views: 920 | answers: 0

I have a web service in .NET 1.1 and WSE 2.0 that uses WS-Security with x509 certificates for both signature and encryption. I'm trying to configure a WCF client to connect with this service, and it's proving more challenging than I had expected.

I've gotten past most of my versioning issues by using a custom binding, but I'm stuck on one last point. The web service includes two BinarySecurityToken elements in the response SOAP envelope -- one for the encrypting certificate, one for the signing certificate.

The problem seems to be that WCF is choking on the second token. This is the error message:

"Cannot find a token authenticator for the 'System.IdentityModel.Tokens.X509SecurityToken' token type. Tokens of that type cannot be accepted according to current security settings."

I found this conversation on MSDN which describes the exact problem I'm having; but unfortunately it doesn't provide a good resolution. Creating a message encoder to hack the envelope into something WCF can handle seems wrong to me. WSE 2.0 could handle inline security tokens fine -- there must be a way to force WCF to do the same.

While I do have the complete source for the original WSE 2.0 service, changing the way it handles security isn't an option at this point.

Here's the security binding element I'm currently using:

Dim lSBE As New System.ServiceModel.Channels.AsymmetricSecurityBindingElement()

' Initiator (client) token: the signing certificate, always sent inline and referenced by its raw data
Dim lInitiatorTokenParameters As New System.ServiceModel.Security.Tokens.X509SecurityTokenParameters
lInitiatorTokenParameters.InclusionMode = System.ServiceModel.Security.Tokens.SecurityTokenInclusionMode.AlwaysToRecipient
lInitiatorTokenParameters.X509ReferenceStyle = System.ServiceModel.Security.Tokens.X509KeyIdentifierClauseType.RawDataKeyIdentifier
lInitiatorTokenParameters.RequireDerivedKeys = False
lSBE.InitiatorTokenParameters = lInitiatorTokenParameters

' Recipient (service) token: the encrypting certificate, same inclusion and reference style
Dim lRecipientTokenParameters As New System.ServiceModel.Security.Tokens.X509SecurityTokenParameters
lRecipientTokenParameters.InclusionMode = System.ServiceModel.Security.Tokens.SecurityTokenInclusionMode.AlwaysToRecipient
lRecipientTokenParameters.X509ReferenceStyle = System.ServiceModel.Security.Tokens.X509KeyIdentifierClauseType.RawDataKeyIdentifier
lRecipientTokenParameters.RequireDerivedKeys = False
lSBE.RecipientTokenParameters = lRecipientTokenParameters

' WS-Security 1.0 / BSP 1.0 versioning to match the WSE 2.0 service; no derived keys, signed timestamp
lSBE.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
lSBE.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128Rsa15
lSBE.SetKeyDerivation(False)
lSBE.IncludeTimestamp = True
lSBE.AllowSerializedSigningTokenOnReply = True
lSBE.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.SignBeforeEncrypt
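For context, here is the security binding element above assembled into a complete WCF client binding with certificate credentials attached. This is an added example, not the poster's code: it assumes the WSE 2.0 service speaks SOAP 1.1 text over plain HTTP, and the certificate subject names, store locations and endpoint URL are placeholders. The service certificate is located explicitly and validated by chain trust with online revocation checking, and the endpoint identity is set to the service certificate's subject so WCF's identity check has something to compare against.

```vb
Imports System.ServiceModel
Imports System.ServiceModel.Channels
Imports System.ServiceModel.Security
Imports System.ServiceModel.Security.Tokens
Imports System.Security.Cryptography.X509Certificates
Imports System.Text

Module WseCompatibleClient

    ' Full CustomBinding: the asymmetric security element from the question,
    ' plus a SOAP 1.1 text encoder and HTTP transport. SOAP 1.1 over HTTP is
    ' an assumption about the legacy WSE 2.0 service.
    Public Function BuildBinding() As CustomBinding
        Dim sbe As New AsymmetricSecurityBindingElement()

        ' Client signing certificate: sent inline, referenced by raw data
        Dim initiator As New X509SecurityTokenParameters()
        initiator.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient
        initiator.X509ReferenceStyle = X509KeyIdentifierClauseType.RawDataKeyIdentifier
        initiator.RequireDerivedKeys = False
        sbe.InitiatorTokenParameters = initiator

        ' Service encryption certificate: same inclusion and reference style
        Dim recipient As New X509SecurityTokenParameters()
        recipient.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient
        recipient.X509ReferenceStyle = X509KeyIdentifierClauseType.RawDataKeyIdentifier
        recipient.RequireDerivedKeys = False
        sbe.RecipientTokenParameters = recipient

        sbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
        ' Basic128Rsa15 (RSA PKCS#1 v1.5 key transport) is a legacy suite kept
        ' only because the WSE 2.0 service cannot be changed.
        sbe.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128Rsa15
        sbe.SetKeyDerivation(False)
        sbe.IncludeTimestamp = True
        sbe.AllowSerializedSigningTokenOnReply = True
        sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt

        Dim encoding As New TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8)
        Dim transport As New HttpTransportBindingElement()
        Return New CustomBinding(sbe, encoding, transport)
    End Function

    ' Attaches the client's signing certificate and pins the service's
    ' encryption certificate. Subject names and store names are placeholders.
    Public Sub ConfigureCredentials(factory As ChannelFactory)
        Dim creds As ClientCredentials = factory.Credentials

        ' Client certificate with private key, used to sign the request
        creds.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My,
            X509FindType.FindBySubjectName, "client-cert-placeholder")

        ' Service certificate (public key only), used to encrypt the request and
        ' to verify the signature on the reply
        creds.ServiceCertificate.SetDefaultCertificate(StoreLocation.CurrentUser, StoreName.TrustedPeople,
            X509FindType.FindBySubjectName, "service-cert-placeholder")

        ' Validate the service certificate against a trusted chain and check revocation
        creds.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.ChainTrust
        creds.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.Online
    End Sub

    ' Builds a channel factory for the service contract TChannel; the DNS identity
    ' must match the subject of the service certificate.
    Public Function CreateFactory(Of TChannel)(endpointUrl As String) As ChannelFactory(Of TChannel)
        Dim address As New EndpointAddress(New Uri(endpointUrl),
            New DnsEndpointIdentity("service-cert-placeholder"))
        Dim factory As New ChannelFactory(Of TChannel)(BuildBinding(), address)
        ConfigureCredentials(factory)
        Return factory
    End Function

End Module
```

Usage is `CreateFactory(Of IMyLegacyService)("http://legacy-host/service.asmx").CreateChannel()` with the contract interface substituted; the binding element settings themselves are unchanged from the question, the surrounding encoder, transport and credential wiring are the additions.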