Recently I had to consume a web service that uses WS-Security. The web service is written in Java and I was using a .NET client (WCF). The service configuration uses not only a username/password token but also X.509 certificates on both the client and the server. Messages are signed and encrypted using asymmetric mechanisms.
None of the existing WCF bindings with message security (WSHttpBinding and WS2007HttpBinding) support this scenario by default, mostly because they use hybrid mechanisms, with symmetric “session” keys.
I had to dig into custom bindings, binding elements, initiator and recipient tokens, message protection order and so on. Confused? So was I. This rather old MSDN post helped me a lot! I’ll try to detail the scenario and the solution in another post.