Why does WCF complain over identity check failure?

Nitramk · Oct 27, 2009 · Viewed 27.8k times

I'm creating a WCF application where I'll be using certificates to encrypt the communication between the client and server. In my development environment, I want to use a test certificate / self signed certificate which I've created using makecert. (Only the server will have a certificate, the client won't).

I've installed the certificate into a certificate store, and everything is working fine. On the client, certificateValidationMode is currently set to "false", since I'm working with a test certificate.

My problem:

In the app.config on the client, I need to specify the identity element as this:

<endpoint ... >
   <identity>
      <dns value="<Name-Of-Server-Computer>"/>
   </identity>
</endpoint>

If I remove the identity element, I get the following error message in the client when I try to connect to the server:

Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'localhost' but the remote endpoint provided DNS claim 'Name-Of-Server-Computer'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'Name-Of-Server-Computer' as the Identity property of EndpointAddress when creating channel proxy.

So here are my questions:

  • Is the identity check only done when using a test/self-signed certificate? When I deploy my application using a real, trusted, certificate purchased from a CA, will the identity check still be made?

  • Is there a way to disable the identity check? I know I can create my own custom certificate validator, but there doesn't seem to be a way to override the identity check using these.

Answer

Eiver · Nov 22, 2011

The answer to this question is in the error message itself. On the client you can do:

EndpointIdentity identity = EndpointIdentity.CreateDnsIdentity("Server");
EndpointAddress address = new EndpointAddress(new Uri("net.tcp://1.2.3.4:12345/ServiceName"), identity);

Replace "Server" with whatever is expected. Typically this would be the common name (CN) of your self-signed certificate. Doing so will not ruin security, provided you take all responsibility for making sure that the presented certificate is valid, that is, create your custom certificate validator and make the relevant checks there.
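Putting the two halves of the answer together, here is an added example (not code from the question or the answer above) of a client that sets the DNS identity the error message asks for and, instead of switching certificate validation off for the makecert certificate, installs a custom X509CertificateValidator that pins the expected test certificate by thumbprint. The IServiceName contract, the NetTcpBinding with message security and an anonymous client, the port and the thumbprint value are all assumptions for the sake of the example.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical service contract; the page never shows one.
[ServiceContract]
public interface IServiceName
{
    [OperationContract]
    string Ping(string text);
}

// Custom validator for development: rather than CertificateValidationMode.None
// (which accepts any certificate), pin the one self-signed certificate we created.
public sealed class ThumbprintPinningValidator : X509CertificateValidator
{
    private readonly string _expectedThumbprint;

    public ThumbprintPinningValidator(string expectedThumbprint)
    {
        // Allow the value to be pasted straight from the certificate MMC snap-in, spaces included.
        _expectedThumbprint = expectedThumbprint.Replace(" ", string.Empty);
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new SecurityTokenValidationException("No server certificate was presented.");

        // Even a pinned test certificate should not be accepted once it has expired.
        DateTime now = DateTime.Now;
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new SecurityTokenValidationException("Server certificate is outside its validity period.");

        // X509Certificate2.Thumbprint is the SHA-1 hash as upper-case hex without spaces.
        if (!string.Equals(certificate.Thumbprint, _expectedThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenValidationException(
                "Server certificate thumbprint " + certificate.Thumbprint +
                " does not match the pinned development certificate.");
    }
}

public static class ClientFactory
{
    // certificateCommonName must equal the CN of the certificate the server presents;
    // that is the DNS identity the "Identity check failed" message tells you to set.
    public static IServiceName CreateClient(string serverHost, int port,
                                            string certificateCommonName, string pinnedThumbprint)
    {
        EndpointIdentity identity = EndpointIdentity.CreateDnsIdentity(certificateCommonName);
        var address = new EndpointAddress(
            new Uri(string.Format("net.tcp://{0}:{1}/ServiceName", serverHost, port)), identity);

        // Assumed binding: message security where only the server presents a certificate.
        var binding = new NetTcpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageClientCredentialType.None;

        var factory = new ChannelFactory<IServiceName>(binding, address);
        var auth = factory.Credentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new ThumbprintPinningValidator(pinnedThumbprint);

        return factory.CreateChannel();
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample values: host, port, the CN chosen when running makecert,
        // and a placeholder thumbprint to be replaced with the real test certificate's.
        IServiceName client = ClientFactory.CreateClient(
            "1.2.3.4", 12345, "Name-Of-Server-Computer", "PLACEHOLDER_THUMBPRINT");
        Console.WriteLine(client.Ping("hello"));
    }
}
```

When the application moves to a CA-issued certificate, the same code needs two changes: the DNS identity passed to CreateDnsIdentity becomes the CN of the production certificate, and CertificateValidationMode goes back to ChainTrust (or PeerOrChainTrust) so the custom validator is only ever used against the development certificate.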