I'm using wsHttpBinding with TransportWithMessageCredential and message clientCredentialType="UserName".
Trying to configure my service client to work against my publicly deployed address, I tested first by changing to "localhost", since localhost is the same IIS instance, just going through loopback instead of my PC's hostname. With loopback it fails validation.
My client config looks like:
<client>
  <endpoint address="https://win7/Services/Foo.svc"
            behaviorConfiguration="ServiceCertificate"
            binding="wsHttpBinding"
            bindingConfiguration="WSHttpBinding_IFoo"
            contract="FooReference.IFoo"
            name="WSHttpBinding_IFoo">
    <identity>
      <dns value="www.foo.net" />
    </identity>
  </endpoint>
</client>

<behaviors>
  <endpointBehaviors>
    <behavior name="ServiceCertificate">
      <clientCredentials>
        <serviceCertificate>
          <authentication certificateValidationMode="PeerTrust" revocationMode="NoCheck"/>
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
WIN7 is the name of my workstation. My service call works fine with WIN7. However, if I change the address to https://localhost/Services/Foo.svc it fails with a CommunicationObjectFaultedException.
According to Juval Lowy's Programming WCF Services book, on page 497:
WCF by default expects the service certificate name to match the service host's domain (or machine name). To compensate, the client must explicitly specify the test certificate name in the endpoint identity's DNS section:
He indicates the certificate must be in the "Trusted People" store (which it is). Then he gives the sample, which is what I based my client config above on.
What I've found, though, is that in my situation, no matter what I change the dns value to, the client validates fine (it seems to ignore this part). It is only when I change the address of the endpoint that the failure happens, and when I change it, I would expect the client to look up the certificate by the value in the dns attribute. It seems not to.
I also refer to the MSDN reference: http://msdn.microsoft.com/en-us/library/ms733130.aspx under "Identity Checking at Runtime":
DNS. WCF ensures that the certificate provided during the SSL handshake contains a DNS or CommonName (CN) attribute equal to the value specified in the DNS identity on the client.
I have indeed loaded this certificate in the "Trusted People" store (as well as the Personal (My) store just for convenience all around).
Essentially, I have to be able to change the address to production, but I cannot even get the address change working with localhost, much less my public site.
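As an added diagnostic (not code from the question), here is the programmatic equivalent of the client config above, plus a TLS validation callback that logs which URL host name and certificate subject the HTTPS transport check actually compares, without ever relaxing the check. It assumes `IFoo` is the question's generated `FooReference.IFoo` contract and that the user name and password are placeholders.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.ServiceModel;
using System.ServiceModel.Security;

static class FooClientDiagnostics
{
    // Same settings as the wsHttpBinding in the question.
    public static WSHttpBinding BuildBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return binding;
    }

    // Same as <endpoint address="..."><identity><dns value="www.foo.net"/></identity>.
    public static EndpointAddress BuildAddress(string url)
    {
        return new EndpointAddress(new Uri(url), EndpointIdentity.CreateDnsIdentity("www.foo.net"));
    }

    // WCF's HTTPS transport goes through HttpWebRequest, so this callback sees the
    // transport-level (SSL handshake) certificate check. It only reports; the return
    // value keeps the default outcome so a failing certificate is still rejected.
    public static void InstallDiagnosticCallback()
    {
        ServicePointManager.ServerCertificateValidationCallback =
            (sender, cert, chain, errors) =>
            {
                var request = sender as HttpWebRequest;
                string host = request != null ? request.RequestUri.Host : "(unknown)";
                Console.WriteLine("URL host compared by TLS : {0}", host);
                Console.WriteLine("Certificate subject      : {0}", cert == null ? "(none)" : cert.Subject);
                Console.WriteLine("SslPolicyErrors          : {0}", errors);
                return errors == SslPolicyErrors.None;
            };
    }

    public static ChannelFactory<IFoo> BuildFactory(string url)
    {
        InstallDiagnosticCallback();
        var factory = new ChannelFactory<IFoo>(BuildBinding(), BuildAddress(url));
        // Same as the "ServiceCertificate" endpoint behavior in the question.
        var auth = factory.Credentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;
        auth.RevocationMode = System.Security.Cryptography.X509Certificates.X509RevocationMode.NoCheck;
        factory.Credentials.UserName.UserName = "user";      // placeholder
        factory.Credentials.UserName.Password = "password";  // placeholder
        return factory;
    }
}
```

Calling `BuildFactory("https://localhost/Services/Foo.svc").CreateChannel()` and invoking an operation prints which host name the SSL handshake checked the certificate against, so the output can be compared with the `dns` identity value.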