System.ServiceModel.Security.SecurityNegotiationEx ception

Hi,

I created a web service and hosted it in Windows Services. It is working
fine. Now I am trying to implement the X509 certificates for message layer
security. But it is throwing the following exception:

An unhandled exception of type
'System.ServiceModel.Security.SecurityNegotiationE xception' occurred in
mscorlib.dll

Additional information: Secure channel cannot be opened because security
negotiation with the remote endpoint has failed. This may be due to absent
or
incorrectly specified EndpointIdentity in the EndpointAddress used to
create
the channel. Please verify the EndpointIdentity specified or implied by
the
EndpointAddress correctly identifies the remote endpoint.
The WinSvchost file is:

namespace PreprocessingWinSvcHost
{
public partial class PreprocessingWinSvc : ServiceBase
{
private ServiceHost myHost;
public PreprocessingWinSvc()
{
InitializeComponent();
}

protected override void OnStart(string[] args)
{
try
{
//Create the host.

Uri address = new
Uri("http://localhost:8080/PreprocessingService");
WSHttpBinding binding = new WSHttpBinding();
Type contract = typeof(IPreprocess);

binding.MaxBufferPoolSize = 200000000;
binding.MaxReceivedMessageSize = 200000000;
binding.Name = "WSHttpBinding_IPreprocess";

binding.Security.Mode = SecurityMode.Message;
binding.Security.Message.ClientCredentialType =
MessageCredentialType.Certificate;

myHost = new ServiceHost(typeof(PreprocessingService));
myHost.AddServiceEndpoint(contract, binding, address);

myHost.Credentials.ServiceCertificate.SetCertifica te(
StoreLocation.LocalMachine, StoreName.My,
X509FindType.FindBySubjectName, "windowshost");

ClientCredentials creds = new ClientCredentials();
// Configure peer trust.

creds.ServiceCertificate.Authentication.Certificat eValidationMode =
X509CertificateValidationMode.PeerOrChainTrust;

//Creates an output file.
Stream MyOutputFile =
File.Create("c:\\checklog\\Logfile1.txt");
TextWriterTraceListener TextListener1 = new
TextWriterTraceListener(MyOutputFile);
Trace.Listeners.Add(TextListener1); //Add a listner to the
Trace.

// Writes output message to the output file and to a
console
screen.
Trace.WriteLine(DateTime.Now.ToLongTimeString() + " -
Service starting...");
myHost.Open();

Trace.WriteLine("state = "+ myHost.State);

// Flush and close the output file.
Trace.Flush();
TextListener1.Flush();
TextListener1.Close();
}
catch (Exception e)
{
Console.WriteLine("Message: {0}", e.Message);
}
}

and the Client is:
namespace PreprocessingClient
{
class Program
{
static void Main(string[] args)
{
Console.WriteLine("**** Preprocessing Client ****");
EndpointAddress address = new
EndpointAddress("http://localhost:8080/PreprocessingService");
WSHttpBinding binding = new WSHttpBinding();
binding.MaxBufferPoolSize = 200000000;
binding.MaxReceivedMessageSize = 200000000;
System.ServiceModel.ChannelFactory<IPreprocesscf =
new
System.ServiceModel.ChannelFactory<IPreprocess>(bi nding,
address);
cf.Credentials.ClientCertificate.SetCertificate(
StoreLocation.LocalMachine, StoreName.My,
X509FindType.FindBySubjectName, "WCFUser");
cf.Credentials.ServiceCertificate.SetDefaultCertif icate(
StoreLocation.LocalMachine, StoreName.My,
X509FindType.FindBySubjectName,"windowshost");
IPreprocess proxy = cf.CreateChannel();
// PreprocessClient proxy = new PreprocessClient();
//proxy.Open(); //open the client's proxy

