I'm having the following error:
System.IdentityModel.Tokens.SecurityTokenValidationException
The X.509 certificate CN=RootCA chain building failed. The
certificate that was used has a trust chain that cannot be verified.
Replace the certificate or change the certificateValidationMode. A
certificate chain processed, but terminated in a root certificate
which is not trusted by the trust.
The certificate I'm using is the one that you can create following this tutorial: How to: Create Temporary Certificates for Use During Development specifically the "RootCA" certificate.
I have genuinely no idea how to solve it. The things I have already tried:
Setting certificateValidationMode to "None", setting revocationMode
to "NoCheck"
Creating a certificate that has as "parent" the certificate I'm
using right now and trying with it (as in the example there is in the previous link)
Importing the certificate to Trusted People and Entrusted Root
folders
Setting storeName to "TrustedPeople" in the "serviceCertificate"
node and trustedStoreLocation to "LocalMachine" in the
"authentication" node -along with the point 3-
Using CurrentUser as storeLocation
My current code is (I need to hide the name of my files for privacy):
Client
<bindings>
<basicHttpBinding>
<binding name="basicHttpEndpointBinding">
<security mode="Message">
<message clientCredentialType="Certificate"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost:51845/XXXXX.svc" behaviorConfiguration="BCertificado"
binding="basicHttpBinding" bindingConfiguration="basicHttpEndpointBinding"
contract="XXXXXF1Service.IXXXXXF1Service" name="basicHttpEndpoint">
<identity>
<certificate encodedValue="Huge string" />
</identity>
</endpoint>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="BCertificado">
<clientCredentials>
<clientCertificate findValue="RootCA" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
Server
<bindings>
<basicHttpBinding>
<binding name="basicHttpEndpointBinding" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:01:00" sendTimeout="00:01:00" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="2147483647" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
<security mode="Message">
<message clientCredentialType="Certificate"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="ServiceBehavior" name="service1">
<endpoint address="XXXXXServices" binding="basicHttpBinding" bindingConfiguration="basicHttpEndpointBinding"
name="basicHttpEndpoint" contract="IXXXXF1Service" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior>
<!-- Para evitar revelar información de los metadatos, establezca los valores siguientes en false antes de la implementación -->
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="false"/>
<!-- Para recibir detalles de las excepciones en los errores para la depuración, establezca el siguiente valor en true. Para no revelar información sobre las excepciones establézcalo en false antes de la implementación -->
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
<behavior name="ServiceBehavior">
<serviceDebug includeExceptionDetailInFaults="true"/>
<serviceCredentials>
<serviceCertificate findValue="RootCA" x509FindType="FindBySubjectName" storeLocation="LocalMachine"/>
<clientCertificate>
<authentication certificateValidationMode="None" revocationMode="NoCheck"/>
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<protocolMapping>
<add binding="basicHttpBinding" scheme="http" />
</protocolMapping>
Any other advice related to those files is also appreciated since I dont know what I'm doing to be honest. Thank you so much in advance.
Try adding the endpoint behavior in your client application and set the behavior configuration you added in the endpoint.
<behaviors>
<endpointBehaviors>
<behavior name="BCertificado">
<clientCredentials>
<serviceCertificate>
<authentication certificateValidationMode="None" revocationMode="NoCheck"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
Related
I'm have created a self hosted WCF service that act as REST API service with webHttpBinding and support of CORS. I consume this service from the browser.
When I tried to add https, it didn't work.
