We Keep Coding

WCF SOAP security negotiation after changing certificate

After I changed self-signed certificate "localhost" (DNS=localhost) to "Cloudflare Origin Certificate" (dns=mydomain.com) I get following error:
SOAP security negotiation with 'http://localhost:8000/MyService.svc' for target 'http://localhost:8000/MyService.svc' failed. See inner exception for more details.
Inner exception:
Either the client credential was invalid or there was an error collecting the client credentials by the SSPI.
What I noticed is after I start up client I get window to enter credentials. Dunno why.
What I did exactly:
Generated certificate request in IIS
Completed certificate on CloudFlare
Received key pasted into text file with CloudFlare Root CA
Completed certificate in IIS (Personal, LocalMachine)
In MMC added to Trusted Publishers CloudFlare Root CA (LocalMachine)
For WCF website changed SSL certificate to CloudFlare
Changed in client value from "localhost" to "mydomain.com"
Changed in server value from "localhost" to "mydomain.com"
Changed findValue for
WCF web.config
<system.serviceModel>
<client />
<behaviors>
<serviceBehaviors>
<behavior name="authBehavior">
<serviceAuthorization principalPermissionMode="UseWindowsGroups">
<authorizationPolicies>
<add policyType="WCF.Common.AuthorizationPolicy, WCF" />
</authorizationPolicies>
</serviceAuthorization>
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="WCF.Common.IdentityValidator, WCF" />
<serviceCertificate findValue="CloudFlare Origin Certificate" storeLocation="LocalMachine" x509FindType="FindBySubjectName" storeName="My" />
</serviceCredentials>
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="svcBehavior">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<basicHttpsBinding>
<binding name="basicHttpsEndpointBinding" maxReceivedMessageSize="1073741824" maxBufferSize="1073741824" maxBufferPoolSize="1073741824">
<readerQuotas maxDepth="32" maxArrayLength="1073741824" maxStringContentLength="1073741824" />
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
</basicHttpsBinding>
<wsHttpBinding>
<binding name="wsHttpEndpointBinding"></binding>
</wsHttpBinding>
</bindings>
<services>
<service name="WCF.MyService" behaviorConfiguration="svcBehavior">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding" contract="WCF.IMyService">
<identity>
<dns value="mydomain.com" />
</identity>
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
Client app.config
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="MessageAndUserName">
<security mode="Message">
<message clientCredentialType="UserName" />
</security>
</binding>
<binding name="WSHttpBinding_IMyService" />
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost:8777/MyService.svc"
binding="wsHttpBinding" contract="WCF.IMyService"
name="WSHttpBinding_IMyService">
<identity>
<dns value="mydomain.com" />
</identity>
</endpoint>
</client>
<behaviors>
<serviceBehaviors>
<behavior name="DefaultServiceBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
I host addional services in my WCF and also I host some services in Client but none of them are needed.
I use wsHttpBindings between WCF and Client. What can I do to get rid of this error?
What is purpose of ussing wsHttpBinding etc...: Allow only this Client to communicate with MyService.. no one else will be allowed. Client app will run on multiple computers in domain. Do you suggest ussing different approach?
Thanks for any idea!
EDIT: Computer with error is not running in domain. Neither work for computer in domain :/
EDIT2: Security mode transport
WCF web.config bindings:
<wsHttpBinding>
<binding name="wsHttpEndpointBinding">
<security mode="Transport">
<message clientCredentialType="None" />
</security>
</binding>
</wsHttpBinding>
Client side config bindings:
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IMyService">
<security mode="Transport">
<message clientCredentialType="None" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://localhost:8001/MyService.svc"
binding="wsHttpBinding" contract="WCF.IMyService"
name="WSHttpBinding_IMyService">
<identity>
<dns value="mydomain.com" />
</identity>
</endpoint>
</client>
IIS:

