Is it possible to have an WCF Rest Webservice which excepts SSL Client Certificates and have the IIS SSL Setting to not set to "require SSL" and to anly "accept" client certificates and not "require" them?
I have the following config:
<system.serviceModel>
<services>
<service behaviorConfiguration="RestServiceBehaviour" name="PM.WCF.Service.PmRestService">
<endpoint address="" behaviorConfiguration="web" binding="webHttpBinding"
bindingConfiguration="StreamedRequestWebBinding" contract="PM.WCF.Service.IPmRestService" />
</service>
</services>
<bindings>
<webHttpBinding>
<binding name="StreamedRequestWebBinding"
bypassProxyOnLocal="true"
useDefaultWebProxy="false"
hostNameComparisonMode="WeakWildcard"
sendTimeout="10:15:00"
openTimeout="10:15:00"
receiveTimeout="10:15:00"
maxReceivedMessageSize="2147483647"
maxBufferSize="2147483647"
maxBufferPoolSize="2147483647"
transferMode="StreamedRequest">
<readerQuotas maxArrayLength="2147483647" maxStringContentLength="2147483647" />
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</webHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="web">
<webHttp />
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="RestServiceBehaviour">
<serviceMetadata httpsGetEnabled="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
My problem is the following line:
<transport clientCredentialType="Certificate"/>
If i use this setting and IIS configured to accept, but not require client certificates, I get the following error:
The SSL settings for the service 'SslRequireCert' does not match those of the IIS 'SslNegotiateCert'.
Sadly setting
<transport clientCredentialType="None"/>
Does not work either. I'm pretty sure the browser/client does send it's certificate, but OperationContext.Current.ServiceSecurityContext.PrimaryIdentity.IsAuthenticated is False.
Is there any other way then to have two IIS Websites, one configured to require SSL and client certificates and one which does not?
Even if there is no way around it. How do I debug this in Visual Studio? Because the moment I require SSL client certificates, I can't just start the webservice. Visual Studio tries to access http://localhost/Foo.WCF.Service/debugattach.aspx and fails because of the missing client certificate.
Related
I'm getting the error while make call to the service "The HTTP request was forbidden with client authentication scheme 'Anonymous'."
actually im hosting this service in plesk, and in the plesk Anonymous authentication is enabled.
WCF Config
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.serviceModel>
<services>
<service name="SampleService.ServiceContracts.SampleService" behaviorConfiguration="mexBehaviour">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="basicHttpConfig" contract="SampleService.ServiceContracts.ISampleService"></endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="basicHttpConfig" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647" messageEncoding="Text" receiveTimeout="00:00:10">
<readerQuotas maxDepth="2000000" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="mexBehaviour">
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true"></serviceDebug>
</behavior>
</serviceBehaviors>
</behaviors>
<protocolMapping>
<add binding="basicHttpBinding" scheme="https" />
</protocolMapping>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
<directoryBrowse enabled="true"/>
</system.webServer>
</configuration>
Client
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_ISampleService">
<security mode="Transport" />
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="https://samplewcf.packletsgo.com/ServiceContracts/SampleService.svc"
binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_ISampleService"
contract="ServiceReference1.ISampleService" name="BasicHttpBinding_ISampleService" />
</client>
</system.serviceModel>
This error typically occurred when the server authenticates the client with a certificate, nothing business with your current scenario. If the certificate's trust relationship between the client and server is not established, this error will occur.
I doubt whether the client configuration is automatically generated by using the above server configuration. In the above configuration, we should add an https bind to the website on the server-side in order to suit the Basichttpbinding with transport security mode. On the client-side, we should trust the server certificate before calling the service, or we will get the below similar error.
“The underlying connection is closed: trust cannot be established for
the SSL/TLS security channel”.
In short, we need to validate whether the remote certificate is valid before communicating with the server.
At last, why does the service contain the following fragment, and do you use the virtual path?
https://localhost/SampleService/AuthService/AuthService.svc
I would like to know more details about how the error occurred. Feel free to let me know if there is anything I can help with.
