2
votes

I'm trying to get my WCF service to use certificate-based encryption in my local environment so that it'll talk to machines in different domains when it's out in the live environment. I had the service working perfectly before trying to implement security, so I'm confident the fault isn't in the service.

I generated some certificates using makecert.exe. To start with I created two that I just called WCFclient and WCFServer and I added them to the trusted folder for current user in mmc. However that yielded the error:

Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'localhost' but the remote endpoint provided DNS claim 'WCfServer'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'WCfServer' as the Identity property of EndpointAddress when creating channel proxy

Which I figured occurred because I was issuing my certificate to a non-existent domain called "WCFServer". So I created another cert and gave it a CN of "localhost" and tried to configure both client and server to use it. Now I'm getting this message:

The remote certificate is invalid according to the validation procedure.

I've set certificateValidationMode="None" in my client config, so I don't think this is due to an expired certificate or suchlike. Does anyone know what else might be causing this error? Is it because I'm trying to use the same cert on both client and server ends, and if so how do I set the config files to avoid getting the previous error message about the DNS identity?

1

1 Answers

1
votes

The previous error message can be avoided by using following definition of client endpoint:

<endpoint  name="..." address="..." binding="..." contract="...">
  <identity>
    <dns value="WCFServer" />
  </identity>
</endpoint>

For second error it should be enough to use PeerTrust validation mode.
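Putting both parts of the answer together, here is a complete client-side configuration as an added example (it is not from the original answer or from any WCF sample). It assumes a hypothetical service address http://localhost:8000/Service, a contract named IMyService, wsHttpBinding with message-level certificate security, a client certificate with subject "WCFClient" in the CurrentUser\My store, and the server's "WCFServer" certificate copied into the CurrentUser\TrustedPeople store; all of those names are assumptions, not values from the post.

```xml
<!-- Added example client App.config, not code from the original post.
     Assumed names: WCFClient (client cert subject), WCFServer (server cert CN),
     IMyService (contract), http://localhost:8000/Service (service address). -->
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="CertBinding">
          <!-- message security: the client authenticates with its own certificate -->
          <security mode="Message">
            <message clientCredentialType="Certificate" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="CertBehavior">
          <clientCredentials>
            <!-- the client's own certificate, looked up by subject name in CurrentUser\My -->
            <clientCertificate findValue="WCFClient"
                               storeLocation="CurrentUser"
                               storeName="My"
                               x509FindType="FindBySubjectName" />
            <serviceCertificate>
              <!-- PeerTrust: the server certificate is accepted only if that exact
                   certificate is present in CurrentUser\TrustedPeople. This replaces
                   validationMode="None", which skips validation entirely.
                   revocationMode="NoCheck" is needed for makecert test certificates,
                   which carry no CRL distribution point. -->
              <authentication certificateValidationMode="PeerTrust"
                              revocationMode="NoCheck"
                              trustedStoreLocation="CurrentUser" />
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>
      <endpoint name="CertEndpoint"
                address="http://localhost:8000/Service"
                binding="wsHttpBinding"
                bindingConfiguration="CertBinding"
                behaviorConfiguration="CertBehavior"
                contract="IMyService">
        <identity>
          <!-- must equal the CN of the certificate the service presents;
               this is what clears the "expected DNS identity" error -->
          <dns value="WCFServer" />
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
```

The `<dns>` identity resolves the first error because WCF compares the endpoint identity against the CN in the server certificate rather than against the host name in the address, so the service certificate can keep its own CN instead of being re-issued as "localhost". PeerTrust resolves the second error while still pinning the client to one specific certificate, which is a stronger check than `None`; with `None` a client would accept any certificate the remote side presents.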