Here a few resources to review to help determine if NetTcpBinding would work for you, it sounds like it would since you are consuming the web service internally.
NetTcpBinding
netTcpBinding is best when WCF service and its clients are in intranet infrastructure. As it supports only TCP protocol and not HTTP, so service cannot be accessed over internet.
This is secure binding is used to send binary encoded SOAP messages with in intranet computers. It supports reliability, transaction and security. If your using netTcpBinding and host WCF service in IIS, you need to make some settings on system and IIS this article will help you for required settings.
A few tips for troubleshooting related issues:
Double click on the cert in MMC does it give you any error messages
under the Certificate Information header?
Are you able to browse the service from your client in a browser?
Is the cert assigned in IIS
Do you have the correct binding
Is the client using the same binding as the service host?
Does your endpoint reference the correct binding and service behavior
Additional helpful information about NetTcpBinding:
https://stackoverflow.com/a/3375161/2016162

WCF wsHttpBinding Certificate Security Negotiation Exception

So after having combed through MSDN, countless articles and even SO - I still have nothing to show for days of struggle.
So I have this: WCF service needs to be consumed by a client and I just keep hitting a SecurityNegotiationException
Secure channel cannot be opened because security negotiation with the remote endpoint has failed. This may be due to absent or incorrectly specified EndpointIdentity in the EndpointAddress used to create the channel. Please verify the EndpointIdentity specified or implied by the EndpointAddress correctly identifies the remote endpoint.
I've seen this error all over the net and noone seems to have my exact scenario (with a feasible answer atleast).
My setup is local and not hosted by IIS (for time being) but hosted via Visual Studios 2010. My GenericIntegration (WCF service) makes use of wsHttpBinding (Message Mode) authenticated by certificates (I have a very custom username/password authentication + authorization class passed as a parameter by design) and there is no backing out of the security measures.
Host's Config
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpintBinding">
<security mode ="Message">
<message clientCredentialType="Certificate" establishSecurityContext="false" negotiateServiceCredential="false"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="wsHttpBehaviour" name="GenericIntegration.GenericService">
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpintBinding"
name="wsHttpEndpoint" contract="GenericIntegration.GenInterface" />
<host>
<baseAddresses>
<!--<add baseAddress="http://localhost:59082/GenericService.svc" />-->
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="wsHttpBehaviour">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<clientCertificate>
<certificate findValue="GenIntegrationClient" storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectName" />
<authentication certificateValidationMode="PeerTrust" />
</clientCertificate>
<serviceCertificate findValue="GenIntegrationClient" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
</serviceCredentials>
</behavior>
<behavior name="metadataBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
And the Client's config
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="endpointBehaviour">
<clientCredentials>
<clientCertificate findValue="GenIntegrationClient" storeLocation="LocalMachine" storeName="My"
x509FindType="FindBySubjectName" />
<serviceCertificate>
<authentication certificateValidationMode="PeerTrust" revocationMode="NoCheck"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpoint" maxBufferPoolSize="20000000" maxReceivedMessageSize="20000000">
<security mode="Message">
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost:59082/GenericService.svc"
binding="wsHttpBinding" bindingConfiguration="wsHttpEndpoint" behaviorConfiguration="endpointBehaviour"
contract="GenService.GenInterface" name="wsHttpEndpoint">
<identity>
<certificate encodedValue="AwAAAAEAAAAUAAAAKdyUELIKMtdh2MFsYQ09ja+vyeEgAAAAAQAAACICAAAwggIeMIIBi6ADAgECAhCFBfF1EXQZhkPKaBpQCl84MAkGBSsOAwIdBQAwJDEiMCAGA1UEAxMZNE1PU1RHZW5JbnRlZ3JhdGlvblNlcnZlcjAeFw0xNjA3MjgxNDQ5MjVaFw0zOTEyMzEyMzU5NTlaMCQxIjAgBgNVBAMTGTRNT1NUR2VuSW50ZWdyYXRpb25DbGllbnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIwsIlz5nZ3HxeYofTpYKr6RcfQMe/jZxPuHcljT+8pBOZ6KmYcyxeRTO074yP6yF8b1IqFskII+qqmCT8nDsb8xdo5Ee0oqL1LKR+xeTgg2ZXXoocxqR1AdxWFVdlMxMSjKIEGE+MnSDdB6vgXahhpUbAS7cdrNoAFKNIz+vrt1AgMBAAGjWTBXMFUGA1UdAQROMEyAEB4cu6OjBqQHct6przmowGyhJjAkMSIwIAYDVQQDExk0TU9TVEdlbkludGVncmF0aW9uU2VydmVyghD75YH5y52zsU5wcmZLJzPiMAkGBSsOAwIdBQADgYEA2BinUmEfgZKcb1qFD1T5ajc2OWHGLjDLpDi8Y7amM4P3rFGvelx7NmCNUH88iGS9LcbDsmY59HcZwUavtPOr4LMRDhl+5YuGht1fIYEk8QSDIhjevijgDOIVBBAeNIA8tva1faMNtYnFXsj0VxMvlrZ4exeKFVFjv2sib5YNFxY=" />
</identity>
</endpoint>
</client>
</system.serviceModel>
Now about the certificates (and yes this is for testing only): GenIntegrationServer.cer has been created as a selfsigned CA root certificate with a private key to sign client certificates with. Both GenIntegrationServer and GenIntegrationClient certificates were generated with makecert. The client certificate is linked to the private key and is correctly installed in the personal store.
I am still quite new to certificates, private keys and secure comms - I simply cannot reason where I make my mistake. I didn't find too many posts about specifically using certificates in this manner.
Can anyone assist before I lose more hair or sleep over this?
UPDATE
As per request, I added the logging. But the most they reveal is:
<s:Body>
<s:Fault>
<s:Code>
<s:Value>s:Sender</s:Value>
<s:Subcode>
<s:Value>a:InvalidSecurity</s:Value>
</s:Subcode>
</s:Code>
<s:Reason>
<s:Text xml:lang="en-ZA">An error occurred when verifying security for the message.</s:Text>
</s:Reason>
</s:Fault>
</s:Body>
Sadly, I still do not understand why security validation is failing. Any Ideas?

