Home/ Questions/Q 8218665
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-07T12:52:43+00:00

The scenario is this: there are 2 WCF Web Services, one a client (WCFClient),

  • 0

The scenario is this: there are 2 WCF Web Services, one a client (WCFClient), one a server (WCFServer), deployed on different machines. I needed certificate communication between the two of them.

On the server WCF I have set the binding to use certificates as client credential type.

<security mode="Message">
      <message clientCredentialType="Certificate" />
</security>

Also, in the behaviour section, among other settings, I have

<serviceBehaviors>
      <behavior name="Server.ServiceBehavior">                  
          <serviceCredentials>
            <clientCertificate>
              <authentication certificateValidationMode="PeerTrust"/>
            </clientCertificate>
            <serviceCertificate findValue="Server"
            storeLocation="LocalMachine"
            storeName="TrustedPeople"
            x509FindType="FindBySubjectName" />
          </serviceCredentials>
        </behavior>
</serviceBehaviors>

On the client WCF Service I added this endpoint behaviour

<endpointBehaviors>
   <behavior name="CustomBehavior">
     <clientCredentials>
       <clientCertificate findValue="Client" 
                          x509FindType="FindBySubjectName" 
                          storeLocation="LocalMachine" 
                          storeName="TrustedPeople" />
       <serviceCertificate>            
         <authentication certificateValidationMode="PeerTrust"/>
       </serviceCertificate>
     </clientCredentials>
   </behavior>
 </endpointBehaviors>

When I wanted to test my services, I had an error message:

The service certificate is not provided for target 'http://blablabla...'. Specify a service certificate in ClientCredentials.

So I started checking things out on the Internet. After trying many things, the only thing that actually worked is adding this on my client: 

<serviceCertificate>
         <defaultCertificate findValue="Server"
                             storeLocation="LocalMachine"
                             storeName="TrustedPeople"
                             x509FindType="FindBySubjectName" />
         <authentication certificateValidationMode="PeerTrust"/>
       </serviceCertificate>

As you might think, yes, this means I need the Server certificate on my client machine. Which is clearly a very bad thing.
It works for my testing purposes, but it is an unacceptable for deployment.

I would want to understand what really could cause that error message and what the solution may be.

Later edit: In this project the client must not have the server certificate (even without having the private key). This is the specification of the system and it’s quite difficult (in bureaucracy terms) to go beyond this.
There will be multiple clients, each with the client WCF service running, and each should know nothing more that their own certificate. The server will know the server certificate and all the clients certificate.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I actually forgot about this question, but at that time I have found the solution.

    My actual problem was that I was using a basicHttpBinding for the communication I wanted to secure. basicHttpBinding implies ussing that serviceCredential part.
    http://msdn.microsoft.com/en-us/library/ms731338(v=vs.85).aspx

    Because of the system requirements I had, I changed the binding to wsHttpBinding. Now I don’t need to put the server certificate on the client machine.

    • 0