I have a workflow WCF service (ServiceDMZ) that is installed on a server across the firewall. This service is running under a Windows account on that server. Account name: DMZDomain\DMZUserName.
I have another workflow WCF service that is running on my development machine (ServiceDev). This is a self hosted service running under my Windows account: DevDomain\DevUserName.
ServiceDev communicates with ServiceDMZ using wsHttpContextBinding and context correlation in the Send and Recieve activities. ServiceDMZ uses a callback address to communicate back to ServiceDev when it is done completing a task.
I get this error in the Send activity of ServiceDev:
System.ServiceModel.Security.SecurityNegotiationException: The caller was not authenticated by the service. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed. at System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target) at System.ServiceModel.Security.IssuanceTokenProviderBase`1.ThrowIfFault(Message message, EndpointAddress target) at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState) --- End of inner exception stack trace --- at System.ServiceModel.Activities.InternalSendMessage.OnSendFailure(NativeActivityFaultContext context, Exception propagatedException, ActivityInstance propagatedFrom) at System.Activities.Runtime.FaultCallbackWrapper.Invoke(NativeActivityFaultContext faultContext, Exception propagatedException, ActivityInstance propagatedFrom) at System.Activities.Runtime.FaultCallbackWrapper.FaultWorkItem.Execute(ActivityExecutor executor, BookmarkManager bookmarkManager)
What should the settings be in the app.config file for ServiceDev and ServiceDMZ?
Thanks!
Hello, thanks for the comments. Here are the configuration files.
ServiceDev
<system.serviceModel>
<services>
<service name="ServiceDev" behaviorConfiguration="ServiceDevBehavior">
<host>
<baseAddresses>
<add baseAddress="http://10.204.78.16:9101/"/>
</baseAddresses>
</host>
<endpoint address="http://10.204.78.16:9101/ServiceDev" binding="wsHttpBinding" contract="IServiceDev" bindingConfiguration="ServiceDevBinding"></endpoint>
<endpoint address="http://10.204.78.16:9101/ServiceDev/mex" binding="mexHttpBinding" contract="IMetadataExchange"></endpoint>
<endpoint address="http://10.204.78.16:9101/ServiceDevCallback" binding="wsHttpContextBinding" contract="IServiceDevCallback" bindingConfiguration="ClientServiceDMZBinding"></endpoint>
</service>
</services>
<client>
<endpoint address="http://10.169.24.14:9100/ServiceDMZ" binding="wsHttpContextBinding" contract="IServiceDMZ" name="ClientServiceDMZ" bindingConfiguration="ClientServiceDMZBinding">
<identity>
<userPrincipalName value="DMZUserName#dmzsvr1.mysite.com"/>
</identity>
</endpoint>
</client>
<bindings>
<wsHttpBinding>
<binding name="ServiceDevBinding" maxReceivedMessageSize="8388608">
<security>
<transport clientCredentialType="Windows" proxyCredentialType="None" realm=""/>
<message clientCredentialType="Windows" negotiateServiceCredential="true" algorithmSuite="TripleDesRsa15" establishSecurityContext="true"/>
</security>
</binding>
</wsHttpBinding>
<wsHttpContextBinding>
<binding name="ClientServiceDMZBinding" clientCallbackAddress="http://10.204.78.16:9101/ServiceDevCallback">
<reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
<security>
<message clientCredentialType="Windows" negotiateServiceCredential="true" algorithmSuite="Default"/>
<transport clientCredentialType="Windows" proxyCredentialType="None" realm=""/>
</security>
</binding>
</wsHttpContextBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceDevBehavior">
<serviceDebug includeExceptionDetailInFaults="true" httpHelpPageEnabled="true"/>
<serviceMetadata httpGetEnabled="true"/>
<sqlWorkflowInstanceStore connectionStringName="MySite.Deployment.Data.Providers.WorkflowInstanceStoreProvider" instanceCompletionAction="DeleteNothing" instanceLockedExceptionAction="BasicRetry" instanceEncodingOption="GZip" hostLockRenewalPeriod="00:01:00"/>