Turns out I needed to add the certificates to different stores.
In addition to already having the certificates set in the personal stores (as indicated by the config), I had to install the the server's certificate on the client and vice versa. I also had to make sure that the client contained the client certificate's personal key and the same with the server.
This does not sound too complete but I'll post a full article on how I did this.

WCF service and custom CA

I've created my custom Certificate Authority (CA) using openssl. Then I've created certificated using the previous one and the request from IIS. So now I have chain of certificates. Then I've bound the second one to my WCF service and every thing is fine. Then on client I've installed my CA certificate in Trusted Root Certification Authority to make it able to recognize my custom certificate.
My WCF service currently run on simple http connection.
Server side:
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="SyncWcfServices.MainServiceBehavior">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="ExtendedMaxSize" maxReceivedMessageSize="2147483647">
<security mode="None">
<transport clientCredentialType="None"></transport>
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="SyncWcfServices.MainService" behaviorConfiguration="SyncWcfServices.MainServiceBehavior">
<endpoint address="/syncService.svc" binding="wsHttpBinding" bindingConfiguration="ExtendedMaxSize" contract="SyncWcfServices.IMainService"></endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"></endpoint>
</service>
</services>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
Client side:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IMainService" maxReceivedMessageSize="2147483647" sendTimeout="00:10:00">
<security mode="None" />
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost/SyncService/SyncService.svc"
binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IMainService"
contract="SyncServiceReference.IMainService" name="WSHttpBinding_IMainService" />
</client>
</system.serviceModel>
So, I need to change this settings to support SSL connection. I've read a lot of post how to do it but there always using 2-way certification check that mean server must check client certificate and client must check server certificate. But I only want client to check server certificate using CA that I installed. And server will check with ordinary credentials (username, password) as it was before. I think that I have to change the security mode to Transport in both sides and server mex endpoint to mexHttpsBinding but what should I do next? Please help to resolve it.
Thanks you all!

