Two factor authentication



    Is it possible to use X509 certificates for two factor authentication? We need to use two DIFFERENT certificates for both transport and message level authentication. We can do it when only one (the same) certificate is used but not two different ones. The problem seems to be on the client side where we do not see how to specify which certificate should be used for transport and which for message level security. Is it possible in WCF at all?



    Friday, March 07, 2008 10:32 PM

All replies

  • Have you read this article?



    It seems to describe what you're after.


    If not - I apologise!




    Monday, March 10, 2008 4:06 PM
  • Not exactly. In my case I need my client application to "submit" two credentials one over transport and another over message. Both of them HAS to be X509 certificates but we need to use different certificates for that. The following configuration inforces that scenario:


    <binding name="x509">

    <security authenticationMode="CertificateOverTransport" requireSignatureConfirmation="false" requireDerivedKeys="false">


    <textMessageEncoding messageVersion="Soap11"/>

    <httpsTransport keepAliveEnabled="false" requireClientCertificate="true"/>



    "CertificateOverTransport" requires client to use X509 for message level security and requireClientCertificate="true" requires client to submit X509 client cert at the transport level. The problem is that we cannot find a way to provide two different certicates. If we specify cert in as a behaviour like this then the same cert is used for both transport and message level security.


    behavior name="echoServiceBehavior">


    <clientCertificate storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectName" findValue="MyClientCertSubject"/>


    Monday, March 10, 2008 4:51 PM