So I'm completely lost with certificates. I've searched all over the web for solutions and tutorials for this and found nothing that can really help me.
What I'm trying to do is to have both server and client certificate validation for my WCF client-server application. The application is hosted on IIS.
I want it on my dev computer (the server is localhost) and in test (where im the client and the server is a windows server).
the configuration I have now is:
Client:
<behaviors>
<endpointBehaviors>
<behavior name="myBehaviorConfig">
<clientCredentials>
<clientCertificate findValue="CN=MyTestClientCertificate"
storeLocation="LocalMachine"
x509FindType="FindBySubjectDistinguishedName"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="MyBindingConfig">
<security mode="TransportWithMessageCredential">
<transport realm=""/>
<message clientCredentialType="Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://localhost/Service.Calculator.svc"
binding="wsHttpBinding"
bindingConfiguration="MyBindingConfig"
behaviorConfiguration="MyBehaviorConfig"
contract="Service.ICalculator"
name="ICalculatorServiceEndpoint">
<identity>
<servicePrincipalName value="host"/>
</identity>
</endpoint>
</client>
Server:
<behaviors>
<serviceBehaviors>
<behavior name="myBehavior">
<serviceCredentials>
<serviceCertificate findValue="CN=MyTestRootCA"
storeLocation="LocalMachine"
x509FindType="FindBySubjectDistinguishedName"/>
<userNameAuthentication userNamePasswordValidationMode="Windows"/>
<clientCertificate>
<authentication certificateValidationMode="PeerOrChainTrust"/>
</clientCertificate>
</serviceCredentials>
<serviceMetadata httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
<unity operationContextEnabled="true"
instanceContextEnabled="true"
contextChannelEnabled="true"
serviceHostBaseEnabled="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="MyBinding">
<security mode="TransportWithMessageCredential">
<transport realm=""/>
<message clientCredentialType="Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="Service.Calculator"
behaviorConfiguration="myBehavior">
<endpoint address=""
binding="wsHttpBinding"
bindingConfiguration="MyBinding"
contract="Service.ICalculator" />
<endpoint address="mex"
binding="mexHttpsBinding"
contract="IMetadataExchange"
name="CalculatorServiceMex" />
</service>
</services>
"CN=MyTestRootCA" is the "Authority" the "Creating" certificate and I put him in the trusted root certificates on the localComputer as well as in the personal directory in the local computer.
And it is the issuer of the client certificate "CN=MyTestClientCertificate".
Few things..
I know that the client certificate should be in the CurretUser directory in the "MMC" but when its there i have an exception that the app can't find the certificate.
I tried locating it by "FindBySubjectDistinguishedName" and with "FindByThumbprint", both time was the same exception "Cant find certificate with the given criteria ..." so i put it in the LocalMachine and its fine.
Any one has an idea why it didn't work?
I had lots of problems and exceptions with this =\ the current one is:
"The private key is not presented in the X.509 certificate"
Anybody familiar with this exception and know how to fix it?
thanks a lot for your answers, i'm sitting on this for few days now
Your configuration file does not specify the clientCertificate storeLocation value, therefore the client certificate needs to be in the LocalMachine store, which is the default value for storeLocation.
Consider the following example from msdn which sets the client certificate store location:
<clientCertificate>
<certificate
findValue="www.cohowinery.com"
storeLocation="CurrentUser"
storeName="TrustedPeople"
x509FindType="FindByIssuerName" />
<authentication …
Note: the other error, “The private key is not presented in the X.509 certificate”, is mostly likely thrown because your certificate does not have an associated private key or your process’ user context does not have permission to access the private key.
Related
I’m trying to setup a security transport using certificates over a SSL service.
The service is installed over IIS, I have configured it using a “MyLaptop” certificate (stored on local machine/Personal) validated by a self-signed certificate (“My Root CA” certificate – stored on local machine Trusted Root Certification Authorities). Everything seems to be OK with the service; I can access it using the Internet Explorer.