Finally I found the correct way! So server side:
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="SyncWcfServices.MainServiceBehavior">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<serviceCertificate
findValue = "*.mydomain.com"
storeLocation = "LocalMachine"
storeName = "My"
x509FindType = "FindBySubjectName"
/>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="ExtendedMaxSize" maxReceivedMessageSize="2147483647">
<security mode="Transport">
<transport clientCredentialType="None"></transport>
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="SyncWcfServices.MainService" behaviorConfiguration="SyncWcfServices.MainServiceBehavior">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="ExtendedMaxSize" contract="SyncWcfServices.IMainService"></endpoint>
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"></endpoint>
<host>
<baseAddresses>
<add baseAddress="http://localhost:8095/Design_Time_Addresses/SyncWcfServices/MainService/" />
</baseAddresses>
</host>
</service>
</services>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
Client Side:
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name = "ServiceCertificate">
<clientCredentials>
<serviceCertificate>
<authentication certificateValidationMode = "ChainTrust"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="ExtendedMaxSize" maxReceivedMessageSize="2147483647">
<security mode="Transport">
<transport clientCredentialType="None"></transport>
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://localhost/SyncService/SyncService.svc"
binding="wsHttpBinding" bindingConfiguration="ExtendedMaxSize"
behaviorConfiguration = "ServiceCertificate"
contract="SyncServiceReference.IMainService" name="WSHttpBinding_IMainService">
</endpoint>
</client>
</system.serviceModel>
Hope it will help someone!
Also please look at "Programming WCF Services" (4th edition) book by Juval Lowy & Michael Montgomery. It's a great book!

WCF service is working on dev server but on production it is not woking

I have a .net client and I am consuming the WCF service and able to do that sucessfully. but when i try to post that on our production I am not able to consume the same service. Below is my web.config :
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="MyBehavior">
<useRequestHeadersForMetadataAddress></useRequestHeadersForMetadataAddress>
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="false"/>
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="TestProject.Implementations.AuthenticateUser,TestProject"/>
<serviceCertificate findValue="localhost" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service name="TestProject.Implementations.ServiceCustom" behaviorConfiguration="MyBehavior">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="SampleServiceBinding" contract="TestProject.Interfaces.IServiceCustom"></endpoint>
<endpoint contract="IMetadataExchange" binding="mexHttpBinding" address="mex"></endpoint>
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="SampleServiceBinding">
<security mode ="Message">
<message clientCredentialType="UserName"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
and also I want to make my service HTTPS enabled.
I get below errormessage:
There was no endpoint listening at http://url.com that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.

This error clearly suggest that the WCF service you are trying to access is not clearly hosted, or the address you are using to connect to is not pointing to the service, make sure by using the address in a browser you are able to access that service.
If you are able to access the service , check your client application web.config and find out the end point details for that service. If the endpoint url is mismatched you may get this error.

I fixed the error and below is the web config code:
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="MyBehavior">
<useRequestHeadersForMetadataAddress></useRequestHeadersForMetadataAddress>
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false"/>
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="TestProject.Implementations.AuthenticateUser,TestProject"/>
<serviceCertificate findValue="localhost" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service name="TestProject.Implementations.Test" behaviorConfiguration="MyBehavior">
<endpoint address="http://rul" binding="wsHttpBinding" bindingConfiguration="SampleServiceBinding" contract="TestProject.Interfaces.Test"></endpoint>
<endpoint address="https:url" binding="wsHttpBinding" bindingConfiguration="SampleServiceBindingHttps" contract="TestProject.Interfaces.ITest"></endpoint>
<endpoint contract="IMetadataExchange" binding="mexHttpsBinding" address="mex"></endpoint>
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="SampleServiceBinding">
<security mode="Message">
<message clientCredentialType="UserName"/>
</security>
</binding>
<binding name="SampleServiceBindingHttps">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
I changed the security mode to TransportWithMessageCredential mode and change few config like binding = "mexHttpsBinding"

WCF service - Getting Runtime error in basicHttpBinding configuration transport clientCredentialType to Basic

I have created a web service and I am using basicHttpBinding but the thing is when I set the clientCredentialType to None I can able to access the service but if I set to Basic/Windows I am getting error like "Runtime error".In IIS basic authentication is used. I need security for basicHttpbinding. How to resolve this issue.
Code in Web.Config:
<services>
<service name="HealthCareService" behaviorConfiguration="Behavior_Service1">
<endpoint address="" contract="IHealthCareService" binding="basicHttpBinding" bindingConfiguration="basicHttpBinding1" />
<endpoint address="mex" contract="IMetadataExchange" binding="mexHttpBinding"/>
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="basicHttpBinding1">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Basic" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="Behavior_Service1">
<serviceThrottling maxConcurrentSessions="10000"/>
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
Error Screen shot:

Enable tracing on the WCF server as described in this MSDN article. The trace should give you enough info to troubleshoot the problem.
If it works with clientCredentialType = None, perhaps your client is not configured correctly - the configuration of client and server need to be compatible.