</behavior>
</serviceBehaviors>
</behaviors>
<standardEndpoints>
<dynamicEndpoint>
<standardEndpoint name="ClientServiceDMZDynamicEndpointConfiguration">
<discoveryClientSettings>
<endpoint kind="udpDiscoveryEndpoint" endpointConfiguration="ServiceDMZUDPDiscoveryEndpoint"></endpoint>
</discoveryClientSettings>
</standardEndpoint>
</dynamicEndpoint>
<udpDiscoveryEndpoint>
<standardEndpoint name="ServiceDMZUDPDiscoveryEndpoint" discoveryVersion="WSDiscovery11">
</standardEndpoint>
</udpDiscoveryEndpoint>
</standardEndpoints>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true"/>
<diagnostics performanceCounters="All">
<messageLogging logEntireMessage="true" logMalformedMessages="true" logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true" maxMessagesToLog="30000" maxSizeOfMessageToLog="2000000">
</messageLogging>
</diagnostics>
ServiceDMZ
<system.serviceModel>
<services>
<service name="ServiceDMZ" behaviorConfiguration="ServiceDMZBehavior">
<host>
<baseAddresses>
<add baseAddress="http://10.169.24.14:9100/"/>
</baseAddresses>
</host>
<endpoint address="http://10.169.24.14:9100/ServiceDMZ" binding="wsHttpContextBinding" contract="IServiceDMZ" bindingConfiguration="ServiceDMZBinding" behaviorConfiguration="ServiceDMZEndpointBehavior" />
<endpoint address="http://10.169.24.14:9100/ServiceDMZ/mex" binding="mexHttpBinding" contract="IMetadataExchange"></endpoint>
<endpoint name="udpDiscovery" kind="udpDiscoveryEndpoint" />
</service>
</services>
<bindings>
<wsHttpContextBinding>
<binding name="ServiceDMZBinding" clientCallbackAddress="http://10.204.78.16:9101/ServiceDevCallback">
<security>
<message clientCredentialType="Windows" negotiateServiceCredential="true" algorithmSuite="Default"/>
<transport clientCredentialType="Windows" realm="" proxyCredentialType="None"/>
</security>
</binding>
</wsHttpContextBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceDMZBehavior">
<serviceDebug includeExceptionDetailInFaults="true" httpHelpPageEnabled="true"/>
<serviceMetadata httpGetEnabled="true"/>
<serviceDiscovery>
<announcementEndpoints>
<endpoint kind="udpAnnouncementEndpoint" />
</announcementEndpoints>
</serviceDiscovery>
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="ServiceDMZEndpointBehavior">
<endpointDiscovery>
<scopes>
</scopes>
</endpointDiscovery>
</behavior>
</endpointBehaviors>
</behaviors>
<standardEndpoints>
<udpDiscoveryEndpoint>
<standardEndpoint name="ServiceDMZUDPDiscoveryEndpoint" discoveryVersion="WSDiscovery11" maxResponseDelay="00:00:00.600"/>
</udpDiscoveryEndpoint>
</standardEndpoints>
<diagnostics performanceCounters="All">
<messageLogging logEntireMessage="true" logMalformedMessages="true" logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true" maxMessagesToLog="30000" maxSizeOfMessageToLog="2000000">
</messageLogging>
</diagnostics>
This could be is a partial trust problem. Security is WCF requires full trust for full functionality, without this it only supports a subset of the functionality, see http://msdn.microsoft.com/en-us/library/bb412186.aspx
Also if you are using windows authentication it would require trust between the domains, assuming that your machines are in different domains.
Related
I'm having truble with configuration around my WCF service and WS-Seciurity.
I don't have access to the client side, so far I'm trying to use SoapUI as a client with WS-A adressing, userName, Password and WSS Password Type 'PasswordDigest' options.
I use IIS and https with a simple certificate, .NET 4.7.
I've tried many versions, but without success. I just want to find simplest, working solution to read 'Seciurity' header from SoapUI/client request with WS-Seciurity PasswordDigest options enabled.
