WCF error calling WS-Security web service: Cannot find a token authenticator for the X509SecurityToken

Question

I'm trying to connect with an external Java Web service with WS-Security enabled over https with a WCF client. The service use UserNameToken authentication.

When the client call the service, I get this exception:
Cannot find a token authenticator for the 'System.IdentityModel.Tokens.X509SecurityToken' token type. Tokens of that type cannot be accepted according to current security settings.

I use a custom binding with this configuration:

The endpoint:

<endpoint address="https://des-afirma.redsara.es/afirmaws/services/ValidarFirma"
          binding="customBinding" bindingConfiguration="ValidarFirmaBinding"
          contract="AFirma.Firma" name="ValidarFirma" />
</endpoint>

The binding:

<binding name="ValidarFirmaBinding">
    <textMessageEncoding messageVersion="Soap11" />
    <security  
        allowSerializedSigningTokenOnReply="true" 
        authenticationMode="UserNameOverTransport">
        <secureConversationBootstrap />
    </security>
    <httpsTransport>
        <extendedProtectionPolicy policyEnforcement="Never" />
    </httpsTransport>
</binding>

I read this link http://webservices20.blogspot.co.uk/2010/10/wcf-cannot-find-token-authenticator.html and I configured the allowSerializedSigningTokenOnReply value, but it failed.

This is the message generated by WCF:

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <soap:Header>
      <wsa:Action />
      <wsa:MessageID>urn:uuid:5b36bb8b-4a59-4c5f-9c67-065543db51d5</wsa:MessageID>
      <wsa:ReplyTo>
         <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
      </wsa:ReplyTo>
      <wsa:To>http://des-afirma.redsara.es/afirmaws/services/ValidarFirma</wsa:To>
      <wsse:Security soap:mustUnderstand="1">
         <wsu:Timestamp wsu:Id="Timestamp-cef53b94-4432-4ede-89ea-7a42b7a686d2">
            <wsu:Created>2012-11-13T13:49:32Z</wsu:Created>
            <wsu:Expires>2012-11-13T13:54:32Z</wsu:Expires>
         </wsu:Timestamp>
         <wsse:UsernameToken wsu:Id="SecurityToken-40deaa3d-fe02-4462-963e-7705e4648b24">
            <wsse:Username>UserName</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">[Password]</wsse:Password>
            <wsse:Nonce>G5CU1R6lKSTpBQ0FAF01rA==</wsse:Nonce>
            <wsu:Created>2012-11-13T13:49:32Z</wsu:Created>
         </wsse:UsernameToken>
      </wsse:Security>
   </soap:Header>
   <soap:Body>
      <ValidarFirma xmlns="http://afirmaws/services/ValidarFirma">
         <paramIn xmlns="">[Param value (XML String)]</paramIn>
      </ValidarFirma>
   </soap:Body>
</soap:Envelope>

And this is the response:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <wsse:Security soapenv:actor="http://schemas.xmlsoap.org/soap/actor/next" soapenv:mustUnderstand="0">
      <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="binaryToken">
        MIIG2TCCBcGgAwIBAgIISXHqSo0f+C0wDQYJKoZIhvcNAQEFBQAwUjERMA8GA1UEAxMIQUNDVi1D
        [...]
      </wsse:BinarySecurityToken>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Signature-BDFADICIJJIDI81">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" />
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <Reference URI="#SignedBody-BDFADICIJJIDI81">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>TFKLyv9zd1G7RXK4sJV+hG2WfqQ=</DigestValue>
          </Reference>
          <Reference URI="#keyInfo-BDFADICIJJIDI81">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>SWO3sIcC16EcT17pBREoGe3CVes=</DigestValue>
          </Reference>
          <Reference URI="#binaryToken">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>GT+8/UoUzQgUAhvc25bn+DL6T1E=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue Id="SignatureValue-BDFADICIJJIDI81">
          sTVgtvYlVuwhQ9XGcTfHh7lKdUcsf8vF6vyJ/5LVxuwarRDAjMzHcQlvFBlZTn8f
          [..]
        </SignatureValue>
        <KeyInfo Id="keyInfo-BDFADICIJJIDI81">
          <KeyValue>
            <RSAKeyValue>
              <Modulus>
                tCxb/yk9DgCJmdxshvm6RwQtRMHqTdI2nDzQ2C761KEGmAaz7jrv8PtVSoNMRVr9
                [...]
              </Modulus>
              <Exponent>AQAB</Exponent>
            </RSAKeyValue>
          </KeyValue>
          <X509Data>
            <X509Certificate>
              MIIG2TCCBcGgAwIBAgIISXHqSo0f+C0wDQYJKoZIhvcNAQEFBQAwUjERMA8GA1UE
              [...]
            </X509Certificate>
            <X509IssuerSerial>
              <X509IssuerName>Certificate name</X509IssuerName>
              <X509SerialNumber>Serial number</X509SerialNumber>
            </X509IssuerSerial>
          </X509Data>
          <wsse:SecurityTokenReference xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <wsse:Reference URI="#binaryToken" />
          </wsse:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="SignedBody-BDFADICIJJIDI81">
    <ValidarFirmaResponse xmlns="http://afirmaws/services/ValidarFirma">
      <ValidarFirmaReturn xmlns="" xsi:type="c0bxsd:string">
          [return value (XML String)]
      </ValidarFirmaReturn>
    </ValidarFirmaResponse>
  </soapenv:Body>
</soapenv:Envelope>

I tried the web service with WSE 3.0 and it works, but I can't install the package in the server because it is Windows Server 2008 and the installation failed.

Answer 1

Try to play with MessageSecurityVersion (for example WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11) and security tag. And look at soap envelop.