WCF Security

Posted on 2011-10-13
Last Modified: 2012-05-12
I hate to post long messages on a discussion forum, but I don't think I have an option here.

I have a simple "Hello World" WCF service and a simple winform client. Everything is built using VS 2010 and .Net 4.0 and all applications run locally on my WinXP desktop.

My experiment is based on this link.

So I was trying to build this WCF service using custom authentication and a self-signed certificate.

The service app.config file reads (excerpt):
        <messageLogging logEntireMessage="true" logMalformedMessages="false" logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="false" maxMessagesToLog="3000" maxSizeOfMessageToLog="2000"/>
        <behavior name="CreditCardServiceBehavior">
          <serviceMetadata httpGetEnabled="true"/>
        </behavior>
        <behavior name="CustomValidator">
          <serviceCredentials>
            <serviceCertificate findValue="CIS525" storeLocation="CurrentUser" storeName="TrustedPeople" x509FindType="FindBySubjectName"/>
            <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="CreditcardValidationService.CIS525Authenticator, CreditcardValidationService"/>
          </serviceCredentials>
        </behavior>
        <service behaviorConfiguration="CustomValidator" name="CreditcardValidationService.ValidateCreditCardService">
          <endpoint address="base" binding="wsHttpBinding" bindingConfiguration="" contract="CreditcardValidationService.ICreditcardValidationService"/>
          <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
          <host>
            <baseAddresses>
              <add baseAddress="http://localhost:8080/CreditCardValidationService"/>
            </baseAddresses>
          </host>
        </service>
        <binding name="httpWithMessageSecurity">
          <security mode="None">
            <message clientCredentialType="UserName"/>
          </security>
        </binding>

The client app.config reads (excerpt):
        <messageLogging logMalformedMessages="true" logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true"/>
        <binding name="wsHttpBinding_ICreditcardValidationService" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true">
          <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384"/>
          <security mode="Message">
            <message clientCredentialType="UserName"/>
          </security>
        </binding>
        <endpoint address="http://localhost:8080/CreditCardValidationService/base" binding="wsHttpBinding" bindingConfiguration="wsHttpBinding_ICreditcardValidationService" contract="ValidateCreditCardServiceReference.ICreditcardValidationService" name="wsHttpBinding_ICreditcardValidationService">
          <identity>
            <dns value="CIS525"/>
          </identity>
        </endpoint>

I installed a self-signed certificate in the Trusted People store and also in Trusted Root Certification Authorities. Windows recognizes my certificate as valid when I open the certificate file.

My custom validator looks like this:

using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;

namespace CreditcardValidationService
{
    public class CIS525Authenticator : UserNamePasswordValidator
    {
        public override void Validate(string userName, string password)
        {
            // check for null user name and password; any non-empty pair is accepted as written
            if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            {
                throw new SecurityTokenException("Username and password required");
            }
        }
    }
}



When I call my service from the client application, I get this error:
Secure channel cannot be opened because security negotiation with the remote endpoint has failed. This may be due to absent or incorrectly specified EndpointIdentity in the EndpointAddress used to create the channel. Please verify the EndpointIdentity specified or implied by the EndpointAddress correctly identifies the remote endpoint.

I don't know what I am doing wrong. Please help.

Question by:shekhar_shashi

    Accepted Solution

    There were a couple of issues with the configuration and after fixing those, the code runs fine.

    1. I did not have access to the certificate's private key and so the certificate could not be used. I granted access to myself on the keys by using the winhttpcertcfg tool.
    2. The service's behavior configuration was blank.
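As an added illustration (not part of the question or the accepted answer), here is the service-side excerpt with the blank configuration fixed: the "base" endpoint now references the named binding, and that binding uses security mode "Message" with a UserName credential so it matches what the client's wsHttpBinding configuration expects. The serviceMetadata element is folded into the CustomValidator behavior because that is the only behavior the service references; certificate name, contract names and base address are the ones from the question.

```xml
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Message security: the service certificate protects the SOAP body and the
           custom validator checks the UserName token carried inside it. -->
      <binding name="httpWithMessageSecurity">
        <security mode="Message">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <service name="CreditcardValidationService.ValidateCreditCardService"
             behaviorConfiguration="CustomValidator">
      <!-- bindingConfiguration names the binding above instead of being blank -->
      <endpoint address="base" binding="wsHttpBinding"
                bindingConfiguration="httpWithMessageSecurity"
                contract="CreditcardValidationService.ICreditcardValidationService" />
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
      <host>
        <baseAddresses>
          <add baseAddress="http://localhost:8080/CreditCardValidationService" />
        </baseAddresses>
      </host>
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="CustomValidator">
        <serviceMetadata httpGetEnabled="true" />
        <serviceCredentials>
          <!-- The account hosting the service must be able to read this certificate's
               private key (the first issue in the accepted answer). -->
          <serviceCertificate findValue="CIS525" storeLocation="CurrentUser"
                              storeName="TrustedPeople" x509FindType="FindBySubjectName" />
          <userNameAuthentication userNamePasswordValidationMode="Custom"
              customUserNamePasswordValidatorType="CreditcardValidationService.CIS525Authenticator, CreditcardValidationService" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

The client's dns identity value (CIS525) must still match the subject name of the service certificate, otherwise the same EndpointIdentity negotiation error reappears.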

