
Calling WCF service from WebApi throws MessageSecurityException


I use a 3rd-party client library which internally communicates with a server (somewhere in the cloud) using WCF (I can only configure a few key/value settings; the library creates the whole WCF client proxy stack within its own code).

If I use the library in a WinForms or console application it works well; however, calling the library API from within WebApi ends up with this error:

An exception of type 'System.ServiceModel.Security.MessageSecurityException' occurred in mscorlib.dll but was not handled in user code

Additional information: The Identity check failed for the outgoing message. 
The remote endpoint did not provide a domain name system (DNS) claim and therefore did not satisfied DNS identity 'serverName'. 
This may be caused by lack of DNS or CN name in the remote endpoint X.509 certificate's distinguished name.

Why is there a difference? The server side is the same, so does this mean the identity check is not performed when running in a WinForms app? Or is the identity check performed differently when running in WebApi? How can I fix it?

I run the code from within VS2015; WebApi is hosted in IIS Express. The library uses NetTcpBinding with TransportWithMessageCredential and MessageCredentialType.UserName.


Solution

  • Try adding this to your app.config file

    <configuration>
        <runtime>
            <AppContextSwitchOverrides value="Switch.System.IdentityModel.DisableMultipleDNSEntriesInSANCertificate=true" />
        </runtime>
    </configuration>
    

    From MSDN:

    Starting with apps that target the .NET Framework 4.6.1, the X509CertificateClaimSet.FindClaims method will attempt to match the claimType argument with all the DNS entries in its SAN field.

    Impact

    This change only affects apps that target the .NET Framework 4.6.1.

    For apps that target previous versions of the .NET Framework, the X509CertificateClaimSet.FindClaims method attempts to match the claimType argument only with the last DNS entry.

    Mitigation

    If this change is undesirable, apps that target the .NET Framework 4.6.1 can opt out of it by adding the following configuration setting to the <runtime> section of the app's configuration file:

    https://msdn.microsoft.com/en-us/library/mt620030%28v=vs.110%29.aspx
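The following is an added diagnostic example, not code from the question, the answer or the 3rd-party library. It reads the server certificate's Subject Alternative Name extension, lists its DNS entries, and shows how the two matching rules quoted above (all DNS entries versus only the last one) decide whether the expected DNS identity from the error message is satisfied. It also shows the programmatic equivalent of the config switch; for an IIS-hosted WebApi the configuration form goes in web.config rather than app.config. The certificate file path, the expected identity value "serverName" and the "DNS Name=" prefix produced by X509Extension.Format on Windows are assumptions for this example.

```csharp
// Added example (not from the original Q&A): inspect a certificate's SAN DNS
// entries and apply the two matching rules described in the MSDN note.
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static class SanDnsIdentityCheck
{
    // OID of the Subject Alternative Name extension.
    const string SanOid = "2.5.29.17";

    // Switch name from the answer; true restores the pre-4.6.1 "last DNS entry only" behaviour.
    const string DisableMultipleSanSwitch =
        "Switch.System.IdentityModel.DisableMultipleDNSEntriesInSANCertificate";

    // Returns all DNS names from the SAN extension, in certificate order.
    // Assumption: on Windows, Format(true) emits lines such as "DNS Name=host.example".
    public static string[] GetSanDnsNames(X509Certificate2 cert)
    {
        var san = cert.Extensions.Cast<X509Extension>()
                      .FirstOrDefault(e => e.Oid != null && e.Oid.Value == SanOid);
        if (san == null)
            return new string[0];

        return san.Format(true)
                  .Split(new[] { '\r', '\n', ',' }, StringSplitOptions.RemoveEmptyEntries)
                  .Select(s => s.Trim())
                  .Where(s => s.StartsWith("DNS Name=", StringComparison.OrdinalIgnoreCase))
                  .Select(s => s.Substring("DNS Name=".Length).Trim())
                  .ToArray();
    }

    // Mirrors the two behaviours quoted from MSDN:
    //   matchAllEntries == true  -> 4.6.1 default: every DNS entry is compared
    //   matchAllEntries == false -> earlier versions / switch enabled: only the last entry
    public static bool DnsIdentityMatches(string[] sanDns, string expectedDns, bool matchAllEntries)
    {
        if (sanDns.Length == 0)
            return false; // no DNS claim at all: the "did not provide a DNS claim" case

        var candidates = matchAllEntries ? sanDns : new[] { sanDns[sanDns.Length - 1] };
        return candidates.Any(d => string.Equals(d, expectedDns, StringComparison.OrdinalIgnoreCase));
    }

    static void Main(string[] args)
    {
        // Programmatic equivalent of the <AppContextSwitchOverrides> config entry.
        // It must run before any WCF channel is created, because the framework
        // caches the switch value on first use.
        AppContext.SetSwitch(DisableMultipleSanSwitch, true);

        // Placeholder inputs: exported server certificate and the DNS identity
        // named in the MessageSecurityException ("serverName" in the question).
        string certPath = args.Length > 0 ? args[0] : "server.cer";
        string expected = args.Length > 1 ? args[1] : "serverName";

        var cert = new X509Certificate2(certPath);
        var dns = GetSanDnsNames(cert);

        Console.WriteLine("Subject:          " + cert.Subject);
        Console.WriteLine("SAN DNS entries:  " + (dns.Length == 0 ? "(none)" : string.Join(", ", dns)));
        Console.WriteLine("Match, all entries: " + DnsIdentityMatches(dns, expected, true));
        Console.WriteLine("Match, last entry:  " + DnsIdentityMatches(dns, expected, false));
    }
}
```

Running this against the certificate the remote endpoint presents tells you whether the DNS identity the client expects is present in the SAN at all, and whether it only appears in a position that one of the two matching rules ignores; that narrows the problem to either a certificate issue on the server side or a framework-version difference between the WinForms and WebApi hosts.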