WCF Service with SSL and Custom Authentication - vb.net

So I am trying to create a WCF Service that uses SSL and with a Custom Authenticator.
This is the Server config:
<?xml version="1.0"?>
<configuration>
<appSettings>
<add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
</appSettings>
<system.web>
<compilation debug="true" strict="false" explicit="true" targetFramework="4.5.2" />
<httpRuntime targetFramework="4.5.2"/>
</system.web>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="SSL">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="CustomValidation" name="WCFService.Service1">
<endpoint address="" binding="wsHttpBinding" contract="WCFService.IService1" bindingConfiguration="SSL"/>
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="CustomValidation">
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug httpsHelpPageEnabled="true" includeExceptionDetailInFaults="true" />
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="WCFService.Verification, WCFService" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="false" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
<!--
To browse web app root directory during debugging, set the value below to true.
Set to false before deployment to avoid disclosing web app folder information.
-->
<directoryBrowse enabled="false"/>
</system.webServer>
</configuration>
This is my Validation Class:
Imports System.IdentityModel.Selectors
Public Class Verification
Inherits UserNamePasswordValidator
Public Overrides Sub Validate(userName As String, password As String)
If Not (username = "Admin" AndAlso password = "Fake Password") Then
Throw New Exception("Wrong Username Password combination.")
End If
End Sub
End Class
App Config:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.diagnostics>
<sources>
<source name="System.ServiceModel.MessageLogging" switchValue="Warning,ActivityTracing">
<listeners>
<add type="System.Diagnostics.DefaultTraceListener" name="Default">
<filter type="" />
</add>
<add name="ServiceModelMessageLoggingListener">
<filter type="" />
</add>
</listeners>
</source>
</sources>
<sharedListeners>
<add initializeData="c:\users\connor smith\documents\visual studio 2015\projects\wcfserviceconsumer\wcfserviceconsumer\app_messages.svclog"
type="System.Diagnostics.XmlWriterTraceListener, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
name="ServiceModelMessageLoggingListener" traceOutputOptions="Timestamp">
<filter type="" />
</add>
</sharedListeners>
<trace autoflush="true" />
</system.diagnostics>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" />
</startup>
<system.serviceModel>
<diagnostics>
<messageLogging logEntireMessage="true" logMalformedMessages="true"
logMessagesAtTransportLevel="true" />
</diagnostics>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IService1">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" />
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://mysite.co.uk/WCFService/Service1.svc"
binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IService1"
contract="AService.IService1" name="WSHttpBinding_IService1" />
</client>
</system.serviceModel>
</configuration>
I consume it in a test application, then I set the Username and Password to be Admin and Fake Password, then I go to use the service and get the following error:
Error
Edit: Some more error information:
'An unhandled exception of type 'System.ServiceModel.ProtocolException' occurred in mscorlib.dll'
Am I missing something?

