.netwcfweb-servicesssliis-5

WCF Service unable to connect to web service when running in IIS


I have a WCF service which is being used as a wrapper on a third party asmx service we are integrating with. The service it is communicating with was added using the Add Service reference dialog in visual studio. The code in the WCF service works when executed in unit tests, and also works when debugging the Host application.

When debugging the host runs in the ASP.NET Development Server and it works without errors. When I deploy the application to the local IIS instance (same as development machine, IIS 5.1) the service will start and run, but it throws this error when connecting ot the third party asmx endpoint:

System.ServiceModel.Security.SecurityNegotiationException: 
Could not establish trust relationship for the SSL/TLS secure channel with
authority 'xxxxx.thirdparty.com'. ---> System.Net.WebException: The underlying
connection was closed: Could not establish trust relationship for the SSL/TLS
secure channel. ---> System.Security.Authentication.AuthenticationException: 
The remote certificate is invalid according to the validation procedure.

These are settings in the config file for the service endpoint:

<basicHttpBinding>
  <binding name="ServiceSoap" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered" 
    useDefaultWebProxy="false" proxyAddress="http://[internalWebProxyHere]">
    <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384"/>
    <security mode="Transport">
      <transport clientCredentialType="None" proxyCredentialType="None" realm=""/>
      <message clientCredentialType="UserName" algorithmSuite="Default"/>
    </security>
  </binding>
</basicHttpBinding>

The service works in visual studio, but not after deploying to IIS. What can I do to debug AuthenticationExceptions?

Edit: the client endpoint looks like this:

<endpoint address="https://'xxxxx.thirdparty.com/thirdpartyendpoint.asmx" 
    binding="basicHttpBinding" bindingConfiguration="ServiceSoap" 
    contract="eContracting.ServiceSoap" name="ServiceSoap"
    behaviorConfiguration="Behavior"/>

And I tried to add an endpoint behavior to disable the certificate validation but this did not help:

<behavior name="Behavior">
  <clientCredentials>
    <serviceCertificate>
      <authentication certificateValidationMode="None"/>
     </serviceCertificate>
    </clientCredentials>
</behavior>

If it also helps the third party certificate was issued by Rapid SSL CA, the certificate is valid. Looking in my local certificate store this certificate is in the "Intermediate Certification Authorities" tab, but not in "Trusted Root Certification Authorities" or in "Trusted Publishers".

Edit: The issue was resolved by adding the cert to the "Trusted Root Certification Authorities", though there was a catch.

  1. Importing certificates from ControlPanel -> InternetProperties -> Content -> Certificates. If you install this way it says it’s successful but it does not show up in winhttpcertcfg.
  2. Importing certificates by doing start -> run -> type ‘certmgr.msc’ and installing through here. It will say imported successfully but certs are not available to winhttpcertcfg.
  3. Importing certificates by start -> run -> MMC and using the certificates snapin does work. Click here to view instructions for Windows XP.

Specifically this is what worked:

  1. Start -> Run -> MMC
  2. File -> Add/Remove Snap-in
  3. Click Add...
  4. Select Certificates and click Add
  5. Select Computer Account an click Next
  6. Select Local computer and click Finish
  7. Click Close
  8. Import certificate from console root to these locations:

    • Trusted Root Certification Authorities
    • Intermediate Certification Authorities
    • Third-Party Root Certification Authorities

Solution

  • Try enabling tracing in the service web.config. By setting the switchValue to Verbose you might be able to find out a more detailed error. Maybe there is something wrong with the certificate.

    Configure and Enable Tracing

    You could also try setting the service certificate validation mode to none.

    X509ServiceCertificateAuthentication.CertificateValidationMode Property

    Another option is to import the Rapid SSL CA to your Trusted Root Certification Authorities on your local machine. I suspect cassini isn't validating or is ignoring certificates.

    Another possible issue to look at, the account IIS is running under for your service may not have permissions to read from the certificate store.