
Symptoms

Consider the following scenario:

  • You have two Windows Communication Foundation (WCF) services that use transport security over HTTP (HTTP with Secure Sockets Layer (SSL) (HTTPS)). Each WCF service is configured to listen on a different port and is secured with a different certificate.

  • You use a WCF client to connect to one WCF service through a proxy server.

  • You use the same WCF client to connect to the other WCF service through the same proxy server.

In this scenario, the second connection fails, and a System.ServiceModel.Security.SecurityNegotiationException exception occurs. Additionally, you receive the following exception message:

The server certificate with name 'CN=Service1' failed identity verification because its thumbprint ('thumbprint_Service2') does not match the one specified in the endpoint identity ('thumbprint_Service1'). As a result, the current HTTPS request has failed. Please update the endpoint identity used on the client or the certificate used by the server



Note For call stack information about this issue, see the "More information" section.

Cause

This issue occurs because the service certificate that is presented to the client does not match the certificate of the second WCF service.

After a secured connection is established between a WCF service and a WCF client, a service endpoint for the proxy server is created on the client side. This service endpoint exists for the lifetime of the connection to handle future requests from the same client, and it caches the service certificate for future validation. When the client sends a request to the second WCF service, this connection is reused. Therefore, the client's validation of the service certificate fails, because the service certificate presented by the proxy endpoint is not the certificate of the second WCF service.

Resolution

After you apply this hotfix, WCF adds the service certificate as part of the service identity when a proxy endpoint is generated. Therefore, client requests can be directed to the appropriate service endpoint.
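The following is an added example, not WCF code and not part of the original article: a simplified Python model of the cached proxy endpoint described under Cause and of the changed behavior described under Resolution. The class names, URLs, and thumbprints are constructed, and treating "adds the service certificate as part of the service identity" as "the expected thumbprint becomes part of the cache key" is an assumption of the model.

```python
# Simplified model (not WCF code) of the client-side connection cache described above.
# All URLs and thumbprints below are constructed sample values.

class SecurityNegotiationError(Exception):
    """Stands in for System.ServiceModel.Security.SecurityNegotiationException."""

PROXY = "http://proxy.example:8080"
# Two services on different ports, each secured with a different certificate.
SERVICES = {
    "https://svc.example:8001/Service1": "thumbprint_Service1",
    "https://svc.example:8002/Service2": "thumbprint_Service2",
}

class Client:
    def __init__(self, identity_in_key):
        # False models the behavior before the hotfix, True the behavior after it.
        self.identity_in_key = identity_in_key
        self.endpoints = {}  # cache key -> certificate thumbprint cached for that endpoint

    def _key(self, expected_thumbprint):
        # Assumption: "adds the service certificate as part of the service identity"
        # is modelled as including the expected thumbprint in the cache key.
        return (PROXY, expected_thumbprint) if self.identity_in_key else (PROXY,)

    def call(self, url, expected_thumbprint):
        key = self._key(expected_thumbprint)
        if key not in self.endpoints:
            # First request for this key: connect and cache the certificate presented.
            self.endpoints[key] = SERVICES[url]
        presented = self.endpoints[key]  # a reused endpoint returns the cached certificate
        if presented != expected_thumbprint:
            raise SecurityNegotiationError(
                f"presented {presented!r}, endpoint identity expects {expected_thumbprint!r}")
        return presented

def run_scenario(identity_in_key):
    """Call Service1, then Service2, through the same proxy; return one outcome per call."""
    client = Client(identity_in_key)
    outcomes = []
    for url, thumbprint in SERVICES.items():
        try:
            client.call(url, thumbprint)
            outcomes.append("ok")
        except SecurityNegotiationError:
            outcomes.append("SecurityNegotiationException")
    return outcomes

if __name__ == "__main__":
    print("before hotfix:", run_scenario(False))
    print("after hotfix: ", run_scenario(True))
```

In the model, the failure is a fail-closed result: the client rejects the mismatched certificate rather than sending the request.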

Hotfix information



A supported hotfix is now available from Microsoft. However, it is intended to correct only the problem that this article describes. Apply it only to systems that are experiencing this specific problem.

To resolve this problem, contact Microsoft Customer Support Services to obtain the hotfix. For a complete list of Microsoft Customer Support Services telephone numbers and information about support costs, visit the following Microsoft website:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Prerequisites

To apply this hotfix, you must have the .NET Framework 4.0 installed.

Restart requirement

You have to restart the computer after you apply this update if the affected files are being used.

Hotfix replacement information

This hotfix does not replace any other hotfix.

File Information

The global version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

File information for all supported x86-based versions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows 7:

File name                 File version    File size    Date          Time    Platform
System.identitymodel.dll  4.0.30319.553   398,632      27-Jan-2012   08:12   x86
System.servicemodel.dll   4.0.30319.553   6,115,616    27-Jan-2012   08:12   x86

File information for all supported x64-based versions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows 2008 Server R2:

File name                 File version    File size    Date          Time    Platform
System.identitymodel.dll  4.0.30319.553   398,632      27-Jan-2012   08:12   x86
System.servicemodel.dll   4.0.30319.553   6,115,616    27-Jan-2012   08:12   x86

File information for all supported IA-64-based versions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2:

File name                 File version    File size    Date          Time    Platform
System.identitymodel.dll  4.0.30319.553   398,632      27-Jan-2012   08:12   x86
System.servicemodel.dll   4.0.30319.553   6,115,616    27-Jan-2012   08:12   x86

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

For more information about how to configure SSL for WCF, visit the following MSDN website:

How to configure SSL for WCF

The following call stack information is generated when this issue occurs:

at System.ServiceModel.Channels.HttpTransportSecurityHelpers.ValidateServerCertificate(X509Certificate certificate, String thumbprint)
at System.ServiceModel.Channels.HttpTransportSecurityHelpers.AddServerCertMapping(HttpWebRequest request, String thumbprint)
at System.ServiceModel.Channels.HttpTransportSecurityHelpers.AddServerCertMapping(HttpWebRequest request, EndpointAddress to)
at System.ServiceModel.Channels.HttpsChannelFactory.HttpsRequestChannel.GetWebRequest(EndpointAddress to, Uri via, TimeoutHelper& timeoutHelper)
at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.SendRequest(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