Related

Message Encryption not working with wsHTTPBinding

I can't seem to get message encryption working for wsHTTPBinding.
My setup is:
IIS Server
Default Web Site requires SSL and is tied to a self signed certificate I used using the IIS Self signing cert link.
SSL allows Certificate.
In my Web.Config of the web service I've got logging turned on and this is how I see that the message is not encrypted.
Web.Config is below
App config of the calling application is below.
I believe SSL is working as expected because when I try to access the web service using http I get an error. "The page you are trying to access is secured with Secure Sockets Layer (SSL)." If I use https to access the webservice I get the standard service page offering up the metadata link.
The cert pc548.fuzzywig.com is made up but the cert I have in there appears to be working.
Web Config
<?xml version="1.0"?>
<configuration>
<system.diagnostics>
<sources>
<source name="System.ServiceModel.MessageLogging" switchValue="Warning,ActivityTracing">
<listeners>
<add type="System.Diagnostics.DefaultTraceListener" name="Default">
<filter type="" />
</add>
<add name="ServiceModelMessageLoggingListener">
<filter type="" />
</add>
</listeners>
</source>
</sources>
<sharedListeners>
<add initializeData="c:\github\idjcwebservices\dolwebservicehost\web_messages.svclog"
type="System.Diagnostics.XmlWriterTraceListener, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
name="ServiceModelMessageLoggingListener" traceOutputOptions="Timestamp">
<filter type="" />
</add>
</sharedListeners>
<trace autoflush="true" />
</system.diagnostics>
<appSettings>
<add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
</appSettings>
<system.web>
<compilation debug="false" targetFramework="4.5.1" />
<httpRuntime targetFramework="4.5.1"/>
</system.web>
<system.serviceModel>
<diagnostics>
<messageLogging logEntireMessage="true" logMalformedMessages="true"
logMessagesAtTransportLevel="true" />
</diagnostics>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_DOLService">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Certificate" ></transport>
<message clientCredentialType="Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="serviceCredentialBehavior">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<serviceCertificate storeName="My" storeLocation="LocalMachine" findValue="pc548.fuzzywig.com" x509FindType="FindBySubjectName"/>
<clientCertificate>
<certificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="pc548.fuzzywig.com"/>
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service name="JuvenileDataShare.DOLService.DOLService" behaviorConfiguration="serviceCredentialBehavior">
<endpoint address="https://pc548.fuzzywig.com/DOLWebservice/Service.svc"
binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_DOLService"
contract="JuvenileDataShare.DOLService.IDOLService">
<identity>
<certificateReference storeName="My" storeLocation="LocalMachine" findValue="pc548.fuzzywig.com" x509FindType="FindBySubjectName" />
</identity>
</endpoint>
<endpoint address="mex"
binding="mexHttpBinding"
contract="IMetadataExchange" />
</service>
</services>
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
<!--To browse web app root directory during debugging, set the value below to true.
Set to false before deployment to avoid disclosing web app folder information.-->
<directoryBrowse enabled="true"/>
</system.webServer>
</configuration>
App.Config
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.1" />
</startup>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IDOLService">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" />
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://pc548.fuzzywig.com/DOLWebservice/Service.svc"
binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IDOLService" behaviorConfiguration="endpointCredentialBehavior"
contract="ServiceReference1.IDOLService" name="WSHttpBinding_IDOLService">
<identity>
<certificate encodedValue="AwAAAAEAAAAUAAAAoNjSmPGA78fyuWudCXDRS+ctSL4gAAAAAQAAAOgCAAAwggLkMIIBzKADAgECAhAZR1gTdbeUs0DhGCG1RcuZMA0GCSqGSIb3DQEBBQUAMBsxGTAXBgNVBAMTEFBDNTQ4LnJlc2RhdC5jb20wHhcNMTQxMjEwMjMxMzExWhcNMTUxMjEwMDAwMDAwWjAbMRkwFwYDVQQDExBQQzU0OC5yZXNkYXQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq3yOPbRwjthCWnrZEjXdnp2XiGfjqJKQEu3BT5Sx6JGFJnFx/EnYo9GsZY+oDQQBcvIvG1sOH7H9Egxxl4Br1m0+qfO1RkaMCa1RsloE6bgWJMtlnGO0NazfNYI8zyjkpY5VclTesa1jrrzZ1qwllmWPZftwjiKsbdewfZ6sqCwfzI6DMdbUyWkB/l7CWjixOqdkrARnnfB728MVCDAz2/2EOh3hmDC+p1uNSJ4dNumdsNKEocruM7rsOszxzRLV5jcqrg/wG1RwSa2jdZ3ncyshBHlGtnfN+Rq7IEd3c1iwmjEgZFyppjyGi6JLLXU5QvnFOj75t12YoBWgaiIqNwIDAQABoyQwIjALBgNVHQ8EBAMCBDAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADggEBACzT10S1nrPONEVR5oHzIieg2TPFKbDL/Id7Zl7Yw+zTBB2IChAeMu3DuxYIR3+Ph0S6lm82lTF7daozhDKUpOzDjjYDHd/epPNaZRUf/t6NMbIWylj0j10BdISw/dI7a0cTAJ+sP26uaD0czN21BhDAL67QSnKVLlESXDPmPGxSx3Rj6aDEQzCBJagx+gaVFjevFmrdYzUQTpAJZV6u9b3ye+q0mjXYxqDKKQ2dtt6Qbb98km1vSL602bjg0SJhEEHa76yLZZiGM7fS1YTyruyqRfmkwrtyQNiKB0xiJCj0J3BC1HKXYqdC0qeQ99aEpl4+vqRt3dr8j/6uiZwTz4w=" />
</identity>
</endpoint>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="endpointCredentialBehavior">
<clientCredentials>
<clientCertificate findValue="pc548.fuzzywig.com" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
finally the log showing me that it's not encrypted.
<MessageLogTraceRecord>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">http://tempuri.org/IDOLService/HelloWorld2Response</a:Action>
<a:RelatesTo>urn:uuid:ede09c2c-b46f-4277-970a-c41b556ce3d9</a:RelatesTo>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2014-12-12T15:54:47.304Z</u:Created>
<u:Expires>2014-12-12T15:59:47.304Z</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<s:Body>
<HelloWorld2Response xmlns="http://tempuri.org/">
<HelloWorld2Result>Hello World2 # 12/12/2014 8:54:47 AM</HelloWorld2Result>
</HelloWorld2Response>
</s:Body>
</s:Envelope>
</MessageLogTraceRecord>
change the mexHttpBinding to mexHttpsBinding and then update the metadata through "Update service Reference". Check it again after doing these changes. hope this helps.

