We Keep Coding

WCF: Could not establish trust relationship for the SSL/TLS secure channel with authority 'dev.xxxxx.com'

I have a WCF webservice application. built another .net app to consume the wcf webservice.
I kept getting this error message. " Could not establish trust relationship for the SSL/TLS secure channel with authority 'dev.xxxxx.com'."
I googled it and tried a few different solutions, still not able to get it fixed.
WCF service config:
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior>
<!-- To avoid disclosing metadata information, set the values below to false before deployment -->
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<protocolMapping>
<add binding="basicHttpsBinding" scheme="https" />
</protocolMapping>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
<bindings>
<basicHttpBinding>
<binding maxBufferSize="104857600" maxReceivedMessageSize="104857600" sendTimeout="00:10:00">
</binding>
</basicHttpBinding>
</bindings>
</system.serviceModel>
<system.webServer>
Client config:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpsBinding_IIRSvc">
<security mode="Transport">
<transport clientCredentialType="None"
proxyCredentialType="None"
realm="" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="https://dev.xxxxx.com/IRSvc.svc"
binding="basicHttpBinding" bindingConfiguration="BasicHttpsBinding_IIRSvc"
contract="irsvc.IIRSvc" name="BasicHttpsBinding_IIRSvc" />
</client>
</system.serviceModel>

I'm not sure what the config for the service should look like, but if i compare the 2 configs.
I see a SecurityMode 'transport' in the client.config but i don't see any security mode in the service.
The default security mode is 'None' so maybe that's a mismatch.

It could also be that your certificates CA Root certificate is not present in Trusted Root Certification Authorities. Start mmc.exe then go to:
File -> Add or Remove Snap-ins -> Certificates -> Add -> Computer account -> Local computer. Click Finish.
Check if your HTTPS CA Root certificate certificate is present in Trusted Root Certification Authorities or else copy it there.
Example error from certificate:
This CA Root certificate is not trusted because it is not in the
Trusted Root Certification Authorities store.
More info here:
https://stackoverflow.com/a/48790088/3850405

Custom UserName/Password authentication in IIS6

I have a WCF service I'm hosting in IIS6. I'm trying to set up custom username/password authentication using Transport level security. I've set up a test certificate and got a client to connect over SSL with no authentication specified, i.e:
<security mode="Transport">
<transport clientCredentialType="Basic" />
</security>
I've set up a custom validator with Message security and client credential type "UserName", but I'd like to incorporate this now with Transport level security. When I have my web.config set, when I try to view the WSDL, I get an error:
"Security settings for this service require 'Basic' Authentication but it is not enabled for the IIS application that hosts this service."
Here are the important parts of my web.config:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="UserNameBinding">
<security mode="Transport">
<transport clientCredentialType="Basic" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="ServiceAuthenticationBehavior"
name="Service.WebServices.MyService">
<endpoint address="mex" binding="mexHttpsBinding" bindingConfiguration=""
name="mexBinding" contract="IMetadataExchange" />
<endpoint binding="wsHttpBinding" bindingConfiguration="UserNameBinding"
name="wsHttpBindingWithAuth" contract="Service.WebServices.IMyService" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceAuthenticationBehavior">
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<serviceCertificate findValue="TestCert01" storeLocation="LocalMachine"
storeName="TrustedPeople" x509FindType="FindBySubjectName" />
<userNameAuthentication userNamePasswordValidationMode="Custom"
customUserNamePasswordValidatorType="Service.WebServices.ClientCredentialsValidator, Service.WebServices" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
Is there something I'm supposed to set in IIS6 to enable this?
In IIS, I started initially with the "Enable anonymous access" option enabled. I also tried enabling "Basic authentication (password is sent in clear text)" checkbox, but no success.

This post seems to suggest that Basic is only available for Windows account, with a 3rd party solution...
Basic Authentication with WCF REST service to something other than windows accounts?
I've been here myself, and ended up going with 1-legged openauth which worked nicely.
edit
this post sent me well on my way to a solution http://www.cleancode.co.nz/blog/523/oauth-dot-net
its worth mentioning the diff between 1 and 2-leg OAuth. 1-leg is where the client and the service both know the client's secret (password) for the client's account name which is used to encrypt and decrypt the authentication request (which all gets added to the querystring). with 2-legged, this is generated by a 3rd party such as google, facebook etc.

