Issues with consuming a 3rd Party WSDL file and authenticating with a 3rd party certificate and User Name Credentials RRS feed

  • Question

  • To anyone who can help,

    I'm having WCF .NET issues with using a combination of certificate and user name securities consuming a 3rd Party WSDL and credentials I was provided. The confusion is definitely with .NET WCF binding.

    Let me start off with that I used SOAPUI at first to test the WSDL file and the username and password with an empty SOAP message. To do this I pointed to the 3rd party WSDL file, and created the Outgoing WS-Security configurations with the username and password and Time Stamp.  I then created a New Request and added the WS-Configuration. I ran the Request in SOAPUI and everything is working fine and I am getting a response back.  Running Wireshark shows the Client and Server Hellos, the cert being passed back and forth, and the Application Data. All looks fine.

    I NOW need to replicate this communication in .NET!

    - I have installed the certificate in the both the Local System\Personal Store and the Local System\Trusted Root Stores.

    - I have granted access to the private keys to the certificate to my local domain account, Network Service, and IIS\app pool.

    - I added the Service Reference to the .Net Project

    - I then did the following:

    Dim store As New X509Store
        store = New X509Store(StoreName.Root, StoreLocation.LocalMachine)
        store.Open(OpenFlags.ReadOnly Or OpenFlags.OpenExistingOnly)

    Dim newCert As New X509Certificate2
        newCert = store.Certificates.Find(X509FindType.FindBySubjectName, "XXXXXXXXXX", False)(0)

    Dim identity = EndpointIdentity.CreateDnsIdentity("XXXXXXXX")
    Dim endpoint = New EndpointAddress(New Uri(https://), identity)
    Dim binding = New WSHttpBinding
        binding.Security.Mode = SecurityMode.TransportWithMessageCredential 'Transport --- NOT SURE WHICH ONE

        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate
        binding.UseDefaultWebProxy = True
        binding.BypassProxyOnLocal = False
        binding.Security.Message.NegotiateServiceCredential = True 'False
        binding.Security.Message.EstablishSecurityContext = False
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName

        'Dim svc As New SvcClient(GetCustomBinding(), endpoint)
        'Dim svc As New SvcClient(GetCustomBinding2(), endpoint)
         Dim svc As New SvcClient(binding, endpoint)

        'svc.Endpoint.Contract.ProtectionLevel = System.Net.Security.ProtectionLevel.None
         svc.ClientCredentials.UserName.UserName = "XXXX"
         svc.ClientCredentials.UserName.Password = "XXXX"

         svc.ClientCredentials.ClientCertificate.Certificate = newCert
         svc.ClientCredentials.ServiceCertificate.DefaultCertificate = newCert
        'svc.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust
         svc.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None
         svc.ClientCredentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.Offline

    - Now I tried using WSHttpBinding and doing the TransportWithMessageCredential, but then I get a " Error:  Could not establish secure channel for SSL/TLS with authority" and WIRESHARK shows a SSL Handshake Failure.

      If I change the WSHttpBinding to use "Transport", then I don't get the WIRESHARK "SSL Handshake failure", the Certificate looks like it works with a "Encrypted Handshake Message" I see "Application Data" sends, but then I get "Internal Error (from server)" .NET Error System.ServiceModel.FaultException.

    - SO, I then I decided to try and use different Custom BindingMethods. 

    - First, I tried using Asymetric Binding and Symetric Binding with  X509SecurityTokenParameters and UserNameSecurityTokenParameters for the UserName and Password. When I did custom Binding this way, WIRESHARK still shows the certificate being sent, but I then get System.ServiceModel.FaultException in .NET error with the Inner Message of "Internal Error"

    -Lastly I tried using

    Dim messageSecurity As TransportSecurityBindingElement = SecurityBindingElement.CreateUserNameOverTransportBindingElement()

       'Create supporting token parameters for the client X509certificate.
            Dim clientX509SupportingTokenParameters As New X509SecurityTokenParameters()
        ' Specify that the supporting token is passed in message send by the client to the service
            clientX509SupportingTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient
        ' Turn off derived keys
            clientX509SupportingTokenParameters.RequireDerivedKeys = False
        ' Augment the binding element to require the client's X509certificate as an endorsing token in the message
            messageSecurity.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Default
            messageSecurity.IncludeTimestamp = True
            messageSecurity.SecurityHeaderLayout = SecurityHeaderLayout.LaxTimestampLast

    This last binding method still passed the Cert successfully but the .NET Error is System.ServiceModel.Security.MessageSecurityException with the Inner Exception of "An unsecured or incorrectly secured fault was received from the other party"

    With all these attempts, I am missing something and I am totally unsure what is going on anymore.

    WCF Logging appears to have the whole envelope as needed with the Custom Binding attempts above, but I am still at a loss.


    Tuesday, February 28, 2017 3:36 PM

All replies

  • Hi D,

    What is your SvcClient?

    Is this 3<sup>rd</sup> party service WCF Service or ASMX service?

    For consuming WCF Service, we usually generate the client code by VS. Details like Right Click project->Add Service Reference->Enter the WSDL address->Go->OK.

    If there is only WCF WSDL file, you could try ServiceModel Metadata Utility Tool (Svcutil.exe) to generate client code and app.config.

    You could refer the link below for accessing the service.

    # Accessing the Service

    Best Regards,


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact

    Wednesday, March 1, 2017 2:32 AM