WCF service certificate and client side endpoint identity - why it doesn't work?

Question

[Update] - I attach also full config files, for service, and for client (outside of here, not to flood the topic)

I'm having situation pretty much identical to the one outlined in this question, however my question is somewhat different.

• I'm using NetTcpBinding with security set to TransportWithMessageCredential
• I'm using Password/Username credentials backed up by ASP.NET provider
• My service is self hosted in Windows Service
• I do have in my endpoint behavior specified authentication revocationMode="NoCheck"

It is required that the service provides a certificate to authenticate itself to clients. That's OK, I just do:

<serviceCertificate findValue="***"
                    storeLocation="CurrentUser"
                    storeName="My"
                    x509FindType="FindByThumbprint"/>

Now, I somewhat imagined that now the client would end up having

<identity>
  <certificate encodedValue="encoded certificate"/>
</identity>

And it will be able to verify service's credentials without having that certificate installed in the store on client machine.

I was surprised to learn that although I set the service credentials to certificate, WSDL exposes

<Identity>
   <Dns>Foo</Dns>
</Identity>

Again, on service I can set Identity to CertificateReference and hook it up to the same certificate, and then WSDL will expose identity as X509Certificate, but when I run the client that setting is ignored, and I end up with error message:

System.ServiceModel.Security.SecurityNegotiationException: The X.509 certificate CN=xxx is not in the trusted people store. The X.509 certificate CN=xxx chain building failed. The certificate that was used has a trust chain that can not be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Is there a way to make client use that value from config and work without having to install a service certificate (nor its root) on client' machine?

[UPDATE] While setting certificateValidationMode to none will make the exception go away, it is unacceptable solution from security point of view.

It makes the client merely acknowledge that it receive ''some'' certificate, without getting into details. This makes all range of man in the middle attacks possible. It still won't validate the information sent by (alleged) service against the certificate dumped in the config.

Answer 1

Solution sketch:

1) Define and register a custom X509CertificateValidator on the client

2) In the Validate method, compare the given certificate with the one present in the client's EndpointAddress.Identity property. The object referenced by this property should have the X509CertificateEndpointIdentity exact type.

I didn't test this solution, however it makes perfect sense to me.

HTH Pedro

Answer 2

[UPDATE] While setting certificateValidationMode to none will make the exception go away, it is unacceptable solution from security point of view.

It makes the client merely acknowledge that it receive ''some'' certificate, without getting into details. This makes all range of man in the middle attacks possible. It still won't validate the information sent by (alleged) service against the certificate dumped in the config.

You are wrong. This will do perfectly. That's actually what you want - your certificate to not be validated. All you need is to set the identity of the endpoint on the client to

<identity>
  <certificate encodedValue="encoded certificate"/>
</identity>

When the client connects to the server WCF will compare the two certificates and throw an exception if they do not match. And you are perfectly safe.

Using a custom validator like Pedro Felix suggested is completely unnecessary in your case. That's exactly what the endpoint identity is for.

Answer 3

Sorry, I cannot comment on other answers.

I just tested this in .NET 4.0 and I can confirm that the "Zeratul"'s answer is correct. Explicitly settings the identity of the service either in config, or programmatically is sufficient for server authentication. There is no need to validate certificate by any other means (i.e. you can set "certificateValidationMode" to "None") since you are using the ultimate validation method - comparison of the thumbprint of the certificate.

@AlexDrenea

"serviceCertificate" is not used for validation. It is used with message security to encrypt messages before they are sent to the server. See Microsoft's documentation about this:

http://msdn.microsoft.com/en-us/library/ms731782.aspx