OutOfMemoryException in wcf

Am new to width web services I have windows mobile 5 application that I want pull 10000 records from a SQL 2005 database. Every time I click the sync button I get the OutOfMemoryException. He's there anything I need to do in web config to allow prevent this error?
My Code
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<configSections>
</configSections>
<connectionStrings>
providerName="System.Data.SqlClient" />
</connectionStrings>
<system.web>
<compilation debug="true" />
<httpRuntime maxRequestLength="1572864"/>
</system.web>
<runtime>
<gcAllowVeryLargeObjects enabled="true" />
</runtime>
<!-- When deploying the service library project, the content of the config file must be added to the host's
app.config file. System.Configuration does not support config files for libraries. -->
<system.serviceModel>
<services>
<service name="WcfServiceLibrary1.LocalDataCache1SyncService" behaviorConfiguration="WcfServiceLibrary1.LocalDataCache1SyncServiceBehavior">
<host>
<baseAddresses>
<add baseAddress ="http://fo me to know/LocalDataCache1SyncService/"/>
</baseAddresses>
</host>
<!-- Service Endpoints -->
<!-- Unless fully qualified, address is relative to base address supplied above -->
<endpoint address ="" binding="basicHttpBinding" contract="WcfServiceLibrary1.ILocalDataCache1SyncContract"/>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="WcfServiceLibrary1.LocalDataCache1SyncServiceBehavior">
<serviceMetadata httpGetEnabled="True" />
<serviceDebug includeExceptionDetailInFaults="True" />
<dataContractSerializer maxItemsInObjectGraph="2147483647"/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
<system.diagnostics>
<sources>
<source name="System.ServiceModel"
switchValue="Information, ActivityTracing"
propagateActivity="true">
<listeners>
<add name="traceListener"
type="System.Diagnostics.XmlWriterTraceListener"
initializeData= "c:\log\Traces.svclog" />
</listeners>
</source>
</sources>
</system.diagnostics>
</configuration>
My problem was fix. Please see updated we.config. My windows mobile device have 4G storage and the server 1T with 10G of RAM.
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<configSections>
</configSections>
<connectionStrings>
<add name="CPXZMobileAssistantServer.My.MySettings.ServerCPXZMobile2005_Data1ConnectionString"
connectionString="Your Data Source"
providerName="System.Data.SqlClient" />
</connectionStrings>
<system.web>
<compilation debug="true" />
</system.web>
<system.serviceModel>
<diagnostics>
<messageLogging logEntireMessage="true" logMalformedMessages="true" />
</diagnostics>
<bindings>
<basicHttpBinding>
<binding name="WindowsSecured" maxBufferSize="2147483647" maxBufferPoolSize="2147483647"
maxReceivedMessageSize="2147483647">
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
maxArrayLength="2147483647" maxBytesPerRead="2147483647"
maxNameTableCharCount="2147483647" />
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="CPXZMobileAssistantServer.LocalDataCache1SyncServiceBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="CPXZMobileAssistantServer.LocalDataCache1SyncServiceBehavior"
name="CPXZMobileAssistantServer.LocalDataCache1SyncService">
<endpoint binding="basicHttpBinding" bindingConfiguration="WindowsSecured" bindingName="" contract="CPXZMobileAssistantServer.ILocalDataCache1SyncContract" />
<endpoint address="mex" binding="mexHttpBinding" bindingName="" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="http://cpxzpos.com" />
</baseAddresses>
</host>
</service>
</services>
</system.serviceModel>
<system.diagnostics>
<sources>
<source name="System.ServiceModel"
switchValue="Information, ActivityTracing"
propagateActivity="true">
<listeners>
<add name="traceListener"
type="System.Diagnostics.XmlWriterTraceListener"
initializeData="c:\log\Traces.svclog" />
</listeners>
</source>
</sources>
</system.diagnostics>
</configuration>

