WCF Service consumed by Sharepoint App throwing "Could not establish trust relationship" Error
This one was one of those that end up being a simple issue that was causing a lot of confusion.
So, I got this issue in one of my labs where I had one of those simple Sharepoint Apps that needed to upload data when a specific timer event was occurring...pretty simple right?.
I had this very neat scenario put in place where my client Sharepoint App and my WCF Service were exchanging mutual certificates and the authentication was being enforced on both sides (WCF Client and WCF Server).
This was been running for a awhile now without any issues at all.
Suddenly I started to see a lot of the typical certificate errors as below being logged in in my logs:
"Could not establish trust relationship"
System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority 'josepen.dev.local'. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
This was somehow kind of puzzling for me since I had validated all my certificates that I was using and could not found anything missing in my certificates configurations.
I did all my check on the usual Trusted Personal Store and Trusted Certified Authorities Store and everything seems ok. I even went to the point of creating a simple console application to use the same certificates and code that my Sharepoint app was using and could not reproduce the issue.
However the fact that I was able to run the same code with same certificates without the Sharepoint and not seeing any error made me "suspecting" that there was indeed an issue on my Sharepoint configuration.
Not the big problem was that I "really" do not know much about Sharepoint itself and this, of course, was challenge, but I went for it anyway.
So, I took the most simple approach on this and try to not overcomplicate.
The first step was to get my WCF Service identified so I did the below:
- Browse to the WCF Service from the IE so I can clearly see which certificate is being used
- I clicked on the Security Icon (the infamous padlock) which is next to the URL in the address bar.
- From the resulting pop-up I went to the "Certificate Path" tab
- Now I was able to see the certificate being used by the WCF Service (something like the below)
- After that I clicked on each certificate and click on “View Certificate” button and in the resulting pop-up go to the “Details” tab and export the Certificate.
So now, I had for sure the WCF Certificate that my Sharepoint that was running my App should trust, so I validated that on my Sharepoint and "voila", it seems that someone had messed up with the certificate, meaning it was not there...
To correct this the solution was again pretty much straightforward
- Open SharePoint Central Administration.
- Browse to “Security” -> “Manage Trust”
- Click on “New” from the ribbon in the resulting window
- Give it a name and select the Certificate to be trusted
- Do this for every certificate you exported in the above action
- Forced the immediate run of the "Refresh Trusted Security Token Services Metadata" timerjob
- Restarted IIS on each of the SharePoint WFEs
And voila (again), everything started working as it should
Now the next step would be find the little mouse that had eaten my certificate :-)
Hope that helps