0 votes

We have a WCF client, which calls an external web service. The service is accessed over SSL. The certificate is not a self-signed cert. It is issued by Verisign.

The client is hosted in IIS 6 and the application pool's identity is a domain service user.

Every time we want our client to access the remote service we get the following well known exception: "Could not establish trust relationship for the SSL/TLS secure channel with authority-.."

It turned out, that once you access the URL with IE on the same server, our WCF client is working as expected and the certificate is accepted!

My conclusion is, that the URL accessed with IE modified the server in a way, that our WCF client is able to do the validation afterwards. What is our WCF client missing?

(I'm aware that one can circumvent certificate validation by returning true in the ServerCertificateValidationCallback, but this is not an option for production.)

1 - Is there a particular reason for not using ServerCertificateValidationCallback? - Ali Khalid

Do you get a certificate validation error when navigating to the service URL in IE? - RoccoC5

1 Answer

1 votes

Considering the situation as described, I suspect that your IIS-hosted client is not able to load the Verisign root certificate. And it is always a bit unclear to me under which account such an IIS-based client is trying to access the certificate store. It might be your domain service account user, it might be the ASP.NET user, it might be some other system-defined account. This often causes the error.

When you browse the service with IE, there is no doubt about the user (your own credentials) being able to load the Verisign root certificate and resolve the trust relationship correctly.

Please:

  1. Make sure the Verisign root certificate is in the Trusted Root Authorities store under the Local Computer Account.
  2. Have your client's app.config refer to the correct root certificate to be loaded from the correct store.
  3. You might want to run ProcessMonitor to find out which user is trying to load the certificate from the store.
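A small diagnostic that makes the three checks above concrete, as an added example that is not code from the question or the answer. `SslTrustDiagnostic`, `FindMachineRoots` and `Probe` are names chosen here; the idea is to run it under the same identity as the application pool (for instance from a test page inside the same IIS application) so that it sees the same certificate stores the WCF client sees. The validation callback only records what the chain builder reports and returns the real result, so it cannot become an accidental bypass.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Added diagnostic (hypothetical helper, not part of the original post).
public static class SslTrustDiagnostic
{
    // Check 1: does the Local Computer "Trusted Root Certification Authorities"
    // store hold a root whose subject matches the expected issuer, e.g. "VeriSign"?
    public static X509Certificate2Collection FindMachineRoots(string subjectFragment)
    {
        X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            return store.Certificates.Find(X509FindType.FindBySubjectName, subjectFragment, false);
        }
        finally
        {
            store.Close();
        }
    }

    // Checks 2 and 3: open a TLS connection to the service host as the current
    // process identity and record what the chain builder reports for that identity.
    public static string Probe(string host, int port)
    {
        StringWriter log = new StringWriter();
        log.WriteLine("Validating as: " + WindowsIdentity.GetCurrent().Name);

        RemoteCertificateValidationCallback callback =
            delegate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
            {
                X509Certificate2 leaf = new X509Certificate2(cert);
                log.WriteLine("Leaf subject:  " + leaf.Subject);
                log.WriteLine("Leaf issuer:   " + leaf.Issuer);
                log.WriteLine("Policy errors: " + errors);
                if (chain != null)
                {
                    foreach (X509ChainElement element in chain.ChainElements)
                        log.WriteLine("  chain element: " + element.Certificate.Subject);
                    foreach (X509ChainStatus status in chain.ChainStatus)
                        log.WriteLine("  status: " + status.Status + " - " + status.StatusInformation.Trim());
                }
                // Report the genuine outcome; a diagnostic must never turn into a bypass.
                return errors == SslPolicyErrors.None;
            };

        using (TcpClient client = new TcpClient(host, port))
        using (SslStream ssl = new SslStream(client.GetStream(), false, callback))
        {
            try
            {
                ssl.AuthenticateAsClient(host);
                log.WriteLine("Handshake succeeded: the trust chain resolves for this identity.");
            }
            catch (AuthenticationException ex)
            {
                log.WriteLine("Handshake failed: " + ex.Message);
            }
        }
        return log.ToString();
    }
}
```

Call `FindMachineRoots("VeriSign")` and `Probe("service.example.invalid", 443)` (placeholder host) from within the application pool. An empty root collection together with an `UntrustedRoot` or `PartialChain` status points at check 1; a root that is present while the status is still untrusted only under the pool identity, and not under your own account, points at check 3, which is where ProcessMonitor's view of the store accesses becomes useful.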