The current error with the current config file 'InvalidSecurity' 'An error occurred when verifying security for the message'
<system.serviceModel>
<protocolMapping>
<add scheme="https" binding="wsHttpBinding"/>
</protocolMapping>
<services>
<service name="SoapService" behaviorConfiguration="SoapServiceConf">
<!--<endpoint address="SoapService" binding="wsHttpBinding" contract="MPA.SoapService.References.ServiceReference.SentSOAP" /> -->
<endpoint address="" binding="wsHttpBinding" contract="Interfaces.ISoap" bindingConfiguration="wsHttpBind"/>
<endpoint contract="IMetadataExchange" binding="mexHttpsBinding" address="mex" />
</service>
</services>
<bindings>
<wsHttpBinding>
<binding maxReceivedMessageSize="10485760" name="wsHttpBind">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Basic"/>
<message clientCredentialType="UserName" algorithmSuite="Default" establishSecurityContext="false" />
</security>
<reliableSession enabled="false" />
<readerQuotas maxArrayLength="10485760" maxDepth="1024" maxStringContentLength="10485760" />
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="SoapServiceConf">
<serviceCredentials>
<serviceCertificate findValue="soapservice"
storeName="My"
x509FindType="FindByIssuerName" />
</serviceCredentials>
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="False" />
</behavior>
<behavior name="MyServiceTypeBehaviors" >
<!-- Add the following element to your service behavior configuration. -->
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
Thanks.
After adding SSL to my WCF service, global.asax methods like Apllication_Start or Application_BeginRequest stopped being triggered. The service itself launches normally with no exception. New code added below (and ofc some configurations in IIS Manager:
<system.serviceModel>
<services>
<service name="SomeService.Service" behaviorConfiguration="secureBehavior">
<endpoint
address=""
binding="basicHttpBinding" bindingConfiguration="secureHttpBinding"
contract="SomeService.IService" />
<endpoint
address="mex" binding="mexHttpsBinding"
contract="IMetadataExchange" />
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="secureHttpBinding">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="secureBehavior">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
I'm trying to retrieve the logged in windows user in a WCF service.
I've tried using ServiceSecurityContext but Current is always null.
ServiceSecurityContext.Current.WindowsIdentity.Name
I've also tried using OperationContext. In this case ServiceSecurityContext returns as null.
OperationContext.Current.ServiceSecurityContext.PrimaryIdentity.Name
Here's my web.config:
<bindings>
<basicHttpBinding>
<binding name="HttpWindowsBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" />
</security>
</binding>
</basicHttpBinding>
</bindings>
also
<authentication mode="Windows"/>
Can anyone see what I'm doing wrong?
UPDATE:
I abandoned trying to get ServiceSecurityContext to work. In the end, I found a solution by setting aspNetCompatibilityEnabled="true".
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" aspNetCompatibilityEnabled="true" />
I also added the following attribute to my service class:
[System.ServiceModel.Activation.AspNetCompatibilityRequirements(RequirementsMode = System.ServiceModel.Activation.AspNetCompatibilityRequirementsMode.Required)]
This allowed me to retrieve the windows user with:
HttpContext.Current.User.Identity.Name
I got the same error and managed to solved it, you need not to use basichttpBinding. bellow is my config:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="MSADC">
<security mode ="Message">
<transport clientCredentialType="Windows" />
<message establishSecurityContext="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service name="WCFAuthentication.WCFAuthentication">
<endpoint bindingConfiguration="MSADC" address="" binding="wsHttpBinding" contract="WCFAuthentication.IWCFAuthentication">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="http://localhost:8088" />
</baseAddresses>
</host>
</service>
</services>
</system.serviceModel>
<appSettings>
<add key="wcf:disableOperationContextAsyncFlow" value="false" />
</appSettings>
</configuration>
So I'm trying to consume a WCF service from a website and pass the IClaimsIdentity the site got from an STS through to the service.
When I try to invoke a service method through an ActAs channel, I get the following error on the client (looking at trace logs, it never gets to the service, and the STS sends through all tokens correctly):
The identity check failed for the outgoing message. The expected
identity is
'identity(http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprint)' for
the 'http://localhost/MyWCFHost/MyService.svc' target endpoint.