I created the CERTS, and combine them according to this tutorial:
https://www.youtube.com/watch?v=ugpPSNxtAmY
my config is:
<system.serviceModel>
<services>
<service name="MyService.MyService">
<endpoint address="" binding="webHttpBinding" contract="MyService.IMyService" behaviorConfiguration="jsonBehavior">
<identity>
<dns value="MyMachine" />
</identity>
</endpoint>
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
</services>
<extensions>
<behaviorExtensions>
<add name="crossOriginResourceSharingBehavior" type="Company.Common.EnableCrossOriginResourceSharingBehavior, Company.Common" />
</behaviorExtensions>
</extensions>
<behaviors>
<serviceBehaviors>
<behavior>
<!-- To avoid disclosing metadata information,
set the values below to false before deployment -->
<serviceMetadata httpGetEnabled="True" httpsGetEnabled="True"/>
<!-- To receive exception details in faults for debugging purposes,
set the value below to true. Set to false before deployment
to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="False" />
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="jsonBehavior">
<webHttp />
<crossOriginResourceSharingBehavior />
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<webHttpBinding>
<binding crossDomainScriptAccessEnabled="true" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647" maxBufferPoolSize="524288"
transferMode="Buffered">
<readerQuotas maxDepth="32" maxStringContentLength="2147483647"
maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</webHttpBinding>
</bindings>
<standardEndpoints>
<webScriptEndpoint>
<standardEndpoint name="" crossDomainScriptAccessEnabled="true" />
</webScriptEndpoint>
</standardEndpoints>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true"/>
When I try to consume I got an error.
How can I do it.
The client of this service is a browser
This tutorial is awesome:
http://www.allenconway.net/2012/05/creating-wcf-restful-service-and-secure.html
it explains exactly what shall be done
I've read many posts about it but I don't know what happens with my web.config.
This is de web.config code:
<system.serviceModel>
<client>
<endpoint binding="basicHttpBinding" bindingConfiguration="NewBinding0"
contract="Service.IService" />
</client>
<bindings>
<basicHttpBinding>
<binding name="NewBinding0" closeTimeout="00:05:00" openTimeout="00:05:00"
sendTimeout="00:05:00" maxBufferPoolSize="2147483647" maxBufferSize="2147483647"
maxReceivedMessageSize="2147483647">
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
</binding>
</basicHttpBinding>
<webHttpBinding>
<binding name="NewBinding1" maxBufferSize="2147483647" maxBufferPoolSize="2147483647"
maxReceivedMessageSize="2147483647">
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
</binding>
</webHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior>
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="true"/>
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
I'm so sorry but I am not familiarized with the web.conf files. I've read that I have to set the maxReceivedMessageSize, but I've done it and I've received the same error.
I'm editing the file with Microsoft Service Configuration Editor.
I've tried with basicHttpBinding and without webHttpBinding, but does not work.
Every time I call the WCF, I receive the same error.
Trying in SOAPUI, when the message size is less than 65537, it works. When the message size is more than 65536, it does not work.
Thaks in advance.
Carles
Here is the working code of app.config-
<bindings>
<webHttpBinding>
<binding name="myBinding" maxReceivedMessageSize="2147483647" maxBufferSize="2147483647" maxBufferPoolSize="2147483647" transferMode="Streamed" >
<readerQuotas maxDepth="64" maxArrayLength="2147483647" maxStringContentLength="2147483647"/>
</binding>
</webHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="ForecastREST_API.RESTServiceImplBehavior" name="ForecastREST_API.RestServiceImpl">
<endpoint address="http://localhost:59624/RestServiceImpl.svc" binding="webHttpBinding" contract="ForecastREST_API.IRestServiceImpl" behaviorConfiguration="Web" bindingConfiguration="myBinding">
</identity>
</endpoint>
<endpoint address="mex" binding="webHttpBinding" contract="IMetadataExchange"/>
</service>
</services>
<behaviors>
<endpointBehaviors>
<behavior name="Web">
<dataContractSerializer maxItemsInObjectGraph="2147483647" />
<webHttp defaultOutgoingResponseFormat="Json" automaticFormatSelectionEnabled="true" />
<dispatcherSynchronization asynchronousSendEnabled="true" />
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="ForecastREST_API.RESTServiceImplBehavior">
<dataContractSerializer maxItemsInObjectGraph="2147483647" />
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
The maxReceivedMessageSize="2147483647" maxBufferSize="2147483647" and the bindingConfiguration="myBinding" is important only in service endpoint section and the bindingName is needed also in my project.
