Simon Dahlbacka

I have a problem that's got me stumped

I have a "self-hosted" server over wsHttpBinding, with message security and secured with a home-made certificate (for now at least), the clients are validated using a CustomUserNameValidator.

This is in an intranet setting, but not in a domain, firewalls switched off..

From one particular machine I've got problems connecting to the service



- I have the cert installed on the client in TrustedPeople (and using PeerOrChainTrust), the client finds the cert.

- Before I switched off negotiateServiceCredential in the client I got either "the local security authority cannot be contacted" or another one that I cannot remember right now that stated something about something that does not exist. (After that I added a <defaultCertificate ...> element to the config.)

- the same machine successfully connected to another machine running the same service (with another cert)

- WCF tracing on the client did not seem to reveal anything useful

Now I just keep getting MessageSecurityExceptions no matter if I provide the wrong or correct username/password combination



I've run out of ideas what to try now.. HELP!

ps. what's up with the MessageSecurityException for failed username validation btw?




Re: Windows Communication Foundation (Indigo) MessageSecurityException problem

Pedro Felix

Hello:

Have you configured the binding's "ClientCredentialType"? It should be set to "UserName". I'm asking this because by default this type is set to "Windows" and the message "the local security authority cannot be contacted" is typical in this setting.

You should enable the tracing at the server-side and locate the error messages in the trace.

Configuration check list for username+password message security:

- Both the client and service bindings must be equal (with the same configuration)
- Configure the server certificate at the server-side (this certificate must have an associated installed private key). This configuration is done in the ServerCredentials
- If the binding has negotiateServiceCredential set to false, the server certificate must also be configured at the client side (ClientCredentials)
- If the binding has negotiateServiceCredential set to true, just ensure that:
  i) the server certificate is installed at the client (in the TrustedPeople store) and the validation mode is set to PeerTrust
  ii) or, the server certificate's root CA certificate is installed at the client (in the TrustedRoot store) and the validation mode is set to ChainTrust

Hope it helps
Pedro Felix
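
The checklist above, written out as matching service and client configuration for the negotiateServiceCredential="false" case. This is an added example, not configuration posted by anyone in the thread. The subject name CN=ExampleService, the Example.* type and contract names, the endpoint address, and the binding and behavior names are constructed placeholders, and the service's <services> section is assumed to reference the binding and behavior by name.

```xml
<!-- Service App.config: binding plus credentials (all names are constructed) -->
<system.serviceModel>
  <bindings><wsHttpBinding>
    <binding name="userNameMessage">
      <security mode="Message">
        <message clientCredentialType="UserName" negotiateServiceCredential="false" />
      </security>
    </binding>
  </wsHttpBinding></bindings>
  <behaviors><serviceBehaviors>
    <behavior name="serviceCreds">
      <serviceCredentials>
        <!-- Certificate whose private key is installed on the server -->
        <serviceCertificate storeLocation="LocalMachine" storeName="My"
            x509FindType="FindBySubjectDistinguishedName" findValue="CN=ExampleService" />
        <userNameAuthentication userNamePasswordValidationMode="Custom"
            customUserNamePasswordValidatorType="Example.CustomUserNameValidator, Example" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors></behaviors>
</system.serviceModel>

<!-- Client App.config: the binding must match the service's, setting for setting -->
<system.serviceModel>
  <bindings><wsHttpBinding>
    <binding name="userNameMessage">
      <security mode="Message">
        <message clientCredentialType="UserName" negotiateServiceCredential="false" />
      </security>
    </binding>
  </wsHttpBinding></bindings>
  <behaviors><endpointBehaviors>
    <behavior name="clientCreds">
      <clientCredentials>
        <serviceCertificate>
          <!-- Needed on the client because negotiateServiceCredential is false -->
          <defaultCertificate storeLocation="LocalMachine" storeName="TrustedPeople"
              x509FindType="FindBySubjectDistinguishedName" findValue="CN=ExampleService" />
          <authentication certificateValidationMode="PeerOrChainTrust" />
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors></behaviors>
  <client>
    <endpoint address="http://server.example:8000/Service" binding="wsHttpBinding"
        bindingConfiguration="userNameMessage" behaviorConfiguration="clientCreds"
        contract="Example.IService">
      <!-- Expected identity when the certificate subject differs from the host name -->
      <identity><dns value="ExampleService" /></identity>
    </endpoint>
  </client>
</system.serviceModel>
```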




Re: Windows Communication Foundation (Indigo) MessageSecurityException problem

Simon Dahlbacka

- clientCredentialType is correctly set
- to me, bindings in client and server look identical
- negotiateServiceCredential=false (to work around strange error)
- client has installed the cert in LocalMachine/TrustedPeople
- validationMode = PeerOrChainTrust

still does not work..

Basically, I have no clue how to go about and solve this one.. :(





Re: Windows Communication Foundation (Indigo) MessageSecurityException problem

Pedro Felix

What are the error messages in the server trace?

Pedro




Re: Windows Communication Foundation (Indigo) MessageSecurityException problem

Ronald Ricardo Ramirez Moran

Can you send us the Fault Exception message?




Re: Windows Communication Foundation (Indigo) MessageSecurityException problem

Simon Dahlbacka

I'm out of office until Monday so I cannot do it until then, but I'll get back with that info...




Re: Windows Communication Foundation (Indigo) MessageSecurityException problem

Simon Dahlbacka

I FINALLY got this thing working...

turned out that windows was somehow corrupted..