WCF error: Cannot find a token authenticator

Question

i need to consume WCF service over SSL while the request needs to be sign with one certificate and the response needs to be validated with another certificate.

i get this error while executing the code:

Cannot find a token authenticator for the 'System.IdentityModel.Tokens.X509SecurityToken' token type. Tokens of that type cannot be accepted according to current security settings.

according to WCF tracing it fails while trying to validate the response signature, because i can see the response from the server.

here's my WCF service settings:

<system.serviceModel>
  <diagnostics>
    <messageLogging logEntireMessage="true" logKnownPii="true" logMalformedMessages="true"
      logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true" />
    <endToEndTracing propagateActivity="true" activityTracing="true"
      messageFlowTracing="true" />

  </diagnostics>
  <behaviors>
    <endpointBehaviors>
      <behavior name="CHClientCertificateBehavior">
        <clientCredentials supportInteractive="true">
          <clientCertificate findValue="clientcert" storeLocation="LocalMachine"
            storeName="My" x509FindType="FindBySubjectName" />
          <serviceCertificate>
            <defaultCertificate findValue="servercert" storeLocation="LocalMachine"
              storeName="My" x509FindType="FindBySubjectName" />
            <authentication certificateValidationMode="None" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>

  <bindings>
    <basicHttpBinding>
      <binding name="DPBasicHttpBindingWithSSL" closeTimeout="00:01:00"
        openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:02:00"
        allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
        maxBufferPoolSize="2097152" maxBufferSize="524288" maxReceivedMessageSize="524288"
        textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true"
        messageEncoding="Text">
        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
          maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        <security mode="TransportWithMessageCredential">
          <transport clientCredentialType="None" proxyCredentialType="None"
            realm="" />
          <message clientCredentialType="Certificate" algorithmSuite="Default" />
        </security>
      </binding>
      </basicHttpBinding>
    <customBinding>
      <binding name="DPCustomHttpBindingWithSSL">
        <security authenticationMode="CertificateOverTransport" allowSerializedSigningTokenOnReply="true"                       messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10" 
                  requireDerivedKeys="false" 
                  securityHeaderLayout="Lax" />
        <textMessageEncoding messageVersion="Soap11" />
        <httpsTransport maxBufferPoolSize="2097152" maxBufferSize="524288" maxReceivedMessageSize="524288" />
      </binding>

    </customBinding>
  </bindings>
    <client>
        <endpoint address="https://myserver/service.asmx"
            behaviorConfiguration="CHClientCertificateBehavior" binding="customBinding"
            bindingConfiguration="DPCustomHttpBindingWithSSL" contract="ServiceRef.smssoap"
            name="smsEndpoint">
            <identity>
                <certificateReference storeName="My" storeLocation="LocalMachine"
                    x509FindType="FindBySubjectName" findValue="myserver" />
            </identity>
        </endpoint>

    </client>
</system.serviceModel>

as you can see, i tried both basicHttpBinding and customBinding (converted with the online tool http://webservices20.cloudapp.net/default.aspx), i tried to set different variations of settings combinations but still get this error.

any idea? canceling response certificate signing validation is also an option, but how do i set it??

where are you calling this service from? win forms application? — Tanner, Feb 24 '14 at 11:57
"canceling response certificate signing validation is also an option"... Don't let Dominick Baier hear that! — mclark1129, Feb 24 '14 at 15:37
yes mike :) i don't like this solution also, but how do i do it? i tried but i keep getting the same error... — Guy Bertental, Feb 24 '14 at 15:38
I also have to ask, did you create your settings by copying and pasting them out of the WCF test client? — mclark1129, Feb 24 '14 at 18:21
no Mike, i wrote it my self using WCF configuration editor, IBM DataPower doesn't provide WSDL with endpoint security policy, it just returning me the original WSDL which the internal hosting server provides. — Guy Bertental, Feb 25 '14 at 07:03

score 3 · Answer 1 · answered Feb 24 '14 at 12:16

3

Try using the custom binding with the following configuration:

<security allowSerializedSigningTokenOnReply="true" />

answered Feb 24 '14 at 12:16

Eli Arbel

22,391
3
45
71

1

i saw this in another post, tried it but it didn't help... :( – Guy Bertental Feb 24 '14 at 15:37

score 1 · Answer 2 · edited May 23 '17 at 12:34

1

I had the same problem and posted a solution to it here (for those coming here looking for an answer):

WCF - Cannot find a token authenticator for X509SecurityToken

Based on the question, it appears to be the same solution:

Change authenticationMode="CertificateOverTransport" to authenticationMode="MutualCertificate"
Use MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
In the generated client, add ProtectionLevel = ProtectionLevel.Sign to the ServiceContractAttribute. This avoids having the body encrypted.

edited May 23 '17 at 12:34

Community

1
1

answered Jul 19 '16 at 12:59

Troels Larsen

4,462
2
34
54

@CodeCaster: This question is older than the linked one.. Should it still be marked as a duplicate? I can copy/paste the solution over, but that doesn't seem to make sense. – Troels Larsen Jul 19 '16 at 13:10
The other one seems to have better answers than this one. I'll close this one. – CodeCaster Jul 19 '16 at 13:11

score -3 · Accepted Answer · answered Mar 10 '14 at 08:56

SOLVED!

<system.serviceModel>

  <behaviors>
    <endpointBehaviors>

      <behavior name="DPSSLXDIG">
        <clientCredentials supportInteractive="false">
          <clientCertificate findValue="clientcert" storeLocation="LocalMachine" x509FindType="FindBySubjectName" />
          <serviceCertificate>
            <defaultCertificate findValue="servercert" storeName="TrustedPeople" storeLocation="LocalMachine" x509FindType="FindBySubjectName" />
            <authentication certificateValidationMode="None" revocationMode="NoCheck" />
          </serviceCertificate>
          <windows allowNtlm="false" allowedImpersonationLevel="None" />
          <httpDigest impersonationLevel="None" />
          <peer>
            <peerAuthentication revocationMode="NoCheck" />
          </peer>
        </clientCredentials>
      </behavior>

    </endpointBehaviors>
  </behaviors>

  <bindings>

    <customBinding>

      <binding name="DPSSLXDIG">
        <textMessageEncoding messageVersion="Soap11WSAddressingAugust2004" />
        <security allowSerializedSigningTokenOnReply="true" authenticationMode="MutualCertificateDuplex"
            requireDerivedKeys="false" securityHeaderLayout="Lax" messageProtectionOrder="SignBeforeEncrypt"
            messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
            requireSecurityContextCancellation="false">
          <secureConversationBootstrap />
        </security>
        <httpsTransport authenticationScheme="Anonymous" requireClientCertificate="true" />
      </binding>

    </customBinding>

  </bindings>
    <client>

      <endpoint address="https://myserver/webservice.asmx"
           behaviorConfiguration="DPSSLXDIG" binding="customBinding"
           bindingConfiguration="DPSSLXDIG" contract="serviceRef.smssoap"
           name="smsEndpoint">
        <identity>
          <dns value="servercert" />
        </identity>

      </endpoint>

    </client>
</system.serviceModel>

Exactly, what solved it?! – Travis Spencer Nov 20 '14 at 14:56 — Travis Spencer, Nov 20 '14 at 14:56
just use this configuration – Guy Bertental Dec 29 '14 at 11:41 — Guy Bertental, Dec 29 '14 at 11:41

WCF error: Cannot find a token authenticator

here's my WCF service settings:

3 Answers3

Linked