Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. SecurityNegotiationException exception when a .NET Framework 4-based WCF client connects to a WCF service through a proxy server

SecurityNegotiationException exception when a .NET Framework 4-based WCF client connects to a WCF service through a proxy server

Symptoms

Consider the following scenario:
  • You have two Windows Communication Foundation (WCF) services that use transport security over HTTP (HTTP with Secure Sockets Layer (SSL) (HTTPS)). Each WCF service is configured to listen on a different port and is secured with a different certificate.
  • You use a WCF client to connect to one WCF service through a proxy server.
  • You use the same WCF client to connect to the other WCF service though the same proxy server.
In this scenario, the second connection fails, and a System.ServiceModel.Security.SecurityNegotiationException exception occurs. Additionally, you receive the following exception message:
The server certificate with name 'CN=Service1' failed identity verification because its thumbprint ('thumbprint_Service2') does not match the one specified in the endpoint identity (‘thumbprint_Service1’). As a result, the current HTTPS request has failed. Please update the endpoint identity used on the client or the certificate used by the server


Note For call stack information about this issue, see the "More information" section.

↑ Back to the top

Cause

This issue occurs because the service certificate that is presented to the client does not match the certificate of the second WCF service.

After a secured connection is established between a WCF service and a WCF client, a service endpoint for the proxy server is created at the client side. This service endpoint exists for the lifetime of the connection to handle future requests from the same client, and caches the service certificate for future validation. When the client sends a request to the second WCF service, this connection is reused. Therefore, the client certificate validation fails, because the service certificate presented by the proxy endpoint is incorrect.

↑ Back to the top

Resolution

After you apply this hotfix, WCF adds the service certificate as part of the service identity when a proxy endpoint is generated. Therefore, client requests can be directed to the appropriate service endpoint.

Hotfix information

A supported hotfix is now available from Microsoft. However, it is intended to correct only the problem that this article describes. Apply it only to systems that are experiencing this specific problem.

To resolve this problem, contact Microsoft Customer Support Services to obtain the hotfix. For a complete list of Microsoft Customer Support Services telephone numbers and information about support costs, visit the following Microsoft website:
http://support.microsoft.com/contactus/?ws=support
Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Prerequisites

To apply this hotfix, you must have the .NET Framework 4.0 installed.

Restart requirement

You have to restart the computer after you apply this update if the affected files are being used.

Hotfix replacement information

This hotfix does not replace any other hotfix.

File Information

The global version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
File information for all supported x86-based versions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows 7:
File nameFile versionFile sizeDateTimePlatform
System.identitymodel.dll4.0.30319.553398,63227-Jan-201208:12x86
System.servicemodel.dll4.0.30319.5536,115,61627-Jan-201208:12x86
File information for all supported x64-based versions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows 2008 Server R2:
File nameFile versionFile sizeDateTimePlatform
System.identitymodel.dll4.0.30319.553398,63227-Jan-201208:12x86
System.servicemodel.dll4.0.30319.5536,115,61627-Jan-201208:12x86
File information for all supported IA-64-based versions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2:
File nameFile versionFile sizeDateTimePlatform
System.identitymodel.dll4.0.30319.553398,63227-Jan-201208:12x86
System.servicemodel.dll4.0.30319.5536,115,61627-Jan-201208:12x86

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

More Information

For more information about how to configure SSL for WCF, visit the following MSDN website:
How to configure SSL for WCF
The following call stack information is generated when this issue occurs:
   at System.ServiceModel.Channels.HttpTransportSecurityHelpers.ValidateServerCertificate(X509Certificate certificate, String thumbprint)
   at System.ServiceModel.Channels.HttpTransportSecurityHelpers.AddServerCertMapping(HttpWebRequest request, String thumbprint)
   at System.ServiceModel.Channels.HttpTransportSecurityHelpers.AddServerCertMapping(HttpWebRequest request, EndpointAddress to)
   at System.ServiceModel.Channels.HttpsChannelFactory.HttpsRequestChannel.GetWebRequest(EndpointAddress to, Uri via, TimeoutHelper& timeoutHelper)
   at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.SendRequest(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
 
Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)

↑ Back to the top

Keywords: kbqfe, kbhotfixserver, kbfix, kbexpertiseadvanced, kbsurveynew, kbhotfixdev, kb

↑ Back to the top

Article Info
Article ID : 2564823
Revision : 1
Created on : 1/7/2017
Published on : 3/9/2012
Exists online : False
Views : 80