WCF client with SmartCard certification works on Win7, but not on XP

Question

Here is the brief summary: I have a WCF client (.NET 4.0) that behaves well on windows 7 (64 bit), but fails on XP (32 bit). Since I have a lot of XP customers, this is a huge problem.

• client is generated from the wsdl file supplied by a service provider.
• service is SOAP 1.2 over SSL, with MTOM
• client certificates are on Smart Card (ActivIdentity)

Here is the code:

        ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
        //System.Net.ServicePointManager.SecurityProtocol =System.Net.SecurityProtocolType.Tls;//.Ssl3;

        EndpointAddress addr = new EndpointAddress(g2bservice);
        B2GServiceClient client = new B2GServiceClient(NCTSBinding.Create(), addr);

        client.ClientCredentials.ClientCertificate.Certificate = ccer;  // one that is on SmartCard
        client.Endpoint.Behaviors.Add(new MyCustomBehavior());

        echo e = new echo();
        e.Msg = "Hello, World!";

        echoResponse r = client.echo(e);

and this binding is created like this:

        BindingElement[] be = new BindingElement[2];
        be[0] = new NCTSMessageEncodingBindingElement();
        HttpsTransportBindingElement hbe = new HttpsTransportBindingElement();
        hbe.RequireClientCertificate = true;
        be[1] = hbe;
        CustomBinding _b = new CustomBinding(be);
        return _b;

where NCTSMessageEncodingBinding is more-less the same as MtomMessageEncodingBinding with overriden IsContentTypeSupported(...).

So, this code works on Win7, with dialog asking for PIN to get "private parts" from smart card. On XP, dialog for entering PIN is never issued, there is an error message instead:

"An error occurred while making the HTTP request to https://cistest.apis-it.hr:8446/g2bservis. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server."

Any clues, please? What are the differences in the supporting infrastructure between XP and Win7?

Little update: please note bolded lines that differ in working and non working trace log. For some reason, on the windows 7 machine initial message contains service name (cistest.apis-it.hr) in the message, whilst on XP this info is missing. After this message, socket on XP is closed...

Windows 7, working example (same code):
System.Net Information: 0 : [3748] SecureChannel#23960260 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [3748] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential)
System.Net Information: 0 : [3748] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = cistest.apis-it.hr, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [3748] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=122, returned code=ContinueNeeded).
System.Net.Sockets Verbose: 0 : [3748] Socket#46340781::Send()
System.Net.Sockets Verbose: 0 : [3748] Data from Socket#46340781::Send
System.Net.Sockets Verbose: 0 : [3748] 00000000 : 16 03 01 00 75 01 00 00-71 03 01 4E 67 4E 6A 26 : ....u...q..NgNj&
System.Net.Sockets Verbose: 0 : [3748] 00000010 : C6 C9 65 17 D7 EC C1 A1-15 72 E1 56 80 F4 5A BB : ..e......r.V..Z.
System.Net.Sockets Verbose: 0 : [3748] 00000020 : A8 4C 50 54 84 D4 3E 86-29 68 CA 00 00 18 00 2F : .LPT..>.)h...../
System.Net.Sockets Verbose: 0 : [3748] 00000030 : 00 35 00 05 00 0A C0 13-C0 14 C0 09 C0 0A 00 32 : .5.............2
System.Net.Sockets Verbose: 0 : [3748] 00000040 : 00 38 00 13 00 04 01 00-00 30 FF 01 00 01 00 00 : .8.......0......
System.Net.Sockets Verbose: 0 : [3748] 00000050 : 00 00 17 00 15 00 00 12-63 69 73 74 65 73 74 2E : ........cistest.
System.Net.Sockets Verbose: 0 : [3748] 00000060 : 61 70 69 73 2D 69 74 2E-68 72 00 0A 00 06 00 04 : apis-it.hr......
System.Net.Sockets Verbose: 0 : [3748] 00000070 : 00 17 00 18 00 0B 00 02-01 00                   : ..........
System.Net.Sockets Verbose: 0 : [3748] Exiting Socket#46340781::Send()  -> 122#122

XP, not working example (same code):
System.Net Information: 0 : [2272] SecureChannel#7307181 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [2272] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential)
System.Net Information: 0 : [2272] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = cistest.apis-it.hr, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [2272] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=77, returned code=ContinueNeeded).
System.Net.Sockets Verbose: 0 : [2272] Socket#32308990::Send()
System.Net.Sockets Verbose: 0 : [2272] Data from Socket#32308990::Send
System.Net.Sockets Verbose: 0 : [2272] 00000000 : 16 03 01 00 48 01 00 00-44 03 01 4E 67 4E 1E C1 : ....H...D..NgN..
System.Net.Sockets Verbose: 0 : [2272] 00000010 : 32 BD E0 57 87 A8 68 8B-32 77 00 18 DE 3F 69 3D : 2..W..h.2w...?i=
System.Net.Sockets Verbose: 0 : [2272] 00000020 : D7 B1 7B 76 AD 26 A6 63-6B BB 49 00 00 16 00 04 : ..{v.&.ck.I.....
System.Net.Sockets Verbose: 0 : [2272] 00000030 : 00 05 00 0A 00 09 00 64-00 62 00 03 00 06 00 13 : .......d.b......
System.Net.Sockets Verbose: 0 : [2272] 00000040 : 00 12 00 63 01 00 00 05-FF 01 00 01 00          : ...c.........
System.Net.Sockets Verbose: 0 : [2272] Exiting Socket#32308990::Send()  -> 77#77
System.Net.Sockets Verbose: 0 : [2272] Socket#32308990::Receive()
System.Net.Sockets Verbose: 0 : [2272] Data from Socket#32308990::Receive
System.Net.Sockets Verbose: 0 : [2272] 00000000 : 15 03 01 00 02                                  : .....
...
System.Net.Sockets Verbose: 0 : [2272] Exiting Socket#32308990::Receive()   -> 5#5
System.Net.Sockets Verbose: 0 : [2272] Socket#32308990::Receive()
System.Net.Sockets Verbose: 0 : [2272] Data from Socket#32308990::Receive
System.Net.Sockets Verbose: 0 : [2272] 00000005 : 02 28                                           : .(
System.Net.Sockets Verbose: 0 : [2272] Exiting Socket#32308990::Receive()   -> 2#2
System.Net.Sockets Verbose: 0 : [2272] Socket#32308990::Receive()
System.Net.Sockets Verbose: 0 : [2272] Data from Socket#32308990::Receive
System.Net.Sockets Verbose: 0 : [2272] 00000007 :                                                 : 
System.Net.Sockets Verbose: 0 : [2272] Exiting Socket#32308990::Receive()   -> 0#0
System.Net.Sockets Verbose: 0 : [2272] Socket#32308990::Dispose()

Answer 1

Well, after a month or so trying to solve this issue, the conclusion is that THIS ISSUE CANNOT BE SOLVED. At least it cannot be solved with native .NET and OS support. Windows XP is apparently too old for the Microsoft to support AES 256 bit encryption, SHA 256 bit signing with RSA for key exchange. There are 40% of users in the world still using XP, so this decision is really strange.

Such support is added into Windows server 2003 (I've tried to add schannel.dll and rsaenh.dll from 2003 to XP, some progress but far from ideal).

Official premium tech support answer was: "Currently the situation looks not promising, there was in the past a request from another customer to have an XP version of KB article 948963, however this request was rejected by our Product group. These security features were introduced in Vista and the 6-7 years difference between the two platforms make it hard to make that change to XP."

So, for the SOAP and WebServices, I would NOT recommend .NET, at least not for enterprise services where you don't control both sides.

Sigh!