FIX: Authentication fails when a client calls a WCF service in which a user creates a self-signed certificate for SSL authentication

You configure a Windows Communication Foundation (WCF) service to use a client certificate for Secure Sockets Layer (SSL) authentication. You create a self-signed certificate and then install it for the authentication. However, when the client calls the service, the authentication fails.
When a client sends a request to the service, the HTTP.sys driver requests a certificate from the client. Together with that request, the driver automatically sends the list of all certification authorities (CAs) that the server trusts. A self-signed certificate is not issued by any CA in that list. Therefore, the client never returns the self-signed certificate to the HTTP.sys driver. In addition, the HTTP.sys driver builds a trust chain for any certificate that it does receive, and a self-signed certificate does not chain to any CA in the list.
Note If you are using the .NET Framework 3.5 Service Pack 1 on Windows 7 or on Windows Server 2008 R2, install the hotfix that is described in the following Microsoft Knowledge Base article:
977420 A hotfix rollup is available to fix problems in Windows Communication Foundation in the .NET Framework 3.5 SP1 for Windows 7 and for Windows Server 2008 R2

Hotfix Information

A supported hotfix is now available from Microsoft. However, it is intended to correct only the problem that this article describes. Apply it only to systems that are experiencing this specific problem.

To resolve this problem, contact Microsoft Customer Support Services to obtain the hotfix. For a complete list of Microsoft Customer Support Services telephone numbers and information about support costs, visit the following Microsoft website:

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.


You must have the .NET Framework 3.5 Service Pack 1 (SP1) installed to apply this hotfix.

Restart requirement

You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
For all supported x86-based versions of Windows Vista SP2 and of Windows Server 2008 SP2
File name | File version | File size | Date | Time | Platform

For all supported x64-based versions of Windows Vista SP2 and of Windows Server 2008
File name | File version | File size | Date | Time | Platform

For all supported Itanium-based versions of Windows Server 2008 SP2
File name | File version | File size | Date | Time | Platform

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
This hotfix changes a registry key on the computer that hosts the WCF service. After the change, the HTTP.sys driver on that computer sends an empty CA list when it requests a client certificate. Because the list is empty, the client is no longer restricted to certificates that were issued by a listed CA, so it can return the self-signed certificate to the service. In addition, the hotfix enables the user to create instances of the X509CertificateValidator class to validate client certificates over HTTPS.
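The following C# is an added example, not code from this article or from WCF itself. It shows the second half of the fix in use: once HTTP.sys hands the self-signed client certificate to WCF, the default chain validation still has no CA to chain it to, so the service needs a custom X509CertificateValidator that accepts exactly that certificate. The validator pins the certificate by thumbprint and is attached to a ServiceHost programmatically. The class name, method names and the thumbprint string are the example's own. The registry value SendTrustedIssuerList, checked by the last method, is an assumption about which Schannel setting controls the CA list; the article itself does not name the key the hotfix changes.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.Win32;

// Added example: accepts one self-signed client certificate, identified by its
// SHA-1 thumbprint, instead of relying on a CA chain that does not exist.
public sealed class PinnedSelfSignedClientValidator : X509CertificateValidator
{
    private readonly string expectedThumbprint;

    public PinnedSelfSignedClientValidator(string expectedThumbprint)
    {
        if (string.IsNullOrEmpty(expectedThumbprint))
            throw new ArgumentNullException("expectedThumbprint");
        // Thumbprints copied from certmgr.msc often carry spaces and mixed case.
        this.expectedThumbprint = expectedThumbprint.Replace(" ", "").ToUpperInvariant();
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");

        // Pin the exact certificate. Thumbprint equality covers the public key,
        // subject and every other field, so no chain building is needed or possible.
        if (!string.Equals(certificate.Thumbprint, expectedThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenValidationException("Client certificate is not the pinned certificate.");

        // Pinning bypasses chain validation, so enforce the validity window ourselves.
        DateTime now = DateTime.Now;
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new SecurityTokenValidationException("Pinned client certificate is outside its validity period.");

        // A certificate whose issuer differs from its subject was issued by a CA and
        // should be validated by chain, not pinned here.
        if (!string.Equals(certificate.Issuer, certificate.Subject, StringComparison.Ordinal))
            throw new SecurityTokenValidationException("Certificate is not self-signed; use chain validation instead.");
    }

    // Wire the validator into a service host before Open() is called. Setting the mode
    // to Custom replaces the default ChainTrust validation for client certificates.
    public static void Attach(ServiceHost host, string thumbprint)
    {
        X509ClientCertificateAuthentication auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new PinnedSelfSignedClientValidator(thumbprint);
    }

    // Assumption (not stated by the article): the Schannel value SendTrustedIssuerList
    // controls whether HTTP.sys sends its CA list in the certificate request. 0 means an
    // empty list is sent. On Windows Server 2008 R2 an absent value means the list IS sent,
    // so absence is reported as false here.
    public static bool ServerSendsEmptyIssuerList()
    {
        object value = Registry.GetValue(
            @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL",
            "SendTrustedIssuerList", null);
        return value is int && (int)value == 0;
    }
}

// Usage in the hosting process (thumbprint is a placeholder for your own certificate):
//
//   ServiceHost host = new ServiceHost(typeof(MyService));
//   PinnedSelfSignedClientValidator.Attach(host, "AB12CD34EF56...");
//   if (!PinnedSelfSignedClientValidator.ServerSendsEmptyIssuerList())
//       Console.WriteLine("Warning: HTTP.sys will still send a CA list; the client may not present the certificate.");
//   host.Open();
```

Pinning by thumbprint is the appropriate trust decision for a self-signed certificate: there is no issuer to consult, so the only meaningful question is whether this is the exact certificate the operator installed. Keep the accepted thumbprint in configuration rather than in source so that rotating the self-signed certificate does not require a rebuild.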

Article ID: 973606 - Last Review: 03/01/2011 06:28:00 - Revision: 2.0

Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5 Service Pack 1

  • kbexpertiseadvanced kbsurveynew kbqfe KB973606