I'm getting the following error in my web application when it tries to authenticate to my service which uses IssuedTokenForCertificate authentication:
"ID3242: The security token could not be authenticated or authorized"
Here's the service configuration which specifies my Geneva STS as the token issuer:
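<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.serviceModel>
    <services>
      <!-- Service host. The application endpoint uses the federated custom binding
           defined below; metadata is published on a separate net.tcp port. -->
      <service name="MathService.MathService"
               behaviorConfiguration="ServiceBehavior">
        <host>
          <baseAddresses>
            <add baseAddress="net.tcp://localhost:50000"/>
          </baseAddresses>
        </host>
        <endpoint name="MathService"
                  address="MathService.svc"
                  binding="customBinding"
                  bindingConfiguration="FederationTcpIssuedTokenForCertificateBinding"
                  contract="MathService.IMathService"/>
        <!-- Metadata endpoint (the original paste had a line of the proxy code
             spliced into this tag; restored). mexTcpBinding carries no security,
             so the published policy, including the issuer address and certificate
             details, is readable by anyone who can reach port 50001. Fine for a
             localhost development setup; review before exposing it more widely. -->
        <endpoint address="net.tcp://localhost:50001/mex"
                  binding="mexTcpBinding"
                  contract="IMetadataExchange"/>
      </service>
    </services>
    <extensions>
      <behaviorExtensions>
        <!-- Registers the Geneva (Microsoft.IdentityModel 0.6.1.0) service host
             behavior. NOTE(review): "ServiceBehavior" below never references
             federatedServiceHostConfiguration, so as shown the extension is
             registered but not applied to this host; confirm whether the Geneva
             token handlers are expected to validate the issued token here. -->
        <add name="federatedServiceHostConfiguration" type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
      </behaviorExtensions>
    </extensions>
    <behaviors>
      <serviceBehaviors>
        <behavior name="ServiceBehavior">
          <serviceCredentials>
            <!-- Service certificate, located by subject name in LocalMachine\My.
                 A subject-name lookup matches every certificate carrying that CN
                 (renewed or test copies included); x509FindType="FindByThumbprint"
                 selects exactly one. -->
            <serviceCertificate findValue="CN={...}"
                                storeLocation="LocalMachine"
                                storeName="My"/>
          </serviceCredentials>
          <serviceMetadata/>
          <!-- Returns server-side exception details to callers. Helpful while this
               failure is being diagnosed; set it to false before deployment so
               internal error text is not disclosed to clients. -->
          <serviceDebug includeExceptionDetailInFaults="True"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <bindings>
      <customBinding>
        <!-- Child order inside a customBinding is significant: security, then
             encoding, then transport. -->
        <binding name="FederationTcpIssuedTokenForCertificateBinding">
          <!-- Outer layer: a secure conversation established via the bootstrap
               below. messageSecurityVersion is not set on this layer, so the
               runtime default applies; the web client's outer layer states the
               February2005 version explicitly. Confirm both sides resolve to the
               same version, since a mismatch would likely fail the handshake
               before any token is evaluated. -->
          <security authenticationMode="SecureConversation"
                    requireSecurityContextCancellation="true">
            <!-- Bootstrap: as the mode name indicates, the caller authenticates
                 with a token issued by the STS and the service authenticates with
                 the serviceCertificate above. -->
            <secureConversationBootstrap authenticationMode="IssuedTokenForCertificate"
                                         messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
              <!-- Requested token: SAML 1.1 with a symmetric proof key. -->
              <issuedTokenParameters keyType="SymmetricKey"
                                     tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
                <!-- Token issuer. bindingConfiguration="STS" is referenced, but no
                     ws2007HttpBinding named STS appears in this file; it must be
                     defined elsewhere (the config may be trimmed) or the reference
                     cannot be resolved. The issuer address is plain http, so the
                     STS exchange depends entirely on message-level security (the
                     client's STS binding uses mode="Message"). -->
                <issuer address="http://{...}/Trust/13/Certificate"
                        binding="ws2007HttpBinding"
                        bindingConfiguration="STS">
                  <identity>
                    <!-- Expected STS certificate, again by subject name; see the
                         thumbprint remark on serviceCertificate. -->
                    <certificateReference findValue="CN={...}"
                                          storeLocation="LocalMachine"
                                          storeName="My"/>
                  </identity>
                </issuer>
                <!-- Both claims are optional, so a token lacking them is still
                     acceptable at this layer. -->
                <claimTypeRequirements>
                  <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="true" />
                  <add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" isOptional="true" />
                </claimTypeRequirements>
                <issuerMetadata address="{...}"/>
              </issuedTokenParameters>
            </secureConversationBootstrap>
          </security>
          <binaryMessageEncoding/>
          <tcpTransport />
        </binding>
      </customBinding>
    </bindings>
  </system.serviceModel>
</configuration>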
Here's the web client config:
<system.serviceModel>
<!-- Web client configuration. The customBinding mirrors the service binding with
     every setting spelled out, as metadata-generated client config typically is. -->
<bindings>
<customBinding>
<!-- Child order is significant: security, then encoding, then transport. -->
<binding name="MathService">
<!-- Outer secure-conversation layer. NOTE(review): this layer names the
     February2005 WS-Trust / WS-SecureConversation version, while the bootstrap
     below and the service binding use the WS-Trust 1.3 version string; the
     service's outer layer leaves the version unset. Confirm both sides resolve
     to the same value, otherwise the handshake cannot complete. -->
<security defaultAlgorithmSuite="Default" authenticationMode="SecureConversation"
requireDerivedKeys="true" securityHeaderLayout="Strict" includeTimestamp="true"
keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
requireSecurityContextCancellation="true" requireSignatureConfirmation="false">
<!-- Client-side session settings for the outer layer: cookie caching, replay
     detection, clock skew and key renewal intervals. -->
<localClientSettings cacheCookies="true" detectReplays="true"
replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite"
replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
<!-- localServiceSettings describe the service side of a secure session; in a
     client config they are presumably inert and only echo the published policy. -->
<localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00"
sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true" maxPendingSessions="128" maxCachedCookies="1000"
timestampValidityDuration="00:05:00" />
<!-- Bootstrap: obtain a SAML 1.1 symmetric-key token from the STS and present it
     to MathService. NOTE(review): requireSignatureConfirmation="true" here,
     whereas the service's secureConversationBootstrap does not set it; verify the
     two sides agree. -->
<secureConversationBootstrap defaultAlgorithmSuite="Default"
authenticationMode="IssuedTokenForCertificate" requireDerivedKeys="true"
securityHeaderLayout="Strict" includeTimestamp="true" keyEntropyMode="CombinedEntropy"
messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
requireSignatureConfirmation="true">
<issuedTokenParameters keyType="SymmetricKey" tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
<!-- Extra content for the token request sent to the STS: token type, key type
     and the requested claims (both optional), mirroring the service's
     claimTypeRequirements. -->
<additionalRequestParameters>
<trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<trust:TokenType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</trust:TokenType>
<trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
<trust:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"
xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<wsid:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
Optional="true" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity">
</wsid:ClaimType>
<wsid:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
Optional="true" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity">
</wsid:ClaimType>
</trust:Claims>
</trust:SecondaryParameters>
</additionalRequestParameters>
<!-- STS endpoint, reached over plain http with message-level security (see the
     "STS" binding below). The identity certificate (base64-encoded) pins the
     STS certificate this client expects; the certificate set in code with
     SetScopedCertificate for the same URI must be the same one. -->
<issuer address="http://{...}/Trust/13/Certificate"
binding="ws2007HttpBinding"
bindingConfiguration="STS">
<identity>
<certificate encodedValue="{...}"/>
</identity>
</issuer>
<issuerMetadata address="https://{...}/Trust/Mex" />
<!-- Session settings repeated for the bootstrap layer, same values as above. -->
<localClientSettings cacheCookies="true" detectReplays="true"
replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite"
replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
<localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00"
sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true" maxPendingSessions="128" maxCachedCookies="1000"
timestampValidityDuration="00:05:00" />
</secureConversationBootstrap>
</security>
<!-- Encoder and transport settings: reader quotas, buffer sizes, timeouts and the
     outbound connection pool for the net.tcp channel. -->
<binaryMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
maxSessionSize="2048">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
</binaryMessageEncoding>
<tcpTransport manualAddressing="false" maxBufferPoolSize="524288"
maxReceivedMessageSize="65536" connectionBufferSize="8192" hostNameComparisonMode="StrongWildcard"
channelInitializationTimeout="00:00:05" maxBufferSize="65536"
maxPendingConnections="10" maxOutputDelay="00:00:00.2000000"
maxPendingAccepts="1" transferMode="Buffered" listenBacklog="10"
portSharingEnabled="false" teredoEnabled="false">
<connectionPoolSettings groupName="default" leaseTimeout="00:05:00"
idleTimeout="00:02:00" maxOutboundConnectionsPerEndpoint="10" />
</tcpTransport>
</binding>
</customBinding>
<ws2007HttpBinding>
<!-- Binding used to talk to the STS. -->
<binding name="STS" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<!-- Message security with a client certificate (the one set through
     ClientCredentials.ClientCertificate in the proxy code). Because
     negotiateServiceCredential="false", the STS certificate is not obtained
     from the STS at runtime and must be supplied up front, which is what
     SetScopedCertificate does; establishSecurityContext="false" means no
     session is set up with the STS for the token request. Whether the STS
     accepts the client certificate depends on the STS's own validation
     settings, which are not shown here. -->
<security mode="Message">
<message clientCredentialType="Certificate"
negotiateServiceCredential="false"
algorithmSuite="Default"
establishSecurityContext="false"/>
</security>
</binding>
</ws2007HttpBinding>
</bindings>
<client>
<!-- Application endpoint. The identity certificate pins the service certificate
     the client expects; compare with SetDefaultCertificate in the proxy code,
     which locates the same certificate by subject name. -->
<endpoint address="net.tcp://localhost:50000/MathService.svc"
binding="customBinding"
bindingConfiguration="MathService"
contract="MathService.IMathService"
name="MathService">
<identity>
<certificate encodedValue="{...}"/>
</identity>
</endpoint>
</client>
</system.serviceModel>
Here's the web client code that sets up the service proxy:
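// Client certificate presented to the STS (the "STS" binding uses
// clientCredentialType="Certificate"); selected by thumbprint so exactly one
// certificate can match. (The first half of this statement had been spliced
// into the service config's mex endpoint in the original paste; restored.)
serviceProxy.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "{...}");
// Certificate expected from the MathService endpoint, located by subject name.
// NOTE(review): a subject-name lookup is ambiguous when the store holds more
// than one certificate with that CN (a renewed copy, or the STS certificate if
// it shares the name); the thumbprint overload avoids that.
serviceProxy.ClientCredentials.ServiceCertificate.SetDefaultCertificate("CN={...}", StoreLocation.LocalMachine, StoreName.My);
// STS certificate, scoped to the issuer URI. Needed because the "STS" binding
// sets negotiateServiceCredential="false"; it must be the same certificate as
// the encodedValue in the issuer identity of the client config.
serviceProxy.ClientCredentials.ServiceCertificate.SetScopedCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "{...}", new Uri("http://{...}/Trust/13/Certificate"));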
Please let me know if anyone has an idea of how to determine why authentication is failing. I have Geneva STS tracing on verbose, but it's not giving me any messages about why the certificate isn't being authenticated. Also, the AD PDC's Windows security log doesn't show any audit failures.
Thanks in advance.