I'm trying to use WCF to make a SOAP call with mutual certificates but keep getting errors, either

'The request was aborted: Could not create SSL/TLS secure channel.' or

'The remote server returned an error: (500) Internal Server Error Missing wsse:Security header in request'

A similar request done in SOAP UI works, but in C# it doesn't want to pass. I also looked at what exactly is being sent and found that the SOAP envelope indeed is missing wsse:Security in the headers. How can I make it work?

using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

WSHttpBinding myBinding = new WSHttpBinding();
myBinding.Security.Mode = SecurityMode.Transport;
myBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

EndpointAddress ea = new EndpointAddress("https://[securedEndpoint]/Calculator");

CalculatorClient cc = new CalculatorClient(myBinding, ea);

// Client certificate presented during the TLS handshake.
cc.ClientCredentials.ClientCertificate.SetCertificate(
    StoreLocation.CurrentUser,
    StoreName.Root,
    X509FindType.FindBySerialNumber,
    "37802b632e74e355");

// Expected service certificate (only used by the Message security modes).
cc.ClientCredentials.ServiceCertificate.SetDefaultCertificate(
    StoreLocation.CurrentUser,
    StoreName.Root,
    X509FindType.FindBySerialNumber,
    "29f3e22fc1ae45be");

// Begin using the client.
try
{
    cc.Open();
    Console.WriteLine(cc.Add(200, 1111));
    Console.ReadLine();

    // Close the client.
    cc.Close();
}
catch (Exception ex)
{
    Console.WriteLine(ex);
    // A faulted channel cannot be closed cleanly; abort it instead.
    cc.Abort();
}
Qba

1 Answer
As you know, when we use a certificate to secure the communication, we should bind a certificate to the specific port. Also, if we authenticate the client with a certificate, we must establish the certificate trust relationship between the server certificate and the client certificate. Except for the Message security mode, it is enough that we generally provide a client certificate on the client-side.
I suggest you check the trust relationship state between the client-side and the server-side. In addition, to guarantee that the certificate is available we had better set up the certificate with the local machine certificate store and the certificate thumbprint. Considering the issue of accessing the certificate private key, I suggest you add the Everyone account to the certificate private key management group.
At last, please ensure that the certificate has the client authentication and server authentication intended purposes.
Feel free to let me know if there is anything I can help with.

Abraham Qian
  • This must be something related to C# and my certificates. I tried to copy-paste the SOAP envelope from SOAPUI to Postman. I ran Postman with this SOAP message. Postman asked me to pick a certificate; I picked one from the store. It did succeed. The question is why I cannot achieve the same thing in C#. – Qba Oct 14 '19 at 07:59
  • Is the certificate you selected the client certificate you provided in the code? Please delete the service certificate, Transport security does not need to configure the service certificate, this is only configured on the server-side. Besides, are you sure the certificate is trusted by the server-side? – Abraham Qian Oct 14 '19 at 09:57
  • Yes it is. I deleted the service certificate and the result is the same. I'm 100% sure the certificate is trusted by the server-side, as when I do the same thing using Postman or SoapUI everything works fine. – Qba Oct 14 '19 at 11:27
  • Please attempt to specify the certificate in Local machine and add Everyone account to the management group of the certificate private key. – Abraham Qian Oct 15 '19 at 01:32
  • I moved a bit forward using: https://stackoverflow.com/questions/9571058/wcf-error-incoming-message-was-signed-with-a-token-which-is-different-from-what Now I got the wsse Security header right, but now I'm getting a different error: System.ServiceModel.Security.MessageSecurityException: 'The incoming message was signed with a token which was different from what used to encrypt the body. This was not expected.' – Qba Oct 15 '19 at 18:54
  • In my opinion on the solution, the questioner just installs the certificate and sets up the certificate in addition on the client-side. When we consume the service on the client-side by using Add Service Reference, these configurations are completed automatically: the identity section, the endpoint behavior. We only need to set up the client certificate and change the service endpoint address (localhost is the default value). How did you generate the client proxy to call the service before? – Abraham Qian Oct 16 '19 at 01:42
  • Managed to work things out. It turned out I was using the wrong certificate; I should have used the WSS certificate instead of the TLS one to sign the envelope. An additional problem was that the response couldn't be returned because of a problem with signing it. I found a solution to remove the security header from the response and got that working. – Qba Nov 09 '19 at 13:59
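An added example (not code from the question, the answer, or any project) that puts the thread's two points together: `SecurityMode.Transport` never emits a wsse:Security header, so the binding must carry message-level certificate credentials, and the client certificate should be preflight-checked the way the answer recommends (LocalMachine store, thumbprint lookup, private key accessible, Client Authentication EKU, chain builds). It assumes the question's generated `CalculatorClient` proxy; the endpoint URL and thumbprint are placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

static class MutualCertClient
{
    // Preflight check for the client certificate; fails early with a reason instead of
    // a generic "Could not create SSL/TLS secure channel" later.
    public static X509Certificate2 LoadClientCert(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0) throw new InvalidOperationException("client certificate not found");
            var cert = found[0];
            // HasPrivateKey is false when the key exists but the process has no ACL on it.
            if (!cert.HasPrivateKey) throw new InvalidOperationException("private key not accessible");
            bool clientAuth = false;
            foreach (var ext in cert.Extensions)
            {
                var eku = ext as X509EnhancedKeyUsageExtension;
                if (eku == null) continue;
                foreach (var oid in eku.EnhancedKeyUsages)
                    if (oid.Value == "1.3.6.1.5.5.7.3.2") clientAuth = true; // id-kp-clientAuth
            }
            if (!clientAuth) throw new InvalidOperationException("missing Client Authentication EKU");
            var chain = new X509Chain();
            if (!chain.Build(cert))
                throw new InvalidOperationException("chain does not build: " + chain.ChainStatus[0].StatusInformation);
            return cert;
        }
    }

    public static CalculatorClient Build()
    {
        // TLS for the channel plus a certificate-signed wsse:Security header in the envelope.
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        binding.Security.Message.NegotiateServiceCredential = false;
        binding.Security.Message.EstablishSecurityContext = false;

        var client = new CalculatorClient(binding, new EndpointAddress("https://[securedEndpoint]/Calculator"));
        client.ClientCredentials.ClientCertificate.Certificate = LoadClientCert("<CLIENT-CERT-THUMBPRINT>");
        // Validate the server's certificate against the machine trust chain rather than trusting any peer.
        client.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;
        return client;
    }
}
```

In this mode WCF uses the same certificate for the TLS client credential and for signing the envelope; if the server expects a different WSS signing certificate, as the asker eventually found, that separation has to be configured on the server or with a custom binding.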