Why is broken Certificate Chain trusted by WCF ?

Posted Date: October 27, 2010 | Points: 0 | Category: WCF

Hi all,

I have the following scenario which I really do not understand why this is working.


1. I have a secure client on Transport Level with WsHttpBinding

    binding.Security.Mode = SecurityMode.Transport;
    binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
    binding.Security.Message.ClientCredentialType = MessageCredentialType.None;
    binding.Security.Message.NegotiateServiceCredential = false;
    binding.Security.Message.EstablishSecurityContext = false;

    CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.ChainTrust;
    RevocationMode = X509RevocationMode.NoCheck;

2. I have a server which is using a self signed certificate, signed by an intermediate CA and this intermediate CA was signed by a self signed root CA

3. Root CA certificate is installed in "trus


More Related Resource Links

Include certificate chain in pfx export

When using the export method of an X509Certificate2 object, can anyone tell me how to include the certificate chain within the pfx file? I would like to accomplish this without using CAPICOM. I can successfully export the certificate but the trust chain is not included in the pfx file.

Install Failure - Certificate Chain Trust?



Hello Community,

I'm trying to do a basic install of SQL Server Express 2008 on an XP SP3 machine. It had been working prior to an install of Visual Studio 2008 (with SQL). I had to uninstall and reinstall for testing purposes. Now I can't get an install to complete. After days of uninstalling and reinstalling, including blowing out all Visual Studio stuff, all .net stuff, and reinstalling .net 3.5 SP1 (no Visual Studio), I still can't get SQL Server Express 2008 installed (and running, that is...the management studio and config manager get installed). Here is the error on install:

"A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)"

I have no idea why certificates are even looked at.  I've verified in the Configuration Manager that Encryption is set to "No".  I have full admin rights on the machine.

Trying to stop and start the SQL server in the config manager now yields a new clue in the error log:

"Server      A self-generated certificate was successfully loaded for encryption"

OK, that's good.  However, now I see this after a timeout

Bugslayer: Wait Chain Traversal


Windows Vista has a new API called Wait Chain Traversal (WCT), which allows you to determine when and why a process is deadlocked. Read on.

John Robbins

MSDN Magazine July 2007

Security Briefs: Beware of Fully Trusted Code


The vast majority of managed applications run with full trust, but based on my experience teaching .NET security to developers with a broad range of experience, most really don't understand the implications of fully trusted code.

Keith Brown

MSDN Magazine April 2004

Login control is suddenly broken in IE7 but works perfectly on Firefox (It works on both browsers lo


Hey Guys,

I'm new around and I thought this is probably the best place to help me solve my dilemma. I have been developing a website for almost a year now and the login control was implemented a long time ago; however, all of a sudden it will not authenticate on Internet Explorer 7 when the application is published. It doesn't even provide a message that authentication was unsuccessful or throw any error, it just refreshes the same page. However, this problem doesn't occur when I try the same website on FireFox 2.0... Also, when I run the page locally on Cassini it works great on both browsers... This is one of the weirdest errors I have ever faced. What could have gone wrong on the server side to cause this, knowing nothing changed on the server side? I'll provide a snapshot of the login control below

<asp:Login ID="LoginControl" runat="server" BackColor="Trans

Certificate API question - Private Key.

I am trying to follow http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate2.aspx but I am finding that the Private Key property of the certificate is always null. I created the certificate with makecert -pe -n "CN=BuySeasonsThirdParty" -r -b 08/26/2010 -e 08/26/2011 -sky exchange Amazon.cer. Then installing it on the local user store using: X509Store store = new X509Store(storeName, StoreLocation.CurrentUser); and using the same API to get the certificate from the store. The certificate that I retrieve from the store is non-null it is just the PrivateKey is null. So I can encrypt using something like: ((RSACryptoServiceProvider)cert.PublicKey.Key).Encrypt(Encoding.Unicode.GetBytes(text), true)   But since the Private Key property is NULL I cannot decrypt. Any ideas? Kevin

