WCF Settings in IIS having certificate

See more:

WCF

policy

HI All,

I am facing an issue regarding the WCF certificates.
I have created certificates and stored in my local machine as well as in Trusted root folder.
I have applied custom binding in my WCF Web.Config file.
Kindly help its urgent...Thanks in advance.


Here is the web.config file.

<configuration>
  <appSettings/>
  <connectionStrings/>
  <system.web>
    <compilation debug="true" targetFramework="4.0"/>
    <!--
        The <authentication> section enables configuration 
        of the security authentication mode used by 
        ASP.NET to identify an incoming user. 
    -->
    <authentication mode="Windows"/>
    <!--
        The <customErrors> section enables configuration 
        of what to do if/when an unhandled error occurs 
        during the execution of a request. Specifically, 
        it enables developers to configure html error pages 
        to be displayed in place of a error stack trace.

        <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
         <error statusCode="403" redirect="NoAccess.htm" />
         <error statusCode="404" redirect="FileNotFound.htm" />
        </customErrors>
    -->
    <pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID"/>
  </system.web>
  <!-- 
      The system.webServer section is required for running ASP.NET AJAX under Internet
      Information Services 7.0.  It is not necessary for previous version of IIS.
  -->
  <system.serviceModel>
    <services>
      <service name="WcfServicetoConcat.Service1" behaviorConfiguration="WcfServicetoConcat.Service1Behavior">
        <!-- Service Endpoints -->
        <endpoint address="" binding="customBinding" bindingConfiguration="PolicyBinding" contract="WcfServicetoConcat.IService1">
          <!-- 
              Upon deployment, the following identity element should be removed or replaced to reflect the 
              identity under which the deployed service runs.  If removed, WCF will infer an appropriate identity 
              automatically.
          -->
          <identity>
            <!--<dns value="localhost"/>-->
            <certificateReference findValue="WCfServer" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"/>
          </identity>
        </endpoint>
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="WcfServicetoConcat.Service1Behavior">
          <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
          <serviceMetadata httpGetEnabled="true"/>
          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="false"/>
          <serviceCredentials>
            <clientCertificate>
              <authentication certificateValidationMode ="PeerTrust"/>
            </clientCertificate>
            <serviceCertificate findValue="WCfServer" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"/>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    
    <bindings>
      <wsHttpBinding>
        <binding name="WSHttpBinding">
          <security>
            <message clientCredentialType="Certificate"/>
          </security>
        </binding>
      </wsHttpBinding>

      <customBinding>
        <binding name="PolicyBinding">
          <transactionFlow transactionProtocol="WSAtomicTransactionOctober2004"/>
          <security defaultAlgorithmSuite="Default" authenticationMode="MutualCertificate" requireDerivedKeys="true" securityHeaderLayout="Strict" includeTimestamp="true" keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncryptAndEncryptSignature" messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10" requireSignatureConfirmation="true">
            <secureConversationBootstrap/>
          </security>
          <mtomMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16" messageVersion="Default" maxBufferSize="2147483647" writeEncoding="utf-8">
            <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384"/>
          </mtomMessageEncoding>
          <httpTransport manualAddressing="false" maxBufferPoolSize="524288" maxReceivedMessageSize="2147483647" allowCookies="false" authenticationScheme="Anonymous" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" keepAliveEnabled="true" maxBufferSize="2147483647" proxyAuthenticationScheme="Anonymous" realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false" useDefaultWebProxy="true"/>
        </binding>
      </customBinding>
      
    </bindings>
    
  </system.serviceModel>
</configuration>

Client Web.config file

<configuration>
  <appSettings/>
  <connectionStrings/>
  <system.web>
    <compilation debug="true" targetFramework="4.0"/>
    <!--
            The <authentication> section enables configuration 
            of the security authentication mode used by 
            ASP.NET to identify an incoming user. 
        -->
    <authentication mode="Windows"/>
    <!--
            The <customErrors> section enables configuration 
            of what to do if/when an unhandled error occurs 
            during the execution of a request. Specifically, 
            it enables developers to configure html error pages 
            to be displayed in place of a error stack trace.

