i need to consume WCF service over SSL while the request needs to be sign with one certificate and the response needs to be validated with another certificate.
i get this error while executing the code:
Cannot find a token authenticator for the 'System.IdentityModel.Tokens.X509SecurityToken' token type. Tokens of that type cannot be accepted according to current security settings.
according to WCF tracing it fails while trying to validate the response signature, because i can see the response from the server.
<system.serviceModel>
<diagnostics>
<messageLogging logEntireMessage="true" logKnownPii="true" logMalformedMessages="true"
logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true" />
<endToEndTracing propagateActivity="true" activityTracing="true"
messageFlowTracing="true" />
</diagnostics>
<behaviors>
<endpointBehaviors>
<behavior name="CHClientCertificateBehavior">
<clientCredentials supportInteractive="true">
<clientCertificate findValue="clientcert" storeLocation="LocalMachine"
storeName="My" x509FindType="FindBySubjectName" />
<serviceCertificate>
<defaultCertificate findValue="servercert" storeLocation="LocalMachine"
storeName="My" x509FindType="FindBySubjectName" />
<authentication certificateValidationMode="None" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding name="DPBasicHttpBindingWithSSL" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:02:00"
allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="2097152" maxBufferSize="524288" maxReceivedMessageSize="524288"
textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true"
messageEncoding="Text">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
<message clientCredentialType="Certificate" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>
<customBinding>
<binding name="DPCustomHttpBindingWithSSL">
<security authenticationMode="CertificateOverTransport" allowSerializedSigningTokenOnReply="true" messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
requireDerivedKeys="false"
securityHeaderLayout="Lax" />
<textMessageEncoding messageVersion="Soap11" />
<httpsTransport maxBufferPoolSize="2097152" maxBufferSize="524288" maxReceivedMessageSize="524288" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="https://myserver/service.asmx"
behaviorConfiguration="CHClientCertificateBehavior" binding="customBinding"
bindingConfiguration="DPCustomHttpBindingWithSSL" contract="ServiceRef.smssoap"
name="smsEndpoint">
<identity>
<certificateReference storeName="My" storeLocation="LocalMachine"
x509FindType="FindBySubjectName" findValue="myserver" />
</identity>
</endpoint>
</client>
</system.serviceModel>
as you can see, i tried both basicHttpBinding and customBinding (converted with the online tool http://webservices20.cloudapp.net/default.aspx), i tried to set different variations of settings combinations but still get this error.
any idea? canceling response certificate signing validation is also an option, but how do i set it??
SOLVED!
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="DPSSLXDIG">
<clientCredentials supportInteractive="false">
<clientCertificate findValue="clientcert" storeLocation="LocalMachine" x509FindType="FindBySubjectName" />
<serviceCertificate>
<defaultCertificate findValue="servercert" storeName="TrustedPeople" storeLocation="LocalMachine" x509FindType="FindBySubjectName" />
<authentication certificateValidationMode="None" revocationMode="NoCheck" />
</serviceCertificate>
<windows allowNtlm="false" allowedImpersonationLevel="None" />
<httpDigest impersonationLevel="None" />
<peer>
<peerAuthentication revocationMode="NoCheck" />
</peer>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<customBinding>
<binding name="DPSSLXDIG">
<textMessageEncoding messageVersion="Soap11WSAddressingAugust2004" />
<security allowSerializedSigningTokenOnReply="true" authenticationMode="MutualCertificateDuplex"
requireDerivedKeys="false" securityHeaderLayout="Lax" messageProtectionOrder="SignBeforeEncrypt"
messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
requireSecurityContextCancellation="false">
<secureConversationBootstrap />
</security>
<httpsTransport authenticationScheme="Anonymous" requireClientCertificate="true" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="https://myserver/webservice.asmx"
behaviorConfiguration="DPSSLXDIG" binding="customBinding"
bindingConfiguration="DPSSLXDIG" contract="serviceRef.smssoap"
name="smsEndpoint">
<identity>
<dns value="servercert" />
</identity>
</endpoint>
</client>
</system.serviceModel>