Using client certificates for authentication

The client machine has the "TicketSalesClient" certificate in "My" storage of current user and the "TicketSalesServer" certificate in "TrustedPeople" storage of current user. The server machine has "TicketSalesClient" certificate in "TrustedPeople" storage of local machine and the "TicketSalesServer" certificate in "My" storage of local machine.
The service runs under IIS 7. Below is the web.config file:
<system.serviceModel>
<services>
<service behaviorConfiguration="secureBehavior" name="InternetRailwayTicketSales.TicketSalesImplementations.TicketSalesService">
<endpoint address="TicketSalesService"
binding="basicHttpBinding"
bindingConfiguration="secureHttpBinding" contract="InternetRailwayTicketSales.TicketSalesInterface.ITicketSales" />
<endpoint address="TicketSalesServiceSecureMex"
binding="basicHttpBinding"
bindingConfiguration="secureHttpBinding"
contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="https://localhost:443/TicketSales/" />
</baseAddresses>
</host>
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="secureHttpBinding">
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="secureBehavior">
<serviceThrottling maxConcurrentInstances="5000" maxConcurrentSessions="5000" />
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="True" />
<serviceCredentials>
<serviceCertificate findValue="TicketSalesServer"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindBySubjectName"/>
<clientCertificate>
<authentication certificateValidationMode="PeerTrust"/>
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
The service in IIS is configured for SSL and certificate requiring.
1)Now when I try to add service reference in the client I receieve: "The HTTP request was forbidden with client authentication scheme 'Anonymous'. The remote server returned an error: (403) Forbidden."
2)If I try to request the metadata endpoint using browser I firstly apply the SSL certificate and then receieve an error that "The credentials do not give the right to view this directory or page." As I understand this is because I can't give the client credentials through the browser.
3)I tried to use svcutil with configuration file which contains client credentials:
<configuration>
<system.serviceModel>
<client>
<endpoint
behaviorConfiguration="ClientCertificateBehavior"
binding="basicHttpBinding"
bindingConfiguration="Binding1"
contract="IMetadataExchange"
name="https" />
</client>
<bindings>
<basicHttpBinding>
<binding name="Binding1">
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="ClientCertificateBehavior">
<clientCredentials>
<clientCertificate findValue="TicketSalesClient"
storeLocation="CurrentUser"
storeName="My"
x509FindType="FindBySubjectName" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
And then:
svcutil https://veryLongAddress.svc?wsdl /config:svcutilConf.config
And the response is that the "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure"
So what am I doing wrong?

Seems like your certificates installation is fine. Can you try as shown below and see the output. Try to browse to the service from IE and you should be able to see the service and its wsdl.
Go to IE and then
Tools --> Internet Options --> Security --> Internet --> Custom Level
Tools --> Internet Options --> Security --> Intranet --> Custom Level
Now scroll down to Misc section to find the option "Dont Prompt for client certificate selection when no certificate is present or only one certificate is present" to Diable.
Now restart IE and browse to the service and IE should ask you to select a client certificate from the personal store and you need to select mvc.localhost.
If TicketSalesClient cert is not visible then your client certificate is not in the appropriate store.
The reason for this is that the file you are using to install the certificates do matter as well as the purpose for which the certificate has been created. You can find the purpose of each certificate when you double click them in the certificate store you have a column that is called Intended Purpose. Make sure its for your client certificate.

When hosting the service in IIS all endpoints must have the same transport security configuration. I played with this before and I ended with redefining binding for WSDL GET (yes it has also internal binding defined). So modify your bindings on service to:
<basicHttpBinding>
<binding name="secureHttpBinding">
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
</basicHttpBinding>
<customBinding>
<binding name="wsdlBinding">
<textMessageEncoding messageVersion="None" />
<httpsTransport requireClientCertificate="true" />
</binding>
</customBinding>
And in service behaviors use:
<serviceMetadata httpsGetEnabled="true"
httpsGetBinding="customBinding"
httpsGetBindingConfiguration="wsdlBinding" />
This should force WSDL get to require client certificate and it "should" work from browser (unless there is some other problem).