proxy.EnableMatGui(false);
}
The app.config for the client is :
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IPreprocess"
closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00"
sendTimeout="00:40:00"
bypassProxyOnLocal="false" transactionFlow="false"
hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="200000000"
maxReceivedMessageSize="20000000"
messageEncoding="Text" textEncoding="utf-8"
useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32"
maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096"
maxNameTableCharCount="16384"
/>
<reliableSession ordered="true"
inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Message">
<transport clientCredentialType="Windows"
proxyCredentialType="None"
realm="" />
<message clientCredentialType="Certificate"
negotiateServiceCredential="true"
algorithmSuite="Default"
establishSecurityContext="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost:8080/PreprocessingService"
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_IPreprocess"
contract="ServiceReference1.IPreprocess"
name="WSHttpBinding_IPreprocess">
<identity>
<servicePrincipalName value="host/Avacta-n31m-1" />
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>

cheers,

Manjree

Try changing
<identity>
<servicePrincipalName value="host/Avacta-n31m-1" />
</identity>

to the common name of your service certificate?

Morty

"Manjree Garg" <ga**@newsgroup.nospamwrote in message
news:59**********************************@microsof t.com...

Hi,

I created a web service and hosted it in Windows Services. It is working
fine. Now I am trying to implement the X509 certificates for message layer
security. But it is throwing the following exception:

An unhandled exception of type
'System.ServiceModel.Security.SecurityNegotiationE xception' occurred in
mscorlib.dll

Additional information: Secure channel cannot be opened because security
negotiation with the remote endpoint has failed. This may be due to absent
or
incorrectly specified EndpointIdentity in the EndpointAddress used to
create
the channel. Please verify the EndpointIdentity specified or implied by
the
EndpointAddress correctly identifies the remote endpoint.
The WinSvchost file is:

namespace PreprocessingWinSvcHost
{
public partial class PreprocessingWinSvc : ServiceBase
{
private ServiceHost myHost;
public PreprocessingWinSvc()
{
InitializeComponent();
}

protected override void OnStart(string[] args)
{
try
{
//Create the host.

Uri address = new
Uri("http://localhost:8080/PreprocessingService");
WSHttpBinding binding = new WSHttpBinding();
Type contract = typeof(IPreprocess);

binding.MaxBufferPoolSize = 200000000;
binding.MaxReceivedMessageSize = 200000000;
binding.Name = "WSHttpBinding_IPreprocess";

binding.Security.Mode = SecurityMode.Message;
binding.Security.Message.ClientCredentialType =
MessageCredentialType.Certificate;

myHost = new ServiceHost(typeof(PreprocessingService));
myHost.AddServiceEndpoint(contract, binding, address);

myHost.Credentials.ServiceCertificate.SetCertifica te(
StoreLocation.LocalMachine, StoreName.My,
X509FindType.FindBySubjectName, "windowshost");

ClientCredentials creds = new ClientCredentials();
// Configure peer trust.

creds.ServiceCertificate.Authentication.Certificat eValidationMode =
X509CertificateValidationMode.PeerOrChainTrust;

//Creates an output file.
Stream MyOutputFile =
File.Create("c:\\checklog\\Logfile1.txt");
TextWriterTraceListener TextListener1 = new
TextWriterTraceListener(MyOutputFile);
Trace.Listeners.Add(TextListener1); //Add a listner to the
Trace.

// Writes output message to the output file and to a
console
screen.
Trace.WriteLine(DateTime.Now.ToLongTimeString() + " -
Service starting...");
myHost.Open();

Trace.WriteLine("state = "+ myHost.State);