Why we Use Certificates In WCF

I am working on University Management System on which i am making WCF service....
my requirement is to Secure my web service (WCF) over the internet for this someone told me use certificates but i do not know how to use certificates
i have also implemented Https protocol and i am using WshttpBinding
This is My Web.config file :-
<?xml version="1.0"?>
<configuration>
<system.diagnostics>
<sources>
<source name="System.ServiceModel.MessageLogging" switchValue="Warning,ActivityTracing">
<listeners>
<add type="System.Diagnostics.DefaultTraceListener" name="Default">
<filter type="" />
</add>
<add name="ServiceModelMessageLoggingListener">
<filter type="" />
</add>
</listeners>
</source>
<source propagateActivity="true" name="System.ServiceModel" switchValue="Warning,ActivityTracing">
<listeners>
<add type="System.Diagnostics.DefaultTraceListener" name="Default">
<filter type="" />
</add>
<add name="ServiceModelTraceListener">
<filter type="" />
</add>
</listeners>
</source>
</sources>
<sharedListeners>
<add initializeData="d:\khurram\projectalahsaan2014\alahsaan\dal\web_messages.svclog"
type="System.Diagnostics.XmlWriterTraceListener, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
name="ServiceModelMessageLoggingListener" traceOutputOptions="Timestamp">
<filter type="" />
</add>
<add initializeData="d:\khurram\projectalahsaan2014\alahsaan\dal\web_tracelog.svclog"
type="System.Diagnostics.XmlWriterTraceListener, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
name="ServiceModelTraceListener" traceOutputOptions="Timestamp">
<filter type="" />
</add>
</sharedListeners>
<trace autoflush="true" />
</system.diagnostics>
<connectionStrings>
<add name="DAL.Properties.Settings.ConStr" connectionString="Data Source=.\SQL2012;Initial Catalog=AlAhsaan2014;Integrated Security=True" providerName="System.Data.SqlClient" />
</connectionStrings>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<!--<httpRuntime maxRequestLength="2147483647" executionTimeout="3600" enable="true" />-->
<!--2147483647-->
<sessionState mode="InProc" cookieless="true" timeout="20"> </sessionState>
</system.web>
<system.serviceModel>
<diagnostics>
<messageLogging logEntireMessage="true"
logMalformedMessages="true"
logMessagesAtTransportLevel="true" />
</diagnostics>
<bindings>
<wsHttpBinding>
<binding name="secureWsHttpBinding"
maxBufferPoolSize="2147483647"
maxReceivedMessageSize="524288000"
messageEncoding="Mtom"> <!--500MB Download-->
<readerQuotas maxArrayLength="1572864"/> <!--1.5MB Upload-->
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<protocolMapping>
<remove scheme="https"/>
<add scheme="https" binding="wsHttpBinding" bindingConfiguration="secureWsHttpBinding"/>
</protocolMapping>
<behaviors>
<serviceBehaviors>
<behavior>
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpsGetEnabled="true"/>
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service name="DAL.AlahsaanDSL">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="secureWsHttpBinding"
contract="DAL.IAlahsaanDSL" />
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
</services>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>
My Question is :-
What are the mechanism of Certificates?
How to Use Certificates?
Does Certificate provide (PKI) (public key infrastructure)?

