I'm trying to make a SOAP client in Visual Studio. The first thing I did was generate a proxy class from the delivered WSDL file (using the Add Service Reference option in Visual Studio). It was generated with the wrong binding configuration. Message security should be: DefaultAsymmetricSignatureAlgorithm - "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", DefaultCanonicalizationAlgorithm - "http://www.w3.org/2001/10/xml-exc-c14n#" and DefaultDigestAlgorithm - "http://www.w3.org/2001/04/xmlenc#sha256",

while it is: DefaultAsymmetricSignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1", DefaultCanonicalizationAlgorithm "http://www.w3.org/2001/10/xml-exc-c14n#" and DefaultDigestAlgorithm "http://www.w3.org/2000/09/xmldsig#sha1".

I changed the basicHttpBinding settings in App.config by adding:

<security mode="Message">
    <message algorithmSuite="Basic256Sha256" clientCredentialType="Certificate"/>
</security>

and the binding settings changed properly. I also set the certificates:

var cert = new X509Certificate2(AppDomain.CurrentDomain.BaseDirectory + "//cert.p12", "Pass");
client.ChannelFactory.Credentials.ClientCertificate.Certificate = cert;
client.ClientCredentials.ClientCertificate.Certificate = cert;

Unfortunately, I got an exception: The service certificate is not provided for target 'http://.../service'. Specify a service certificate in ClientCredentials.

I tried using the same certificate for ClientCertificate and ServiceCertificate (I don't know if that is okay).

client.ClientCredentials.ServiceCertificate.DefaultCertificate = cert;

But I got an error: The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode.

Changing the mode to None gives the exception: Security not found.

I added <authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck"/> in serviceBehaviors/behavior/serviceCredentials/clientCertificate, and it doesn't work.

I also tried adding <authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck"/> in endpointBehaviors/behavior/clientCredentials/serviceCertificate,

but I got another error: "Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'nameA' but the remote endpoint provided DNS claim 'nameB'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'nameB' as the Identity property of EndpointAddress when creating channel proxy."

And I'm not sure if I'm going the right way anymore. I don't know what to do :(

In general, sending a request using SoapUI works fine, but I can't get the right configuration in my client service to send any request.

1 Answer

When you change the certificate, you need to update it:

<identity>
     <certificate encodedValue="xxx" />
</identity>

It might still be pointing to the original.
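
An added example, not part of the original question or answer: the same client set up in code, using the service's own public certificate (a separate file from the client's .p12) as both the ServiceCertificate and the endpoint identity, and pinning it with a custom validator instead of setting certificateValidationMode to None. IExampleService, PinnedCertificateValidator and SecureClientFactory are hypothetical names, and the sketch assumes .NET Framework with references to System.ServiceModel and System.IdentityModel.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract standing in for the proxy generated from the WSDL.
[ServiceContract]
public interface IExampleService { [OperationContract] string Ping(string text); }

// Accepts only the expected service certificate instead of switching validation off.
public sealed class PinnedCertificateValidator : X509CertificateValidator
{
    private readonly string _expected;
    public PinnedCertificateValidator(X509Certificate2 expected) { _expected = Convert.ToBase64String(expected.RawData); }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null
            || Convert.ToBase64String(certificate.RawData) != _expected
            || DateTime.Now > certificate.NotAfter)
            throw new SecurityTokenValidationException("Unexpected or expired service certificate.");
    }
}

public static class SecureClientFactory
{
    public static ChannelFactory<IExampleService> Create(
        Uri serviceUri, X509Certificate2 clientCert, X509Certificate2 serviceCert)
    {
        // Same settings as <security mode="Message"> with algorithmSuite="Basic256Sha256".
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Message);
        binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;
        binding.Security.Message.AlgorithmSuite = SecurityAlgorithmSuite.Basic256Sha256;

        // Code form of <identity><certificate encodedValue="..."/></identity>.
        var address = new EndpointAddress(
            serviceUri, EndpointIdentity.CreateX509CertificateIdentity(serviceCert));

        var factory = new ChannelFactory<IExampleService>(binding, address);
        factory.Credentials.ClientCertificate.Certificate = clientCert;          // client's own cert with private key
        factory.Credentials.ServiceCertificate.DefaultCertificate = serviceCert; // service's public cert only
        var auth = factory.Credentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new PinnedCertificateValidator(serviceCert);
        return factory;
    }
}
```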