4

I'm trying to consume an IBM DataPower 3.7.1.x web service in WCF getting the following error message:

Cannot find a token authenticator for the 'System.IdentityModel.Tokens.X509SecurityToken' token type. Tokens of that type cannot be accepted according to current security settings.

The HTTP response is coming back as 200 and I can see the correct SOAP response while debugging it in Fiddler.

However, the WCF clients doesn't seem to know how to process the BinarySecurityToken element in the SOAP response.

Here is my WCF config:

  <bindings>
    <basicHttpBinding>
      <binding name="TestBinding">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>

  <behaviors>
    <endpointBehaviors>
      <behavior name="TestBehavior">
        <callbackDebug includeExceptionDetailInFaults="true" />
        <clientCredentials>
          <clientCertificate storeLocation="LocalMachine" 
                             storeName="My" 
                             x509FindType="FindBySubjectName" 
                             findValue="test-cert"  />
          <serviceCertificate>
            <authentication certificateValidationMode ="PeerOrChainTrust" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>

  <client>
     <endpoint  address="https://serviceURL"
                binding="basicHttpBinding"
                bindingConfiguration="TestBinding"
                behaviorConfiguration="TestBehavior"
                contract="ContraceGoesHere"
                name="ContraceNameGoesHere" />
  </client>

I've seen other people reporting similar problems both to Microsoft and IBM and there are some StackOverflow questions about it, however I haven't found a single solution that works.

Any help would be appreciated.

DdW
  • 890
  • 1
  • 18
  • 30
YONDERBOI
  • 103
  • 1
  • 5
  • After a lot of back and forth with Yaron Naveh I have finally made it work. In case someone is experiencing the same problem - contact Yaron or myself and we can guide you through the solution. – YONDERBOI Apr 01 '11 at 00:51

2 Answers2

3

please publish the soap that you send, the one which comes back and your config.

also try to add this attribute:

<security allowSerializedSigningTokenOnReply="true" />

(as described here)

Richard Ev
  • 52,939
  • 59
  • 191
  • 278
Yaron Naveh
  • 23,560
  • 32
  • 103
  • 158
  • Thanks for a quick reply. You rock! I have sent my config files and the snippets of the SOAP request/response to you by email. Trying to figure out how to transform the basicHttpBinding into a customBinding to set the allowSerializedSigningTokenOnReply based on your blog post. – YONDERBOI Mar 31 '11 at 19:00
2

How to convert from Binding to Custom Binding:

http://webservices20.cloudapp.net/default.aspx

Gonzalo Gallotti
  • 2,413
  • 3
  • 23
  • 28