On the server side the web.config looks like
<behaviors>
<serviceBehaviors>
<behavior name="EchoServiceBehavior">
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="PeerTrust" revocationMode="NoCheck" />
</clientCertificate>
</serviceCredentials>
<serviceMetadata httpsGetEnabled="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="MutualSslBinding">
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="EchoServiceBehavior" name="HttpsBindingDemo.EchoService">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="MutualSslBinding"
contract="HttpsBindingDemo.IEchoService">
<identity>
<dns value="MyLaptop" />
</identity>
</endpoint>
<host>
<baseAddresses>
<add baseAddress="https://MyLaptop:12643/EchoService/" />
</baseAddresses>
</host>
</service>
On the client side I have installed a new certificate “MyClient” (stored on CurrentUser/Personal) validated by the same “My Root CA” certificate.
On the client side the app.config looks like
<behaviors>
<endpointBehaviors>
<behavior name="EchoClientBehavior">
<clientCredentials>
<clientCertificate findValue="MyClient" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IEchoService">
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://MyLaptop:12643/EchoService/EchoService.svc" behaviorConfiguration="EchoClientBehavior"
binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IEchoService"
contract="SecuredServices.IEchoService" name="WSHttpBinding_IEchoService">
<identity>
<dns value="MyLaptop" />
</identity>
</endpoint>
</client>
Every time when trying to execute the operations of the EchoService.svc I’m receiving the error below:
“The HTTP request was forbidden with client authentication scheme 'Anonymous'.”
Enabling the service’s log I found that first exception message is in fact “Client certificate is required. No certificate was found in the request. This might be because the client certificate could not be successfully validated by the operating system or IIS. For information on how to bypass those validations and use a custom X509CertificateValidator in WCF please see http://go.microsoft.com/fwlink/?LinkId=208540.”.
Could you please help me to understand how to correctly configure the service to avoid the described errors?
Thank you!
It looks like you are most likely missing the serviceCertificate tag inside of your serviceCredentials tag in your service behavior. Try adding this and it should resolve the issue. Each time I use certificates with a WCF service I always have to specify in the config what certificate the service should be using.
http://msdn.microsoft.com/en-us/library/ms731340%28v=vs.110%29.aspx
When you import client cert to your personal store, try to import using pfx file and specifying the password
I am creating a WCF service that requires a proxy username and password, in order to do this I need to provide a Service Certificate for which I have supplied our company Verisign Certificate which is valid.
The problem I am having is whenever I use the following configuration I get a error message "The service certificate is not provided. Specify a service certificate in ServiceCredentials."
<system.serviceModel>
<serviceHostingEnvironment multipleSiteBindingsEnabled="false" />
<behaviors>
<serviceBehaviors>
<behavior name="WSBehaviour">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<serviceCertificate findValue="devstage1.vcg-online.net" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="TrustedPublisher" />
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="Acre.IntegrationService.CustomValidator, Acre.IntegrationService" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service name="Acre.IntegrationService.IntegrationService" behaviorConfiguration="WSBehaviour">
<endpoint address="http://localhost/Acre.IntegrationService/IntegrationService.svc"
binding="wsHttpBinding"
bindingConfiguration="WSBinding"
contract="Acre.IntegrationService.IIntegrationService"
name="WS" />
<endpoint address="mex"
binding="mexHttpBinding"
contract="IMetadataExchange" />
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="WSBinding" allowCookies="false">
<security mode="Message">
<message clientCredentialType="UserName" negotiateServiceCredential="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
UPDATED CONFIG
I have installed the certificate in the console using mmc.exe to the following paths
Certificates(Local Computer)/Personal/Certificates/
Certificates(Local Computer)/Trusted Root Certification Authorities/Certificates/
Certificates(Local Computer)/Trusted Publishers/Certificates/
I have searched the interweb and can not find a clear solution to my problem.
Can anyone help?
I have managed to fix the issue, #Rajesh you were correct with the clientCertificate needing to be serverCertificate, that corrected the error with not finding the certificate, thanks for that. The certificate was already installed on the machine for computer user.
