After update, service can't activate without certificate

I’m attempting to test out a simple update from 10.1.400.22 to 400.38, using a remote virtualization of the application server and the domain controller via Datto. I can get through all the steps in the update guide through deployment and restarting the task agent, until I need to log in for the first time and update the database.

I get the “service cannot be activated, see diagnostic trace logs” error, but when I check, it’s not the usual memory error:

WebHost failed to process a request.
Sending Information: System.ServiceModel.ServiceHostingEnvironment+HostingManager/61381290
Exception: System.ServiceModel.ServiceActivationException: The service ‘/E10Prod/Ice/Lib/SessionMod.svc’ cannot be activated due to an exception during compilation. The exception message is: The ChannelDispatcher at ‘http://[server]/E10Prod/Ice/Lib/SessionMod.svc’ with contract(s) ‘“SessionModSvcContract”’ is unable to open its IChannelListener…—> System.InvalidOperationException: The ChannelDispatcher at ‘http://[server]/E10Prod/Ice/Lib/SessionMod.svc’ with contract(s) ‘“IssueAndRenewSession”’ is unable to open its IChannelListener. —> System.InvalidOperationException: The service certificate is not provided. Specify a service certificate in ServiceCredentials.
at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateServerX509TokenProvider()

Cut for length. The other AppServers, which I didn’t deploy the update for, aren’t having the same issues. I’ve recycled app pools, restarted the task service, ran IISRESET, and even restarted the server.

Is it possible the error is due to the sandbox environment? The user listed on the errors is a domain account, which again works fine for the other AppServers. If not, any ideas?

I’m shocked that I actually found the answer to this on the EpicCare Knowledge Base. Should have looked there as well before posting!

Edit the web.config of the site in question. In the <serviceCredentials> element, uncomment the serviceCertificate element and/or enter the certificate name in the findValue attribute.

<serviceCertificate x509FindType=“FindBySubjectName” findValue=“localhost” storeLocation=“LocalMachine” storeName=“My” />

Remove the <!-- that is above and the --> that is below the serviceCertificate line. Save and try connecting again.


This also can happen if you work with SourceDay, they add some config stuff to your web.config. But Epicor Admin Console does not recognize your need for SSL and disables that section oddly. Which may have been the case in this topic, if you user UsernameWindowsChannel - why the need to the cert section :slight_smile: who knows #deploybugs maybe

1 Like