WCF Service with wsHttpBinding, ssl and TransportWithMessageCredential

I've got wcf service with ssl communication, wsHttpBinding and Transport security, but when I try to change it to:
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" />
<message clientCredentialType="UserName"/>
</security>
I'm getting error:
An unsecured or incorrectly secured fault was received from the other party. See the
inner FaultException for the fault code and detail.
I change security mode on client side and server side and I have up to date contract.
I can't find any solution to this problem.
Will you help me?
Client.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IDatabaseService">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" />
<message clientCredentialType="UserName"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://dbservice:3915/DatabaseService.svc"
binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IDatabaseService"
contract="DBService.IDatabaseService" name="WSHttpBinding_IDatabaseService">
<identity>
<dns value="dbservice" />
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>
Server.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<configSections>
<!-- For more information on Entity Framework configuration, visit http://go.microsoft.com/fwlink/?LinkID=237468 -->
<section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
</configSections>
<appSettings>
<add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
</appSettings>
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<!--<roleManager defaultProvider="CustomRoleProvider" enabled="true">
<providers>
<clear />
<add name="CustomRoleProvider" type="CustomRoleProvider" />
</providers>
</roleManager>-->
<!--<membership defaultProvider="CustomMembershipProvider">
<providers>
<clear />
<add name="CustomMembershipProvider" type="CustomMembershipProvider" />
</providers>
</membership>-->
</system.web>
<system.diagnostics>
<trace autoflush="true" />
<sources>
<source name="System.ServiceModel" switchValue="Information, ActivityTracing" propagateActivity="true">
<listeners>
<add name="sdt" type="System.Diagnostics.XmlWriterTraceListener" initializeData="SdrConfigExample.e2e" />
</listeners>
</source>
</sources>
</system.diagnostics>
<system.serviceModel>
<services>
<service name="DBService.DatabaseService" behaviorConfiguration="ServiceBehavior">
<endpoint address="https://dbservice:3915/DatabaseService.svc" binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IDatabaseService" contract="DBService.IDatabaseService">
<identity>
<dns value="dbservice" />
</identity>
</endpoint>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior">
<!-- To avoid disclosing metadata information, set the values below to false before deployment -->
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true" />
<!--<serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="CustomRoleProvider" />-->
<serviceCredentials>
<!--<userNameAuthentication userNamePasswordValidationMode="MembershipProvider" membershipProviderName="CustomMembershipProvider" />-->
<serviceCertificate findValue="dbservice" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IDatabaseService">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" />
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<protocolMapping>
<add binding="wsHttpBinding" scheme="https" />
</protocolMapping>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<entityFramework>
<defaultConnectionFactory type="System.Data.Entity.Infrastructure.SqlConnectionFactory, EntityFramework" />
</entityFramework>
<connectionStrings>
<add name="WypozyczalniaDataContext" connectionString="metadata=res://*/Wypozyczalnia.csdl|res://*/Wypozyczalnia.ssdl|res://*/Wypozyczalnia.msl;provider=System.Data.SqlServerCe.4.0;provider connection string="data source=C:\Users\Wojciech\Desktop\Wypozyczalnia\Wypozyczalnia.sdf"" providerName="System.Data.EntityClient" />
</connectionStrings>
</configuration>
After 8 hours, finally I've found the problem. I've been editing DBSerivce.config, but I've forgotten, that there is separate App.config for my self-hosting application...
Be aware of that or you'll lose half a day :P.