The problem with the key set was the certificate did not have the correct account permission set to it. I changed the permisisons to allow the IIS_USRS to have access to the certificate and now it is fixed
Web config:
<?xml version="1.0"?>
<configuration>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceCredentialsBehavior">
<serviceCredentials>
<serviceCertificate findValue="cool" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"/>
</serviceCredentials>
<serviceMetadata httpGetEnabled="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="ServiceCredentialsBehavior" name="Service">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="MessageAndUserName" name="SecuredByTransportEndpoint" contract="IService"/>
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="MessageAndUserName">
<security mode="Message">
<message clientCredentialType="UserName"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<client/>
</system.serviceModel>
<system.web>
<compilation debug="true"/>
</system.web>
Client cfg:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IService" >
<security mode="Message">
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost:48097/WCFServer/Service.svc"
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_IService"
contract="ServiceReference1.IService"
name="WSHttpBinding_IService">
<identity>
<dns value ="cool" />
</identity>
</endpoint>
</client>
</system.serviceModel>
The scope is to pass ClientCredentials.UserName.UserName/Password through a secure connection.
I did x509 certificates with pluralsight self cert..
The error is:
SOAP security negotiation with 'http://localhost:48097/WCFServer/Service.svc'
for target
'http://localhost:48097/WCFServer/Service.svc'
failed. See inner exception for more
details.
InnerException:
The X.509 certificate CN=cool chain
building failed. The certificate that
was used has a trust chain that cannot
be verified. Replace the certificate
or change the
certificateValidationMode. A
certificate chain processed, but
terminated in a root certificate which
is not trusted by the trust provider.
How can i solve this exception?
Regards,
Sergiu.
You are using self signed certificate which is not trusted by default. You must tell your client application that it should trust the certificate:
<behaviors>
<endpointBehaviors>
<behavior name="LocalCertValidation">
<clientCredentials>
<serviceCertificate>
<authentication certificateValidationMode="PeerTrust" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
Reference this behavior from your endpoint configuration in client by behaviorConfiguration="LocalCertValidation". To make it work you must install public certificate to current user's certification store under trusted people. You can also set validation mode to None and certificate will not be validated at all but that should be used only in development environment.
I have created a Service where I need the client to pass the credentials (username and password). This behavior requires a X509 certificate, so i started for development issues with a self-signed one using makecert.exe.
Because I'm so newbie with certificates, i see that this certificate created on the IIS Server Certificates section, I need my service to be self hosted later on a windows service, for testing purposes i use a console host application and a simple winform app client.
So my question is, How do i deploy this certificate? I don't want to use IIS in anyway, I can embed the certificate where i noticed i can export as .pfx file inside the console/windows service host? And how?
I'm posting my service and client config files for help on understanding what I need.
Server Configuration:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<services>
<service name="B2B.WCF.Service.B2BService" behaviorConfiguration="wsBehavior">
<endpoint name="WSHttpEndpointB2B"
bindingConfiguration="WSBinding"
address ="http://localhost:8768/ServB2B"
binding="wsHttpBinding"
contract="B2B.WCF.Contracts.IB2BContracts">
</endpoint>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="wsBehavior">
<serviceMetadata httpsGetEnabled="false"/>
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<serviceCertificate findValue="MyServerCert" x509FindType="FindBySubjectName"
storeLocation="LocalMachine" storeName="My" />
<userNameAuthentication userNamePasswordValidationMode="Custom"
customUserNamePasswordValidatorType="B2B.WCF.Service.UserValidator, B2B.WCF.Service" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="WSBinding">
<security mode="Message">
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
</bindings>
</system.serviceModel>
</configuration>
Client Configuration:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<client>
<endpoint name="WSHttpEndpointB2B"
bindingConfiguration="WSBinding" behaviorConfiguration="wsBehavior"
address ="http://localhost:8768/ServB2B"
binding="wsHttpBinding"
contract="B2B.WCF.Contracts.IB2BContracts">
<identity>
<dns value="MyServerCert"/>
</identity>
</endpoint>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="wsBehavior">
<clientCredentials>
<clientCertificate findValue="MyServerCert" x509FindType="FindBySubjectName"
storeLocation="LocalMachine" storeName="My"/>
<serviceCertificate>
<authentication certificateValidationMode="None"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="WSBinding">
<security mode="Message">
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
</bindings>
</system.serviceModel>
</configuration>
Thanx in advance
Your certificates need to be imported into the Windows Certificate Store on the machine that is hosting your web service (i.e. "the server") and (optionally) on the machine that is using your web service (i.e. "the client", if it is a different machine).