// Flush and close the output file.
Trace.Flush();
TextListener1.Flush();
TextListener1.Close();
}
catch (Exception e)
{
Console.WriteLine("Message: {0}", e.Message);
}
}

and the Client is:
namespace PreprocessingClient
{
class Program
{
static void Main(string[] args)
{
Console.WriteLine("**** Preprocessing Client ****");
EndpointAddress address = new
EndpointAddress("http://localhost:8080/PreprocessingService");
WSHttpBinding binding = new WSHttpBinding();
binding.MaxBufferPoolSize = 200000000;
binding.MaxReceivedMessageSize = 200000000;
System.ServiceModel.ChannelFactory<IPreprocesscf =
new
System.ServiceModel.ChannelFactory<IPreprocess>(bi nding,
address);
cf.Credentials.ClientCertificate.SetCertificate(
StoreLocation.LocalMachine, StoreName.My,
X509FindType.FindBySubjectName, "WCFUser");
cf.Credentials.ServiceCertificate.SetDefaultCertif icate(
StoreLocation.LocalMachine, StoreName.My,
X509FindType.FindBySubjectName,"windowshost");
IPreprocess proxy = cf.CreateChannel();
// PreprocessClient proxy = new PreprocessClient();
//proxy.Open(); //open the client's proxy

proxy.EnableMatGui(false);
}
The app.config for the client is :
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IPreprocess"
closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00"
sendTimeout="00:40:00"
bypassProxyOnLocal="false" transactionFlow="false"
hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="200000000"
maxReceivedMessageSize="20000000"
messageEncoding="Text" textEncoding="utf-8"
useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32"
maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096"
maxNameTableCharCount="16384"
/>
<reliableSession ordered="true"
inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Message">
<transport clientCredentialType="Windows"
proxyCredentialType="None"
realm="" />
<message clientCredentialType="Certificate"
negotiateServiceCredential="true"
algorithmSuite="Default"
establishSecurityContext="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost:8080/PreprocessingService"
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_IPreprocess"
contract="ServiceReference1.IPreprocess"
name="WSHttpBinding_IPreprocess">
<identity>
<servicePrincipalName value="host/Avacta-n31m-1" />
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>

cheers,

Manjree

Try changing
<identity>
<servicePrincipalName value="host/Avacta-n31m-1" />
</identity>

to the common name of your service certificate?

Morty

"Manjree Garg" <ga**@newsgroup.nospamwrote in message
news:59**********************************@microsof t.com...

Hi,

I created a web service and hosted it in Windows Services. It is

fine. Now I am trying to implement the X509 certificates for message

security. But it is throwing the following exception:

An unhandled exception of type
'System.ServiceModel.Security.SecurityNegotiationE xception' occurred in
mscorlib.dll

Additional information: Secure channel cannot be opened because security
negotiation with the remote endpoint has failed. This may be due to

or
incorrectly specified EndpointIdentity in the EndpointAddress used to
create
the channel. Please verify the EndpointIdentity specified or implied by
the
EndpointAddress correctly identifies the remote endpoint.
The WinSvchost file is:

namespace PreprocessingWinSvcHost
{
public partial class PreprocessingWinSvc : ServiceBase
{
private ServiceHost myHost;
public PreprocessingWinSvc()
{
InitializeComponent();
}

protected override void OnStart(string[] args)
{
try
{
//Create the host.

Uri address = new
Uri("http://localhost:8080/PreprocessingService");
WSHttpBinding binding = new WSHttpBinding();
Type contract = typeof(IPreprocess);

binding.MaxBufferPoolSize = 200000000;
binding.MaxReceivedMessageSize = 200000000;
binding.Name = "WSHttpBinding_IPreprocess";

binding.Security.Mode = SecurityMode.Message;
binding.Security.Message.ClientCredentialType =
MessageCredentialType.Certificate;

myHost = new ServiceHost(typeof(PreprocessingService));
myHost.AddServiceEndpoint(contract, binding, address);

myHost.Credentials.ServiceCertificate.SetCertifica te(
StoreLocation.LocalMachine, StoreName.My,
X509FindType.FindBySubjectName, "windowshost");

ClientCredentials creds = new ClientCredentials();
// Configure peer trust.

creds.ServiceCertificate.Authentication.Certificat eValidationMode =
X509CertificateValidationMode.PeerOrChainTrust;

//Creates an output file.
Stream MyOutputFile =
File.Create("c:\\checklog\\Logfile1.txt");
TextWriterTraceListener TextListener1 = new
TextWriterTraceListener(MyOutputFile);
Trace.Listeners.Add(TextListener1); //Add a listner to

Trace.