The WCF is deployed as a windows service in the server. And the client is a windows form applicaiton. When the client is interacting with the WCF server, is there any kind of authentication going on here?
I got how to resolve this here
I want to know what is the default security mode for NetTCP in WCF? I had nothing related with security in my config file as below. So what is the default?
<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
<behaviors>
<serviceBehaviors>
<behavior name="BasicServiceBehavior">
<serviceMetadata httpGetEnabled="false"/>
<serviceDebug includeExceptionDetailInFaults="false"/>
<dataContractSerializer maxItemsInObjectGraph="2147483647"/>
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="HCCNetTcpBinding" >
<dataContractSerializer maxItemsInObjectGraph="2147483647"/>
</behavior>
</endpointBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="BasicServiceBehavior" name="HCC.SMS4.SERVICES.BASIC.MainServices">
<endpoint address="" binding="netTcpBinding" contract="HCC.SMS4.SERVICES.BASIC.IMainServices" bindingConfiguration="HCCNetTcpBinding" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
<host>
<baseAddresses>
<add baseAddress="http://xxxx:44008/HCsmsBasicServices/"/>
<add baseAddress="net.tcp://xxxx:45008/HCsmsBasicServices/"/>
</baseAddresses>
</host>
</service>
</services>
<bindings>
<netTcpBinding>
<binding name="HCCNetTcpBinding" maxConnections="1000" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647" maxBufferSize="2147483647"
openTimeout="14:00:00" receiveTimeout="14:00:00" sendTimeout="14:00:00">
<readerQuotas maxDepth="32" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647"/>
</binding>
</netTcpBinding>
</bindings>
</system.serviceModel>
The transport security mode of the NetTcpBinding is Transport and the ClientCredentialType is Windows. This is equivalent to the following settings.
<netTcpBinding>
<binding name="netTcp">
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
So when you use the client proxy class to call the service, you could refer to the following code.
ServiceReference1.ServiceClient client = new ServiceReference1.ServiceClient();
client.ClientCredentials.Windows.ClientCredential.UserName = "administrator";
client.ClientCredentials.Windows.ClientCredential.Password = "abcd1234!";
var result = client.SayHello();
https://learn.microsoft.com/en-us/dotnet/framework/wcf/system-provided-bindings
https://learn.microsoft.com/zh-cn/dotnet/framework/wcf/feature-details/bindings-and-security
Feel free to contact me if you have any questions.
WCF, its default authentication is Windows if there is none config about it.
Per Microsoft documentation for NetTcpBinding the default security is TLS with Windows security.
I have a WCF service with two endpoints defined by the configuration file below:
<system.serviceModel>
<services>
<service name="SyncService" behaviorConfiguration="SyncServiceBehavior">
<endpoint name="Data" address="Data" binding="basicHttpBinding" bindingConfiguration="windowsAuthentication" contract="ISyncService"/>
<endpoint name="File" address="File" binding="basicHttpBinding" bindingConfiguration="httpLargeMessageStream" contract="ISyncService"/>
<endpoint address="mex" binding="webHttpBinding" bindingConfiguration="windowsAuthentication" contract="IMetadataExchange"/>
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="httpLargeMessageStream" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647" transferMode="Streamed" messageEncoding="Mtom" />
<binding name="windowsAuthentication" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" proxyCredentialType="None" realm=""></transport>
<message algorithmSuite="Default" clientCredentialType="UserName"/>
</security>
</binding>
</basicHttpBinding>
<webHttpBinding>
<binding name="windowsAuthentication">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows"></transport>
</security>
</binding>
</webHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="SyncServiceBehavior">
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
<dataContractSerializer maxItemsInObjectGraph="2147483647"/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true"></serviceHostingEnvironment>
</system.serviceModel>
I want to use windows authentication for the Data endpoint, but have recently discovered that you cannot use windows authentication for streaming over HTTP. I removed the security element for the File endpoint, but still get the following error:
HTTP request streaming cannot be used in conjunction with HTTP
authentication. Either disable request streaming or specify anonymous
HTTP authentication. Parameter name: bindingElement
Is it possible to have two endpoints on the same service use different authentication methods like this? Why can't I use windows authentication for streaming?