asp.net partially trusted code

This is being asked here because there is no supported asp.net forum; so please don't ask me to go there. Also you don't get responses even if you post to the newsgroup. The concierge said to post here. I have an asp.net 4.0 app on a win7 64bit box. It debugs fine. When I deploy to 08 server in a 4.0 classic application pool I get the error: Assembly ' Version=, Culture=neutral, PublicKeyToken=null' is marked with the AllowPartiallyTrustedCallersAttribute, and uses the level 2 security transparency model. Level 2 transparency causes all methods in AllowPartiallyTrustedCallers assemblies to become security transparent by default, which may be the cause of this exception. I have AllowPartiallyTrustedCallers set in the dll and in the web app. It doesn't error on a 2003 server

Error on executing VB file : The assembly does not allow partially trusted callers

Dear All! Though there are many posts stated with solutions, I'm still facing the error in my application. I have created a VB Class Library project in VS 2008 which on execution in another application (ERP) will open a VB form holding a report. It's working fine on the Server machine. The report is drawn from a DB placed on another server. Everything works fine on the Server. But on another machine it's not. I opened the project from the local machine, built it so that the dll be caught in the ERP application and so it did, I am able to see the dll within the application. But on execution it's throwing the error 'The Call to member failed. The assembly does not allow partially trusted callers'. What should I do in order to execute the project in all local machines' application? Thanks in advance... waiting for a solution. Radhai.

sslstream client certificate validation error

Hi, I have taken the server and client program from MSDN2 for sslstream. In that code client certificate authentication is made false. I want to enable that and do the code. I have done some modification to the code but it is giving error "RemoteCertificateNotAvailable" and I think that it's not getting the client certificate at server side. So please can anyone help me to do a client server program using sslstream in which the client certificate also needs to be validated. I am attaching my modified code of MSDN2.

Server side

    using System;
    using System.Collections;
    using System.Net;
    using System.Net.Sockets;
    using System.Net.Security;
    using System.Security.Authentication;
    using System.Text;
    using System.Security.Cryptography.X509Certificates;
    using System.IO;

    namespace Examples.System.Net
    {
        public sealed class SslTcpServer
        {
            static X509Certificate serverCertificate = null;
            // The certificate parameter specifies the name of the file
            // containing the machine certificate.
            // The following method is invoked by the RemoteCertificateValidationDelegate.
            public static bool ValidateClientCertificate(
                  object sender,
                  X509Certificate certificate,
                  X509Chain chain,
                  SslPolicyErrors sslPolicyErrors)
            {
                SslPolicyErrors errors = sslPolicyErrors;
                if (errors != SslPolicyErrors.None)
                {

Certificate Signing Request Tool

Hi All, Currently there is a requirement in our application for creating an SSL Certificate Signing Request (CSR) message. Is it possible to develop one on .Net Framework 3.5? Some of the websites like Verisign do not mention any such procedure where they say that a custom tool is available apart from OpenSSL, but they basically have provided a list of all the webservers where their Digital Certificates are compatible and the instructions which say how the CSRs can be generated on these web servers. I understand that the CSR contains the Web Server's public key, organization information and a unique match for the server's private key. The certificates issued by the Certifying Authority are used for Client/Server authentication over TCP/IP. Look forward for some replies. Thanks

Copy/paste broken in SSMS 2008 R2

After uninstalling an SSMS addin (from Red Gate), my copy/paste functionality in SSMS broke -- don't know if it's correlated.  As documented in the bug https://connect.microsoft.com/SQLServer/feedback/details/126743/copy-paste-stop-working-in-sql-2005 it seems that paste is working fine, because it works when I copy from other programs.  When I paste from SSMS, though, I can't paste anywhere.  It's as though SSMS clears the clipboard and that's all she wrote. Anyone else seeing this problem? -matthew

