Tags: wcf, ssl, ssl-certificate, x509certificate, x509

Is a client certificate necessary in the Trusted People store when using TransportWithMessageCredential?


I have a WCF service with the security mode set to TransportWithMessageCredential.

This works fine when the client X509 certificate is installed in the Trusted People store on the server side.

Removing the client certificate from this store causes a MessageSecurityException on the client side.

From the Windows event log this boils down to a SecurityTokenValidationException (ID4257):

  • Validation failed by the token handler.
  • The certificate is not in the Trusted People store.
  • Certificate chain building failed.
  • The certificate that was used has a trust chain that cannot be verified.

Is this the expected behavior, or is there something wrong with the client X509 certificate?

I was assuming that chain trust could be established as long as the signing CA of the client X509 certificate is present on the server.


Solution

  • No:

    • Override the service SecurityTokenHandler.
    • Build the X509Chain with your own policy and the incoming client certificate.
    • Verify the chain at will.
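As an added illustration of the three steps above (this is not code from the question or the answer), a replacement token handler that never consults the Trusted People store and instead chains the client certificate to one CA the host supplies. The class name is hypothetical, the CA certificate object is assumed to be handed in by the host, and the example assumes that CA is the self-signed root of the client chain.

```csharp
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;

// Hypothetical handler name. The host passes in the CA that issues client certificates;
// this example assumes it is the self-signed root of that chain.
public class ChainTrustX509TokenHandler : X509SecurityTokenHandler
{
    private readonly X509Certificate2 _issuingCa;

    public ChainTrustX509TokenHandler(X509Certificate2 issuingCa)
    {
        _issuingCa = issuingCa;
    }

    public override ReadOnlyCollection<ClaimsIdentity> ValidateToken(SecurityToken token)
    {
        var x509Token = token as X509SecurityToken;
        if (x509Token == null)
            throw new SecurityTokenValidationException("Expected an X509SecurityToken.");
        X509Certificate2 cert = x509Token.Certificate;

        using (var chain = new X509Chain())
        {
            // Own policy: offer the CA via ExtraStore, check revocation, and tolerate the
            // unknown-root status only because the root is pinned explicitly below.
            chain.ChainPolicy.ExtraStore.Add(_issuingCa);
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;

            // Build still fails for expired, revoked or badly signed certificates.
            if (!chain.Build(cert))
                throw new SecurityTokenValidationException("Client certificate chain could not be built: "
                    + (chain.ChainStatus.Length > 0 ? chain.ChainStatus[0].StatusInformation : "unknown"));

            // Pin the chain to the configured CA and reject the CA certificate itself as a client.
            var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            if (chain.ChainElements.Count < 2 ||
                !string.Equals(root.Thumbprint, _issuingCa.Thumbprint, StringComparison.OrdinalIgnoreCase))
                throw new SecurityTokenValidationException("Client certificate does not chain to the expected CA.");
        }

        // Issue claims from the certificate so downstream authorization can act on them.
        var identity = new ClaimsIdentity("X509");
        identity.AddClaim(new Claim(ClaimTypes.Thumbprint, cert.Thumbprint));
        identity.AddClaim(new Claim(ClaimTypes.Name, cert.Subject));
        return new ReadOnlyCollection<ClaimsIdentity>(new[] { identity });
    }
}
```

The handler is registered in place of the default X509SecurityTokenHandler in the service's identityConfiguration securityTokenHandlers collection, so ID4257 no longer depends on the Trusted People store.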