Getting a token from ACS using client certificate credentials over WCF is a well-supported scenario.
There is an ACS sample that does WCF client certificate auth available here; look for Acs2CertificateBindingSample. Points of interest are how to create the binding that obtains a token from ACS:

    public static Binding CreateServiceBinding(string acsCertificateEndpoint)
    {
        return new IssuedTokenWSTrustBinding(CreateAcsCertificateBinding(), new EndpointAddress(acsCertificateEndpoint));
    }

    public static Binding CreateAcsCertificateBinding()
    {
        return new CertificateWSTrustBinding(SecurityMode.TransportWithMessageCredential);
    }

And how to create the channel factory using this binding, and how to specify your client certificate credential:

    ChannelFactory<IStringService> stringServiceFactory = new ChannelFactory<IStringService>(
        Bindings.CreateServiceBinding(acsCertificateEndpoint), serviceEndpointAddress);

    // Set the service credentials and disable certificate validation to work with sample certificates
    stringServiceFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
    stringServiceFactory.Credentials.ServiceCertificate.DefaultCertificate = GetServiceCertificate();

    // Set the client credentials.
    stringServiceFactory.Credentials.ClientCertificate.Certificate = GetClientCertificateWithPrivateKey();

The sample is not using service bus, just a simple "IStringService" interface, but if you incorporate your NetTcpRelayBinding into the binding composition, the same mechanisms should be applicable to your scenario.
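
The channel factory setup above sets `CertificateValidationMode` to `None` so that the sample certificates work. As an added example (not part of the original answer or of the ACS sample), the following shows the same credential configured with a pinned service certificate instead. The names `PinnedThumbprintValidator` and `ChannelFactoryHardening` are hypothetical, and the thumbprint passed in is assumed to be a value you obtained out of band.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical validator: accepts only the service certificate whose
// thumbprint matches a value pinned in configuration.
public sealed class PinnedThumbprintValidator : X509CertificateValidator
{
    private readonly string expectedThumbprint;

    public PinnedThumbprintValidator(string expectedThumbprint)
    {
        if (string.IsNullOrWhiteSpace(expectedThumbprint))
            throw new ArgumentException("A thumbprint is required.", "expectedThumbprint");
        // Thumbprints copied from the certificate UI often contain spaces.
        this.expectedThumbprint = expectedThumbprint.Replace(" ", string.Empty);
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");

        if (!string.Equals(certificate.Thumbprint, expectedThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenValidationException("Service certificate thumbprint does not match the pinned value.");

        // A pinned certificate can still be expired or not yet valid.
        DateTime now = DateTime.Now;
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new SecurityTokenValidationException("Service certificate is outside its validity period.");
    }
}

public static class ChannelFactoryHardening
{
    // Replaces X509CertificateValidationMode.None with a custom validator.
    public static void RequirePinnedServiceCertificate(ChannelFactory factory, string pinnedThumbprint)
    {
        X509ServiceCertificateAuthentication auth = factory.Credentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new PinnedThumbprintValidator(pinnedThumbprint);
    }
}
```

Call `RequirePinnedServiceCertificate` on the factory before opening it or creating a channel. When the service certificate chains to a trusted root, `X509CertificateValidationMode.ChainTrust` is the built-in alternative to a custom validator.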