I have also tried what was suggested in this thread, but to no avail:
Which authentication mode of basichhtpbinding can be used to secure a WCF Service using Streaming?
Unfortunately this is not supported.
I'm looking for a definitive answer as to whether what I'm trying to do is supported or not.
Basically, I'm using WCF to stream large MTOM attachments (200 Mb), this works perfectly fine. The security requirements for the service is to use HTTPS and certificate-based authentication. I can run the service over HTTPS without any problems, but once I set IIS to “Accept client certificates” or “Require client certificates” (no change in the code), the following error is thrown (but only once the attachments get over about 80 Mb or so):
The socket connection was aborted.
This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue.
Local socket timeout was '00:30:00'.
I found some resources, sorry can't find them now, that indicated that the failure is probably related to the fact that the incoming messages either cannot be digitally signed, or verified due to the streaming nature of the message contents. I believe the service would have to hash the whole message contents to verify the cert, but this can't be achieved because portions of the message are in transit while validation is trying to occur.
I've setup the message contract so that the body is a single Stream element, and the other elements are contained within the header:
<MessageContract()>
Public Class StreamAttachmentRequest
<MessageHeader(MustUnderstand:=True)>
Public Property AttachmentName As String
<MessageBodyMember(Order:=1)>
Public Property Attachment As Stream
End Class
The service configuration looks as follows:
<system.serviceModel>
<!-- BINDING -->
<bindings>
<basicHttpBinding>
<binding name="TestCaseBasicBinding"
messageEncoding="Mtom"
transferMode="StreamedRequest"
maxReceivedMessageSize="2147483647"
closeTimeout="00:30:00"
openTimeout="00:30:00"
receiveTimeout="00:30:00"
sendTimeout="00:30:00">
<security mode="Transport">
<transport clientCredentialType="None"></transport>
</security>
<readerQuotas maxDepth="32"
maxStringContentLength="8192"
maxArrayLength="16384"
maxBytesPerRead="4096"
maxNameTableCharCount="16384" />
</binding>
</basicHttpBinding>
</bindings>
<!-- BEHAVIORS -->
<behaviors>
<serviceBehaviors>
<!-- TEST CASE SECURE BEHAVIOR -->
<behavior name="TestCaseSecureBehavior">
<serviceMetadata httpsGetEnabled="true" httpGetEnabled="false" />
<serviceDebug includeExceptionDetailInFaults="true"/>
<serviceCredentials>
<serviceCertificate
storeLocation="LocalMachine"
storeName="My"
findValue="DistinguishedNameOfCert"
x509FindType="FindBySubjectDistinguishedName" />
<clientCertificate>
<authentication certificateValidationMode="ChainTrust"/>
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<!-- SERVICES -->
<services>
<service name="StreamingMutualAuthTestCase.Web.Service.TestCaseServiceImplementation"
behaviorConfiguration="TestCaseSecureBehavior">
<!-- SERVICE -->
<endpoint address=""
binding="basicHttpBinding"
bindingConfiguration="TestCaseBasicBinding"
contract="StreamingMutualAuthTestCase.Web.Service.ITestCaseService" />
<endpoint contract="IMetadataExchange" binding="mexHttpsBinding" address="mex" />
</service>
</services>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
The client configuration looks like this:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_ITestCaseService" closeTimeout="00:30:00"
openTimeout="00:30:00" receiveTimeout="00:30:00" sendTimeout="00:30:00"
maxReceivedMessageSize="2147483647" messageEncoding="Mtom"
transferMode="Streamed">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="Transport">
<transport clientCredentialType="Certificate" realm="" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<!-- BEHAVIORS -->
<behaviors>
<endpointBehaviors>
<behavior name="SecureClientBehavior">
<clientCredentials>
<clientCertificate
storeLocation="LocalMachine"
storeName="My"
findValue="DistinguishedNameOfCert"
x509FindType="FindBySubjectDistinguishedName"/>
<serviceCertificate>
<authentication certificateValidationMode="ChainTrust"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<client>
<endpoint address="https://test7/TestCaseService/TestCaseService.svc"
binding="basicHttpBinding"
bindingConfiguration="BasicHttpBinding_ITestCaseService"
contract="TestCaseService.ITestCaseService"
name="BasicHttpBinding_ITestCaseService"
behaviorConfiguration="SecureClientBehavior"/>
</client>
</system.serviceModel>
Once again, this will work just fine until I set IIS Client Certs to either Accept or Require.
