Custom Text Message Encoder & Client Certificate in header RRS feed

  • Question

  • Hello,

    I have a unique requirement on WCF client I'm coding. Primarily the client authenticates itself by X509 Certificate. Our WCF client can connect to various services and I have a requirement that the client should be flexible and should provide the certificate on Transport and Message (SOAP) levels and let Service choose which one to pick up (as per the set up at their end) either - Message level OR Transport level.

    I have been successful so far with passing Certificate token over both transport and message levels, but i have a problem in a scenario where the service is configured to accept only Transport level client certificate, it fails with message -

     The header 'Security' from the namespace '' was not understood by the recipient of this message, causing the message to not be processed.  This error typically indicates that the sender of this message has enabled a communication protocol that the receiver cannot process.  Please ensure that the configuration of the client's binding is consistent with the service's binding.

    Now, when i inspected the request soap envelop i see "mustUnderstand=1" in security header, I tried to remove mustunderstand attribute using Custom Text Message Encoder (as suggested at here). 

    My client gets through with client certificate expected on Transport, but on client certificate at Soap level, I get following exception - 

    MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.

    Switching on the test service trace, I see "The signature verification failed" (which is obvious).

    Can someone please help me with removing mustunderstand (or setting it to "0") where security header has X509 token in it?

    My binding code looks like - 

    TransportSecurityBindingElement security = SecurityBindingElement.CreateCertificateOverTransportBindingElement();

                        CustomTextMessageBindingElement encoding = new CustomTextMessageBindingElement("utf-8", "text/xml", MessageVersion.Soap11);

                        HttpsTransportBindingElement transport = new HttpsTransportBindingElement()
                            RequireClientCertificate = true

                        CustomBinding binding = new CustomBinding(security, encoding, transport);

                        var endpointAddress = new EndpointAddress(address);                   

                        using (var client = new ProxyClient(binding, endpointAddress))


    client.ChannelFactory.Credentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, <subject name>);

    ---------- and call to the method-----------


    Many thanks and Regards,


    Friday, May 9, 2014 4:36 PM

All replies