You should use the Microsoft Management Console (MMC) to do this. First, you should set it up according to this article. Then import your certificates according to the steps in this article. Make sure you choose the correct store for the client certificate (i.e. 'Personal') and root certificate (i.e. 'Trusted Root Certification Authorities').
Your web service won't start unless it finds the correct certificates that are referenced in your configuration files. In your case, this is the "MyServerCert" certificate that you want to store in the 'Personal' store.
I've been struggling with the configuration for this blasted WCF service for the past week, and I'm slowing beginning to suspect that what I'm trying to do is just not possible, despite the documentation.
Quite simply, I want to have a WCF service require a client certificate (which the server will have in its cert store), and then access that identity with System.ServiceModel.ServiceSecurityContext. Additionally, this needs to use transport security.
Here's my server config:
<system.serviceModel>
<services>
<service behaviorConfiguration="requireCertificate" name="Server.CXPClient">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding" name="wsHttpEndpoint" contract="PartnerComm.ContentXpert.Server.ICXPClient" />
<endpoint address="mex" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding" name="mexEndpoint" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="https://localhost:8371/Design_Time_Addresses/Server/CXPClient/" />
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="requireCertificate">
<serviceMetadata httpsGetEnabled="true" />
<serviceCredentials>
<serviceCertificate findValue="CyberdyneIndustries" storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectName"/>
<clientCertificate>
<authentication certificateValidationMode="ChainTrust" trustedStoreLocation="LocalMachine" />
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpointBinding" maxBufferPoolSize="5242880" maxReceivedMessageSize="5242880">
<readerQuotas maxDepth="32" maxStringContentLength="5242880" maxArrayLength="1073741824" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
</system.serviceModel>
Here's my client config:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpoint" closeTimeout="00:01:00" openTimeout="00:01:00"
receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false"
transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://localhost:8371/Design_Time_Addresses/Server/CXPClient/"
binding="wsHttpBinding" bindingConfiguration="wsHttpEndpoint" behaviorConfiguration="ClientCertificateBehavior"
contract="ContentXPertServer.ICXPClient" name="wsHttpEndpoint" />
</client>
<behaviors>
<endpointBehaviors>
<behavior name="ClientCertificateBehavior">
<clientCredentials>
<clientCertificate x509FindType="FindBySubjectName" findValue="CyberdyneIndustries" storeLocation="LocalMachine" storeName="TrustedPeople" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
The code all works perfectly when security mode='None' over http, but of course, there's no authentication, and nothing in System.ServiceModel.ServiceSecurityContext. I've tried dozens of variations on all of these elements, and it all ends up inevitably with the request throwing an exception "An existing connection was forcibly closed by the remote host".
I'm using a self-signed cert "CyberdyneIndustries", whose CA cert I've added to the trusted CA store. The cert checks out when I view it. I've gone through the hell of http namespace management, and solved those problems as well. It simply looks like WCF doesn't really support this...please tell me I'm wrong.
TIA.
Ultimately, I decided to try message security, to see if that would shed some light on the situation - it did, and I'm going to cut my losses and go with that. So, there's no definitive answer to this.
