
I know there are a lot of questions about this on Stack Overflow, but none of them is very recent, and none seems to address my problem fully.

The situation is as follows:

We have a webservice running on IIS 6.2. The webservice is configured to accept only HTTPS traffic. The binding on the website is configured to use HTTPS, on all available IP addresses, on the default port 443. The SSL certificate selected is a purchased, dedicated certificate.

The site is running in a dedicated app pool, with a dedicated user.

The certificate chain is installed on the webserver, under the local machine in the following locations:

  • Root CA - Trusted Root Certification Authorities
  • Organisation validation CA - Intermediate Certification Authorities
  • PFX certificate - Personal

On the PFX certificate I granted the dedicated user read rights in the 'Manage private key' option. While debugging I also granted the following accounts read access:

  • NetworkService
  • IUSR
  • IIS_IUSRS

I've added diagnostics to the webservice to create an svclog and also enabled logging for the instance of the webservice on IIS. Both logs seem to hold no information.

While troubleshooting the issue I tried to run a local test client. For this I needed to install the *.cer file in the Personal store of the current user.

Mind you, we tried this on the webserver and also on the local machine. Both result in the following error message:

Could not establish trust relationship for the SSL/TLS secure channel with authority my.domain.com

The config of the client:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <startup>
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" />
    </startup>
    <system.serviceModel>
        <bindings>
            <basicHttpsBinding>
                <binding name="*MyServiceBinding*" sendTimeout="00:05:00" maxReceivedMessageSize="2147483647" maxBufferPoolSize="2147483647" >
                    <security mode="Transport">
                        <transport clientCredentialType="Certificate" />
                    </security>
                </binding>
            </basicHttpsBinding>
        </bindings>
        <behaviors>
            <endpointBehaviors>
                <behavior name="endpointBehavior">
                    <clientCredentials >
                        <clientCertificate findValue="my.domain.com" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName" />
                    </clientCredentials>
                </behavior>
            </endpointBehaviors>
        </behaviors>
        <client>
            <endpoint address="https://my.domain.com/myService.svc"
                behaviorConfiguration="endpointBehavior" binding="basicHttpsBinding"
                bindingConfiguration="myServiceBinding" contract="MyService.IMyService"
                name="MyServiceEndpoint">
                <identity>
                    <certificateReference findValue="my.domain.com" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName" isChainIncluded="false" />
                </identity>
            </endpoint>
        </client>
    </system.serviceModel>
</configuration>

The config of the webservice; I extracted only the relevant parts (as far as I know):

<bindings>
    <basicHttpsBinding>
        <binding name="basicHttpsEndpointBinding">
            <security mode="Transport">
                <transport clientCredentialType="Certificate"/>
            </security>
        </binding>
    </basicHttpsBinding>
</bindings>

<serviceBehaviors>
    <behavior name="httpsBehaviour">
        <serviceMetadata httpsGetEnabled="true" httpGetEnabled="false" httpsGetBindingConfiguration="basicHttpsEndpointBinding"  />
        <serviceDebug includeExceptionDetailInFaults="true" />
        <serviceCredentials>
            <serviceCertificate findValue="my.domain.com" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
        </serviceCredentials>
    </behavior>
</serviceBehaviors>

<service behaviorConfiguration="httpsBehaviour" name="My.Service.MyService">
    <endpoint binding="basicHttpsBinding" bindingConfiguration="basicHttpsEndpointBinding" name="MyServiceEndpoint" contract="My.Service.MyService.Interfaces.IMyInterFace">
        <identity>
            <certificateReference findValue="my.domain.com" isChainIncluded="false" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
        </identity>
    </endpoint>
</service>

<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true">
    <baseAddressPrefixFilters>
        <add prefix="https://my.domain.com/" />
    </baseAddressPrefixFilters>
</serviceHostingEnvironment>

If any extra information is required, then I am happy and willing to supply it. If anything is unclear please ask and I will try to clarify as much as I can.

Any help is greatly appreciated!

Edit: formatting, logging information

wterbeek

1 Answer


Eventually I solved the problem by using the Stack Overflow question below:

HTTP error 403.16 - client certificate trust issue

In short, Microsoft has updated its security in Windows Server 2012. This means that if any certificate exists in the Trusted Root Certification Authorities store where the subject is not equal to , the service will return a 403.16 HTTP exception.

The error message is logged by IIS at C:\inetpub\logs\LogFiles\W3SV*. The '*' is the id of your site in IIS.

Be aware that IIS writes to its log files at intervals!

After reviewing the log files I came across the 403.16 exception, and came to the above Stack Overflow question.

I removed all certificates that we had added that were self-signed and where the issuer and the subject did not match. This solved the problem.

wterbeek
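As an added example (not part of the original answer), here is a PowerShell check for the two things the answer points at: certificates in the Trusted Root store whose Subject does not match their Issuer, and 403.16 entries in the site's IIS W3C log. It assumes the default log location and the W3SVC<id> folder naming; `$SiteId` and the function names are my own.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# on the web server. Assumes IIS W3C logs under C:\inetpub\logs\LogFiles\W3SVC<id>.

# 1. Entries in Trusted Root whose Subject differs from Issuer are not self-signed
#    and belong in the Intermediate CA store instead; their presence is what
#    triggers the 403.16 described in the answer.
function Get-MisplacedRootCertificates {
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -ne $_.Issuer } |
        Select-Object Subject, Issuer, Thumbprint, NotAfter
}

# 2. Scan the site's W3C logs for sc-status 403 with sc-substatus 16.
#    The #Fields header is re-read per file because the column layout may differ.
function Find-ClientCertTrustFailures {
    param(
        [Parameter(Mandatory)][int]$SiteId,                # numeric site id from IIS Manager
        [string]$LogRoot = 'C:\inetpub\logs\LogFiles'
    )
    $logDir = Join-Path $LogRoot ("W3SVC{0}" -f $SiteId)
    Get-ChildItem -Path $logDir -Filter '*.log' | ForEach-Object {
        $file   = $_
        $fields = @()
        foreach ($line in [System.IO.File]::ReadLines($file.FullName)) {
            if ($line.StartsWith('#Fields:')) {
                $fields = $line.Substring(8).Trim() -split ' '
                continue
            }
            if ($line.StartsWith('#') -or $fields.Count -eq 0) { continue }
            $values = $line -split ' '
            $row = @{}
            for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
                $row[$fields[$i]] = $values[$i]
            }
            if ($row['sc-status'] -eq '403' -and $row['sc-substatus'] -eq '16') {
                [pscustomobject]@{
                    Time   = "$($row['date']) $($row['time'])"
                    Client = $row['c-ip']
                    Uri    = $row['cs-uri-stem']
                    File   = $file.Name
                }
            }
        }
    }
}

Get-MisplacedRootCertificates      | Format-Table -AutoSize
Find-ClientCertTrustFailures -SiteId 1 | Format-Table -AutoSize
```

Any certificate the first function lists should be moved out of Root (into Intermediate Certification Authorities if it is a real intermediate) rather than deleted blindly; the second function tells you whether client-certificate handshakes are actually failing with 403.16 rather than some other substatus.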