Error accessing web service through SSL from IIS-hosted application

Question

This has been bothering me for three days now and after tons of googling around I decided to post a question. I have a WCF service application ("local service") that connects to a "remote web service" (Java) securely (2-way certificate authentication).

My service-side config:

<system.serviceModel>
  <bindings>
      <basicHttpBinding>
          <binding name="IhAdapterPortBinding" closeTimeout="00:01:00"
              openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
              allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
              maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
              messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
              useDefaultWebProxy="true">
              <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                  maxBytesPerRead="4096" maxNameTableCharCount="16384" />
              <security mode="Transport">
                  <transport clientCredentialType="Certificate" proxyCredentialType="None"
                      realm="" />
                  <message clientCredentialType="UserName" algorithmSuite="Default" />
              </security>
          </binding>              
      </basicHttpBinding>
  </bindings>
  <client>
      <endpoint address="https://someserver.com:8085/IhAdapter" binding="basicHttpBinding"
          bindingConfiguration="IhAdapterPortBinding" contract="IHAdapter.IhAdapter"
          name="IhAdapterPort" behaviorConfiguration="IHAdapterEndpointBehavior" />       
  </client>
<services>
  <service name="SomeCompany.SomeService">
    <endpoint address="" binding="basicHttpBinding"
      contract="SomeCompany.ISomeService" />
  </service>
</services>
<behaviors>
  <endpointBehaviors>
    <behavior name="IHAdapterEndpointBehavior">
             <clientCredentials>
                  <clientCertificate storeLocation="LocalMachine" storeName="My" findValue="123...abc" x509FindType="FindByThumbprint"/>
                  <serviceCertificate>
                       <authentication certificateValidationMode="None" revocationMode="NoCheck"/>
                  </serviceCertificate>
             </clientCredentials>
        </behavior>
  </endpointBehaviors>
  <serviceBehaviors>
    <behavior name="">
      <serviceMetadata httpGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="true" />
    </behavior>
  </serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />

Now to the problem. When hosting the service in Visual Studio Web Development Server or calling the remote service from local test client (.exe), the call succeeds. But when the local service is IIS-hosted (localhost or some other server IIS), I get exception:

Could not establish secure channel for SSL/TLS with authority 'https://someserver.com:8085'

with Inner Exception:

The request was aborted: Could not create SSL/TLS secure channel.

What I tried or checked so far:

• correct cert store location (Local Computer, not User)
• Private Key Permissions (went to MMC, found cert, right click, All Tasks, Manage Private Key, set to all permissions to Everyone)
• set the IIS application user (Connect As) to the local user with administrative privileges

One more thing: the current remote server cert is issued for another hostname, so I have to override the validation programmatically. So to create a remote service object in local service, I have theese lines of code:

ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;
ServicePointManager.ServerCertificateValidationCallback = ((senderParam, certificate, chain, sslPolicyErrors) => true);

IHAdapter.IhAdapterClient ihAdapter = new IHAdapter.IhAdapterClient();

ihAdapter.SomeMethod(parameters); // the exception gets thrown here

What else could I be missing? Any ideas, pointers?

Answer 1

I think all such messages are due to some machine in the chain (client, proxy, server) not "liking" a certificate for some reason.

To elaborate on what twk said, if you're using self-signed certificates, or your own CA, you need to install the signing cert in the trusted authorities store on the server at least, and possibly on the proxy.

Common problems I've encountered:

• The certificate on the server is not signed by an authority that the PROXY or the CLIENT trusts
• The certificate on the CLIENT is not signed by an authority that the PROXY or the SERVER trusts
• Oops, I forgot to export the private key when I created the cert to be installed on the client
• My process does not have read permissions to the private key on the client
• The client certificate is password protected and I didn't specify credentials when reading the certificate.

For more visit Could not create SSL/TLS secure channel - Could the problem be a proxy server?

Answer 2

Ok, answering my own question.

Based on this link: How to give ASP.NET access to a private key in a certificate in the certificate store? I solved my problem.

The key to my solution was this check list:

1. Create / Purchase certificate. Make sure it has a private key.
2. Import the certificate into the "Local Computer" account. Best to use Certificates MMC. Make sure to check "Allow private key to be exported"
3. Based upon which, IIS 7.5 Application Pool's identity use one of the following:
   • IIS 7.5 Website is running under ApplicationPoolIdentity. Using Certificates MMC, added "IIS AppPool\AppPoolName" to Full Trust on certificate in "Local Computer\Personal". Replace "AppPoolName" with the name of your application pool.
   • IIS 7.5 Website is running under NETWORK SERVICE. Using Certificates MMC, added "NETWORK SERVICE" to Full Trust on certificate in "Local Computer\Personal".
   • IIS 7.5 Website is running under "MyIISUser" local computer user account. Using Certificates MMC, added "MyIISUser" (a new local computer user account) to Full Trust on certificate in "Local Computer\Personal".

I almost surely did all of those things but obviously never all together at once. Hopefully this helps someone else. Thanks anyway for all the help.