WCF wsHttpBinding Certificate Security Negotiation Exception - c#

So after having combed through MSDN, countless articles and even SO - I still have nothing to show for days of struggle.
So I have this: WCF service needs to be consumed by a client and I just keep hitting a SecurityNegotiationException
Secure channel cannot be opened because security negotiation with the remote endpoint has failed. This may be due to absent or incorrectly specified EndpointIdentity in the EndpointAddress used to create the channel. Please verify the EndpointIdentity specified or implied by the EndpointAddress correctly identifies the remote endpoint.
I've seen this error all over the net and no one seems to have my exact scenario (with a feasible answer at least).
My setup is local and not hosted by IIS (for the time being) but hosted via Visual Studio 2010. My GenericIntegration (WCF service) makes use of wsHttpBinding (Message mode) authenticated by certificates (I have a very custom username/password authentication + authorization class passed as a parameter by design) and there is no backing out of the security measures.
Host's Config
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpintBinding">
<security mode ="Message">
<message clientCredentialType="Certificate" establishSecurityContext="false" negotiateServiceCredential="false"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="wsHttpBehaviour" name="GenericIntegration.GenericService">
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpintBinding"
name="wsHttpEndpoint" contract="GenericIntegration.GenInterface" />
<host>
<baseAddresses>
<!--<add baseAddress="http://localhost:59082/GenericService.svc" />-->
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="wsHttpBehaviour">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<clientCertificate>
<certificate findValue="GenIntegrationClient" storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectName" />
<authentication certificateValidationMode="PeerTrust" />
</clientCertificate>
<serviceCertificate findValue="GenIntegrationClient" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
</serviceCredentials>
</behavior>
<behavior name="metadataBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
And the Client's config
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="endpointBehaviour">
<clientCredentials>
<clientCertificate findValue="GenIntegrationClient" storeLocation="LocalMachine" storeName="My"
x509FindType="FindBySubjectName" />
<serviceCertificate>
<authentication certificateValidationMode="PeerTrust" revocationMode="NoCheck"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpoint" maxBufferPoolSize="20000000" maxReceivedMessageSize="20000000">
<security mode="Message">
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost:59082/GenericService.svc"
binding="wsHttpBinding" bindingConfiguration="wsHttpEndpoint" behaviorConfiguration="endpointBehaviour"
contract="GenService.GenInterface" name="wsHttpEndpoint">
<identity>
<certificate encodedValue="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" />
</identity>
</endpoint>
</client>
</system.serviceModel>
Now about the certificates (and yes, this is for testing only): GenIntegrationServer.cer has been created as a self-signed CA root certificate with a private key to sign client certificates with. Both the GenIntegrationServer and GenIntegrationClient certificates were generated with makecert. The client certificate is linked to the private key and is correctly installed in the personal store.
I am still quite new to certificates, private keys and secure comms - I simply cannot reason out where I am making my mistake. I didn't find too many posts about specifically using certificates in this manner.
Can anyone assist before I lose more hair or sleep over this?
UPDATE
As per request, I added the logging. But the most they reveal is:
<s:Body>
<s:Fault>
<s:Code>
<s:Value>s:Sender</s:Value>
<s:Subcode>
<s:Value>a:InvalidSecurity</s:Value>
</s:Subcode>
</s:Code>
<s:Reason>
<s:Text xml:lang="en-ZA">An error occurred when verifying security for the message.</s:Text>
</s:Reason>
</s:Fault>
</s:Body>
Sadly, I still do not understand why security validation is failing. Any ideas?

Turns out I needed to add the certificates to different stores.
In addition to already having the certificates set in the personal stores (as indicated by the config), I had to install the server's certificate on the client and vice versa. I also had to make sure that the client contained the client certificate's personal key and the same with the server.
This does not sound too complete but I'll post a full article on how I did this.

Related

WCF SOAP security negotiation after changing certificate

After I changed the self-signed certificate "localhost" (DNS=localhost) to "Cloudflare Origin Certificate" (dns=mydomain.com), I get the following error:
SOAP security negotiation with 'http://localhost:8000/MyService.svc' for target 'http://localhost:8000/MyService.svc' failed. See inner exception for more details.
Inner exception:
Either the client credential was invalid or there was an error collecting the client credentials by the SSPI.
What I noticed is that after I start up the client I get a window to enter credentials. Dunno why.
What I did exactly:
Generated certificate request in IIS
Completed certificate on CloudFlare
Received key pasted into text file with CloudFlare Root CA
Completed certificate in IIS (Personal, LocalMachine)
In MMC added to Trusted Publishers CloudFlare Root CA (LocalMachine)
For WCF website changed SSL certificate to CloudFlare
Changed in client value from "localhost" to "mydomain.com"
Changed in server value from "localhost" to "mydomain.com"
Changed findValue for
WCF web.config
<system.serviceModel>
<client />
<behaviors>
<serviceBehaviors>
<behavior name="authBehavior">
<serviceAuthorization principalPermissionMode="UseWindowsGroups">
<authorizationPolicies>
<add policyType="WCF.Common.AuthorizationPolicy, WCF" />
</authorizationPolicies>
</serviceAuthorization>
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="WCF.Common.IdentityValidator, WCF" />
<serviceCertificate findValue="CloudFlare Origin Certificate" storeLocation="LocalMachine" x509FindType="FindBySubjectName" storeName="My" />
</serviceCredentials>
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="svcBehavior">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<basicHttpsBinding>
<binding name="basicHttpsEndpointBinding" maxReceivedMessageSize="1073741824" maxBufferSize="1073741824" maxBufferPoolSize="1073741824">
<readerQuotas maxDepth="32" maxArrayLength="1073741824" maxStringContentLength="1073741824" />
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
</basicHttpsBinding>
<wsHttpBinding>
<binding name="wsHttpEndpointBinding"></binding>
</wsHttpBinding>
</bindings>
<services>
<service name="WCF.MyService" behaviorConfiguration="svcBehavior">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding" contract="WCF.IMyService">
<identity>
<dns value="mydomain.com" />
</identity>
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
Client app.config
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="MessageAndUserName">
<security mode="Message">
<message clientCredentialType="UserName" />
</security>
</binding>
<binding name="WSHttpBinding_IMyService" />
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost:8777/MyService.svc"
binding="wsHttpBinding" contract="WCF.IMyService"
name="WSHttpBinding_IMyService">
<identity>
<dns value="mydomain.com" />
</identity>
</endpoint>
</client>
<behaviors>
<serviceBehaviors>
<behavior name="DefaultServiceBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
I host additional services in my WCF and also I host some services in the Client, but none of them are needed.
I use wsHttpBindings between WCF and Client. What can I do to get rid of this error?
What is the purpose of using wsHttpBinding etc.: to allow only this Client to communicate with MyService; no one else will be allowed. The Client app will run on multiple computers in the domain. Do you suggest using a different approach?
Thanks for any idea!
EDIT: The computer with the error is not running in the domain. It does not work for a computer in the domain either :/
EDIT2: Security mode transport
WCF web.config bindings:
<wsHttpBinding>
<binding name="wsHttpEndpointBinding">
<security mode="Transport">
<message clientCredentialType="None" />
</security>
</binding>
</wsHttpBinding>
Client side config bindings:
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IMyService">
<security mode="Transport">
<message clientCredentialType="None" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://localhost:8001/MyService.svc"
binding="wsHttpBinding" contract="WCF.IMyService"
name="WSHttpBinding_IMyService">
<identity>
<dns value="mydomain.com" />
</identity>
</endpoint>
</client>
IIS:
Here are a few resources to review to help determine if NetTcpBinding would work for you; it sounds like it would, since you are consuming the web service internally.
NetTcpBinding
netTcpBinding is best when the WCF service and its clients are in an intranet infrastructure. As it supports only the TCP protocol and not HTTP, the service cannot be accessed over the internet.
This secure binding is used to send binary-encoded SOAP messages between intranet computers. It supports reliability, transactions and security. If you're using netTcpBinding and host the WCF service in IIS, you need to make some settings on the system and in IIS; this article will help you with the required settings.
A few tips for troubleshooting related issues:
Double click on the cert in MMC; does it give you any error messages under the Certificate Information header?
Are you able to browse the service from your client in a browser?
Is the cert assigned in IIS?
Do you have the correct binding?
Is the client using the same binding as the service host?
Does your endpoint reference the correct binding and service behavior?
Additional helpful information about NetTcpBinding:
https://stackoverflow.com/a/3375161/2016162

WCF Over HTTPS (Message & Transport) 404 Error (Page Not Found)

I've a WCF service that is working great with authentication and the Message security type.
But I need to communicate with the WCF service over https (it has to be in the URL), so I need to add the Transport security type.
(I'm using a self-signed certificate)
This is my binding config:
<bindings>
<wsHttpBinding>
<binding name="Binding">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
</bindings>
This is my Services config:
<services>
<service name="WcfService1.Service1" behaviorConfiguration="MyServiceTypeBehaviors">
<host>
<baseAddresses>
<add baseAddress="https://localhost/Service1.svc"/>
</baseAddresses>
</host>
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="Binding" contract="WcfService1.IService1" />
</service>
</services>
This is my Behavior config:
<behavior name="MyServiceTypeBehaviors" >
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="WcfService1.UserValidate,WcfService1"/>
<serviceCertificate findValue="localhost" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"/>
</serviceCredentials>
</behavior>
But like a true WCF service, nothing goes smoothly:
When I execute the WCF service it automatically opens the page "http://localhost:22535/" in the browser instead of https as I specified in the base address.
When I open the page (no https) "http://localhost:22535/Service1.svc" I get the error:
Could not find a base address that matches scheme https for the endpoint with binding WSHttpBinding. Registered base address schemes are [http].
When I try to reach the page "https://localhost/Service1.svc" which I specified in the base address I get:
This webpage is not available
This is my entire Web.Config :
<?xml version="1.0"?>
<configuration>
<appSettings>
<add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
</appSettings>
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5"/>
</system.web>
<system.serviceModel>
<services>
<service name="WcfService1.Service1" behaviorConfiguration="MyServiceTypeBehaviors">
<host>
<baseAddresses>
<add baseAddress="https://localhost/Service1.svc"/>
</baseAddresses>
</host>
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="Binding" contract="WcfService1.IService1" />
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="Binding">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<!--My Custom Behavior-->
<behavior name="MyServiceTypeBehaviors" >
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="WcfService1.UserValidate,WcfService1"/>
<serviceCertificate findValue="localhost" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"/>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<directoryBrowse enabled="true"/>
</system.webServer>
</configuration>
Thanks in advance.
Update
I've set the IIS application to bind on HTTPS (thanks Daniel Holmkviste).
Now I get 404 (not found) for the base address. ("https://localhost/Service1.svc")
But the good news is I have a green lock, and when I press it I see "LocalHost" with identity verified.
But why can't it find the page now?
The HTTP URL (the address automatically opened when executing the WCF service from VS) "http://localhost:22535/Service1.svc" still gives this error:
Could not find a base address that matches scheme https for the endpoint with binding WSHttpBinding. Registered base address schemes are [http].
Finally! The answer is to turn HTTP Activation on.
Search "Turn Windows Features on or off" in windows.
Open .NET Framework 4.5 Advanced Services
Open WCF Services
Check HTTP Activation
Specify the metadata.
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetaDataExchange"/>
To enable https in VS you have to configure the properties of your project to use IIS.

WCF service is working on dev server but on production it is not working

I have a .NET client and I am consuming the WCF service and am able to do that successfully, but when I try to post that on our production I am not able to consume the same service. Below is my web.config:
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="MyBehavior">
<useRequestHeadersForMetadataAddress></useRequestHeadersForMetadataAddress>
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="false"/>
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="TestProject.Implementations.AuthenticateUser,TestProject"/>
<serviceCertificate findValue="localhost" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service name="TestProject.Implementations.ServiceCustom" behaviorConfiguration="MyBehavior">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="SampleServiceBinding" contract="TestProject.Interfaces.IServiceCustom"></endpoint>
<endpoint contract="IMetadataExchange" binding="mexHttpBinding" address="mex"></endpoint>
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="SampleServiceBinding">
<security mode ="Message">
<message clientCredentialType="UserName"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
And also I want to make my service HTTPS enabled.
I get the below error message:
There was no endpoint listening at http://url.com that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.
This error clearly suggests that the WCF service you are trying to access is not hosted correctly, or the address you are using to connect is not pointing to the service. Make sure that, by using the address in a browser, you are able to access that service.
If you are able to access the service, check your client application web.config and find out the endpoint details for that service. If the endpoint URL is mismatched you may get this error.
I fixed the error and below is the web config code:
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="MyBehavior">
<useRequestHeadersForMetadataAddress></useRequestHeadersForMetadataAddress>
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false"/>
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="TestProject.Implementations.AuthenticateUser,TestProject"/>
<serviceCertificate findValue="localhost" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service name="TestProject.Implementations.Test" behaviorConfiguration="MyBehavior">
<endpoint address="http://rul" binding="wsHttpBinding" bindingConfiguration="SampleServiceBinding" contract="TestProject.Interfaces.Test"></endpoint>
<endpoint address="https:url" binding="wsHttpBinding" bindingConfiguration="SampleServiceBindingHttps" contract="TestProject.Interfaces.ITest"></endpoint>
<endpoint contract="IMetadataExchange" binding="mexHttpsBinding" address="mex"></endpoint>
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="SampleServiceBinding">
<security mode="Message">
<message clientCredentialType="UserName"/>
</security>
</binding>
<binding name="SampleServiceBindingHttps">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
I changed the security mode to TransportWithMessageCredential and changed a few config values like binding="mexHttpsBinding".

Disabling X.509 certificate validation in .NET with WCF service

I am trying to set up message security in a WCF service and disable the X.509 certificate validation in the process. I'd like to validate the client with a username and password only and not validate the server at all. At least for now.
Referring to the first answer here:
How do I tell WCF to skip verification of the certificate?
How do I achieve the following programmatically on the client?
<behavior name="DisableServiceCertificateValidation">
<clientCredentials>
<serviceCertificate>
<authentication certificateValidationMode="Custom"
customCertificateValidatorType="MyCertificateValidator, Client"
revocationMode="NoCheck" />
</serviceCertificate>
</clientCredentials>
</behavior>
I have got this:
With myServiceClient.ClientCredentials
.UserName.UserName = "username"
.UserName.Password = "password"
.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.Custom
.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck
End With
I can't work out how to set the "customCertificateValidatorType" and how to wire it to the MyCertificateValidator class.
Does this bypass the requirement of a client certificate, a server certificate or both?
Here is my server web.config file.
<?xml version="1.0"?>
<configuration>
<system.web>
<customErrors mode="Off"/>
<trust level="Full"/>
<compilation debug="true"/>
</system.web>
<system.serviceModel>
<services>
<service name="HelloWorldService.HelloWorldService" behaviorConfiguration="BehaviourMessageSecurity">
<endpoint address ="" binding="wsHttpBinding" contract="HelloWorld.IHelloWorldService" bindingConfiguration="BindingMessageSecurity"/>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
<host>
<baseAddresses>
<add baseAddress="http://www.example.com/HelloWorldService.svc"/>
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="BehaviourMessageSecurity">
<serviceMetadata httpGetEnabled="True"/>
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom"
customUserNamePasswordValidatorType="HelloWorldService.ServiceAuthenticator, HelloWorldService" />
<serviceCertificate findValue="localhost" x509FindType="FindBySubjectName"
storeLocation="LocalMachine" storeName="My" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="BindingMessageSecurity">
<security mode="Message">
<message clientCredentialType="UserName"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
</system.serviceModel>
<system.webServer>
<directoryBrowse enabled="true"/>
</system.webServer>
</configuration>
Custom means you write your own validation method. If you don't want to check the certificate at all, use None:
.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None
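Added example (C#, not code from the question or the answer): the programmatic equivalent of customCertificateValidatorType, i.e. a class derived from X509CertificateValidator and the two lines that wire it into ClientCredentials. Instead of waving every certificate through, the assumed PinnedThumbprintValidator accepts only a configured thumbprint, which keeps the server authenticated while the dev certificate is self-signed; the class name, ClientSetup helper and thumbprint value are assumptions.

```csharp
using System;
using System.IdentityModel.Selectors;   // X509CertificateValidator
using System.IdentityModel.Tokens;      // SecurityTokenValidationException
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Assumed name; this is the class that the config's
// customCertificateValidatorType="MyCertificateValidator, Client" would point at.
public class PinnedThumbprintValidator : X509CertificateValidator
{
    private readonly string _expectedThumbprint;

    public PinnedThumbprintValidator(string expectedThumbprint)
    {
        // Thumbprints copied from certmgr often carry spaces; normalise once.
        _expectedThumbprint = expectedThumbprint.Replace(" ", "").ToUpperInvariant();
    }

    // WCF calls this for the service certificate whenever
    // CertificateValidationMode == Custom. Throwing rejects the channel.
    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");

        if (!string.Equals(certificate.Thumbprint, _expectedThumbprint,
                           StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenValidationException(
                "Service certificate thumbprint " + certificate.Thumbprint +
                " does not match the pinned value.");

        if (DateTime.Now < certificate.NotBefore || DateTime.Now > certificate.NotAfter)
            throw new SecurityTokenValidationException(
                "Service certificate is outside its validity period.");
    }
}

public static class ClientSetup
{
    // Programmatic equivalent of the <clientCredentials> behavior in the question;
    // works for any generated proxy (ClientBase<T>). Call before the channel opens.
    public static void Configure<TChannel>(ClientBase<TChannel> client,
                                           string user, string password,
                                           string pinnedThumbprint) where TChannel : class
    {
        var creds = client.ClientCredentials;
        creds.UserName.UserName = user;
        creds.UserName.Password = password;

        var auth = creds.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        // This property is the "customCertificateValidatorType" part of the config.
        auth.CustomCertificateValidator = new PinnedThumbprintValidator(pinnedThumbprint);
        auth.RevocationMode = X509RevocationMode.NoCheck;
        // X509CertificateValidationMode.None (the answer's shortcut) would skip
        // server authentication entirely; pinning keeps it with a self-signed cert.
    }
}
```

The client certificate requirement is unaffected: it is governed by the binding's clientCredentialType (UserName here), not by the service-certificate validator.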

C# WCF and certificate FaultException

I would like to implement WCF service with server and client certificates.
When I try to connect to service on IIS I get the following error:
Test method TestProject1.UnitTest1.TestMethod1 threw exception: System.ServiceModel.Security.SecurityNegotiationException: Secure channel cannot be opened because security negotiation with the remote endpoint has failed. This may be due to absent or incorrectly specified EndpointIdentity in the EndpointAddress used to create the channel. Please verify the EndpointIdentity specified or implied by the EndpointAddress correctly identifies the remote endpoint. ---> System.ServiceModel.FaultException: The request for security token has invalid or malformed elements..
My web.config:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="DotNetStoreBinding" receiveTimeout="00:00:15">
<reliableSession inactivityTimeout="00:00:20" />
<security mode="Message">
<message clientCredentialType="Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="ServiceBehavior" name="WcfServiceCustumer.Service1">
<endpoint binding="wsHttpBinding" contract="WcfServiceCustumer.IService1">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior">
<serviceMetadata httpsGetEnabled="true" httpGetEnabled="true"/>
<serviceCredentials>
<serviceCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName" findValue="CN=DotNetStore" />
<clientCertificate>
<certificate storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectDistinguishedName" findValue="CN=Bob"/>
<authentication certificateValidationMode="PeerTrust" />
</clientCertificate>
</serviceCredentials>
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
After I had created the server, I created a new project and added a service reference. I call the service like this:
EndpointAddress address = new EndpointAddress(
new Uri("http://localhost/CustomerServiceSite/Customer.svc"),
EndpointIdentity.CreateDnsIdentity("DotNetStore"),
new AddressHeaderCollection()
);
WSHttpBinding binding = new WSHttpBinding();
binding.Security.Mode = SecurityMode.Message;
binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
var client = new CustomerService.Service1Client(binding, address);
client.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;
client.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectDistinguishedName, "CN=Bob");
IList<Product> allProducts = client.GetAllProducts();
Any help would be appreciated.
The problem was occurring because of certificates. I did not have correct pairs on client and service.
A good description of how to correctly use certificates can be found here:
http://www.codeproject.com/KB/WCF/9StepsWCF.aspx?msg=3181718
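Both this post and the first question on the page were resolved by fixing which certificate (and which private key) sits in which store. Added example (C#, not from any of the posts): a preflight check for the store layout that PeerTrust message security expects on one machine: our own certificate in My with its private key, the peer's public certificate in TrustedPeople of the location WCF trusts, and the configured DNS identity matching the peer's subject CN. Subject names are taken from the last post (Bob, DotNetStore); the class and method names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

public static class PeerTrustPreflight
{
    // Returns human-readable problems; an empty list means the layout looks right.
    public static List<string> Check(string ownSubject, StoreLocation ownLocation,
                                     string peerSubject, StoreLocation trustedLocation,
                                     string expectedDnsIdentity)
    {
        var problems = new List<string>();

        // 1. Our certificate must be in Personal ("My") WITH its private key,
        //    otherwise WCF cannot sign requests or decrypt responses.
        var own = Find(StoreName.My, ownLocation, ownSubject);
        if (own == null)
            problems.Add("'" + ownSubject + "' not found in " + ownLocation + "\\My");
        else if (!own.HasPrivateKey)
            problems.Add("'" + ownSubject + "' in " + ownLocation + "\\My has no private key");

        // 2. PeerTrust does not build a chain: the peer's own certificate must be
        //    in TrustedPeople of the location WCF is told to trust (LocalMachine by
        //    default), regardless of where the client certificate was loaded from.
        var peer = Find(StoreName.TrustedPeople, trustedLocation, peerSubject);
        if (peer == null)
        {
            problems.Add("'" + peerSubject + "' not found in " + trustedLocation + "\\TrustedPeople");
            return problems;
        }
        if (peer.HasPrivateKey)
            problems.Add("peer certificate in TrustedPeople carries a private key; only the public part belongs there");
        if (DateTime.Now < peer.NotBefore || DateTime.Now > peer.NotAfter)
            problems.Add("peer certificate is outside its validity period");

        // 3. With <identity><dns value="..."/> WCF compares that value against the
        //    subject CN of the certificate it receives; a mismatch fails the identity check.
        string cn = peer.GetNameInfo(X509NameType.SimpleName, false);
        if (!string.Equals(cn, expectedDnsIdentity, StringComparison.OrdinalIgnoreCase))
            problems.Add("DNS identity '" + expectedDnsIdentity + "' does not match peer CN '" + cn + "'");

        return problems;
    }

    // FindBySubjectName is a substring match; validOnly=false so that expired or
    // untrusted certificates are still reported instead of silently skipped.
    private static X509Certificate2 Find(StoreName name, StoreLocation location, string subject)
    {
        var store = new X509Store(name, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var hits = store.Certificates.Find(X509FindType.FindBySubjectName, subject, false);
            return hits.Count == 0 ? null : hits[0];
        }
        finally
        {
            store.Close();
        }
    }

    public static void Main()
    {
        // Client-side view of the last post: client cert loaded from CurrentUser\My,
        // service cert expected in LocalMachine\TrustedPeople, dns identity "DotNetStore".
        foreach (var p in Check("Bob", StoreLocation.CurrentUser,
                                "DotNetStore", StoreLocation.LocalMachine, "DotNetStore"))
            Console.WriteLine("PROBLEM: " + p);
    }
}
```

Run the same check on the service host with the roles swapped (own = DotNetStore in LocalMachine\My, peer = Bob in LocalMachine\TrustedPeople) to confirm the "pairs" the answer refers to.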
