WCF - basicHttpBinding configuration (exception: Identity check failed for outgoing message. The expected DNS identity of the remote endpoint ...)

Question

WCF - basicHttpBinding configuration (exception: Identity check failed for outgoing message. The expected DNS identity of the remote endpoint ...)

ITMemberAHE 6

I'm trying to make a soap client in VisualStudio. First thing I've done was generating proxy class with delivered WSDL file (using Add Service Reference option in VisualStudio).
It was generated with wrong binding configuration - message security should be:
DefaultAsymmetricSignatureAlgorithm - "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
DefaultCanonicalizationAlgorithm - "http://www.w3.org/2001/10/xml-exc-c14n#" and
DefaultDigestAlgorithm - "http://www.w3.org/2001/04/xmlenc#sha256",

while it is:
DefaultAsymmetricSignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
DefaultCanonicalizationAlgorithm "http://www.w3.org/2001/10/xml-exc-c14n#" and
DefaultDigestAlgorithm "http://www.w3.org/2000/09/xmldsig#sha1".

I changed basicHttpBinding settings in App.conf by adding:

<security mode="Message">
            <message algorithmSuite="Basic256Sha256" clientCredentialType="Certificate"/>
</security>

and binding settings changed properly, I also set certificates:

var cert = new X509Certificate2(AppDomain.CurrentDomain.BaseDirectory + "//cert.p12", "Pass");
client.ChannelFactory.Credentials.ClientCertificate.Certificate = cert;
client.ClientCredentials.ClientCertificate.Certificate = cert;

Unfortunately I got exception: The service certificate is not provided for target 'http://.../service'. Specify a service certificate in ClientCredentials.

But I don't think I have a service certificate at all (service belongs to another company). I tried using the same certificate for ClientCertificate and ServiceCertificate.

client.ClientCredentials.ServiceCertificate.DefaultCertificate = cert;

But I got error: The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode.

Changing mode to None gives excepion Security not found.

I added <authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck"/> in serviceBehaviors/behavior/serviceCredentials/clientCertificate, and it doesn't work.

I also tried adding <authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck"/> in endpointBehaviors/behavior/clientCredentials/serviceCertificate,

but I got another error: "Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'nameA' but the remote endpoint provided DNS claim 'nameB'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'nameB' as the Identity property of EndpointAddress when creating channel proxy. ”

And I'm not sure if I go right way anymore. I don't know what to do :(

In general, sending request using SoupUI works fine, but I can't make right configuration in my client service to send any request.

1 answer

Your answer

Answer 1

Anonymous

Hi @ITMemberAHE ,
If you change the certificate, you need to update your identity/certificate node like this:

<identity>  
    <certificate encodedValue="..." />  
</identity>

It is probably still pointing to your client's identity store and certificate.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Best regards,
Jiayao Wu

ITMemberAHE 6 Reputation points

2021-09-29T07:15:19.28+00:00

Hi @JiayaoWuMSFT-8028
What is encodedValue here and how can I get it?
Anonymous

2021-09-29T07:24:30.74+00:00

Hi @ITMemberAHE ,
How did you generate the configuration? Rerun on the server and replace the corresponding configuration on the client.
ITMemberAHE 6 Reputation points

2021-09-29T08:07:22.887+00:00

@JiayaoWuMSFT-8028
I think it halped. I got another exception: FaultException: MustUnderstand headers: [{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood., I found that basicHttpBinding should be changed to wsHttpBinding, and I did so.

Now I am getting exception:
System.ServiceModel.ProtocolException: „The content type text/xml;charset=UTF-8 of the response message does not match the content type of the binding (application/soap+xml; charset=utf-8). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly. The first 274 bytes of the response were: '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:VersionMismatch</faultcode><faultstring>A SOAP 1.2 message is not valid when sent to a SOAP 1.1 only endpoint.</faultstring></soap:Fault></soap:Body></soap:Envelope>'.”
Anonymous

2021-09-29T09:18:04.637+00:00

Hi @ITMemberAHE ,
The ProtocolException seen on the client that is thrown when communication with the remote party is impossible due to mismatched data transfer protocols.Please check whether the transfer protocol and binding between the server and client match.
ITMemberAHE 6 Reputation points

2021-10-14T06:28:00.507+00:00

Hi @JiayaoWuMSFT-8028

That's the point. This whole time I'm tring to find right binding configuration. But how can I change binding message version to soap 1.1 without using CustomBinding?
Anonymous

2021-10-19T02:45:57.197+00:00

Hi @ITMemberAHE ,
Generally speaking, changing the version of a binding message requires defining a custom binding, which doesn't work as you say, so you have to find another way.

Share via

WCF - basicHttpBinding configuration (exception: Identity check failed for outgoing message. The expected DNS identity of the remote endpoint ...)

1 answer

Your answer