I have a WCF service that works using basicHttpBinding, I'm trying to configure it to go over https and authenticate with a SQL membership provider, and to do this I'm trying to convert it to use wsHttpBinding.
However, with the updated config I get the following error when I try to connect with the client:
Could not find default endpoint element that references contract 'KFileService.IKFileWcfService' in the ServiceModel client configuration section. This might be because no configuration file was found for your application, or because no endpoint element matching this contract could be found in the client element.
Here's the relevant portion of the web.config for the server:
<system.serviceModel>
<protocolMapping>
<remove scheme="http" />
<add scheme="https" binding="wsHttpBinding" bindingConfiguration="wsHttpBinding_IKFileWcfServiceBinding" />
</protocolMapping>
<behaviors>
<serviceBehaviors>
<behavior name="KFileWcfServiceBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<dataContractSerializer maxItemsInObjectGraph="2147483646" />
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
membershipProviderName="SqlMembershipProvider" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="KFileWcfServiceBehavior" name="KFileWcfService">
<endpoint address="https://localhost:36492/KFileWcfService.svc"
binding="wsHttpBinding" bindingConfiguration="wsHttpBinding_IKFileWcfServiceBinding"
name="wsHttpBinding_IKFileWcfService" bindingName="wsHttpBinding_IKFileWcfServiceBinding"
contract="KFileWcfService.IKFileWcfService">
<identity>
<certificateReference storeLocation="CurrentUser" />
</identity>
</endpoint>
</service>
</services>
<serviceHostingEnvironment minFreeMemoryPercentageToActivateService="0" multipleSiteBindingsEnabled="true"/>
<bindings>
<wsHttpBinding>
<binding name="wsHttpBinding_IKFileWcfServiceBinding" maxBufferPoolSize="2147483647"
maxReceivedMessageSize="2147483647">
<readerQuotas maxDepth="32" maxStringContentLength="100000" maxArrayLength="2147483647"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="Message">
</security>
</binding>
</wsHttpBinding>
</bindings>
</system.serviceModel>
And here's the client side:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="wsHttpBinding_IKFileWcfService" />
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://localhost:36492/KFileWcfService.svc"
binding="wsHttpBinding" bindingConfiguration="wsHttpBinding_IKFileWcfService"
contract="KFileWcfService.IKFileWcfService" name="wsHttpBinding_IKFileWcfService" />
</client>
</system.serviceModel>
I've done my best to go through all the existing questions and examples already, but haven't had any luck. Can anyone tell me what I'm doing wrong?
Edit:
For further reference, here's the server side configuration that works with basicHttpBinding:
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior>
<!-- To avoid disclosing metadata information, set the value below to false before deployment -->
<serviceMetadata httpGetEnabled="true" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true" />
<dataContractSerializer maxItemsInObjectGraph="2147483646" />
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service name="KFileWcfService">
<endpoint address="https://localhost:36492/KFileWcfService.svc" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IKFileWcfService" contract="KFileService.IKFileWcfService" name="BasicHttpBinding_IKFileWcfService" />
</service>
</services>
<serviceHostingEnvironment minFreeMemoryPercentageToActivateService="0" multipleSiteBindingsEnabled="true"/>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_IKFileWcfService" maxBufferSize="2147483647" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647" transferMode="Streamed">
<readerQuotas maxDepth="32" maxStringContentLength="100000" maxArrayLength="2147483647" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
</binding>
</basicHttpBinding>
</bindings>
</system.serviceModel>
And client:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_IKFileWcfService" />
</basicHttpBinding>
</bindings>
<client>
<endpoint address="https://localhost:36492/KFileWcfService.svc"
binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IKFileWcfService"
contract="KFileService.IKFileWcfService" name="BasicHttpBinding_IKFileWcfService" />
</client>
</system.serviceModel>
The type of the service contract on the client which you're trying to use, based on your error messsage:
KFileService.IKFileWcfService
The type of the service contract interface which you have on your client config:
KFileWcfService.IKFileWcfService
They should be the same. Change the client config to
... contract="KFileService.IKFileWcfService" ...