SSL Using Server Created Certificate

We need to secure a SQL server using an SSL certificate and I understand there are a couple of ways of doing it. One of which is having SQL Server generate a self-signed certificate, which exposes the man-in-the-middle attack vulnerability. Thus we want to avoid this approach. My question is, can we just allow the Windows Server 2003 we are running to be configured to be a Certificate Authority and use it to create an SSL certificate? Is that just as secure as getting an SSL certificate from a third party company such as Verisign? If it is better to go with a third party company, how do you get a certificate from them when it is not going to be used for a website? Thanks, Nick

connect client certificate to an account in a membership database

Hello, I have created a web service that authenticates with username and password, works fine. Basically this one, http://msdn.microsoft.com/en-us/library/ff649647.aspx

Now I also want to connect to this web service using client certificates, works fine: http://msdn.microsoft.com/en-us/library/cc948997.aspx

But I would like to, when authenticated via client certificates, connect that certificate to a user in the membership database. So that I can use Roles.IsUserInRole(...) and such. I thought that, well, if I implement a Custom certificate Validator http://msdn.microsoft.com/en-us/library/ms733806.aspx then I could check for example subject and map that against a created username in the membership database. But in the class X509CertificateValidator

    public override void Validate(X509Certificate2 certificate)

I don't have the same ability as when the user is authenticated, like

    void OnAuthenticateRequest(object source, EventArgs eventArgs)
    HttpApplication app = (HttpApplication)source;

Basically how can I do this

    app.Context.User = new GenericPrincipal(new GenericIdentity(username, "Membership Provider"), roles);

within

    public override void Validate(X509Certificate2 certificate)

and if that is not possible, can this be solved differently? Bottom line, how do I connect a client certificate to a user account in the membership database. Is there a MSDN article

RSACryptoServiceProvider + smart card with X509 certificate = Bad Key.

Hello! I'm trying the interop with Java. The task: create SHA1withRSA signature of the document hash with .NET CLR. The signer key is an X509 certificate from external CA, and this signer certificate is on the smart card.

1. First solution: the .NET CLR SignedCms class passes the document hash to the Windows CryptoApi (and to the smart card), and the result is a PKCS#7 message with the signature. This solution works well with smart card, but the requirement is only the "SHA1withRSA" signature of document hash, the PKCS#7 message will be created at Java side.

2. Second attempt, create only "SHA1withRSA" signature:

    // choosing certificate from smart card
    X509Certificate2 card = GetCertificate();
    // this fails when certificate is on the smart card:
    RSACryptoServiceProvider rsa = (RSACryptoServiceProvider)card.PrivateKey;
    // only the signed hash needed
    byte[] signedHashValue1 = rsa.SignData(documentHash, new SHA1Managed());

The problem: the car

Getting client information from X.509 certificate in C# code

I have a WCF service which accepts X.509 certificate signed incoming messages. As per my understanding the client will send the message with signature encrypted using his private key and web services will decrypt the signature with client's public key. This ensures that the sender of the message is holder of the private key and that he is certified by the server trusted CA as "He is what he claims to be". This being a highly secure application, I need to give access to only certain clients regardless of whether they are trusted or not. (This is to take care of good turned bad scenario :-)) How do I achieve this? Is there any way to get the client information such as subject name etc. from his certificate in C# code? Is there any example of this usage? Thanks in advance, Jeet.

WPF Security + Certificate HELP - xbap

Hello everyone, I got a problem with my current XBAP application. Everyone had no problem running my application until one person had the following error:

* An exception occurred while determining trust. Following failure messages were detected:
    + User has refused to grant required permissions to the application.

Then I researched and found out I needed to set up a certificate and have them put it in IE. However, now the people that once had no problem need to install the certificate. I was wondering how to revert the project so EVERYONE can run my application without a certificate.

*This application requires full trust.

Can anyone please help me?

Claims Walkthrough: Creating Trusted Login Providers (SAML Sign-in) for SharePoint 2010

Learn how to create a custom security token service (STS) and set up a trust relationship between a SharePoint 2010 farm and the custom STS