When we host WCF service in IIS with security type transport and client credential type certificate, Then put your client certificate on Root store and enable anonymous authentication in IIS. Enable anonymous authentication in IIS But most important, add your certificate to root store.

Adding a service reference to a WCF service with webHttpBinding and security mode Transport results in an incorrect config file

I have searched and searched and I cannot find a solution. It seems like it would be relatively common to run into this... WCF REST service over https. When I add the service reference all of the proxy classes are correct and I can create the objects defined in the service, call the services, etc. However, I can't create a configured client with the proxy's client classes. I have to explicity create the bindings, behaviors, and endpoints and add them to the client. FOr example, what I should be able to do, based on all of my research is:
ServiceClient = new ServiceClient();
And be off and running. However, what I have to do is:
WebHttpBinding serviceBinding = new WebHttpBinding(WebHttpSecurityMode.Transport);
serviceBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
EndpointAddress endPointAddress
= new EndpointAddress(<endpointaddress>);
// Create Service Client
ServiceClient = new ServiceClient(serviceBinding, endPointAddress);
// Add Web Behavior to the EndPoint
WebHttpBehavior webHttpBehavior = new WebHttpBehavior();
ServiceClient.Endpoint.Behaviors.Add(webHttpBehavior);
// Set up the request to POST with a wrapped request
WebInvokeAttribute postAttribute = new WebInvokeAttribute();
postAttribute.Method = "POST";
postAttribute.BodyStyle = WebMessageBodyStyle.WrappedRequest;
ServiceClient.Endpoint.Contract.Operations.Find(<operationname>).Behaviors.Add(postAttribute);
In order to mimic the service configuration:
<behaviors>
<endpointBehaviors>
<behavior name="AspNetAjaxBehaviorXml">
<webHttp />
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="AuthenticationServicesBehavior">
<serviceMetadata httpsGetEnabled="true" policyVersion="Policy15" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="LoggingServicesBehavior">
<serviceMetadata httpsGetEnabled="true" policyVersion="Policy15" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="True" />
<bindings>
<webHttpBinding>
<binding name="WebSslBinding">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</webHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="AuthenticationServicesBehavior"
name="AuthenticationServices">
<endpoint address="authenticate" behaviorConfiguration="AspNetAjaxBehaviorXml"
binding="webHttpBinding" bindingConfiguration="WebSslBinding"
name="AuthenticationEndPoint" bindingNamespace="<mynamespace>"
contract="IService" />
</service>
The "Add Service Reference" is giving me this:
<bindings>
<customBinding>
<binding name="AuthenticationEndPoint">
<!-- WsdlImporter encountered unrecognized policy assertions in ServiceDescription 'EchoAppsServices': -->
<!-- <wsdl:binding name='AuthenticationEndPoint'> -->
<!-- <sp:HttpsToken xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">..</sp:HttpsToken> -->
<textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
messageVersion="Soap12" writeEncoding="utf-8">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
</textMessageEncoding>
</binding>
</customBinding>
</bindings>
<client>
<endpoint binding="customBinding" bindingConfiguration="AuthenticationEndPoint"
contract="AuthenticationService"
name="AuthenticationEndPoint" />
</client>
I believe my inability to create a default client that works out of the box is related to the problem with WsdlImporter. I get a similar error when I use svcutil:
Warning: The following Policy Assertions were not Imported:
XPath://wsdl:definitions[#targetNamespace='<mynamespace>']/wsdl:binding[#na
me='AuthenticationEndPoint']
Assertions:
<sp:HttpsToken xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolic
y'>..</sp:HttpsToken>
I'm sure it has something to do with my self signed cert, but I can't get makecert to give me a functioning cert with a CA that doesn't cause my IIS to crash.
Environment details:
VS2008
XP 64bit
.NET 3.5
IIS6
Thanks in advance for any help...

