0 Votes
ITMemberAHE-1270 asked JiayaoWu-MSFT commented

WCF - basicHttpBinding configuration (exception: Identity check failed for outgoing message. The expected DNS identity of the remote endpoint ...)

I'm trying to make a soap client in VisualStudio. First thing I've done was generating proxy class with delivered WSDL file (using Add Service Reference option in VisualStudio).
It was generated with wrong binding configuration - message security should be:
DefaultAsymmetricSignatureAlgorithm - "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
DefaultCanonicalizationAlgorithm - "http://www.w3.org/2001/10/xml-exc-c14n#" and
DefaultDigestAlgorithm - "http://www.w3.org/2001/04/xmlenc#sha256",

while it is:
DefaultAsymmetricSignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
DefaultCanonicalizationAlgorithm "http://www.w3.org/2001/10/xml-exc-c14n#" and
DefaultDigestAlgorithm "http://www.w3.org/2000/09/xmldsig#sha1".

I changed basicHttpBinding settings in App.conf by adding:

<security mode="Message">
    <message algorithmSuite="Basic256Sha256" clientCredentialType="Certificate"/>
</security>


and binding settings changed properly, I also set certificates:

// Load the client certificate from the application directory (Path.Combine avoids the stray "//" in the file path)
var cert = new X509Certificate2(Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "cert.p12"), "Pass");
client.ChannelFactory.Credentials.ClientCertificate.Certificate = cert;
client.ClientCredentials.ClientCertificate.Certificate = cert;

Unfortunately I got exception: The service certificate is not provided for target 'http://.../service'. Specify a service certificate in ClientCredentials.

But I don't think I have a service certificate at all (service belongs to another company). I tried using the same certificate for ClientCertificate and ServiceCertificate.

client.ClientCredentials.ServiceCertificate.DefaultCertificate = cert;

But I got error: The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode.

Changing mode to None gives the exception "Security not found".

I added <authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck"/> in serviceBehaviors/behavior/serviceCredentials/clientCertificate, and it doesn't work.

I also tried adding <authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck"/> in endpointBehaviors/behavior/clientCredentials/serviceCertificate,

but I got another error: "Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'nameA' but the remote endpoint provided DNS claim 'nameB'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'nameB' as the Identity property of EndpointAddress when creating channel proxy."

And I'm not sure if I go right way anymore. I don't know what to do :(

In general, sending a request using SoapUI works fine, but I can't make the right configuration in my client service to send any request.

dotnet-csharpwindows-wcf

1 Answer

0 Votes
JiayaoWu-MSFT answered JiayaoWu-MSFT commented

Hi @ITMemberAHE-1270 ,
If you change the certificate, you need to update your identity/certificate node like this:

<identity>
    <certificate encodedValue="..." />
</identity>

It is probably still pointing to your client's identity store and certificate.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Best regards,
Jiayao Wu


Hi @JiayaoWuMSFT-8028
What is encodedValue here and how can I get it?

0 Votes 0 ·

Hi @ITMemberAHE-1270 ,
How did you generate the configuration? Rerun on the server and replace the corresponding configuration on the client.

0 Votes 0 ·

@JiayaoWuMSFT-8028
I think it helped. I got another exception: FaultException: MustUnderstand headers: [{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood. I found that basicHttpBinding should be changed to wsHttpBinding, and I did so.

Now I am getting this exception:
System.ServiceModel.ProtocolException: "The content type text/xml;charset=UTF-8 of the response message does not match the content type of the binding (application/soap+xml; charset=utf-8). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly. The first 274 bytes of the response were: '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:VersionMismatch</faultcode><faultstring>A SOAP 1.2 message is not valid when sent to a SOAP 1.1 only endpoint.</faultstring></soap:Fault></soap:Body></soap:Envelope>'."

0 Votes 0 ·
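Pulling the thread together, the following is an added client-side App.config fragment; it is not code from the question, the answer, or Microsoft's documentation. It addresses the two points raised above in one place: the endpoint identity node the answer recommends (so the DNS identity check is replaced by a certificate identity), and the SOAP 1.1 versus SOAP 1.2 mismatch in the last comment, which wsHttpBinding causes because it always speaks SOAP 1.2. A customBinding lets message security with Basic256Sha256 run over SOAP 1.1 text encoding, which is what the remote endpoint answers with. Every concrete value is an assumption: the endpoint address, contract name, binding and behavior names, the thumbprints and the Base64 certificate value are placeholders, and the messageSecurityVersion shown is one of WCF's enumeration values that must be checked against the policy in the service's WSDL.

```xml
<system.serviceModel>
  <bindings>
    <customBinding>
      <!-- Assumed binding name; message security over SOAP 1.1 text encoding -->
      <binding name="Soap11MessageSecurity">
        <!-- MutualCertificate: client signs with its certificate, service is identified by its certificate.
             The WSDL in the question asks for rsa-sha256 / sha256, which is the Basic256Sha256 suite. -->
        <security authenticationMode="MutualCertificate"
                  defaultAlgorithmSuite="Basic256Sha256"
                  includeTimestamp="true"
                  messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10" />
        <!-- Soap11 produces text/xml; wsHttpBinding would send application/soap+xml (SOAP 1.2)
             and trigger the VersionMismatch fault quoted in the last comment -->
        <textMessageEncoding messageVersion="Soap11" />
        <!-- The service address in the question is plain http, so httpTransport; use httpsTransport for https -->
        <httpTransport />
      </binding>
    </customBinding>
  </bindings>

  <client>
    <!-- Placeholder address and contract name -->
    <endpoint address="http://service.example.invalid/service"
              binding="customBinding"
              bindingConfiguration="Soap11MessageSecurity"
              behaviorConfiguration="CertificateClientBehavior"
              contract="ServiceReference1.IService"
              name="Soap11MessageSecurityEndpoint">
      <identity>
        <!-- Base64 of the service's DER-encoded X.509 certificate (placeholder).
             With a certificate identity WCF compares the presented certificate instead of
             a DNS name, so the 'nameA' versus 'nameB' check no longer applies.
             The alternative named in the error message itself is <dns value="nameB" />. -->
        <certificate encodedValue="BASE64_OF_SERVICE_CERTIFICATE_PLACEHOLDER" />
      </identity>
    </endpoint>
  </client>

  <behaviors>
    <!-- Client settings live under endpointBehaviors; a serviceBehaviors section is only read by a hosted service -->
    <endpointBehaviors>
      <behavior name="CertificateClientBehavior">
        <clientCredentials>
          <!-- The client's own signing certificate, looked up in the store rather than loaded from a .p12 on disk -->
          <clientCertificate findValue="CLIENT_CERT_THUMBPRINT_PLACEHOLDER"
                             storeLocation="CurrentUser"
                             storeName="My"
                             x509FindType="FindByThumbprint" />
          <serviceCertificate>
            <!-- The other company's service certificate; required for message security even if
                 they never issued you one, which is what "The service certificate is not provided" means -->
            <defaultCertificate findValue="SERVICE_CERT_THUMBPRINT_PLACEHOLDER"
                                storeLocation="CurrentUser"
                                storeName="TrustedPeople"
                                x509FindType="FindByThumbprint" />
            <!-- PeerTrust accepts a certificate placed explicitly in TrustedPeople even when no CA chain
                 covers it, so validation stays on instead of being switched to None -->
            <authentication certificateValidationMode="PeerTrust" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
</system.serviceModel>
```

The encodedValue attribute is the Base64 encoding of the service certificate's DER bytes: the text between the BEGIN/END lines of a Base64 .cer export, or in C# `Convert.ToBase64String(serviceCert.Export(X509ContentType.Cert))`; svcutil and Add Service Reference fill it in automatically when the WSDL embeds the certificate, which is why the answer suggests regenerating the configuration. Leaving revocationMode at its default keeps revocation checking on; it was only dropped to NoCheck in the question while experimenting, and should be re-examined once the configuration works.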