10

Not Solved - still looking for a solution.

I am making a WCF call passing in a SAML Token:

Using SAML token with Web Service (wsdl)

    using System;
    using System.IdentityModel.Tokens;
    using System.Security.Cryptography.X509Certificates;
    using System.ServiceModel;
    using System.ServiceModel.Channels;
    using System.ServiceModel.Security;

    private static string serviceEndpoint = "https service endpoint";

    public static void CallProviderService(SecurityToken token)
    {
        // HTTPS for transport security; the issued SAML token travels as a message credential
        var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.EstablishSecurityContext = false;
        binding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;

        var channelFactory = new ChannelFactory<ISomeProviderService>(binding, new EndpointAddress(new Uri(serviceEndpoint)));
        string thumb = "mycertthumbprint";
        // Client certificate offered on the TLS session (transport-level client authentication)
        channelFactory.Credentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, thumb);
        channelFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust;
        channelFactory.ConfigureChannelFactory();
        channelFactory.Credentials.SupportInteractive = false;

        // Accept responses that carry no WS-Security headers; the binding must be
        // swapped for a CustomBinding before the factory is opened
        var elements = channelFactory.Endpoint.Binding.CreateBindingElements();
        elements.Find<SecurityBindingElement>().EnableUnsecuredResponse = true;
        channelFactory.Endpoint.Binding = new CustomBinding(elements);

        // Attach the issued SAML token to the channel
        var channel = channelFactory.CreateChannelWithIssuedToken<ISomeProviderService>(token);

        try
        {
            // somedataobject: the request object for the provider method (not shown in the question)
            var response = channel.MyServiceMethod(somedataobject);
        }
        catch (Exception ex)
        {
            //log message
        }
    }

When I had Fiddler running the call worked fine and returned data.

With Fiddler off, I get a 400 Bad Request error in my catch block.

My suspicion is that the certificate isn't being passed when Fiddler is off.

Any idea?

Note: I have a .wsdl which I used to create proxy classes using Visual Studio -> Add Service Reference.

Question: How can I check if my installed certificate is used while making this https service call?

Updated: Here are the Req/Response from Fiddler:

[Image: Tunnel Request]

[Image: Tunnel Response]

Protocol Exception details:

[Image: Protocol Exception details]

From Client after Server Certificate Request:

[Image: From Client after Server Certificate Request]

Update 12/8/2014: I think I have got a one-time success using the binding in this link: WCF custom binding that will support HTTPS, a signed certificate and a signed username token

I will update more, as I don't really know what that is doing.

gbs
  • Have you turned on WCF tracing? It should give you more details as to why it is failing. http://msdn.microsoft.com/en-us/library/ms733025%28v=vs.110%29.aspx – Rick S Nov 25 '14 at 20:55
  • @RickS it's a third-party service I am calling. – gbs Nov 25 '14 at 21:07
  • I've had a similar problem where something was working with Fiddler and otherwise wasn't working. It turned out our firewall (or antivirus, can't remember which) configuration was getting in the way. You might check that. – mason Nov 25 '14 at 21:25
  • Just to be clear here, if you put in a bogus cert thumbprint in your code, do you get an exception somewhere new, or does it fail in the same way? – EricLaw Dec 08 '14 at 17:10
  • @EricLaw Yes, I changed the last character in the thumb from 'f' to 'e' and got this: Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindByThumbprint', FindValue 'aninvalidhexthumb' – gbs Dec 08 '14 at 17:16
  • @EricLaw I added another screencap from wireshark. If that helps identify the issue. – gbs Dec 08 '14 at 18:34

3 Answers

5

Due to the abundance of scenarios (and questions) like these, Eric Lawrence has written a blog post, Help! Running Fiddler Fixes My App???, just for this.

The following section from the post seems relevant to your problem:


HTTPS Issues

Some users find that HTTPS traffic only works when Fiddler is running and decrypting secure traffic.

Certificate Errors

By default, Fiddler warns you about invalid certificates when connecting to HTTPS sites:

See image in original post

If you elect to ignore this warning, Fiddler will effectively “hide” the certificate error from the client application, such that it only sees the certificate Fiddler generated for HTTPS interception.

Most browsers show a meaningful error message if they encounter an invalid certificate:

See image in original post

…but many applications will fail silently or with a confusing error message. Even within the browser, sometimes no error message is shown (e.g. when using XmlHttpRequest).

The fix here is simple: Correct or replace the server’s certificate.

Vikas Gupta
  • That article might be helpful, as I did get some error related to Protocol Version. The provider's service is down today and I won't be able to test right away. – gbs Dec 02 '14 at 02:03
  • You can see the SSL/TLS protocol versions in the first messages. They are not encrypted. – paullem Dec 03 '14 at 10:08
  • @Vikas Looks like issue isn't the wrong protocol. It has to do with the certificate being ignored when not using Fiddler. – gbs Dec 04 '14 at 17:08
  • In your code you have `string thumb = "mycertthumbprint";` Is this real code you are running? or you changed the string here, just to remove the real thumbprint? – Vikas Gupta Dec 04 '14 at 17:54
  • Actual code has the real long thumbprint. And I do see the cert being found when I am debugging and look at ClientCertificate properties. – gbs Dec 06 '14 at 17:08
  • Without being able to debug it next to you... One last bit of thought here, **is the certificate trusted?** There isn't a whole lot I can think of that can go wrong with certificates... trust and expiration are the only things which come to my mind. – Vikas Gupta Dec 06 '14 at 18:58
  • Yes the certificate is trusted. I am using exact same certificate to get the security token that is passed to this method. – gbs Dec 06 '14 at 21:29
2

Checking the cert.

There are potentially two client certificates: the one used on the TLS session and the one used in the SAML Token/SOAP message. Typically they are the same cert, but added by different parts of the code.

Fiddler only knows about the TLS cert. If you had to add the TLS client cert to Fiddler, then it could indeed be this. The test is simple: remove it from the Fiddler directory. If it stops working...

If you want to see the TLS client cert then you could make a trace with your favorite network trace tool (NetMon, MessageAnalyser, WireShark, whatever). Put it on the outgoing network adapter and take a look at the difference in the TLS messages. You probably have to give the private key to the trace tool, because the client certificate is exchanged when it is already encrypted...

Another option is to use the Schannel built in trace, but I haven't had time to figure out how that one works, because the network trace was always possible in my test environments.

paullem
  • Paul, I have added req/response from Fiddler. I installed Netmon on my machine but have no idea how to use it and what exactly I am looking for in there. So what you mentioned above is going over my head. If you can explain a bit or point to some good resource. – gbs Dec 03 '14 at 17:32
  • Netmon 3.4 is the newest, but old... Get the newest parsers at: https://connect.microsoft.com/site216/Network%20Monitor%20Parsers . After installing those, just start a capture; run your test; stop capture. Look in the TLS session setup, look at the Client Hello and Server Hello messages. Anyway, in Fiddler it does TLS 1.2, which is OK. Now what if Fiddler isn't there? I am not sure if Netmon can decrypt TLS 1.2 and these specific ciphers (too old...). So seeing the client cert may be too hard for Netmon. But you should be able to see the TLS version negotiation. – paullem Dec 03 '14 at 19:54
  • By the way, what a weird timestamp in the response..... Had not seen it at first glance. Are the clocks OK? Could be a layout issue in fiddler? – paullem Dec 03 '14 at 20:04
  • I looked at the two handshake infos, though I am not sure what exact stuff I should be checking for. To me all looks fine in there. And yes, I did notice that time in Fiddler. I did download Wireshark as well. Again, no idea what specifics I would be looking for in there. – gbs Dec 04 '14 at 03:29
  • I had a certificate named ClientCertificate in the Fiddler folder. As soon as I removed that, I got the same exception as I get without Fiddler running. Once I added the certificate back it started working. So now what should I be doing so my code works? If you see the code above, I am indeed adding a certificate. I wonder if it is the wrong way to do that? – gbs Dec 04 '14 at 03:35
  • OK, let's skip Netmon. It sounds like a regular WCF transport security client-side certificate problem, because removing it from Fiddler produced the same error. That is regular WCF configuration. Just add the transport-level client-side certificate in configuration or code. In your code above you are only setting one of the two places where you need to add the client cert. Not being a WCF guru I am hesitant to give a more detailed answer... I too would have to test/verify the specifics of this combined binding on a local machine. – paullem Dec 04 '14 at 14:00
  • Paul, I am new to it as well so I am digging around as well. Any suggestions/ideas are welcome. – gbs Dec 04 '14 at 17:07
  • Paul I added another screencap from wireshark. If that helps identify the issue. – gbs Dec 08 '14 at 18:35
  • I still believe that it is a binding issue. Combining transport security and WS2007Xyz is probably the issue. I fear that you need to specify the client certificate in two places: once for transport and once for WS2007Xyz. I have used each of them individually, never combined. I think you better email me at firstname.lastname at (my company as in the website of my profile:) devcon.nl. Then we can Skype, but I do not have a lot of time. So let's see how far we can get. My regular name is: Paul Lemmers. Did you already look at Vittorio's book? – paullem Dec 08 '14 at 21:14
  • Any ideas on how would I add the second certificate, looking at my code above? Haven't looked at the book but sure came across it. I will look around more else I will bother you via email. Thanks for sticking along. – gbs Dec 08 '14 at 21:26
  • Do you think I would need to use some CustomBinding instead of WS2007xyz? – gbs Dec 08 '14 at 21:33
  • Paul, to let you know I added a custom binding as mentioned in the link in my updated question and that worked. – gbs Dec 09 '14 at 16:47
  • Great! I had hoped that there would have been a simpler configuration. I would certainly have started looking in the wrong place... I had assumed you were using cert auth to obtain the SAML token, but the sample suggests username. Result: just one Client cert configuration. Interesting. Thx for the update. – paullem Dec 09 '14 at 20:06
  • Yes, I am using a certificate to get the token. The sample's code after getting the token is what I need. Some setting with the binding was missing or, as you mentioned, the WS2007xxx was not the right one to use in my case. – gbs Dec 11 '14 at 05:19
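One way to answer the question in the title (is the installed certificate actually offered and accepted on the TLS session?) that also surfaces the server-certificate errors Eric Lawrence's post says Fiddler hides, as an added diagnostic that is not part of the question or of any answer: it opens a raw TLS session to the service host with SslStream, logs the certificate authorities the server names in its CertificateRequest and the certificate offered in reply, reports the outcome of validating the server's certificate, and finally checks IsMutuallyAuthenticated. The class name, host, port and thumbprint are placeholders, and it probes only the transport-level certificate, not the one inside the SAML token/SOAP message that paullem's answer distinguishes.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Hypothetical diagnostic (not from the question or answers): does the server ask for a
// client certificate, which one do we offer, does the server's own certificate validate,
// and did the handshake end up mutually authenticated? Host, port and thumbprint are
// placeholders supplied on the command line.
static class TlsClientCertProbe
{
    static void Main(string[] args)
    {
        // usage: TlsClientCertProbe <host> <port> <thumbprint>
        Run(args[0], int.Parse(args[1]), args[2]);
    }

    public static void Run(string host, int port, string thumbprint)
    {
        X509Certificate2 clientCert = FindCert(thumbprint);
        if (clientCert == null)
        {
            Console.WriteLine("client certificate not found in CurrentUser\\My or LocalMachine\\My");
            return;
        }
        // A certificate without an accessible private key can be found but never used for TLS
        Console.WriteLine("client cert: {0}; has private key: {1}", clientCert.Subject, clientCert.HasPrivateKey);

        using (var tcp = new TcpClient(host, port))
        using (var ssl = new SslStream(tcp.GetStream(), false, ValidateServer, SelectClientCert))
        {
            ssl.AuthenticateAsClient(host, new X509CertificateCollection { clientCert },
                                     SslProtocols.Tls12, checkCertificateRevocation: false);
            // IsMutuallyAuthenticated is the definitive answer to "was my certificate used?"
            Console.WriteLine("negotiated {0}; client certificate used: {1}",
                              ssl.SslProtocol, ssl.IsMutuallyAuthenticated);
        }
    }

    // SslStream calls this to pick the client certificate. acceptableIssuers lists the CAs the
    // server named in its CertificateRequest; an empty list means it has named none (yet).
    private static X509Certificate SelectClientCert(object sender, string targetHost,
        X509CertificateCollection localCerts, X509Certificate remoteCert, string[] acceptableIssuers)
    {
        Console.WriteLine("selecting client cert; acceptable issuers: {0}",
            acceptableIssuers.Length == 0 ? "(none named)" : string.Join(" | ", acceptableIssuers));
        return localCerts.Count > 0 ? localCerts[0] : null;
    }

    // Surfaces the server-certificate problems that a Fiddler-generated certificate would mask.
    private static bool ValidateServer(object sender, X509Certificate cert, X509Chain chain,
                                       SslPolicyErrors errors)
    {
        Console.WriteLine("server cert: {0}; policy errors: {1}", cert.Subject, errors);
        foreach (X509ChainStatus status in chain.ChainStatus)
            Console.WriteLine("  chain status: {0} {1}", status.Status, status.StatusInformation);
        // Fail the handshake on any error, exactly as a client without Fiddler in the path would
        return errors == SslPolicyErrors.None;
    }

    // Looks in both the user and the machine personal store, since the thumbprint search in the
    // WCF code is bound to one location and an error message in the comments names the other.
    private static X509Certificate2 FindCert(string thumbprint)
    {
        foreach (var location in new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
        {
            var store = new X509Store(StoreName.My, location);
            store.Open(OpenFlags.ReadOnly);
            try
            {
                var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
                if (found.Count > 0) return found[0];
            }
            finally { store.Close(); }
        }
        return null;
    }
}
```

Reading the output: a validation error printed by ValidateServer is the case the quoted blog post describes (Fiddler was absorbing it); acceptable issuers named by the server plus "client certificate used: False" means the certificate was offered but not accepted at the transport layer; "(none named)" plus False suggests the server is not requesting a certificate on the TLS session at all, so the certificate it expects must be the one inside the SOAP message.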
1

Can you switch the certificate validation mode to each of the options below and try again?

  1. ChainTrust
  2. None
  3. PeerOrChainTrust
  4. PeerTrust
Amit