Also, there is a 413 error in the IIS log...
2011-08-18 15:00:06 W3SVC1 10.39.8.111 POST /TestCaseService/TestCaseService.svc - 443 - 10.75.13.81 - - - test7 413 0 0
I've already designed an authentication service on top of my file upload service to work around the issues; but I'd really like to know if what I'm trying to do is 'do-able' or not.
Thanks a ton - Patrick
If you want to turn on client certificates in IIS you must do the same for your service (and client):
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
Your client must provide certificate to the proxy:
yourProxy.ClientCredentials.ClientCertificate.SetCertificate(...);
Also your server must trust these certificates so client certificates must be either issued by certification authority trusted by the server or they must be installed to LocalMachine\Trusted people store directly on the server.
WCF endpoints don't support "Accept client certificates" - you must either use client certificates or not.
I've been struggling with the configuration for this blasted WCF service for the past week, and I'm slowing beginning to suspect that what I'm trying to do is just not possible, despite the documentation.
Quite simply, I want to have a WCF service require a client certificate (which the server will have in its cert store), and then access that identity with System.ServiceModel.ServiceSecurityContext. Additionally, this needs to use transport security.
Here's my server config:
<system.serviceModel>
<services>
<service behaviorConfiguration="requireCertificate" name="Server.CXPClient">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding" name="wsHttpEndpoint" contract="PartnerComm.ContentXpert.Server.ICXPClient" />
<endpoint address="mex" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding" name="mexEndpoint" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="https://localhost:8371/Design_Time_Addresses/Server/CXPClient/" />
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="requireCertificate">
<serviceMetadata httpsGetEnabled="true" />
<serviceCredentials>
<serviceCertificate findValue="CyberdyneIndustries" storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectName"/>
<clientCertificate>
<authentication certificateValidationMode="ChainTrust" trustedStoreLocation="LocalMachine" />
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpointBinding" maxBufferPoolSize="5242880" maxReceivedMessageSize="5242880">
<readerQuotas maxDepth="32" maxStringContentLength="5242880" maxArrayLength="1073741824" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
</system.serviceModel>
Here's my client config:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpoint" closeTimeout="00:01:00" openTimeout="00:01:00"
receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false"
transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://localhost:8371/Design_Time_Addresses/Server/CXPClient/"
binding="wsHttpBinding" bindingConfiguration="wsHttpEndpoint" behaviorConfiguration="ClientCertificateBehavior"
contract="ContentXPertServer.ICXPClient" name="wsHttpEndpoint" />
</client>
<behaviors>
<endpointBehaviors>
<behavior name="ClientCertificateBehavior">
<clientCredentials>
<clientCertificate x509FindType="FindBySubjectName" findValue="CyberdyneIndustries" storeLocation="LocalMachine" storeName="TrustedPeople" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
The code all works perfectly when security mode='None' over http, but of course, there's no authentication, and nothing in System.ServiceModel.ServiceSecurityContext. I've tried dozens of variations on all of these elements, and it all ends up inevitably with the request throwing an exception "An existing connection was forcibly closed by the remote host".
I'm using a self-signed cert "CyberdyneIndustries", whose CA cert I've added to the trusted CA store. The cert checks out when I view it. I've gone through the hell of http namespace management, and solved those problems as well. It simply looks like WCF doesn't really support this...please tell me I'm wrong.
TIA.
Ultimately, I decided to try message security, to see if that would shed some light on the situation - it did, and I'm going to cut my losses and go with that. So, there's no definitive answer to this.
