Florian Broeder

Hi NG,

I have got a question regarding WCF and CardSpace. I have a service and a consumer on the same machine running in a console application. Binding is wsFederationHttpBinding.

Yesterday I fought against the SecurityNegotiationException - SOAP Security Negotiation failed.

After putting the service certificate in my Trusted People store and adding the following line of code it works.

Code Block

proxy.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.PeerOrChainTrust;

My questions:

1) If I use "ChainTrust" (instead of PeerOrChainTrust) it does not work (->> SecurityNegotiationException - SOAP Security Negotiation failed) BUT: the chain is OK, all certificates are in the right stores.

2) What's the default validation mode?

3) Do I have to put the certificate of the service into the Trusted People store of every client? What if I do not know my consumers?

thanks for your answers...



Re: Windows CardSpace (InfoCard) CardSpace and WCF - Security negotiation

Toland Hon - MSFT

1. ChainTrust refers to the fact that your certificate chains up to a certificate in your Trusted Root CA store.

PeerTrust refers to the fact that a particular certificate is in your Trusted People store.

Therefore I can see why having the service certificate in your trusted people store won't work with ChainTrust.

2. The default validation that CardSpace goes through checks to see if the certificate chains up to a Trusted Root CA (in the local machine) or if the certificate is in the user's Trusted People store.

3. If you do not want to have the service certificate in everyone's trusted people store, you'll need to purchase a certificate from a Trusted Root CA (e.g. Verisign) which is by default in Trusted Root CA store.





Re: Windows CardSpace (InfoCard) CardSpace and WCF - Security negotiation

Florian Broeder

Hi Toland,

thanks for your answer.

Toland Hon - MSFT wrote:

1. ChainTrust refers to the fact that your certificate chains up to a certificate in your Trusted Root CA store.

PeerTrust refers to the fact that a particular certificate is in your Trusted People store.

Is there a difference between the Trusted Root CA store of LocalMachine and CurrentUser? I also imported the root certificate into the Root CA store of LocalMachine and also the CA certificate into the CA store of LocalMachine. So now the service's root CA and CA certificates are in the Trusted Root CA and CA stores of both CurrentUser and LocalMachine. But still it doesn't work with ChainTrust. It only works when I put the certificate of the server in the "Trusted People" store and set the validation mode to PeerTrust...

Toland Hon - MSFT wrote:

Therefore I can see why having the service certificate in your trusted people store won't work with ChainTrust.

OK, now the situation is: service certificate in the Trusted People store AND the same certificate chains up to my Trusted Root store... but "ChainTrust" does not work, only PeerTrust.

Toland Hon - MSFT wrote:

3. If you do not want to have the service certificate in everyone's trusted people store, you'll need to purchase a certificate from a Trusted Root CA (e.g. Verisign) which is by default in Trusted Root CA store.

OK, that makes sense and is a good way...

thanks so far!





Re: Windows CardSpace (InfoCard) CardSpace and WCF - Security negotiation

rakeshb

Hi Florian,

Can you give more details regarding the error:

1. When do you see the error?

2. Does CardSpace come up successfully?

Thanks,

Rakesh





Re: Windows CardSpace (InfoCard) CardSpace and WCF - Security negotiation

Florian Broeder

Hi Rakesh,

thanks for your answer!

While writing this reply I found the solution ;-) The chain is / was all right, I did not have a CRL. I put in the client:

Code Block
proxy.ClientCredentials.ServiceCertificate.Authentication.RevocationMode = System.Security.Cryptography.X509Certificates.X509RevocationMode.NoCheck;

so it works now

thanks a lot!
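The chain-building step that ChainTrust performs, reproduced with X509Chain as an added example (not code from this thread) so a ChainTrust failure can be traced to its cause; the certificate file path is a placeholder assumption.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the thread: builds the service certificate's chain the
// way ChainTrust validation does, once with and once without revocation checking,
// and prints the status flags so the failing check (e.g. no CRL reachable) is visible.
static class ChainTrustDiagnostics
{
    // Placeholder path to the service certificate (CER or PFX); replace with yours.
    const string ServiceCertPath = @"C:\path\to\service-cert.cer";

    static void Main()
    {
        var cert = new X509Certificate2(ServiceCertPath);
        Console.WriteLine("Subject: " + cert.Subject);

        // Pass 1: revocation checking on, as ChainTrust applies it by default.
        Report("Online revocation check", cert, X509RevocationMode.Online);
        // Pass 2: the thread's workaround; only chain building is verified.
        Report("Revocation check disabled", cert, X509RevocationMode.NoCheck);
    }

    // Returns true when the chain builds under the given revocation mode and
    // writes every X509ChainStatus flag, which is what the WCF exception hides.
    static bool Report(string label, X509Certificate2 cert, X509RevocationMode mode)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = mode;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        bool ok = chain.Build(cert);
        Console.WriteLine($"{label}: {(ok ? "chain OK" : "chain FAILED")}");
        foreach (X509ChainStatus s in chain.ChainStatus)
            Console.WriteLine($"  {s.Status}: {s.StatusInformation.Trim()}");
        foreach (X509ChainElement e in chain.ChainElements)
            Console.WriteLine($"  element: {e.Certificate.Subject}");
        return ok;
    }
}
```

If the Online pass fails with RevocationStatusUnknown or OfflineRevocation while the NoCheck pass succeeds, the missing CRL is the cause, and publishing a CRL for the issuing CA keeps revocation checking on instead of disabling it with X509RevocationMode.NoCheck.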