If you want to create client proxy classes, why would you use webHttpBinding. Why not just use wsHttpBinding?
The whole point of webHttpBinding was so that you could use standard Http toolkits like HttpWebRequest and Microsoft.Http.HttpClient on the client to access the service.

Not sure if that's just a typo - but your code and config don't match.
See in your code:
serviceBinding.Security.Transport.ClientCredentialType =
HttpClientCredentialType.Windows;
but in your config:
<webHttpBinding>
<binding name="WebSslBinding">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</webHttpBinding>
In code, you set your HttpClientCredentialType to Windows (integrated Windows authentication), but in config, you set it to None.
Try changing your config to use Windows as well:
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
and try again.
If you don't get any better results : why not just update the client config manually, after the import? The WSDL importer is known to have hiccups here and there, and most often, just using your brain and manual config adaption can solve the problem. You basically just need to copy the <endpointBehaviors> and the <bindings> sections into your client side config and define a <client> section which references the appropriate endpoint - that's pretty much all.

You bring up a good point, but I started down this road to make a RESTful web service that can be called either from the client or the server. I can call it from both right now just the way it is but I have to explicitly configure the server side. This is unacceptable because this application will be deployed to multiple end users and it's easier to change a configuration file than it is to patch. I know that I could create multiple endpoints, but I would much rather only have to maintain one per service.
Thank you for your reply.

WCF Metadata on separate port and not SSL

Pretty new to complex WCF configs and have looked around, but couldn't clearly answer this.
I'm looking for a yes this is possible and ideally a sample or no, this is not possible.
Question:
Can you separate out the Metadata (WSDL) from a secure transport (SSL) service and make it plain old HTTP?
We have a WCF service that is using Transport security (SSL) for the service.
At this stage, during development we're using our own Certificates for the SSL, so we're a CA.
So the WSDL is exposed using
<serviceMetadata httpsGetEnabled="true" />
Under the service behaviours.
When you browse to the WSDL https://devserver:8010/MyService/?wsdl you get the usual, don't know the CA warning and just click IGNORE to continue on.
One of the problems I've got is that a proxy generation tool like JAX-WS just bails with a HTTP.403 Forbidden warning, even though I've put the CA certificate into the JDK/JRE keystore for cacerts.
So I was thinking, if I could separate out the Metadata then you could expose that on HTTP on a separate port and then there's no certificate issues for generating proxies.
So I tried marking the service metadata as follows:
<serviceMetadata httpGetEnabled="true" httpGetUrl="http://devserver:8011/MyService/" />
But this doesn't work as it's now mixing up the behaviour.
Perhaps I've missed something?
Perhaps this isn't possible?
And yes, to some extent it is moot, as a production machine WOULD have a trusted CA and therefore you won't get the certificate trust warnings.
However, it's now become a question of is this possible?
All help appreciated, thanks
Hadley

You also need to specify your MEX endpoint
http://bloggingabout.net/blogs/dennis/archive/2006/11/09/WCF-Part-4-3A00-Make-your-service-visible-through-metadata.aspx
Note it will need a different binding configuration with security = None instead of transport.

Did some more trial and error and the end result which works is like this. This is shortened for brevity.
<behaviors>
<serviceBehaviors>
<behavior name="serviceBehaviour">
<serviceMetadata httpGetEnabled="true" httpGetUrl="http://devserver:8022/MyService/" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding name="basicHttp" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647">
<readerQuotas maxStringContentLength="2147483647" maxArrayLength="2147483647" />
<security mode="Transport">
</security>
</binding>
</basicHttpBinding>
<webHttpBinding>
<binding name="webHttp">
<security mode="None">
</security>
</binding>
</webHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="serviceBehaviour" name="MyService">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="basicHttp"
name="httpsEndpoint" contract="IMyService" />
<host>
<baseAddresses>
<add baseAddress="https://devserver:8020/MyService/" />
</baseAddresses>
</host>
</service>