WCF: The incoming message was signed with a token which was different from what used to encrypt the body. This was not expected

Question

I'm getting the following error:

The incoming message was signed with a token which was different from what used to encrypt the body. This was not expected.

I know this question has been asked before I have tried everything they asked. Not sure what else I need to do.

I'm thinking it has to do something with my app.config file:

<system.serviceModel>

        <diagnostics>
          <messageLogging
               logEntireMessage="true"
               logMalformedMessages="false"
               logMessagesAtServiceLevel="true"
               logMessagesAtTransportLevel="false"
               maxMessagesToLog="3000"
               maxSizeOfMessageToLog="2000"/>
        </diagnostics>
        <client>
          <endpoint address="https://xxxxxx/ESARWS/CORETransactionService"
            behaviorConfiguration="endpointCredentialBehavior" binding="customBinding"
            bindingConfiguration="esar" contract="ESAR.CORETransaction"
            name="CoreSoapPort">
            <identity>
              <dns value="xxxxx" />
            </identity>
          </endpoint>
        </client>
       <behaviors>
         <endpointBehaviors>  
            <behavior name="endpointCredentialBehavior">

              <clientCredentials>  
                <clientCertificate findValue="xxxxx"
                                   storeLocation="CurrentUser"
                                   storeName="My"
                                   x509FindType="FindBySubjectName"/>

               <serviceCertificate>
                 <authentication certificateValidationMode="ChainTrust"/>
                  <defaultCertificate findValue="xxxxxxxxx"
                                   storeLocation="CurrentUser"
                                   storeName="AddressBook"
                                   x509FindType="FindBySubjectName" />   
               </serviceCertificate>
              </clientCredentials>  
            </behavior>  
         </endpointBehaviors>  
      </behaviors>
        <bindings>


          <customBinding>
            <binding name="esar" closeTimeout="00:01:00" openTimeout="00:01:00"
        receiveTimeout="00:10:00" sendTimeout="00:10:00">

              <security 
                  defaultAlgorithmSuite="Basic128" 
                  authenticationMode="MutualCertificate" 

                   requireSecurityContextCancellation="false" 
                  allowSerializedSigningTokenOnReply="true" 
                  enableUnsecuredResponse="true" 
                  allowInsecureTransport="false"
                  requireDerivedKeys="false" 
                  includeTimestamp="false" 
                  securityHeaderLayout="Strict"
                   messageProtectionOrder="SignBeforeEncrypt"
                  messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
                <secureConversationBootstrap />
                <localClientSettings detectReplays="false"/>
              </security>

              <!--<mtomMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16" 
                messageVersion="Soap12" writeEncoding="utf-8" maxBufferSize="2147483647">
               <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                  maxBytesPerRead="4096" maxNameTableCharCount="16384" />
              </mtomMessageEncoding>-->

              <!--<mixedMessageEncoding  messageVersion="Soap12"/>-->

              <swaMessageEncoding innerMessageEncoding="textMessageEncoding" />
              <httpsTransport />
            </binding>
          </customBinding>
        </bindings>

       <extensions>
         <bindingElementExtensions>
            <!--<add name="mixedMessageEncoding" type="CustomEncoderProject.MyNewEncodingBindingExtensionElement, CustomEncoderProject"/>-->
         <add name="swaMessageEncoding"
                 type="Microsoft.Austria.WcfHelpers.SoapWithAttachments.SwaMessageEncodingElement, Microsoft.Austria.WcfHelpers.SoapWithAttachments" />
          </bindingElementExtensions>
       </extensions>

    </system.serviceModel> 

Answer 1

You can try using a custom token authenticator. If you check the response, maybe you will be a cert in the BinarySecurityToken (#Base64Binary format). This isn't the ssl cert. It's the sign cert. Then, you can use it as your service certificate on credentials.

So, follow this: https://learn.microsoft.com/en-us/dotnet/framework/wcf/extending/how-to-create-a-custom-security-token-authenticator and then customize this so:

Public Overrides Function CreateSecurityTokenProvider(ByVal p_oRequirement As SecurityTokenRequirement) As SecurityTokenProvider

Dim oRes As SecurityTokenProvider = Nothing
If p_oRequirement.TokenType = SecurityTokenTypes.X509Certificate Then
    Dim direction = p_oRequirement.GetProperty(Of MessageDirection)(ServiceModelSecurityTokenRequirement.MessageDirectionProperty)
    If direction = MessageDirection.Output Then
        If p_oRequirement.KeyUsage = SecurityKeyUsage.Signature Then
            oRes = New X509SecurityTokenProvider(Me._oCredenciales.ClientCertificate.Certificate)
        Else
            oRes = New X509SecurityTokenProvider(Me._oCredenciales.ServiceCertificate.DefaultCertificate())
        End If
    End If
Else
    oRes = MyBase.CreateSecurityTokenProvider(p_oRequirement)
End If

Return oRes 

End Function

I think this will help you.

Answer 2

If server side developed in java, there are difference about implementation for C#.

I prefer try service with SAOP UI and check success request / response. Then log C# traffic with tool (for example fiddler) and check differences. Generally C# send certificate in different format then java.