Not Solved - still looking for a solution.
I am making a WCF call passing in a SAML Token:
Using SAML token with Web Service (wsdl)
using System;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;

private static string serviceEndpoint = "https service endpoint";

public static void CallProviderService(SecurityToken token)
{
    // HTTPS on the transport, issued SAML (bearer) token inside the SOAP message.
    var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
    binding.Security.Message.EstablishSecurityContext = false;
    binding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;

    var channelFactory = new ChannelFactory<ISomeProviderService>(binding, new EndpointAddress(new Uri(serviceEndpoint)));

    // TLS client certificate, looked up by thumbprint in CurrentUser\My.
    string thumb = "mycertthumbprint";
    channelFactory.Credentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, thumb);
    channelFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust;
    channelFactory.ConfigureChannelFactory();   // WIF 4.5 extension method (System.IdentityModel)
    channelFactory.Credentials.SupportInteractive = false;

    // Rebuild the factory's binding so unsecured responses are accepted.
    var elements = channelFactory.Endpoint.Binding.CreateBindingElements();
    elements.Find<SecurityBindingElement>().EnableUnsecuredResponse = true;
    channelFactory.Endpoint.Binding = new CustomBinding(elements);

    var channel = channelFactory.CreateChannelWithIssuedToken<ISomeProviderService>(token);
    try
    {
        var response = channel.MyServiceMethod(somedataobject); // request payload not shown in the post
    }
    catch (Exception ex)
    {
        //log message
    }
}
When I had Fiddler running the call worked fine and returned me data.
With Fiddler off, I get a 400 Bad Request error in my catch block.
My doubt is that the certificate isn't being passed when Fiddler is off.
Any idea?
Note: I have a .wsdl which I used to create proxy classes using Visual Studio ->Add Service Reference.
Question: How can I check if my installed certificate is used while making this https service call?
Updated: Here are the Req/Response from Fiddler:
Tunnel Request:
Tunnel Response:
Protocol Exception details:
From Client after Server Certificate Request:
Update 12/8/2014: I think I have got a one-time success using the binding in this link: WCF custom binding that will support HTTPS, a signed certificate and a signed username token
I will update more, as I don't know much about what that is doing.
Checking the cert.
There are potentially two client certificates: the one used on the TLS session and the one used in the SAML Token/SOAP message. Typically they are the same cert, but added by different parts of the code.
Fiddler only knows about the TLS cert. If you had to add the TLS client cert to Fiddler, then it could be this indeed. The test is simple: remove it from the Fiddler directory. If it stops working...
If you want to see the TLS client cert then you could make a trace with your favorite network trace tool (NetMon, MessageAnalyser, Wireshark, whatever). Put it on the outgoing network adapter and take a look at the difference in the TLS messages. You probably have to give the private key to the trace tool, because the client certificate is exchanged when it is already encrypted...
Another option is to use the Schannel built-in trace, but I haven't had time to figure out how that one works, because the network trace was always possible in my test environments.
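Besides a network trace, the TLS half of the question ("is my installed certificate actually offered on this HTTPS call?") can be checked in-process. The following is an added diagnostic, not code from the question or the answer: it looks up the same certificate the WCF code uses (CurrentUser\My, by thumbprint), opens a raw TLS session to the service host with SslStream, and reports whether the handshake ended up mutually authenticated. The host name and thumbprint are placeholders you substitute.

```csharp
using System;
using System.Linq;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

public static class ClientCertCheck
{
    // host: DNS name of the service endpoint; thumbprint: as shown in certmgr.msc (placeholders).
    public static void Run(string host, string thumbprint)
    {
        // Thumbprints pasted from certmgr.msc often carry spaces or a hidden
        // leading character; keep hex digits only so FindByThumbprint can match.
        string thumb = new string(thumbprint.Where(c => Uri.IsHexDigit(c)).ToArray()).ToUpperInvariant();

        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection found = store.Certificates.Find(X509FindType.FindByThumbprint, thumb, validOnly: false);
        store.Close();

        if (found.Count == 0)
        {
            Console.WriteLine("No certificate with thumbprint {0} in CurrentUser\\My", thumb);
            return;
        }
        X509Certificate2 cert = found[0];
        // Without an accessible private key the cert cannot be used for client auth at all.
        Console.WriteLine("Found {0}; HasPrivateKey={1}; NotAfter={2:u}", cert.Subject, cert.HasPrivateKey, cert.NotAfter);

        using (var tcp = new TcpClient(host, 443))
        using (var ssl = new SslStream(tcp.GetStream(), false,
            // Server certificate validation: accept only a clean chain result.
            (sender, serverCert, chain, errors) => errors == SslPolicyErrors.None,
            // Client certificate selection: called by the handshake to pick the cert to offer.
            (sender, targetHost, localCerts, remoteCert, acceptableIssuers) =>
            {
                int issuers = acceptableIssuers == null ? 0 : acceptableIssuers.Length;
                Console.WriteLine("Client certificate selection invoked; acceptable issuers listed: {0}", issuers);
                return localCerts.Count > 0 ? localCerts[0] : null;
            }))
        {
            ssl.AuthenticateAsClient(host, new X509CertificateCollection { cert }, SslProtocols.Tls12, checkCertificateRevocation: false);
            Console.WriteLine("TLS established. IsMutuallyAuthenticated={0}", ssl.IsMutuallyAuthenticated);
            Console.WriteLine("Client certificate presented: {0}", ssl.LocalCertificate != null ? ssl.LocalCertificate.Subject : "(none)");
        }
    }
}
```

IsMutuallyAuthenticated is only true when the server requested a client certificate during this handshake and the offered certificate was accepted; a server that negotiates the client certificate later, on a renegotiation after the HTTP request, will still show false here, which is where the network trace described above remains the tool of choice.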