I've got a custom IssuedTokenForCertificate binding and all the certificates are OK as far as I can see, it should work, but no dice. I'd appreciate another pair of eyes looking over my config and helping:
Consuming Web Site config:
<system.serviceModel>
<bindings>
<customBinding>
<binding name="CustomBinding_IMyService">
<security defaultAlgorithmSuite="Default" authenticationMode="IssuedTokenForCertificate"
requireDerivedKeys="true" includeTimestamp="true" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
requireSignatureConfirmation="true">
<issuedTokenParameters tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
<additionalRequestParameters>
<trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<trust:TokenType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</trust:TokenType>
<trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
</trust:SecondaryParameters>
</additionalRequestParameters>
<issuer address="http://localhost/MyCompany.SecurityTokenService/ActAsIssuer.svc"
binding="ws2007HttpBinding" bindingConfiguration="http://localhost/MyCompany.SecurityTokenService/ActAsIssuer.svc">
</issuer>
<issuerMetadata address="http://localhost/MyCompany.SecurityTokenService/ActAsIssuer.svc/mex" />
</issuedTokenParameters>
<localClientSettings detectReplays="true" />
<localServiceSettings detectReplays="true" />
</security>
<textMessageEncoding />
<httpTransport />
</binding>
</customBinding>
<ws2007HttpBinding>
<binding name="http://localhost/MyCompany.SecurityTokenService/ActAsIssuer.svc">
<security>
<message establishSecurityContext="false" />
</security>
</binding>
</ws2007HttpBinding>
</bindings>
<client>
<endpoint address="http://localhost/MyWCFHost/MyService.svc" binding="customBinding"
bindingConfiguration="CustomBinding_IMyService" contract="MyService.IMyService"
name="CustomBinding_IMyService">
<identity>
<!--<certificate encodedValue="AwAAAAEAAAAUAAAAV2ILlfzl9NIHEiGv1rUCSitq8I0gAAAAAQAAAP8BAAAwggH7MIIBaKADAgECAhBTTBmG1HyUkEDVFmVUxfDLMAkGBSsOAwIdBQAwFTETMBEGA1UEAxMKRXRhbmEgUm9vdDAeFw0xMjA5MjExMjE2MDRaFw0zOTEyMzEyMzU5NTlaMB8xHTAbBgNVBAMTFEV0YW5hIFNUUyBFbmNyeXB0aW9uMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0lbzr1b1aNiXGhwKMTO58QbLbbKoUtTRkA4egMlmip1Vm46BnscWAMvXA5kyzuqK6Cw/5bel15i0pZXR4kjByKbSr65V0/ODGrkUHaYb5vT8RzCczYcgzJmPGWawMYYJT8PXLXHkFmZZGXFZhiUBzyNMWh8YH16I/wFtUgmaBAQIDAQABo0owSDBGBgNVHQEEPzA9gBAV68U+Vhoc0Nu9qPJXfJSRoRcwFTETMBEGA1UEAxMKRXRhbmEgUm9vdIIQgnOTDbZVCaJFTK8PPAGynTAJBgUrDgMCHQUAA4GBACHLr32oqkFjKGN/fqk2VnsNNIs9niHQ4Q6UbJ252YWf4wFIz9Ho/+ZdFxC4tSHxa/IMH0kzYpRL5p61Zd8/QeryWCStqvoNPwyapaY3g0Pkm6dy6NJ82kX5eJxLjdJp8MVadPJs4VA7Smf+e9lMMoONAGP07AvzAVhtiYK2yMmH" />-->
<certificateReference findValue="57620B95FCE5F4D2071221AFD6B5024A2B6AF08D" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
</identity>
</endpoint>
</client>
</system.serviceModel>
WCF Service config:
<system.serviceModel>
<diagnostics>
<messageLogging logMalformedMessages="true" logMessagesAtTransportLevel="true" />
</diagnostics>
<services>
<service name="RPWCFApp.MyService" behaviorConfiguration="MyServiceBehaviour">
<endpoint address="" binding="customBinding" bindingConfiguration="CustomBindingConfiguration_IssuedTokenOverTransport" contract="RPWCFApp.IMyService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="MyServiceBehaviour">
<federatedServiceHostConfiguration />
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceCredentials>
<serviceCertificate findValue="81A5DB3796F48B00FAC37CE67D7D8CA43078B996" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
<extensions>
<behaviorExtensions>
<add name="federatedServiceHostConfiguration" type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</behaviorExtensions>
</extensions>
<bindings>
<customBinding>
<binding name="CustomBindingConfiguration_IssuedTokenOverTransport">
<security authenticationMode="IssuedTokenForCertificate" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
<issuedTokenParameters keyType="SymmetricKey" tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
<issuer address="http://localhost/MyCompany.SecurityTokenService/ActAsIssuer.svc" binding="ws2007HttpBinding" bindingConfiguration="IssuedTokenBinding" />
<issuerMetadata address="http://localhost/MyCompany.SecurityTokenService/ActAsIssuer.svc/mex" />
</issuedTokenParameters>
</security>
<textMessageEncoding />
<httpTransport />
</binding>
</customBinding>
<ws2007HttpBinding>
<binding name="IssuedTokenBinding">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="Windows" establishSecurityContext="false" />
</security>
</binding>
</ws2007HttpBinding>
</bindings>
</system.serviceModel>
Sorted out my problem by changing the binding in the service config to ws2007FederationHttpBinding instead of CustomBinding and update my client service reference.
