FIX: Authentication fails when a client calls a WCF service in which a user creates a self-signed certificate for SSL authentication

You configure a Windows Communication Foundation (WCF) service to use a client certificate for Secure Sockets Layer (SSL) authentication. You create a self-signed certificate and then install it for the authentication. However, when the client calls the service, the authentication fails.

When a client sends a request to the service, the HTTP.sys driver requests a certificate from the client. The driver automatically provides a list of all known certification authorities (CA). However, the self-signed certificate is not issued by any CA in the list. Therefore, the client never returns the self-signed certificate to the HTTP.sys driver. In addition, the HTTP.sys driver builds a trust chain. The self-signed certificate is not chained to any CA in the list.

Hotfix Information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

You must have the .NET Framework 3.5 Service Pack 1 (SP1) installed to apply this hotfix.

Restart requirement

You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

For all supported x86-based versions of Windows Vista SP2 and of Windows Server 2008 SP2

For all supported x64-based versions of Windows Vista SP2 and of Windows Server 2008

For all supported Itanium-based versions of Windows Server 2008 SP2

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

This hotfix changes a registry key on the computer that hosts the WCF service. On this computer, the HTTP.sys driver provides an empty CA list. Fixes an issue in which authentication fails when a user creates a self-signed certificate for SSL authentication in a service that a client calls. Then, the client can add the self-signed certificate to the empty CA list. In addition, the hotfix enables the user to create instances of the X509CertificateValidator class to use over HTTPS.