WIF STS ID3242: The security token could not be authenticated or authorized

I'm getting the following error in my client application when it tries to authenticate to my service:
ID3242: The security token could not be authenticated or authorized
Here is the configuration of the client:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<ws2007HttpBinding>
<binding name="stsBinding">
<security mode="Message">
<message clientCredentialType="UserName"
establishSecurityContext="false"
negotiateServiceCredential="true"/>
</security>
</binding>
</ws2007HttpBinding>
<ws2007FederationHttpBinding>
<binding name="echoClaimsBinding">
<security mode="Message">
<message>
<claimTypeRequirements>
<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="false"/>
</claimTypeRequirements>
<issuer address="http://localhost:17240/STS.svc"
bindingConfiguration="stsBinding"
binding="ws2007HttpBinding">
<identity>
<dns value="WCFSTS"/>
</identity>
</issuer>
<issuerMetadata address="http://localhost:17240/STS.svc/Mex"></issuerMetadata>
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="echoClaimsBehavior">
<clientCredentials>
<serviceCertificate>
<defaultCertificate
findValue="CN=WCFSTS"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindBySubjectDistinguishedName"/>
<authentication
revocationMode="NoCheck"
certificateValidationMode="None"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<client>
<endpoint address="http://localhost:1438/EchoClaims.svc/EchoClaims"
binding="ws2007FederationHttpBinding"
bindingConfiguration="echoClaimsBinding"
contract="TestService.IEchoClaims"
name="WS2007FederationHttpBinding_IEchoClaims"
behaviorConfiguration="echoClaimsBehavior">
<identity>
<dns value="WCFServer"/>
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>
Here is the configuration of the service
<?xml version="1.0"?>
<configuration>
<configSections>
<section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</configSections>
<system.web>
<compilation debug="true" targetFramework="4.0">
<assemblies>
<add assembly="Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
</assemblies>
</compilation>
</system.web>
<system.serviceModel>
<services>
<service name="WcfService1.EchoClaims"
behaviorConfiguration="echoClaimsBehavior">
<endpoint address=""
contract="WcfService1.IEchoClaims"
binding="ws2007FederationHttpBinding"
bindingConfiguration="echoClaimsBinding"></endpoint>
<endpoint address="mex"
binding="mexHttpBinding"
contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="echoClaimsBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceCredentials>
<serviceCertificate
findValue="CN=WCFServer"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindBySubjectDistinguishedName" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
<bindings>
<ws2007FederationHttpBinding>
<binding name="echoClaimsBinding">
<security mode="Message">
<message negotiateServiceCredential="true">
<!--<issuerMetadata address="http://localhost:17240/STS.svc/mex" />-->
<claimTypeRequirements>
<!--Following are the claims offered by STS 'http://localhost:17240/STS.svc'. Add or uncomment claims that you require by your application and then update the federation metadata of this application.-->
<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="false" />
</claimTypeRequirements>
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
</bindings>
<diagnostics>
<messageLogging logEntireMessage="true"
logMessagesAtServiceLevel="true"
logMessagesAtTransportLevel="true"></messageLogging>
</diagnostics>
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
<microsoft.identityModel>
<service>
<audienceUris mode="Never"/>
<issuerNameRegistry type="WcfService1.CustomIssuerNameRegistry, WcfService1"/>
</service>
</microsoft.identityModel>
<system.diagnostics>
<sources>
<source name="System.ServiceModel" switchValue="Warning, Error, ActivityTracing"
propagateActivity="true">
<listeners>
<add name="ServiceModelTraceListener"/>
</listeners>
</source>
</sources>
<sharedListeners>
<add initializeData="ecb_tracelog.svclog"
type="System.Diagnostics.XmlWriterTraceListener, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
name="ServiceModelTraceListener" traceOutputOptions="Timestamp">
<filter type="" />
</add>
</sharedListeners>
<trace autoflush="true" />
</system.diagnostics>
</configuration>
Please let me know if anyone has an idea of how to determine why authentication is failing. I have Geneva STS tracing on verbose, but it's not giving me any messages about why the certificate isn't being authenticated.
In a similar situation, this forum post by Dominick Baier suggests that the web service rejects the token, so tracing at the STS would not show any problem.
He suggests to check this web service's <microsoft.identityModel><service><securityTokenHandlers><securityTokenHandlerConfiguration><audienceUris> section in its web.config, and to switch on the Microsoft.IdentityModel trace source in that same file.
In my case, turning tracing on revealed one more exception that was thrown before
ID3242: The security token could not be authenticated or authorized
Use this to turn on tracing on the WCF side:
<system.diagnostics>
<sources>
<source name="Microsoft.IdentityModel" switchValue="Verbose">
<listeners>
<add name="xml" type="System.Diagnostics.XmlWriterTraceListener" initializeData="D:\Logs\rie\RIE_Trace.log" />
</listeners>
</source>
</sources>
<trace autoflush="true" />
Again, in my case, the trace files revealed the following exception:
ID1038: The AudienceRestrictionCondition was not valid because the specified Audience is not present in AudienceUris.
Audience: http://some.th.ing/
Turns out the audienceUri was not correct in the WCF Web.config.
Hope this helps