And it should work.
I have a service, that principal I would like to be duplex, however, for some operations, I need to use the streamed transfer mode, so I would like to have two contracts, one is the general contract, that let me interact with the database and send messages to the client from the service if I need it, and other contract to interact with files, save and get the files to the database.
I need the two contracts because the tcp binding is not compatible with duplex.
The service is hosted in a WPF application, and the config files is the following:
<system.serviceModel>
<services>
<service name="GTS.CMMS.Service.Service" behaviorConfiguration="behaviorConfig">
<host>
<baseAddresses>
<add baseAddress="net.tcp://localhost:7997/CMMSHost"/>
<add baseAddress="http://localhost:7998/CMMSHost"/>
</baseAddresses>
</host>
<endpoint address="/ServiceCore"
binding="netTcpBinding"
bindingConfiguration="tcpBinding"
name="ServiceCore"
contract="GTS.CMMS.Service.IService">
<!--<identity>
<dns value="localhost" />
</identity>-->
</endpoint>
<endpoint address="/ServiceDocumentos"
binding="netTcpBinding"
bindingConfiguration="tcpBindingDocumentos"
name="ServiceDocumentos"
contract="GTS.CMMS.Service.IServiceDocumentos">
<!--<identity>
<dns value="localhost" />
</identity>-->
</endpoint>
<endpoint contract="IMetadataExchange" binding="mexTcpBinding" address="net.tcp://localhost:5000/mex" />
</service>
</services>
<!--El behavior son datos de configuración del servicio que no forman parte del endpoint.
Por ejemplo, si el servicio da una excepción, se querrá informar al cliente.-->
<behaviors>
<serviceBehaviors>
<behavior name="behaviorConfig">
<serviceMetadata httpGetEnabled="true" />
<dataContractSerializer maxItemsInObjectGraph="2147483647"/>
<!--Necesario para poder mandar excepciones desde el servicio hasta el cliente.-->
<serviceDebug includeExceptionDetailInFaults="true"/>
<serviceThrottling maxConcurrentCalls="100" maxConcurrentSessions="100" />
</behavior>
<behavior name="behaviorConfigDocumentos">
<!--<serviceMetadata httpGetEnabled="true" />-->
<dataContractSerializer maxItemsInObjectGraph="2147483647"/>
<!--Necesario para poder mandar excepciones desde el servicio hasta el cliente.-->
<serviceDebug includeExceptionDetailInFaults="true"/>
<serviceThrottling maxConcurrentCalls="100" maxConcurrentSessions="100" />
<serviceMetadata/>
</behavior>
</serviceBehaviors>
</behaviors>
<!--Se necesita la configuración del binding para que funcione correctamente la comunicación entre el cliente y el servidor.-->
<bindings>
<netTcpBinding>
<!--Se configura el binding que se utilizará para el endPoint ChatServiceAssembly.IChat-->
<binding name="tcpBinding" maxBufferSize="67108864"
maxReceivedMessageSize="67108864" maxBufferPoolSize="67108864"
transferMode="Buffered" closeTimeout="00:00:10"
openTimeout="00:00:10" receiveTimeout="00:20:00"
sendTimeout="00:01:00" maxConnections="100">
<security mode="None"/>
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
maxArrayLength="2147483647" maxBytesPerRead="2147483647"
maxNameTableCharCount="2147483647"/>
<reliableSession enabled="true" inactivityTimeout="00:20:00" />
</binding>
<binding name="tcpBindingDocumentos" maxBufferSize="67108864"
maxReceivedMessageSize="67108864" maxBufferPoolSize="67108864"
transferMode="Streamed" closeTimeout="00:00:10"
openTimeout="00:00:10" receiveTimeout="00:20:00"
sendTimeout="00:01:00" maxConnections="100">
<security mode="None"/>
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
maxArrayLength="2147483647" maxBytesPerRead="2147483647"
maxNameTableCharCount="2147483647"/>
<reliableSession enabled="true" inactivityTimeout="00:20:00" />
</binding>
</netTcpBinding>
</bindings>
</system.serviceModel>
To check if all works, I go to the internet explorer and go to:
http://localhost:7998/CMMSHost
If I have the two endpoints, the page is not found, but if I comment the second endpoint, the "/ServiceDocumentos" the page is found and I can use svcutil to create the proxy.