// Writes output message to the output file and to a
console
screen.
Trace.WriteLine(DateTime.Now.ToLongTimeString() + " -
Service starting...");
myHost.Open();

Trace.WriteLine("state = "+ myHost.State);

// Flush and close the output file.
Trace.Flush();
TextListener1.Flush();
TextListener1.Close();
}
catch (Exception e)
{
Console.WriteLine("Message: {0}", e.Message);
}
}

and the Client is:
namespace PreprocessingClient
{
class Program
{
static void Main(string[] args)
{
Console.WriteLine("**** Preprocessing Client ****");
EndpointAddress address = new
EndpointAddress("http://localhost:8080/PreprocessingService");
WSHttpBinding binding = new WSHttpBinding();
binding.MaxBufferPoolSize = 200000000;
binding.MaxReceivedMessageSize = 200000000;
System.ServiceModel.ChannelFactory<IPreprocesscf =
new
System.ServiceModel.ChannelFactory<IPreprocess>(bi nding,
address);
cf.Credentials.ClientCertificate.SetCertificate(
StoreLocation.LocalMachine, StoreName.My,
X509FindType.FindBySubjectName, "WCFUser");
cf.Credentials.ServiceCertificate.SetDefaultCertif icate(
StoreLocation.LocalMachine, StoreName.My,
X509FindType.FindBySubjectName,"windowshost");
IPreprocess proxy = cf.CreateChannel();
// PreprocessClient proxy = new PreprocessClient();
//proxy.Open(); //open the client's proxy

proxy.EnableMatGui(false);
}
The app.config for the client is :
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IPreprocess"
closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00"
sendTimeout="00:40:00"
bypassProxyOnLocal="false" transactionFlow="false"
hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="200000000"
maxReceivedMessageSize="20000000"
messageEncoding="Text" textEncoding="utf-8"
useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32"
maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096"
maxNameTableCharCount="16384"
/>
<reliableSession ordered="true"
inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Message">
<transport clientCredentialType="Windows"
proxyCredentialType="None"
realm="" />
<message clientCredentialType="Certificate"
negotiateServiceCredential="true"
algorithmSuite="Default"
establishSecurityContext="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint

binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_IPreprocess"
contract="ServiceReference1.IPreprocess"
name="WSHttpBinding_IPreprocess">
<identity>
<servicePrincipalName value="host/Avacta-n31m-1" />
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>

cheers,

Manjree

Hi Manjree,

From the description, the problem occurs when you try using x509
certificate based message security in a windows service hosted WCF service.

The error message does indicate that the "identity" of the endpoint hasn't
be specified. I think the endpoint identity should be the service
endpoint's identify setting(at service side). In the code you provided, you
programmtically create the servicehost and add the endpoint, however, you
didn't add an endpoint identity for it.

I've also replied you in another WCF windows service hosted thread. In that
thread you mentioend that you can not get WCF configuration (in app.config)
work with Windows service, correct? I've tested and verify that windows
service can correctly load WCF configuration settings just like other
application(console or winform or asp.net...) without problem. have you
made sure the app.config is correctly copied with the windows service exe(
as windowsservice.exe.config file)?

Also, generally for such scenario, I suggest you first create a normal
console application and copy the WCF code(change it to
configuration/declarative style) into the console applicaiton to test. This
can simplfy the troubleshooting and also detect whether the problem is
specific to windows service.

