I'm creating a WCF application where I'll be using certificates to encrypt the communication between the client and server. In my development environment, I want to use a test certificate / self signed certificate which I've created using makecert. (Only the server will have a certificate, the client won't).

I've installed the certificate into a certificate store, and everything is working fine. On the client, certificateValidationMode is currently set to "false", since I'm working with a test certificate.

My problem:

In the app.config on the client, I need to specify the identity element as this:

<endpoint ... >
   <identity>
      <dns value="Name-Of-Server-Computer"/>
   </identity>
</endpoint>

If I remove the identity element, I get the following error message in the client when I try to connect to the server:

Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'localhost' but the remote endpoint provided DNS claim 'Name-Of-Server-Computer'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'Name-Of-Server-Computer' as the Identity property of EndpointAddress when creating channel proxy.

So here are my questions:

  • Is the identity check only done when using a test/self-signed certificate? When I deploy my application using a real, trusted, certificate purchased from a CA, will the identity check still be made?

  • Is there a way to disable the identity check? I know I can create my own custom certificate validator, but there doesn't seem to be a way to override the identity check using these.

+2  A: 

The check is done always - and should be. Basically, WCF will check that the certificate is issued to the domain name (yourcompany.com) or machine name where your service resides. This is a security check which I'd never disable! Otherwise, anyone spoofing your service could use any certificate made out to an arbitrary domain / machine name and get your traffic - not what you want!

So what you need to make sure is that your real certificate on the production server is indeed issued to that domain name that the production server will be part of, e.g. if your production server is going to be in "production.yourcompany.com", the certificate needs to be made out to that domain.

Marc

marc_s
> "This is a security check which I'd never disable!" Just to make sure I understand. Does that mean that there's actually a way to disable it? I do understand the benefits of the check...
Nitramk
I've never even thought about doing this, so I never felt the urge to check if there is a way to turn it off. I don't know, sorry.
marc_s
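
The fix that the error message in the question proposes (setting the DNS identity on the EndpointAddress), done in code instead of app.config. This is an added example, not code from the original posts; the contract IEchoService, the service URL and the WSHttpBinding with message security are assumptions. It keeps the identity check in place and shows that it is a separate setting from certificate chain validation.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical service contract, used only for this illustration.
[ServiceContract]
public interface IEchoService
{
    [OperationContract]
    string Echo(string text);
}

public static class IdentityCheckClient
{
    public static void Main()
    {
        // Address the client dials. Its host ("localhost") is what WCF would
        // expect as the DNS identity if none were given. The URL is assumed.
        var uri = new Uri("http://localhost:8000/EchoService");

        // The name the server certificate is issued to, as in the question.
        EndpointIdentity expected =
            EndpointIdentity.CreateDnsIdentity("Name-Of-Server-Computer");
        var address = new EndpointAddress(uri, expected);

        // Message security, server certificate only, no client credential.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.None;

        var factory = new ChannelFactory<IEchoService>(binding, address);

        // Chain validation is a different setting from the identity check.
        // None matches the question's test-certificate setup; with a
        // CA-issued certificate this would be ChainTrust.
        factory.Credentials.ServiceCertificate.Authentication
            .CertificateValidationMode = X509CertificateValidationMode.None;

        IEchoService channel = factory.CreateChannel();
        try
        {
            // Fails with "Identity check failed for outgoing message" if the
            // certificate's DNS claim differs from the expected identity.
            Console.WriteLine(channel.Echo("hello"));
            ((IClientChannel)channel).Close();
        }
        catch (Exception) { ((IClientChannel)channel).Abort(); throw; }
        finally { factory.Close(); }
    }
}
```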