WCF wsHttpBinding Certificate Security Negotiation Exception

Question

So after having combed through MSDN, countless articles and even SO - I still have nothing to show for days of struggle.

So I have this: WCF service needs to be consumed by a client and I just keep hitting a SecurityNegotiationException

Secure channel cannot be opened because security negotiation with the remote endpoint has failed. This may be due to absent or incorrectly specified EndpointIdentity in the EndpointAddress used to create the channel. Please verify the EndpointIdentity specified or implied by the EndpointAddress correctly identifies the remote endpoint.

I've seen this error all over the net and noone seems to have my exact scenario (with a feasible answer atleast).

My setup is local and not hosted by IIS (for time being) but hosted via Visual Studios 2010. My GenericIntegration (WCF service) makes use of wsHttpBinding (Message Mode) authenticated by certificates (I have a very custom username/password authentication + authorization class passed as a parameter by design) and there is no backing out of the security measures.

Host's Config

<system.serviceModel>
<bindings>
  <wsHttpBinding>
    <binding name="wsHttpEndpintBinding">
      <security mode ="Message">
        <message clientCredentialType="Certificate" establishSecurityContext="false" negotiateServiceCredential="false"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
<services>
  <service behaviorConfiguration="wsHttpBehaviour" name="GenericIntegration.GenericService">
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
    <endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpintBinding" 
      name="wsHttpEndpoint" contract="GenericIntegration.GenInterface" />
    <host>
      <baseAddresses>
        <!--<add baseAddress="http://localhost:59082/GenericService.svc" />-->
      </baseAddresses>
    </host>
  </service>
</services>
<behaviors>
  <serviceBehaviors>
    <behavior name="wsHttpBehaviour">
      <serviceMetadata httpGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="true" />
      <serviceCredentials>
        <clientCertificate>
          <certificate findValue="GenIntegrationClient" storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectName" />
          <authentication certificateValidationMode="PeerTrust" />
        </clientCertificate>

        <serviceCertificate findValue="GenIntegrationClient" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
      </serviceCredentials>
    </behavior>
    <behavior name="metadataBehavior">
      <serviceMetadata httpGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="true" />
    </behavior>
  </serviceBehaviors>
</behaviors>    

<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />

And the Client's config

<system.serviceModel>
    <behaviors>
        <endpointBehaviors>
            <behavior name="endpointBehaviour">
                <clientCredentials>
                    <clientCertificate findValue="GenIntegrationClient" storeLocation="LocalMachine" storeName="My"
                        x509FindType="FindBySubjectName" />
                  <serviceCertificate>
                    <authentication certificateValidationMode="PeerTrust" revocationMode="NoCheck"/>
                  </serviceCertificate>
                </clientCredentials>
            </behavior>
        </endpointBehaviors>
    </behaviors>
    <bindings>
        <wsHttpBinding>
            <binding name="wsHttpEndpoint" maxBufferPoolSize="20000000" maxReceivedMessageSize="20000000">
                <security mode="Message">
                    <message clientCredentialType="Certificate" />
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>
    <client>
        <endpoint address="http://localhost:59082/GenericService.svc"
            binding="wsHttpBinding" bindingConfiguration="wsHttpEndpoint" behaviorConfiguration="endpointBehaviour"
            contract="GenService.GenInterface" name="wsHttpEndpoint">
            <identity>
                <certificate encodedValue="AwAAAAEAAAAUAAAAKdyUELIKMtdh2MFsYQ09ja+vyeEgAAAAAQAAACICAAAwggIeMIIBi6ADAgECAhCFBfF1EXQZhkPKaBpQCl84MAkGBSsOAwIdBQAwJDEiMCAGA1UEAxMZNE1PU1RHZW5JbnRlZ3JhdGlvblNlcnZlcjAeFw0xNjA3MjgxNDQ5MjVaFw0zOTEyMzEyMzU5NTlaMCQxIjAgBgNVBAMTGTRNT1NUR2VuSW50ZWdyYXRpb25DbGllbnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIwsIlz5nZ3HxeYofTpYKr6RcfQMe/jZxPuHcljT+8pBOZ6KmYcyxeRTO074yP6yF8b1IqFskII+qqmCT8nDsb8xdo5Ee0oqL1LKR+xeTgg2ZXXoocxqR1AdxWFVdlMxMSjKIEGE+MnSDdB6vgXahhpUbAS7cdrNoAFKNIz+vrt1AgMBAAGjWTBXMFUGA1UdAQROMEyAEB4cu6OjBqQHct6przmowGyhJjAkMSIwIAYDVQQDExk0TU9TVEdlbkludGVncmF0aW9uU2VydmVyghD75YH5y52zsU5wcmZLJzPiMAkGBSsOAwIdBQADgYEA2BinUmEfgZKcb1qFD1T5ajc2OWHGLjDLpDi8Y7amM4P3rFGvelx7NmCNUH88iGS9LcbDsmY59HcZwUavtPOr4LMRDhl+5YuGht1fIYEk8QSDIhjevijgDOIVBBAeNIA8tva1faMNtYnFXsj0VxMvlrZ4exeKFVFjv2sib5YNFxY=" />
            </identity>
        </endpoint>
    </client>
</system.serviceModel>

Now about the certificates (and yes this is for testing only): GenIntegrationServer.cer has been created as a selfsigned CA root certificate with a private key to sign client certificates with. Both GenIntegrationServer and GenIntegrationClient certificates were generated with makecert . The client certificate is linked to the private key and is correctly installed in the personal store.

I am still quite new to certificates, private keys and secure comms - I simply cannot reason where I make my mistake. I didn't find too many posts about specifically using certificates in this manner.

Can anyone assist before I lose more hair or sleep over this?

UPDATE

As per request, I added the logging. But the most they reveal is:

<s:Body>
    <s:Fault>
        <s:Code>
            <s:Value>s:Sender</s:Value>
            <s:Subcode>
                <s:Value>a:InvalidSecurity</s:Value>
            </s:Subcode>
       </s:Code>
       <s:Reason>
           <s:Text xml:lang="en-ZA">An error occurred when verifying security for the message.</s:Text>
       </s:Reason>
    </s:Fault>
</s:Body>

Sadly, I still do not understand why security validation is failing. Any Ideas?

Answer 1

Turns out I needed to add the certificates to different stores.

In addition to already having the certificates set in the personal stores (as indicated by the config), I had to install the the server's certificate on the client and vice versa. I also had to make sure that the client contained the client certificate's personal key and the same with the server.

This does not sound too complete but I'll post a full article on how I did this.