BTW, here is the test configuration setting( for server and client) I used:
==============server====================
<system.serviceModel>
<services>
<service name="WcfService1.Service1"
behaviorConfiguration="WcfService1.Service1Behavio r">
<endpoint address="" binding="wsHttpBinding"
bindingConfiguration="certBinding"
contract="WcfService1.IService1">

<identity>
<certificateReference storeName="My"
storeLocation="LocalMachine"
x509FindType="FindByThumbprint"
findValue="b0d98888fc2fec907661ef11aa430f29e6ae8a9 1" />
</identity>
</endpoint>
<endpoint address="mex" binding="mexHttpBinding"
contract="IMetadataExchange"/>
</service>
</services>
======client =============
<client>
<endpoint address="http://localhost:33382/Service1.svc"
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_IService1"
contract="WCFCert.IService1"
name="WSHttpBinding_IService1">
<identity>
<certificateReference storeLocation="LocalMachine"
storeName="My"
x509FindType="FindByThumbprint"
findValue="b0d98888fc2fec907661ef11aa430f29e6ae8a9 1"/>

</identity>
</endpoint>
</client>
==================

Anyway, you need to make sure the one you specified at service side also
matches the client-side's.

If there is anything else unclear, please feel free to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
ms****@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
From: =?Utf-8?B?TWFuanJlZSBHYXJn?= <ga**@newsgroup.nospam>
References: <59**********************************@microsoft.co m>
<1B**********************************@microsoft.co m>
Subject: Re: System.ServiceModel.Security.SecurityNegotiationEx ception
Date: Fri, 23 May 2008 02:12:00 -0700
Thanks Morten. But it is still throwing the same exception. :(
Manjree.

"Morten Abrahamsen" wrote:

Try changing
<identity>
<servicePrincipalName value="host/Avacta-n31m-1" />
</identity>

to the common name of your service certificate?

Morty

"Manjree Garg" <ga**@newsgroup.nospamwrote in message
news:59**********************************@microsof t.com...

Hi,
>
I created a web service and hosted it in Windows Services. It is

working

fine. Now I am trying to implement the X509 certificates for message

layer

security. But it is throwing the following exception:
>
An unhandled exception of type
'System.ServiceModel.Security.SecurityNegotiationE xception' occurred in
mscorlib.dll
>
Additional information: Secure channel cannot be opened because security
negotiation with the remote endpoint has failed. This may be due to

absent

or
incorrectly specified EndpointIdentity in the EndpointAddress used to
create
the channel. Please verify the EndpointIdentity specified or implied by
the
EndpointAddress correctly identifies the remote endpoint.
>
>
The WinSvchost file is:
>
>
>
namespace PreprocessingWinSvcHost
{
public partial class PreprocessingWinSvc : ServiceBase
{
private ServiceHost myHost;
public PreprocessingWinSvc()
{
InitializeComponent();
}
>
protected override void OnStart(string[] args)
{
try
{
//Create the host.
>
Uri address = new
Uri("http://localhost:8080/PreprocessingService");
WSHttpBinding binding = new WSHttpBinding();
Type contract = typeof(IPreprocess);
>
binding.MaxBufferPoolSize = 200000000;
binding.MaxReceivedMessageSize = 200000000;
binding.Name = "WSHttpBinding_IPreprocess";
>
binding.Security.Mode = SecurityMode.Message;
binding.Security.Message.ClientCredentialType =
MessageCredentialType.Certificate;
>
myHost = new ServiceHost(typeof(PreprocessingService));
myHost.AddServiceEndpoint(contract, binding, address);
>
myHost.Credentials.ServiceCertificate.SetCertifica te(
StoreLocation.LocalMachine, StoreName.My,
X509FindType.FindBySubjectName, "windowshost");
>
ClientCredentials creds = new ClientCredentials();
// Configure peer trust.
>
creds.ServiceCertificate.Authentication.Certificat eValidationMode =
X509CertificateValidationMode.PeerOrChainTrust;
>
//Creates an output file.
Stream MyOutputFile =
File.Create("c:\\checklog\\Logfile1.txt");
TextWriterTraceListener TextListener1 = new
TextWriterTraceListener(MyOutputFile);
Trace.Listeners.Add(TextListener1); //Add a listner to

