Is it possible to use X509 certificates for two factor authentication? We need to use two DIFFERENT certificates for both transport and message level authentication. We can do it when only one (the same) certificate is used but not two different ones. The problem seems to be on the client side where we do not see how to specify which certificate should be used for transport and which for message level security. Is it possible in WCF at all?
Have you read this article?
It seems to describe what you're after.
If not - I apologise!
Not exactly. In my case I need my client application to "submit" two credentials, one over transport and another over message. Both of them have to be X509 certificates, but we need to use different certificates for that. The following configuration enforces that scenario:
<security authenticationMode="CertificateOverTransport" requireSignatureConfirmation="false" requireDerivedKeys="false"/>
<httpsTransport keepAliveEnabled="false" requireClientCertificate="true"/>
"CertificateOverTransport" requires the client to use X509 for message level security, and requireClientCertificate="true" requires the client to submit an X509 client cert at the transport level. The problem is that we cannot find a way to provide two different certificates. If we specify the cert in a behaviour like this, then the same cert is used for both transport and message level security.
<clientCertificate storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectName" findValue="MyClientCertSubject"/>
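Added example, not code from the original post or from any of its participants: the reason the `<clientCertificate>` behaviour above feeds the same certificate to both layers is that the default `ClientCredentialsSecurityTokenManager` answers every client X509 token requirement from `ClientCredentials.ClientCertificate`. WCF lets you replace that manager, so a custom `ClientCredentials` can hand one certificate to the HTTPS transport and a different one to the `CertificateOverTransport` message layer. The code assumes (my assumption, not stated on the page) that the requirement raised by the HTTPS channel factory has `TransportScheme` set to `https` and no `SecurityBindingElement`, while the message-level requirement carries the `SecurityBindingElement`; the subject name `MyTransportCertSubject`, the `FindBySubject` helper and the `Configure` method are placeholders I introduced, and `MyClientCertSubject` is the subject from the post.

```csharp
// Added example (not from the original post): one certificate for the HTTPS client
// certificate, a different one for CertificateOverTransport message security.
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security.Tokens;

public class DualCertificateClientCredentials : ClientCredentials
{
    // Presented during the TLS handshake. The message-level certificate stays in
    // the inherited ClientCertificate.Certificate, which the base manager uses.
    public X509Certificate2 TransportCertificate { get; set; }

    public DualCertificateClientCredentials() { }

    protected DualCertificateClientCredentials(DualCertificateClientCredentials other) : base(other)
    {
        TransportCertificate = other.TransportCertificate;
    }

    protected override ClientCredentials CloneCore()
    {
        return new DualCertificateClientCredentials(this);
    }

    public override SecurityTokenManager CreateSecurityTokenManager()
    {
        return new DualCertificateTokenManager(this);
    }

    private sealed class DualCertificateTokenManager : ClientCredentialsSecurityTokenManager
    {
        private readonly DualCertificateClientCredentials creds;

        public DualCertificateTokenManager(DualCertificateClientCredentials creds) : base(creds)
        {
            this.creds = creds;
        }

        public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement requirement)
        {
            var sm = requirement as ServiceModelSecurityTokenRequirement;
            // ASSUMPTION: the transport-level request is the one tagged with the https
            // scheme and no SecurityBindingElement; log the requirement once in your
            // environment to confirm before relying on this discriminator.
            bool transportLevel = sm != null
                && requirement.TokenType == SecurityTokenTypes.X509Certificate
                && string.Equals(sm.TransportScheme, "https", StringComparison.OrdinalIgnoreCase)
                && sm.SecurityBindingElement == null;

            if (transportLevel && creds.TransportCertificate != null)
                return new X509SecurityTokenProvider(creds.TransportCertificate);

            // Everything else (including the message-level signing certificate) is
            // resolved by the stock manager from ClientCredentials.ClientCertificate.
            return base.CreateSecurityTokenProvider(requirement);
        }
    }
}

public static class DualCertificateSetup
{
    // Placeholder helper: same lookup the <clientCertificate> behaviour performs.
    static X509Certificate2 FindBySubject(string subject)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindBySubjectName, subject, validOnly: true);
            if (found.Count == 0)
                throw new InvalidOperationException("No valid certificate with subject " + subject);
            return found[0];
        }
        finally { store.Close(); }
    }

    // Call on a factory built from the customBinding in the post, before Open().
    public static void Configure(ChannelFactory factory)
    {
        var transportCert = FindBySubject("MyTransportCertSubject"); // placeholder subject
        var messageCert = FindBySubject("MyClientCertSubject");      // subject from the post

        // Two factors only if these really are two different keys, and both must sign.
        if (string.Equals(transportCert.Thumbprint, messageCert.Thumbprint, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Transport and message certificates are the same certificate");
        if (!transportCert.HasPrivateKey || !messageCert.HasPrivateKey)
            throw new InvalidOperationException("Both certificates need an accessible private key");

        var creds = new DualCertificateClientCredentials { TransportCertificate = transportCert };
        creds.ClientCertificate.Certificate = messageCert;

        // Replace the default ClientCredentials behaviour the factory added.
        factory.Endpoint.Behaviors.Remove<ClientCredentials>();
        factory.Endpoint.Behaviors.Add(creds);
    }
}
```

With this in place the `<clientCertificate>` behaviour element is no longer needed on the client, since both certificates are supplied in code. The discriminator in `CreateSecurityTokenProvider` is the fragile part: if a WCF version tags the requirements differently, the fallback is the base manager, which reproduces the single-certificate behaviour from the post rather than failing loudly, so verify once that the TLS handshake actually presents the transport certificate (for example from the server's `ServiceSecurityContext` or a network capture).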