate findValue="blahblah.local" 
    x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
            <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
     membershipProviderName="SqlMembershipProvider" cacheLogonTokens="true"/>
            <clientCertificate>
                <authentication mapClientCertificateToWindowsAccount="true" 
certificateValidationMode="ChainTrust" revocationMode="Online"/>
            </clientCertificate>
        </serviceCredentials>

Is there any way to prevent this certificate “caching” from taking place or refresh the active certificate list on demand?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Apparently the caching was a known “feature” of System.Identitymodel. It’s discussed here and more info available here.

    What I did was to use a custom validator (code below) which took care of the issue.

    EDIT: Added more code for validating X.509 certificates against CRL’s in real-time here

    web.config

    <clientCertificate>
    <authentication mapClientCertificateToWindowsAccount="true" certificateValidationMode="Custom" customCertificateValidatorType="My.IdentityModel.MyX509Validator, My.IdentityModel" />
</clientCertificate>

    code

    using System;
using System.IO;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

namespace My.IdentityModel
{
    /// <summary>
    /// Custom X.509 certificate validator
    /// Richard Ginzburg - richard (at) ginzburgconsulting (dot) com
    /// </summary>
    public class MyX509Validator : X509CertificateValidator
    {
        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
            {
                throw new ArgumentNullException("certificate", "Certificate validation failed, no certificate provided");
            }

            X509ChainPolicy myChainPolicy = new X509ChainPolicy
                                                {
                                                    RevocationMode = X509RevocationMode.Online,
                                                    RevocationFlag = X509RevocationFlag.EntireChain,
                                                    VerificationFlags = X509VerificationFlags.NoFlag,
                                                    UrlRetrievalTimeout = new TimeSpan(0, 0, 10),
                                                    VerificationTime = DateTime.Now
                                                };
            X509Chain chain = new X509Chain(true) {ChainPolicy = myChainPolicy};

            try
            {
                bool ok = chain.Build(certificate);
                if(!ok)
                {
                    foreach (var status in chain.ChainStatus)
                    {
                        Logging.Log("MyX509Validator: Validation failed - " + status.StatusInformation);
                    }
                    throw new SecurityTokenValidationException("Certificate validation failed when building chain");
                }
            }
            catch (CryptographicException e)
            {
                throw new SecurityTokenValidationException("Certificate validation failed when building chain, " + e);
            }
        }
    }
}
    • 0