the

Trace.
>
// Writes output message to the output file and to a
console
screen.
Trace.WriteLine(DateTime.Now.ToLongTimeString() + " -
Service starting...");
>
>
myHost.Open();
>
Trace.WriteLine("state = "+ myHost.State);
>
// Flush and close the output file.
Trace.Flush();
TextListener1.Flush();
TextListener1.Close();
}
catch (Exception e)
{
Console.WriteLine("Message: {0}", e.Message);
}
>
>
}
>
and the Client is:
>
>
namespace PreprocessingClient
{
class Program
{
static void Main(string[] args)
{
Console.WriteLine("**** Preprocessing Client ****");
EndpointAddress address = new
EndpointAddress("http://localhost:8080/PreprocessingService");
WSHttpBinding binding = new WSHttpBinding();
binding.MaxBufferPoolSize = 200000000;
binding.MaxReceivedMessageSize = 200000000;
System.ServiceModel.ChannelFactory<IPreprocesscf =
new
System.ServiceModel.ChannelFactory<IPreprocess>(bi nding,
address);
cf.Credentials.ClientCertificate.SetCertificate(
StoreLocation.LocalMachine, StoreName.My,
X509FindType.FindBySubjectName, "WCFUser");
cf.Credentials.ServiceCertificate.SetDefaultCertif icate(
StoreLocation.LocalMachine, StoreName.My,
X509FindType.FindBySubjectName,"windowshost");
IPreprocess proxy = cf.CreateChannel();
// PreprocessClient proxy = new PreprocessClient();
//proxy.Open(); //open the client's proxy
>
proxy.EnableMatGui(false);
}
>
>
The app.config for the client is :
>
>
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IPreprocess"
closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00"
sendTimeout="00:40:00"
bypassProxyOnLocal="false" transactionFlow="false"
hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="200000000"
maxReceivedMessageSize="20000000"
messageEncoding="Text" textEncoding="utf-8"
useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32"
maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096"
maxNameTableCharCount="16384"
/>
<reliableSession ordered="true"
inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Message">
<transport clientCredentialType="Windows"
proxyCredentialType="None"
realm="" />
<message clientCredentialType="Certificate"
negotiateServiceCredential="true"
algorithmSuite="Default"
establishSecurityContext="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint

address="http://localhost:8080/PreprocessingService"

Hi Manjree,

From the description, the problem occurs when you try using x509
certificate based message security in a windows service hosted WCF

>
The error message does indicate that the "identity" of the endpoint

be specified. I think the endpoint identity should be the service
endpoint's identify setting(at service side). In the code you provided,

programmtically create the servicehost and add the endpoint, however, you
didn't add an endpoint identity for it.

I've also replied you in another WCF windows service hosted thread. In

thread you mentioend that you can not get WCF configuration (in

work with Windows service, correct? I've tested and verify that windows
service can correctly load WCF configuration settings just like other
application(console or winform or asp.net...) without problem. have you
made sure the app.config is correctly copied with the windows service

as windowsservice.exe.config file)?

Also, generally for such scenario, I suggest you first create a normal
console application and copy the WCF code(change it to
configuration/declarative style) into the console applicaiton to test.

can simplfy the troubleshooting and also detect whether the problem is
specific to windows service.

BTW, here is the test configuration setting( for server and client) I

>

==============server====================
<system.serviceModel>
<services>
<service name="WcfService1.Service1"
behaviorConfiguration="WcfService1.Service1Behavio r">
<endpoint address="" binding="wsHttpBinding"
bindingConfiguration="certBinding"
contract="WcfService1.IService1">

<identity>
<certificateReference storeName="My"
storeLocation="LocalMachine"
x509FindType="FindByThumbprint"
findValue="b0d98888fc2fec907661ef11aa430f29e6ae8a9 1" />
</identity>
</endpoint>
<endpoint address="mex" binding="mexHttpBinding"
contract="IMetadataExchange"/>
</service>
</services>
======client =============
<client>
<endpoint address="http://localhost:33382/Service1.svc"
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_IService1"
contract="WCFCert.IService1"
name="WSHttpBinding_IService1">
<identity>
<certificateReference storeLocation="LocalMachine"
storeName="My"
x509FindType="FindByThumbprint"
findValue="b0d98888fc2fec907661ef11aa430f29e6ae8a9 1"/>

</identity>
</endpoint>
</client>
==================

Anyway, you need to make sure the one you specified at service side also
matches the client-side's.

