
The client certificate (from a commercial CA) was changed due to expiration, and communication to one service stopped functioning; we get the following error in the server trace:

System.IdentityModel.Tokens.SecurityTokenValidationException: The X.509 certificate CN=aaa.ccc.ff, O=XXXXX, L=Brbr, C=XX chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.

The same certificate is used to authenticate to another company's service that uses the same configuration, and it has been working fine the whole time.

The service's configuration is the following:

 <system.serviceModel>
    <extensions>
      <behaviorExtensions>
        <add name="A2AValidation" type="xxxyyyzzz.A2AValidation+CustomBehaviorSection, xxxyyyzzz A2A, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />      
      </behaviorExtensions>
    </extensions>
    <protocolMapping>
      <add scheme="http" binding="wsHttpBinding" />
    </protocolMapping>
    <bindings>
      <wsHttpBinding>
        <binding name="WcfServiceBinding">
          <security mode="Message">
            <message clientCredentialType="Certificate" negotiateServiceCredential="true" establishSecurityContext="true" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <services>
      <service behaviorConfiguration="ClientSecBehavior" name="xxxyyyzzz.Service">
        <endpoint address="" behaviorConfiguration="A2AValidationBehavior" binding="wsHttpBinding" bindingConfiguration="WcfServiceBinding" name="A2AmessageEndpoint" contract="xxxyyyzzz.IService" />
        <endpoint address="mex" binding="mexHttpsBinding" name="A2AMessageEndpointMex" contract="IMetadataExchange" />
        <host>
          <baseAddresses>
            <add baseAddress="http://xxxyyyzzz:10002/XX/A2A/Service.svc" />
          </baseAddresses>
        </host>
      </service>
    </services>
    <behaviors>
      <endpointBehaviors>
        <behavior name="A2AValidationBehavior">
          <A2AValidation />
        </behavior>
      </endpointBehaviors>
      <serviceBehaviors>
        <behavior name="ClientSecBehavior">
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceCredentials>
            <clientCertificate>
              <authentication certificateValidationMode="PeerOrChainTrust" trustedStoreLocation="LocalMachine" revocationMode="NoCheck" mapClientCertificateToWindowsAccount="true" /> 
            </clientCertificate>
            <serviceCertificate findValue="______" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
          </serviceCredentials>
        </behavior>       
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
    <diagnostics wmiProviderEnabled="true">
      <messageLogging logEntireMessage="true" logKnownPii="false" logMalformedMessages="true" logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true" maxMessagesToLog="500" />
      <endToEndTracing messageFlowTracing="true" />
    </diagnostics>
  </system.serviceModel>

The client-side config is as follows (it also contains the config for the other service, which runs OK at the other company):

<system.serviceModel>
    <diagnostics>
      <messageLogging
                     logEntireMessage="true"
                     logMalformedMessages="true"
                     logMessagesAtServiceLevel="true"
                     logMessagesAtTransportLevel="true"
                     maxMessagesToLog="3000"
                     maxSizeOfMessageToLog="2000"/>
    </diagnostics>
    <bindings>
      <wsHttpBinding>
        <binding name="YYYY_A2AMessageEndpoint_BindingConfig" maxReceivedMessageSize="2147483647">
          <security>
            <message clientCredentialType="Certificate" />
          </security>
        </binding>
        <binding name="XXXYYYZZZ_A2AMessageEndpoint_BindingConfig">
          <security>
            <message clientCredentialType="Certificate" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="YYYY_A2AMessageEndpoint_BehaviorConfig">
          <clientCredentials>
            <serviceCertificate>
              <authentication
                certificateValidationMode="PeerOrChainTrust"
                revocationMode="NoCheck"
                trustedStoreLocation="LocalMachine" />
            </serviceCertificate>
            <clientCertificate findValue="__________" x509FindType="FindByThumbprint"  storeLocation="LocalMachine" storeName="My" />
          </clientCredentials>
        </behavior>
        <behavior name="XXXYYYZZZ_A2AMessageEndpoint_BehaviorConfig">
          <clientCredentials>
            <serviceCertificate>
              <authentication
                certificateValidationMode="PeerOrChainTrust"
                revocationMode="NoCheck"
                trustedStoreLocation="LocalMachine" />
            </serviceCertificate>
            <clientCertificate findValue="__________" x509FindType="FindByThumbprint"  storeLocation="LocalMachine" storeName="My" />
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>
      <endpoint
                name="YYYY_A2AMessageEndpoint"
                contract="A2AMessageService.IService"
                address="http://YYYY:10002/a2a/Service.svc"
                binding="wsHttpBinding" bindingConfiguration="YYYY_A2AMessageEndpoint_BindingConfig"
                behaviorConfiguration="YYYY_A2AMessageEndpoint_BehaviorConfig" >
        <identity>
          <certificate encodedValue="xyz=" />
        </identity>
      </endpoint>
      <endpoint
                name="XXXYYYZZZ_A2AMessageEndpoint"
                contract="A2APTAMessageService.IService"
                address="http://XXXYYYZZZ:10002/PTA/A2A/Service.svc"
                binding="wsHttpBinding" bindingConfiguration="XXXYYYZZZ_A2AMessageEndpoint_BindingConfig"
                behaviorConfiguration="XXXYYYZZZ_A2AMessageEndpoint_BehaviorConfig" >
        <identity>
          <certificate encodedValue="xyz=" />
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>

The certificate is correctly registered in IIS Certificate Mapping and also in AD Certificate Mapping, and the whole certificate chain is displayed correctly in IIS and in AD for the client certificate. The certificate that the client uses has the following purposes:

  • Proves your identity to a remote computer
  • Ensures the identity of a remote computer
  • 2.23.140.1.2.2

But I don't see this as a problem, as the other service has no problem using this type of certificate.

zdenok

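An added diagnostic, not part of the original question or answer, that a practitioner would run on the failing server to see exactly why chain building fails. It rebuilds the chain for the exported client certificate with the same policy the service's `certificateValidationMode="PeerOrChainTrust"` / `revocationMode="NoCheck"` / `trustedStoreLocation="LocalMachine"` settings imply, in the machine context (which is what an IIS application pool without a loaded user profile effectively gets), prints the per-element chain status, and then reports which LocalMachine/CurrentUser stores actually hold each certificate of the chain, including the Disallowed (Untrusted Certificates) store, since a CA in Disallowed or a missing intermediate both fail chain trust even when the leaf itself is fine. The `.cer` path is an assumed placeholder: export the public part of the new client certificate on the client and copy it to the server. Two caveats worth keeping in mind while reading the output: a renewed certificate from a commercial CA is frequently issued under a different intermediate than its predecessor, so the old intermediate being installed says nothing about the new one; and `2.23.140.1.2.2` in the purpose list is the CA/Browser Forum OV certificate-policy OID, not an EKU.

```powershell
# Added diagnostic, not part of the original post. Rebuilds the client certificate's
# chain with the same policy the WCF service uses (revocationMode="NoCheck",
# machine-context stores) and reports where each certificate of the chain lives.
# $CerPath is an assumed placeholder: the exported public part of the NEW client cert.
function Test-WcfClientCertChain {
    param(
        [Parameter(Mandatory)][string]$CerPath
    )

    $x509 = 'System.Security.Cryptography.X509Certificates'
    $cert = New-Object "$x509.X509Certificate2" -ArgumentList $CerPath

    # $true = machine context. An IIS app pool whose identity has no loaded user
    # profile only sees HKLM stores, so that is the context worth reproducing.
    $chain = New-Object "$x509.X509Chain" -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    $built = $chain.Build($cert)
    Write-Host ("Chain build OK: {0}   leaf: {1}" -f $built, $cert.Subject)
    foreach ($s in $chain.ChainStatus) {
        Write-Host ("  overall status: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
    }

    $stores = 'My', 'Root', 'CA', 'AuthRoot', 'TrustedPeople', 'Disallowed'
    $i = 0
    foreach ($el in $chain.ChainElements) {
        $c  = $el.Certificate
        $tp = $c.Thumbprint
        $elStatus = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        if (-not $elStatus) { $elStatus = 'OK' }

        # Which physical stores on this machine contain this exact certificate?
        $found = foreach ($st in $stores) {
            foreach ($loc in 'LocalMachine', 'CurrentUser') {
                if (Test-Path "Cert:\$loc\$st\$tp") { "$loc\$st" }
            }
        }
        if (-not $found) { $found = @('NOT FOUND in local stores') }

        Write-Host ("[{0}] {1}" -f $i, $c.Subject)
        Write-Host ("      issuer : {0}" -f $c.Issuer)
        Write-Host ("      valid  : {0:u} .. {1:u}" -f $c.NotBefore, $c.NotAfter)
        Write-Host ("      status : {0}" -f $elStatus)
        Write-Host ("      stores : {0}" -f ($found -join ', '))
        $i++
    }

    # PeerTrust half of PeerOrChainTrust: the leaf itself sitting in
    # LocalMachine\TrustedPeople is accepted without any chain at all.
    $peer = Test-Path "Cert:\LocalMachine\TrustedPeople\$($cert.Thumbprint)"
    Write-Host ("Leaf in LocalMachine\TrustedPeople (peer trust): {0}" -f $peer)

    return ($built -or $peer)
}

# Usage (path is a placeholder):
Test-WcfClientCertChain -CerPath 'C:\temp\new-client-cert.cer'
```

Run it in an elevated Windows PowerShell session on the server that logs the error, then on the server at the other organization where the same certificate works; the difference in the "stores" lines for the CA elements is usually the whole answer. If the chain reports a CA as found only under CurrentUser, it is invisible to the application pool; if an intermediate is "NOT FOUND", install it into LocalMachine\CA.
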
1 Answer


If the code on the working computer is the same as yours and only the certificate is different, try exporting the certificate on the working computer and then importing it to your device.

Jiayao
  • Unfortunately it did not help. – zdenok Dec 15 '22 at 14:33
  • Is there any progress? Personally, I think it is still related to CA certificate non-compliance. – Jiayao Dec 20 '22 at 07:25
  • No, the error is still the same. One more thing to consider is that the client uses a certificate that has the following purposes: Proves your identity to a remote computer; Ensures the identity of a remote computer; 2.23.140.1.2.2 – zdenok Dec 20 '22 at 08:41
  • I agree that according to the log it's a problem with accepting the CA certificate, but I could not find a reason for that, as the CA certificates are registered correctly in IIS as well as in AD on the server's side. – zdenok Dec 20 '22 at 08:48
  • By the way, the certificate that the client uses is the same; it's used to call two WCF services at two different organizations, and the service on the server side is using the same configuration of WCF service security, certificate mapping, etc. – zdenok Dec 20 '22 at 08:51
  • Check out [this case](https://stackoverflow.com/questions/47391739/wcf-certificate-authentication-not-working) to see if it helps you. – Jiayao Dec 21 '22 at 09:32
  • We are using PeerOrChainTrust; this is a production environment, so we would not use PeerTrust. We have made all the settings mentioned in that thread, except that our application pool identity does not load the user profile, but all the other IIS servers hosting this type of service configuration have LoadUserProfile set to false and they are working fine. – zdenok Dec 23 '22 at 08:02
  • The current situation is that the problem set in the production environment cannot be verified. Is the test environment OK? – Jiayao Jan 13 '23 at 09:56
  • In the test environment the communication runs OK. – zdenok Feb 13 '23 at 11:15