<bindings>
<ws2007FederationHttpBinding>
<binding name="serviceBinding" receiveTimeout="05:00:00" sendTimeout="05:00:00">
<security mode="Message">
<message>
<issuerMetadata address="http://localhost/MyCompany.SecurityTokenService/ActAsIssuer.svc/mex"/>
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
</bindings>
Then because I'm using self-signed certificates, I had to change the certificateValidationMode using the following endpoint behaviour in the client config:
<behaviors>
<endpointBehaviors>
<behavior name="MyServiceBehavior" >
<clientCredentials>
<serviceCertificate>
<authentication certificateValidationMode="PeerOrChainTrust"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
And finally I just had to ensure my certificate was in the Trusted People store and finally I get the correct IClaimsIdentity when invoking the service :)
Hope this helps someone out there, because it drove me nuts for a while...
i am developing a duplex federated wcf service, my federation scenario is working fine but when i tried to make it duplex to an exception is thrown "The incoming policy could not be validated"
i think its issue with my configurations but am still not able to trace out the mistake,
Following are my configuration:
For my main service:
<bindings>
<customBinding>
<binding name='MyServiceBinding'>
<security authenticationMode='SecureConversation'>
<secureConversationBootstrap authenticationMode='IssuedTokenForCertificate'/>
<issuedTokenParameters>
<issuerMetadata address='http://localhost:62751/TokenIssuer.svc/mex'/>
</issuedTokenParameters>
</security>
<compositeDuplex/>
<oneWay/>
<httpTransport/>
</binding>
</customBinding>
</bindings>
<services>
<service name="MyService.MyService"
behaviorConfiguration='MyServiceBehavior'>
<endpoint address="Response"
binding="customBinding"
bindingConfiguration='MyServiceBinding'
contract="MyService.IMyService" />
<endpoint address="mex"
binding="mexHttpBinding"
contract="IMetadataExchange" />
</service>
</services>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
STS Configurations
and 3. Client Configurations
<system.serviceModel>
<bindings>
<customBinding>
<binding name='MyServiceBinding'>
<security authenticationMode='SecureConversation'>
<secureConversationBootstrap authenticationMode='IssuedTokenForCertificate'/>
<issuedTokenParameters>
<issuer address='http://localhost:62751/TokenIssuer.svc' binding='wsHttpBinding' bindingConfiguration='MyTokenIssuer'/>
</issuedTokenParameters>
</security>
<compositeDuplex/>
<oneWay/>
<httpTransport/>
</binding>
</customBinding>
<wsHttpBinding>
<binding name="MyTokenIssuer">
<security mode="Message"/>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="GetResponseClientBehavior">
<clientCredentials>
<serviceCertificate>
<authentication certificateValidationMode="PeerOrChainTrust"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<client>
<endpoint name="WSFederationHttpBinding_IMyService" address="http://localhost:53121/MyService.svc/Response" binding="customBinding" bindingConfiguration="MyServiceBinding" behaviorConfiguration="GetResponseClientBehavior" contract="IMyService">
<identity>
<certificateReference storeLocation="CurrentUser" storeName="TrustedPeople" x509FindType="FindBySubjectName" findValue="BookStoreService.com"/>
</identity>
</endpoint>
</client>
</system.serviceModel>