
How does a WCF service know what certificate to use to decrypt an incoming security token?


I'm implementing a WCF service using .NET 4.5 and token-based security. On the client side, I'm calling myfact.CreateChannelWithIssuedToken() with a token previously retrieved from an STS. When I use this channel to make a call to the service, I get the following error (in the WCF service trace):

Cannot resolve KeyInfo for decryption: KeyInfo 'SecurityKeyIdentifier
    (
    IsReadOnly = False,
    Count = 1,
    Clause[0] = EncryptedKeyIdentifierClause(EncryptedKey = qDJDOHUxLxDP8/5baRbY6LrnIX2cYLGwC8b9xDQbEfLsYhcowtszecfWK93dFQHBNV+COHSZpKapJlzrbi12QlObuhfpB08vIxrgXCLg69w4PfAq/jzJcK3N16GHHADSE6XT0KVBXQbcwJqyrELLGAc9ve3cnn52EDg6rkVKBNg=, Method 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p')
    ) ', available tokens 'System.ServiceModel.Security.AggregateSecurityHeaderTokenResolver'.

I suspect that this is because the service is unable to decrypt the incoming security token, but I do not know why that would be. The certificate is in the LocalMachine\My store, and has an associated private key.

How does WCF locate the necessary certificate, and why would it be failing to locate it in my case?


Solution

  • It turns out that the service certificate is the one used. When I corrected this (through the <serviceCertificate .../> knob):

    <behavior name="my_service_behavior">
        <serviceCredentials useIdentityConfiguration="true" identityConfiguration="identity">
            <serviceCertificate 
                findValue="..." 
                x509FindType="FindByThumbprint" 
                storeName="My" 
                storeLocation="LocalMachine" />
        </serviceCredentials>
    </behavior>
    

    Everything started working.
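Added diagnostic example in C# (not code from the original post): it locates the certificate the same way the <serviceCertificate> element above does (LocalMachine\My, FindByThumbprint), verifies that the private key WCF needs to unwrap the EncryptedKey is actually present and readable by the service account, and then wires the certificate into the host programmatically. The thumbprint value and the IMyService/MyService contract are placeholders.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

[ServiceContract] interface IMyService { [OperationContract] string Ping(); }
class MyService : IMyService { public string Ping() { return "pong"; } }   // hypothetical service

static class ServiceCertificateCheck
{
    // Placeholder: replace with the real thumbprint (hex, no spaces or hidden characters).
    const string Thumbprint = "<SERVICE_CERT_THUMBPRINT>";

    // Same lookup the <serviceCertificate storeLocation="LocalMachine" storeName="My"
    // x509FindType="FindByThumbprint"> configuration performs.
    static X509Certificate2 FindServiceCertificate()
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly:false so an expired or untrusted certificate is still reported rather than silently skipped.
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, Thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException("No certificate with that thumbprint in LocalMachine\\My.");
            return found[0];
        }
        finally { store.Close(); }
    }

    static void Main()
    {
        var cert = FindServiceCertificate();

        // Without a usable private key the service cannot decrypt the rsa-oaep-mgf1p
        // EncryptedKey in the issued token, which surfaces as "Cannot resolve KeyInfo".
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Certificate has no associated private key.");
        try { var unused = cert.PrivateKey; }   // throws if this account lacks read access to the key
        catch (CryptographicException e)
        { throw new InvalidOperationException("Private key exists but is not readable by this account.", e); }

        // Programmatic equivalent of the <serviceCredentials> element in the answer.
        var host = new ServiceHost(typeof(MyService));
        host.Credentials.UseIdentityConfiguration = true;            // useIdentityConfiguration="true"
        host.Credentials.ServiceCertificate.Certificate = cert;      // <serviceCertificate .../>
        host.Open();
        Console.WriteLine("Service running with certificate: " + cert.Subject);
        Console.ReadLine();
        host.Close();
    }
}
```

Run it under the same account the service uses (for IIS, the application pool identity), since key read permission is per account and a check done as an administrator can pass while the service still fails.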