Implementing message security did, however, expose a BIG problem, and this may have been the root of the transport security problem. There is a piece of poison documentation from MSDN:
http://msdn.microsoft.com/en-us/library/ff650751.aspx
On this page, the command to create the self-signed cert is as follows:
makecert -sk MyKeyName -iv
RootCaClientTest.pvk -n
"CN=tempClientcert" -ic
RootCaClientTest.cer -sr currentuser
-ss my -sky signature -pe
The argument "signature" should instead be "exchange". Once I regenerated all my certs, message security started working. One big takeaway from all of this is that if you're wanting to implement transport security, get message security working first, because the error messages you get from the system are much more descriptive.
Does the SSL handshake succeed? Enable SChannel logging to troubleshoot the SSL layer. See this old KB article: How to enable Schannel event logging in IIS. Although is an KB for W2K and XP, the steps to enable SChannel logging are the same and still valid on newer systems. With the logging enabled you'll be able to determine why is SSL rejecting the certificate.
I know this is 3 years old, but for those who might still be interested...
I'm in the process of learning WCF (security among other things) and was able to get things working properly with netTcpBinding (presumably, this will work for WsHttpBindings as well) using Transport security mode with a clientCredentialType="Certificate" (and, protectionLevel="EncryptAndSign", though that wasn't germane to the issue).
I did encounter the force connection close error from the server-side too, but discovered I was missing one piece of configuration. It's all working now.
Here's my server-side config:
<configuration>
<system.serviceModel>
<services>
<service name="MyNamespace.MyService" behaviorConfiguration="MyServiceBehavior">
<endpoint address="net.tcp://localhost:9002/MyServer" binding="netTcpBinding" bindingConfiguration="TcpCertSecurity" contract="MyNamespace.IMyService" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="MyServiceBehavior">
<serviceCredentials>
<serviceCertificate findValue="MyServiceCert" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
<clientCertificate>
<authentication certificateValidationMode="PeerTrust"/>
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<netTcpBinding>
<binding name="TcpCertSecurity">
<security mode="Transport">
<transport clientCredentialType="Certificate" protectionLevel="EncryptAndSign" />
</security>
</binding>
</netTcpBinding>
</bindings>
</system.serviceModel>
</configuration>
And my client-side configuration:
<configuration>
<system.serviceModel>
<client>
<endpoint address="net.tcp://localhost:9002/MyServer" binding="netTcpBinding"
bindingConfiguration="TcpCertSecurity" contract="MyNamespace.IMyService"
behaviorConfiguration="MyServiceBehavior">
<identity>
<dns value="MyServiceCert" />
</identity>
</endpoint>
</client>
<bindings>
<netTcpBinding>
<binding name="TcpCertSecurity">
<security mode="Transport">
<transport clientCredentialType="Certificate" protectionLevel="EncryptAndSign" />
</security>
</binding>
</netTcpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="MyServiceBehavior">
<clientCredentials>
<serviceCertificate>
<authentication certificateValidationMode="PeerTrust" />
</serviceCertificate>
<clientCertificate findValue="MyServiceCert" storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectName" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
I created a certificate chain for the server (self-signed Trusted Root certificate + a certificate built using that root) using the technique described here and stored both the Root cert and child cert in the certificate store of my server host machine. And, finally, I imported that server certificate + public key into the cert store on my client host machine (in LocalMachine/TrustedPeople).
WsHttpBinding DOES support certificate authentication for transport security.
There can be a few things wrong:
Did you add both certificates to your store? CyberdyneIndustries as well a CA that you used to sign it? CA should be in "Trusted Root Certification Authorities"
Also, i've done this self-hosted, never in Visual Studio Dev server. Try to host your service in IIS at least. I am not sure if VS Dev server supports certificates.
Try to turn off service authentication. So the client doesn't have to authenticate the service. I don't know if you want this in your app or not but just for testing so we can rule that out
<behavior name="ClientCertificateBehavior">
<clientCredentials>
<clientCertificate x509FindType="FindBySubjectName" findValue="CyberdyneIndustries" storeLocation="LocalMachine" storeName="TrustedPeople" />
<serviceCertificate>
<authentication certificateValidationMode="None"/>
</serviceCertificate>
</clientCredentials>