If there is anything else unclear, please feel free to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you.

feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
ms****@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to

ications.

==================================================
This posting is provided "AS IS" with no warranties, and confers no

>

--------------------
From: =?Utf-8?B?TWFuanJlZSBHYXJn?= <ga**@newsgroup.nospam>
References: <59**********************************@microsoft.co m>
<1B**********************************@microsoft.co m>
Subject: Re: System.ServiceModel.Security.SecurityNegotiationEx ception
Date: Fri, 23 May 2008 02:12:00 -0700
Thanks Morten. But it is still throwing the same exception. :(
Manjree.

"Morten Abrahamsen" wrote:

Try changing
<identity>
<servicePrincipalName value="host/Avacta-n31m-1" />
</identity>

to the common name of your service certificate?

Morty

"Manjree Garg" <ga**@newsgroup.nospamwrote in message
news:59**********************************@microsof t.com...

Hi,
>
I created a web service and hosted it in Windows Services. It is

working

fine. Now I am trying to implement the X509 certificates for message

layer

security. But it is throwing the following exception:
>
An unhandled exception of type
'System.ServiceModel.Security.SecurityNegotiationE xception' occurred

mscorlib.dll
>
Additional information: Secure channel cannot be opened because

negotiation with the remote endpoint has failed. This may be due to

absent

or
incorrectly specified EndpointIdentity in the EndpointAddress used to
create
the channel. Please verify the EndpointIdentity specified or implied

the
EndpointAddress correctly identifies the remote endpoint.
>
>
The WinSvchost file is:
>
>
>
namespace PreprocessingWinSvcHost
{
public partial class PreprocessingWinSvc : ServiceBase
{
private ServiceHost myHost;
public PreprocessingWinSvc()
{
InitializeComponent();
}
>
protected override void OnStart(string[] args)
{
try
{
//Create the host.
>
Uri address = new
Uri("http://localhost:8080/PreprocessingService");
WSHttpBinding binding = new WSHttpBinding();
Type contract = typeof(IPreprocess);
>
binding.MaxBufferPoolSize = 200000000;
binding.MaxReceivedMessageSize = 200000000;
binding.Name = "WSHttpBinding_IPreprocess";
>
binding.Security.Mode = SecurityMode.Message;
binding.Security.Message.ClientCredentialType =
MessageCredentialType.Certificate;
>
myHost = new ServiceHost(typeof(PreprocessingService));
myHost.AddServiceEndpoint(contract, binding, address);
>
myHost.Credentials.ServiceCertificate.SetCertifica te(
StoreLocation.LocalMachine, StoreName.My,
X509FindType.FindBySubjectName, "windowshost");
>
ClientCredentials creds = new ClientCredentials();
// Configure peer trust.
>
creds.ServiceCertificate.Authentication.Certificat eValidationMode =
>

>
//Creates an output file.
Stream MyOutputFile =
File.Create("c:\\checklog\\Logfile1.txt");
TextWriterTraceListener TextListener1 = new
TextWriterTraceListener(MyOutputFile);
Trace.Listeners.Add(TextListener1); //Add a listner

