BrandonW

Greetings,

I have come across the same problem I think many people have encountered, but can't find any resource that resolves my questions, so I come here.

Basically, I have the certs set up correctly (or so I think), in terms of having them be exchangeable and the private key exportable, using makecert. They are in the correct store and all, but I am getting the error:

The X.509 certificate CN=xxxxx chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation for the certificate.

So I have come upon the post http://blogs.msdn.com/sajay/archive/2007/01/05/thoughts-on-basichttpbinding-security-and-ssl.aspx describing how to allow a test certificate to be validated by a permissive security policy for testing purposes. My only problem is this: How do you enable this policy for a service hosted in ASP.NET, where the only interface (I think) I have is the declarative administrative interface (the web.config file), and there isn't (at least not that I know of) a way to procedurally effect the construction of the service parameters.

Thanks for the help!

-Brandon

Re: Windows Communication Foundation (Indigo) Enabling Permissive Policy on WCF service hosted in ASP.NET

BrandonW

An update of my progress with this issue:

I think I had misunderstood the use of the PermissiveCertificatePolicy from the blog posting by Sajay. The policy (I believe) is intended to be used on the client, so that any certificate validation action that the client wants to perform (like to validate the server's certificate against the chain of certificate authorities), you can control whether it validates successfully or not.

So I have installed this policy on the client using this class, and it seems to work up until the point that I call the service operation. It still returns the same chain building failed error, and it does not reach the callback method RemoteCertValidate that is assigned when you call Enact on the PermissiveCertificatePolicy for the certificate that the service host will be using.

All I did was copy paste the example PermissiveCertificatePolicy code into a class on the client, call PermissiveCertificatePolicy.Enact("CN=xxxxx"); before I instantiate the service client, and then instantiate the client and try to call the operation.

Has anyone come across this before?

Thanks,

Brandon

EDIT: I should also note that I am not using Transport Protection, but rather Message level protection. So I am not using SSL to encrypt the transport layer and have the endpoint be a secure http address, but rather just encrypt the Message layer so that I can have the endpoint be a standard http address with an encrypted message. I'm not sure that that would make a difference when validating a host's certificate, but the sample from Sajay uses an SSL certificate and endpoint, so I thought it might be a factor.


Re: Windows Communication Foundation (Indigo) Enabling Permissive Policy on WCF service hosted in ASP.NET

James.Zhang - MSFT

First, MakeCert.exe creates certificates whose root authority is called "Root Agency". You need to copy it to the "Trusted Root Certification Authorities" store. Please see the following article for details:

http://msdn2.microsoft.com/en-us/library/ms733813.aspx

Make sure it works for the self-host case.

Then, you need to add the certificate to IIS: type inetmgr.exe to get the IIS manager dialog (I am using IIS5/IIS6 as a sample), go to the "Directory Security" tab, and you will find where you can add it.


Re: Windows Communication Foundation (Indigo) Enabling Permissive Policy on WCF service hosted in ASP.NET

BrandonW

James,

Thanks for the reply. I had just figured out the solution-- it was basically me trying to not validate network level security certificates, when I was actually using message level security. So all I had to do was set the client config to use certificateValidationMode="None".

I am having another problem relating to behaviors, but can't seem to use this thread to post it. I will start a new thread and see if that helps.

-Brandon
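The two things the thread turns on, written out as an added example (this is not code from the thread or from Sajay's blog): the ServicePointManager callback that the PermissiveCertificatePolicy class installs is only consulted by the HTTPS stack, so with message-level security over plain http:// it is never reached (Brandon's second post), and the fix of certificateValidationMode="None" (his last post) accepts every certificate, including one an attacker on the network substitutes, so it belongs in a test lab only. The code below shows the "None" setting beside two alternatives that make the chain error go away without disabling validation: PeerTrust (the test certificate placed in the client's TrustedPeople store, no chain built and therefore no CRL lookup) and a custom X509CertificateValidator pinned to the test certificate's thumbprint. The IEchoService contract, the endpoint address, the DNS identity "xxxxx" (the redacted CN from the thread), the CurrentUser\My store location and the thumbprint value are all assumptions for illustration.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract; the thread never shows the real service.
[ServiceContract]
public interface IEchoService
{
    [OperationContract]
    string Echo(string text);
}

// Custom validator that accepts exactly one certificate, by thumbprint.
// WCF message security calls this (through ServiceCertificate.Authentication),
// not the ServicePointManager callback, which only the HTTPS stack uses.
public sealed class ThumbprintValidator : X509CertificateValidator
{
    private readonly string expected;

    public ThumbprintValidator(string thumbprint)
    {
        expected = thumbprint.Replace(" ", string.Empty);
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new SecurityTokenValidationException("No service certificate presented.");
        if (!string.Equals(certificate.Thumbprint, expected, StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenValidationException(
                "Service certificate " + certificate.Subject + " is not the pinned test certificate.");
    }
}

public enum ServiceCertPolicy { DisableValidation, PeerTrust, PinThumbprint }

public static class ClientSetup
{
    // Transport (https://) only: this is what the blog's policy class installs.
    // It is never consulted for message security over http://, which is why
    // the RemoteCertValidate callback was never hit in the thread.
    public static void EnactTransportPolicy(string subjectName)
    {
        ServicePointManager.ServerCertificateValidationCallback =
            (sender, cert, chain, errors) =>
                errors == SslPolicyErrors.None || (cert != null && cert.Subject == subjectName);
    }

    // Message security: the service certificate is checked by the client's
    // ServiceCertificate.Authentication settings, chosen here by 'policy'.
    public static ChannelFactory<IEchoService> CreateFactory(
        string address, ServiceCertPolicy policy, string testThumbprint)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        // Anonymous client; only the service is authenticated, by its certificate.
        binding.Security.Message.ClientCredentialType = MessageCredentialType.None;

        // Assumed DNS identity: must match the CN of the service certificate.
        var endpoint = new EndpointAddress(new Uri(address), EndpointIdentity.CreateDnsIdentity("xxxxx"));
        var factory = new ChannelFactory<IEchoService>(binding, endpoint);
        var auth = factory.Credentials.ServiceCertificate.Authentication;

        switch (policy)
        {
            case ServiceCertPolicy.DisableValidation:
                // Same as certificateValidationMode="None" in the client config:
                // every certificate is accepted. Test environments only.
                auth.CertificateValidationMode = X509CertificateValidationMode.None;
                break;
            case ServiceCertPolicy.PeerTrust:
                // Accepted only if the exact certificate is in the client's
                // TrustedPeople store; no chain is built, so no CRL is fetched.
                auth.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;
                break;
            case ServiceCertPolicy.PinThumbprint:
                auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
                auth.CustomCertificateValidator = new ThumbprintValidator(testThumbprint);
                break;
        }
        return factory;
    }

    // Stand-alone check of the validator against a certificate in the
    // CurrentUser\My store (assumed location of the makecert test cert).
    public static void Main()
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(X509FindType.FindBySubjectName, "xxxxx", false);
        store.Close();
        if (found.Count == 0) { Console.WriteLine("Test certificate not found."); return; }

        var cert = found[0];
        new ThumbprintValidator(cert.Thumbprint).Validate(cert);           // accepted
        try
        {
            new ThumbprintValidator(new string('0', 40)).Validate(cert);   // rejected
        }
        catch (SecurityTokenValidationException e)
        {
            Console.WriteLine("Rejected as expected: " + e.Message);
        }
    }
}
```

The same choices are available declaratively in the client's config, which is where the thread ended up: under the endpoint behavior, `<clientCredentials><serviceCertificate><authentication certificateValidationMode="PeerTrust" revocationMode="NoCheck" /></serviceCertificate></clientCredentials>`, with `certificateValidationMode="Custom"` plus `customCertificateValidatorType="Namespace.ThumbprintValidator, AssemblyName"` for the pinned validator (the config route instantiates the type itself, so it needs a parameterless constructor that reads the thumbprint from settings). `revocationMode="NoCheck"` matters for ChainTrust as well: a makecert certificate carries no CRL distribution point, which is the "revocation function was unable to check revocation" half of the original error, and it stays even after the Root Agency root has been trusted as James describes. The `Main` above only exercises the validator against the store; opening a channel still needs the service running at the assumed address.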