Implementing message security did, however, expose a BIG problem, and this may have been the root of the transport security problem. There is a piece of poison documentation from MSDN:
http://msdn.microsoft.com/en-us/library/ff650751.aspx
On this page, the command to create the self-signed cert is as follows:
makecert -sk MyKeyName -iv
RootCaClientTest.pvk -n
"CN=tempClientcert" -ic
RootCaClientTest.cer -sr currentuser
-ss my -sky signature -pe
The argument "signature" should instead be "exchange". Once I regenerated all my certs, message security started working. One big takeaway from all of this is that if you're wanting to implement transport security, get message security working first, because the error messages you get from the system are much more descriptive.
Does the SSL handshake succeed? Enable SChannel logging to troubleshoot the SSL layer. See this old KB article: How to enable Schannel event logging in IIS. Although is an KB for W2K and XP, the steps to enable SChannel logging are the same and still valid on newer systems. With the logging enabled you'll be able to determine why is SSL rejecting the certificate.
I know this is 3 years old, but for those who might still be interested...
I'm in the process of learning WCF (security among other things) and was able to get things working properly with netTcpBinding (presumably, this will work for WsHttpBindings as well) using Transport security mode with a clientCredentialType="Certificate" (and, protectionLevel="EncryptAndSign", though that wasn't germane to the issue).
I did encounter the force connection close error from the server-side too, but discovered I was missing one piece of configuration. It's all working now.
Here's my server-side config:
<configuration>
<system.serviceModel>
<services>
<service name="MyNamespace.MyService" behaviorConfiguration="MyServiceBehavior">
<endpoint address="net.tcp://localhost:9002/MyServer" binding="netTcpBinding" bindingConfiguration="TcpCertSecurity" contract="MyNamespace.IMyService" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="MyServiceBehavior">
<serviceCredentials>
<serviceCertificate findValue="MyServiceCert" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
<clientCertificate>
<authentication certificateValidationMode="PeerTrust"/>
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<netTcpBinding>
<binding name="TcpCertSecurity">
<security mode="Transport">
<transport clientCredentialType="Certificate" protectionLevel="EncryptAndSign" />
</security>
</binding>
</netTcpBinding>
</bindings>
</system.serviceModel>
</configuration>
And my client-side configuration:
<configuration>
<system.serviceModel>
<client>
<endpoint address="net.tcp://localhost:9002/MyServer" binding="netTcpBinding"
bindingConfiguration="TcpCertSecurity" contract="MyNamespace.IMyService"
behaviorConfiguration="MyServiceBehavior">
<identity>
<dns value="MyServiceCert" />
</identity>
</endpoint>
</client>
<bindings>
<netTcpBinding>
<binding name="TcpCertSecurity">
<security mode="Transport">
<transport clientCredentialType="Certificate" protectionLevel="EncryptAndSign" />
</security>
</binding>
</netTcpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="MyServiceBehavior">
<clientCredentials>
<serviceCertificate>
<authentication certificateValidationMode="PeerTrust" />
</serviceCertificate>
<clientCertificate findValue="MyServiceCert" storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectName" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
I created a certificate chain for the server (self-signed Trusted Root certificate + a certificate built using that root) using the technique described here and stored both the Root cert and child cert in the certificate store of my server host machine. And, finally, I imported that server certificate + public key into the cert store on my client host machine (in LocalMachine/TrustedPeople).
WsHttpBinding DOES support certificate authentication for transport security.
There can be a few things wrong:
Did you add both certificates to your store? CyberdyneIndustries as well a CA that you used to sign it? CA should be in "Trusted Root Certification Authorities"
Also, i've done this self-hosted, never in Visual Studio Dev server. Try to host your service in IIS at least. I am not sure if VS Dev server supports certificates.
Try to turn off service authentication. So the client doesn't have to authenticate the service. I don't know if you want this in your app or not but just for testing so we can rule that out
<behavior name="ClientCertificateBehavior">
<clientCredentials>
<clientCertificate x509FindType="FindBySubjectName" findValue="CyberdyneIndustries" storeLocation="LocalMachine" storeName="TrustedPeople" />
<serviceCertificate>
<authentication certificateValidationMode="None"/>
</serviceCertificate>
</clientCredentials>