the

Trace.
>
// Writes output message to the output file and to a
console
screen.
Trace.WriteLine(DateTime.Now.ToLongTimeString() + " -
Service starting...");
>
>
myHost.Open();
>
Trace.WriteLine("state = "+ myHost.State);
>
// Flush and close the output file.
Trace.Flush();
TextListener1.Flush();
TextListener1.Close();
}
catch (Exception e)
{
Console.WriteLine("Message: {0}", e.Message);
}
>
>
}
>
and the Client is:
>
>
namespace PreprocessingClient
{
class Program
{
static void Main(string[] args)
{
Console.WriteLine("**** Preprocessing Client ****");
EndpointAddress address = new
EndpointAddress("http://localhost:8080/PreprocessingService");
WSHttpBinding binding = new WSHttpBinding();
binding.MaxBufferPoolSize = 200000000;
binding.MaxReceivedMessageSize = 200000000;
System.ServiceModel.ChannelFactory<IPreprocesscf =
new
System.ServiceModel.ChannelFactory<IPreprocess>(bi nding,
address);
cf.Credentials.ClientCertificate.SetCertificate(
StoreLocation.LocalMachine, StoreName.My,
X509FindType.FindBySubjectName, "WCFUser");
cf.Credentials.ServiceCertificate.SetDefaultCertif icate(
StoreLocation.LocalMachine, StoreName.My,
X509FindType.FindBySubjectName,"windowshost");
IPreprocess proxy = cf.CreateChannel();
// PreprocessClient proxy = new PreprocessClient();
//proxy.Open(); //open the client's proxy
>
proxy.EnableMatGui(false);
}
>
>
The app.config for the client is :
>
>
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IPreprocess"
closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00"
sendTimeout="00:40:00"
bypassProxyOnLocal="false" transactionFlow="false"
hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="200000000"
maxReceivedMessageSize="20000000"
messageEncoding="Text" textEncoding="utf-8"
useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32"
maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096"
maxNameTableCharCount="16384"
/>
<reliableSession ordered="true"
inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Message">
<transport clientCredentialType="Windows"
proxyCredentialType="None"
realm="" />
<message clientCredentialType="Certificate"
negotiateServiceCredential="true"
algorithmSuite="Default"
establishSecurityContext="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint

address="http://localhost:8080/PreprocessingService"

Hi Manj,

Any progress on this issue? I'm still monitoring the thread, if there is
anything else we can help, please don't hesitate to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
ms****@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
Date: Thu, 05 Jun 2008 04:42:46 GMT
Subject: Re: System.ServiceModel.Security.SecurityNegotiationEx ception
Hi Manj,

Thanks for your reply.

The error seems still concerns with the certificate (which may not be
validated as trusted one).

Have you got the configuration setting in windows service working(setup WCF
service host without using code)? Also, as I suggested previously, you can
use a console application for test first so as to simplfy the
troubleshooting.

Here is the article which mentioned most info about using certificate
authentication with message layer security. You can check some of the
configuration setting with yours:

#WCF security: How to configure message security with x509 authentication
http://developers.de/blogs/damir_dob...09/24/931.aspx

If you still cannot find the cause, I can send you a test solution I used
on my side for your reference. BTW, for the test certificate, how did you
generate them? Are you using makecert.exe or windows certificate service?

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
ms****@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------

Hi Manj,

Any progress on this issue? I'm still monitoring the thread, if there is
anything else we can help, please don't hesitate to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you.

feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
ms****@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to

ications.

==================================================
This posting is provided "AS IS" with no warranties, and confers no

--------------------
Date: Thu, 05 Jun 2008 04:42:46 GMT
Subject: Re: System.ServiceModel.Security.SecurityNegotiationEx ception
Hi Manj,

Thanks for your reply.

The error seems still concerns with the certificate (which may not be
validated as trusted one).

Have you got the configuration setting in windows service working(setup

service host without using code)? Also, as I suggested previously, you

use a console application for test first so as to simplfy the
troubleshooting.

Here is the article which mentioned most info about using certificate
authentication with message layer security. You can check some of the
configuration setting with yours:

#WCF security: How to configure message security with x509 authentication
http://developers.de/blogs/damir_dob...09/24/931.aspx

If you still cannot find the cause, I can send you a test solution I used
on my side for your reference. BTW, for the test certificate, how did

generate them? Are you using makecert.exe or windows certificate service?

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you.

feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
ms****@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to

ications.

==================================================
This posting is provided "AS IS" with no warranties, and confers no

>
--------------------