I have a custom STS implemented with WIF. My WS-Trust services are using these configurations:
<behavior name="WSTrustServiceBehaviour">
  <serviceDebug includeExceptionDetailInFaults="true" />
  <serviceMetadata httpGetEnabled="true" />
  <serviceCredentials>
    <clientCertificate>
      <authentication certificateValidationMode="ChainTrust"
                      revocationMode="NoCheck"
                      trustedStoreLocation="LocalMachine"/>
    </clientCertificate>
    <serviceCertificate storeLocation="LocalMachine"
                        storeName="TrustedPeople"
                        x509FindType="FindByThumbprint"
                        findValue="5BF081CCC2E20094D0648F0A3F3C6A598155D606"/>
  </serviceCredentials>
</behavior>

<ws2007HttpBinding>
  <binding name="WSTrustHttpBinding">
    <security>
      <message clientCredentialType="Certificate"
               negotiateServiceCredential="false"
               establishSecurityContext="false"/>
    </security>
  </binding>
</ws2007HttpBinding>

<service name="System.ServiceModel.Security.WSTrustServiceContract"
         behaviorConfiguration="WSTrustServiceBehaviour">
  <endpoint name="WSTrust13HttpEndpoint"
            address="http/v13"
            binding="ws2007HttpBinding"
            bindingConfiguration="WSTrustHttpBinding"
            contract="System.ServiceModel.Security.IWSTrust13AsyncContract"/>
  <endpoint name="WSTrustFeb05HttpEndpoint"
            address="http/feb05"
            binding="ws2007HttpBinding"
            bindingConfiguration="WSTrustHttpBinding"
            contract="System.ServiceModel.Security.IWSTrustFeb2005AsyncContract" />
  <endpoint name="WSTrustMexHttpEndpoint"
            binding="mexHttpBinding"
            bindingConfiguration=""
            address="http/mex"
            contract="IMetadataExchange"/>
  <host>
    <baseAddresses>
      <add baseAddress="http://services.example.com" />
    </baseAddresses>
  </host>
</service>
Now I have one Web application that needs to call a WCF service. Both the Web application and the WCF service are Relying Parties of my custom STS. In my Web application's web.config, I have the following:
<ws2007FederationHttpBinding>
  <binding name="MyWCFServiceWS2007FederationHttpBinding"
           useDefaultWebProxy="false"
           messageEncoding="Mtom">
    <security mode="Message">
      <message>
        <issuer address="http://sts.example.com/WSTrust.svc/http/feb05"
                binding="ws2007HttpBinding"
                bindingConfiguration="WSTrustHttpBinding"/>
        <issuerMetadata address="http://sts.example.com/Bus/WSTrust.svc/http/mex"/>
      </message>
    </security>
  </binding>
</ws2007FederationHttpBinding>

<endpointBehaviors>
  <behavior name="MyWCFServiceWS2007HttpEndpointBehavior">
    <clientCredentials supportInteractive="false"
                       useIdentityConfiguration="true">
      <serviceCertificate>
        <authentication certificateValidationMode="ChainTrust"
                        revocationMode="NoCheck"/>
      </serviceCertificate>
    </clientCredentials>
  </behavior>
</endpointBehaviors>

<client>
  <endpoint name="MyWCFServiceWS2007FederationHttpEndpoint"
            address="http://services.example.com/MyWCFService.svc/..."
            binding="ws2007FederationHttpBinding"
            bindingConfiguration="MyWCFServiceWS2007FederationHttpBinding"
            contract="..."
            behaviorConfiguration="IdentityWS2007HttpEndpointBehavior"/>
</client>
Now the problem is that when I try to invoke my WCF service using the client endpoint, WCF will first contact the STS WS-Trust endpoint to get a token.
But the WS-Trust service is expecting the client to present a certificate to authenticate itself. How can I specify these credentials in the web.config?
I think in code I would do something like:
var trustChannelFactory = new WSTrustChannelFactory(..., ...);
trustChannelFactory.TrustVersion = System.ServiceModel.Security.TrustVersion.WSTrust13;
trustChannelFactory.Credentials.SupportInteractive = false;
// Set the credentials here:
trustChannelFactory.Credentials ...
Any ideas?
Thanks.
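As an added example, not part of the original post, this is the web.config shape that declares the certificate the issuer channel presents to the STS: WCF opens the channel to the address in <issuer> using the same <clientCredentials> as the calling endpoint's behavior unless IssuerChannelBehaviors overrides them (assumed here), so a <clientCertificate> element in that behavior is what the WS-Trust call uses. The thumbprint, contract and service path are placeholders.

```xml
<!-- Added example, not the poster's configuration. Store, thumbprint, contract and
     service path are placeholders to be replaced with the deployment's own values. -->
<system.serviceModel>
  <behaviors>
    <endpointBehaviors>
      <behavior name="MyWCFServiceWS2007HttpEndpointBehavior">
        <clientCredentials supportInteractive="false" useIdentityConfiguration="true">
          <!-- Certificate presented to the STS endpoint whose binding requires
               clientCredentialType="Certificate". Finding by thumbprint avoids
               picking the wrong certificate when several share a subject name. -->
          <clientCertificate storeLocation="LocalMachine"
                             storeName="My"
                             x509FindType="FindByThumbprint"
                             findValue="PLACEHOLDER_CLIENT_CERT_THUMBPRINT" />
          <serviceCertificate>
            <!-- How the STS and service certificates are validated. revocationMode="NoCheck"
                 accepts revoked certificates; keep Online or Offline outside development. -->
            <authentication certificateValidationMode="ChainTrust"
                            revocationMode="Online" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <client>
    <!-- behaviorConfiguration must name the behavior above so that these
         credentials apply to this endpoint and to its issuer channel. -->
    <endpoint name="MyWCFServiceWS2007FederationHttpEndpoint"
              address="http://services.example.com/MyWCFService.svc/PLACEHOLDER_PATH"
              binding="ws2007FederationHttpBinding"
              bindingConfiguration="MyWCFServiceWS2007FederationHttpBinding"
              contract="PLACEHOLDER_CONTRACT"
              behaviorConfiguration="MyWCFServiceWS2007HttpEndpointBehavior" />
  </client>
</system.serviceModel>
```

The account the web application runs under needs read access to that certificate's private key in the LocalMachine store. Because the STS validates the presented certificate with ChainTrust, it must also chain to a root the STS machine trusts.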