Home/ Questions/Q 446549
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-12T21:28:55+00:00

[Update] – I attach also full config files, for service , and for client

  • 0

[Update] – I attach also full config files, for service, and for client (outside of here, not to flood the topic)

I’m having situation pretty much identical to the one outlined in this question, however my question is somewhat different.

  • I’m using NetTcpBinding with security
    set to TransportWithMessageCredential
  • I’m using Password/Username
    credentials backed up by ASP.NET
    provider
  • My service is self hosted in Windows
    Service
  • I do have in my endpoint behavior
    specified authentication
    revocationMode=”NoCheck”

It is required that the service provides a certificate to authenticate itself to clients. That’s OK, I just do:

<serviceCertificate findValue="***"
                    storeLocation="CurrentUser"
                    storeName="My"
                    x509FindType="FindByThumbprint"/>

Now, I somewhat imagined that now the client would end up having

<identity>
  <certificate encodedValue="encoded certificate"/>
</identity>

And it will be able to verify service’s credentials without having that certificate installed in the store on client machine.

I was surprised to learn that although I set the service credentials to certificate, WSDL exposes 

<Identity>
   <Dns>Foo</Dns>
</Identity>

Again, on service I can set Identity to CertificateReference and hook it up to the same certificate, and then WSDL will expose identity as X509Certificate, but when I run the client that setting is ignored, and I end up with error message:

System.ServiceModel.Security.SecurityNegotiationException:
The X.509 certificate CN=xxx is not in
the trusted people store. The X.509
certificate CN=xxx chain building
failed. The certificate that was used
has a trust chain that can not be
verified. Replace the certificate or
change the certificateValidationMode.
A certificate chain processed, but
terminated in a root certificate which
is not trusted by the trust provider.

Is there a way to make client use that value from config and work without having to install a service certificate (nor its root) on client’ machine?

[UPDATE]
While setting certificateValidationMode to none will make the exception go away, it is unacceptable solution from security point of view.

It makes the client merely acknowledge that it receive ”some” certificate, without getting into details. This makes all range of man in the middle attacks possible. It still won’t validate the information sent by (alleged) service against the certificate dumped in the config.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Solution sketch:

    1) Define and register a custom X509CertificateValidator on the client

    2) In the Validate method, compare the given certificate with the one present in the client’s EndpointAddress.Identity property. The object referenced by this property should have the X509CertificateEndpointIdentity exact type.

    I didn’t test this solution, however it makes perfect sense to me.

    HTH
    Pedro

    • 0