        <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
            <error statusCode="403" redirect="NoAccess.htm"/>
            <error statusCode="404" redirect="FileNotFound.htm"/>
        </customErrors>
        -->
    <pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID"/>
  </system.web>
  <!-- 
        The system.webServer section is required for running ASP.NET AJAX under Internet
        Information Services 7.0.  It is not necessary for previous version of IIS.
    -->
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="WSHttpBinding_IService1" closeTimeout="00:01:00"
          openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
          bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
          maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Mtom"
          textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
          <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          <reliableSession ordered="true" inactivityTimeout="00:10:00"
            enabled="false" />
          <security mode="Message">
            <transport clientCredentialType="Windows" proxyCredentialType="None"
              realm="" />
            <message clientCredentialType="Certificate" negotiateServiceCredential="true"
              algorithmSuite="Default" />
          </security>          
        </binding>
      </wsHttpBinding>
    </bindings>
    <client>
      <endpoint address="http://inbom1-w0040.mcint.local/WCFService/Service1.svc"
        binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IService1"
        contract="WCFService.IService1" name="WSHttpBinding_IService1" behaviorConfiguration="ClientCert">
        <identity>
          <certificate encodedValue="AwAAAAEAAAAUAAAAMkf8a3FWNN+RnQynuNXaS1KCMD0gAAAAAQAAAPwBAAAwggH4MIIBYaADAgECAhB9by+wm+d+vkI71UqWf8hwMA0GCSqGSIb3DQEBBAUAMBUxEzARBgNVBAMTClJvb3RDQVRlc3QwHhcNMTMwMTI4MDUyMDMyWhcNMzkxMjMxMjM1OTU5WjAUMRIwEAYDVQQDEwlXQ2ZTZXJ2ZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMz9tAEOxFyLnk4JrLEmXP+anZ+LNHex0m3lU4WZ/i70Sr4SU04gu/bH42HveLrbhfOPRVAcqp+2STBKQmwNoTELx8EuP8sqtrX2abncbxMh4mM+4v8lLPsVSop8Pr/qb+T9FtSZu+KUFKZFYdmG1Bht954QC1A3RrzAKYry7sD/AgMBAAGjSjBIMEYGA1UdAQQ/MD2AEALyFbbJwckwFdikG7azmiGhFzAVMRMwEQYDVQQDEwpSb290Q0FUZXN0ghC2nVqXi142i03XiRUwYKbsMA0GCSqGSIb3DQEBBAUAA4GBAC3rBQWRz4/Fln7ovKxg8NA1QhFsOp1nSpxCo9Av8XqmsUPt+CHbQ/857I8/KFubttprjuOsdR/XZqEaCsXlecvW7L3PpixL+ZqDTFJAxzpxCplBomFITTJ+tY8/Y/Fu0gXuMljqtKQqXZDvuliBPDODxEoojhLwT6x3LhoyyBCb" />
        </identity>
      </endpoint>
    </client>
    <behaviors>      
      <endpointBehaviors>
        <behavior name="ClientCert">
          <clientCredentials>
            <clientCertificate findValue="WcfClient" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"/>
            <serviceCertificate>
              <authentication certificateValidationMode="PeerTrust"/>
            </serviceCertificate>            
          </clientCredentials>             
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>

Error in IE
An error occurred when verifying security for the message.


i get the following exception from event veiwer

Exception information:
Exception type: SecurityNegotiationException
Exception message: Secure channel cannot be opened because security negotiation with the remote endpoint has failed. This may be due to absent or incorrectly specified EndpointIdentity in the EndpointAddress used to create the channel. Please verify the EndpointIdentity specified or implied by the EndpointAddress correctly identifies the remote endpoint.


After enabling the WCF trace i have found the below error

Excpetion type :System.ServiceModel.Security.MessageSecurityException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

Message :Security processor was unable to find a security header in the message. This might be because the message is an unsecured fault or because there is a binding mismatch between the communicating parties. This can occur if the service is configured for security and the client is not using security


Kindly help