How could I configure many endpoints?
Thanks.
I have WCF service. I demand clients to authenticate with certificate.
This is service configuration:
<system.serviceModel>
<services>
<service name="FilmLibrary.FilmManager" behaviorConfiguration="FilmService.Service1Behavior">
<endpoint address="manager" name="certBinding" binding="basicHttpBinding" contract="FilmContract.IFilmManager" />
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="certBinding">
<security mode="Message">
<message clientCredentialType="Certificate" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="FilmService.Service1Behavior">
<serviceCredentials>
<clientCertificate>
<authentication trustedStoreLocation="LocalMachine"
certificateValidationMode="PeerTrust" />
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
Public key is installed in LocalMachine, Trusted People
Client configuration is as follows:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="certBinding" closeTimeout="00:01:00" openTimeout="00:01:00"
receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false"
bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="Message">
<message clientCredentialType="Certificate"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="certBehaviour">
<clientCredentials>
<clientCertificate findValue="SubjectKey" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<client>
<endpoint address="[...]/Service1.svc/manager"
binding="basicHttpBinding" bindingConfiguration="certBinding" behaviorConfiguration="certBehaviour"
contract="FilmsService.IFilmManager" name="certBinding" />
</client>
</system.serviceModel>
Private key is installed in Personal, current user.
Without security, service works. With security enabled - it does not. I tried several configurations and I got errors like authentication failed or that I have to set service certificate in clientCredentials element. Which I don't understand because I do not want to authenticate service at all.
I found the following guide extremely helpful and very detailed.
https://notgartner.wordpress.com/2007/09/06/using-certificate-based-authentication-and-protection-with-windows-communication-foundation-wcf/
It covers creating the service, the client, the certificates and adjusting the 2 configs.
Server:
<bindings>
<basicHttpBinding>
<binding name="secureHttpBinding">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="Certificate" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<clientCertificate>
<!--only accept certificates in "Trusted People"-->
<authentication certificateValidationMode="PeerTrust" trustedStoreLocation="LocalMachine" />
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
Client:
<bindings>
<basicHttpBinding>
<binding name="customBinding1">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="Certificate" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="customBehavior1">
<clientCredentials>
<!--fabrkam-->
<clientCertificate storeName="My" storeLocation="CurrentUser" x509FindType="FindByThumbprint" findValue="d2 31 6a 73 1b 59 68 3e 74 41 09 27 8c 80 e2 61 45 03 b1 7e"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
We auto-redirect any HTTP requests to HTTPS so we have to use TransportWithMessageCredential type security. For normal Http using just Message as security type should also work.
Instead of
<serviceCredentials>
<clientCertificate>
<authentication trustedStoreLocation="LocalMachine"
certificateValidationMode="PeerTrust" />
</clientCertificate>
</serviceCredentials>
I think you are supposed to have
<serviceCredentials>
<serviceCertificate findValue="SubjectKey" storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectName"/>
</serviceCredentials>
You are not authenticating the service by this, instead you are telling the service how the client is to be authenticated.
I was able to accomplish the same thing by using a customBinding, like this:
<customBinding>
<binding name="bindingName">
<security authenticationMode="UserNameOverTransport" />
<httpsTransport requireClientCertificate="true"/>
</binding>
</customBinding>
(I omitted the attributes not relevant to your case.)
As far as authenticationMode, I think you can probably use any of them--the httpsTransport with requireClientCertificate are the important parts here.