WCF WSHttpBinding Certificate PeerTrust

Rick

I am developing a WCF based app on Vista using IIS 7.0 but it will be
deployed on Microsoft Server 2003 with IIS 6.0. The app uses WSHttpBinding
and mutual Certificate authentication. The app works fine in the Vista IIS7.0
environment, but when moving it to the test environment that matches
production, I cannot get certificate authentication to work. I get the
following error: "The certificate that was used has a trust chain that cannot
be verified. Replace the certificate or change the
certificateValidationMode."

The strange thing is that I have the certificateValidationMode set to PeerTrust.

<serviceCredentials>
  <clientCertificate>
    <authentication certificateValidationMode="PeerTrust"
                    trustedStoreLocation="LocalMachine" />
  </clientCertificate>
  <serviceCertificate findValue="AdcBehindTheFirewall"
                      storeLocation="LocalMachine" storeName="My"
                      x509FindType="FindBySubjectName" />
</serviceCredentials>

I also tried changing certificateValidationMode="None" and still got the
same error.

Any ideas on what may be wrong in the Server 2003 environment?
 
Rick

I have a bit more information regarding my issue. When testing the services
in Vista I was using certificates created with the MakeCert command. When
running the services on Server 2003, the certificates were created by the
client's IT department. One difference is that my certificates were
self-signed while the certificates they created are signed by a root
authority. I moved the MakeCert generated certs to Server 2003 and the
service works with one setup difference. I had to put the public key cert not
only in the Trusted People store on the client, but also in the Trusted Root
CA store on the client. I am not sure why I had to do that since I am using
PeerTrust and did not have to do that on Vista.

Any idea on why I have to put the cert in the Trusted Root CA store on
the client?
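
Added example, not part of the original posts: the `<serviceCredentials>` block quoted above only controls how the service validates client certificates, while the client's validation of the service certificate is configured separately in the client's own config and defaults to ChainTrust when left unset. The fragment below sets PeerTrust on the client side, assuming the error is raised by the client; the behavior name, binding name, endpoint address, contract and client certificate subject are hypothetical placeholders.

```xml
<!-- CLIENT-side app.config fragment (added example; placeholder values are marked) -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="CertMessageBinding"> <!-- placeholder name -->
        <security mode="Message">
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <endpointBehaviors>
      <behavior name="PeerTrustClientBehavior"> <!-- placeholder name -->
        <clientCredentials>
          <!-- Certificate the client presents to the service (placeholder subject) -->
          <clientCertificate findValue="ClientCertSubjectPlaceholder"
                             storeLocation="LocalMachine" storeName="My"
                             x509FindType="FindBySubjectName" />
          <serviceCertificate>
            <!-- How the CLIENT validates the SERVICE certificate.
                 If this element is omitted the mode is ChainTrust, which
                 requires a chain to a root in the client's Trusted Root CA store.
                 PeerTrust instead requires the service's public certificate to be
                 in the Trusted People store at trustedStoreLocation. -->
            <authentication certificateValidationMode="PeerTrust"
                            trustedStoreLocation="LocalMachine" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <client>
    <!-- placeholder address and contract -->
    <endpoint address="http://service.example.invalid/Service.svc"
              binding="wsHttpBinding"
              bindingConfiguration="CertMessageBinding"
              behaviorConfiguration="PeerTrustClientBehavior"
              contract="IPlaceholderContract" />
  </client>
</system.serviceModel>
```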
 
