I finally could make some progress in the interop tests with the Active STS. I used the following configuration,
1. Trader client application (Metro) 2. Passive STS (Metro) 3. Active STS (.NET) 4. Business Service (Metro) Unfortunately, I found a blocking issue that I think it is hard to fix. The namespace used by metro for the ActAs element is different from the namespace used by WCF (WCF is using the correct namespace, which is WS-Trust 1.4). Metro, <wst:ActAs xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"> .NET (WCF) <tr:ActAs xmlns:tr="http://docs.oasis-open.org/ws-sx/ws-trust/200802"> Besides that issue with the WS-Trust message, these are my findings for this scenario, 1. The active STS in metro is using an username token for authenticating the client application (trader web client). .NET is using a client certificate for that purpose (BSL.Com), and I think it is the correct mechanism. I basically changed the .NET Active STS and trader client implementation to use username tokens. 2. The wsit-client.xml for the trader client application in metro looks as follow, <tc:PreconfiguredSTS xmlns:tc="http://schemas.sun.com/ws/2006/05/trust/client" endpoint=http://localhost:9001/tradeactivests (.NET) wsdlLocation=http://apps.stonehenge.com:1316/active_sts/ActiveSTS?wsdl (WSDL in METRO) serviceName="SecurityTokenService" portName="ISecurityTokenService_Port" namespace="http://tempuri.org/" shareToken="true"> </tc:PreconfiguredSTS> I could not make it work against the .NET Active STS Wsdl. For some reasons, all the requests with that WSDL are not protected with WS-Security. I updated all the bindings and ports in the .NET to use ISecurityTokenService and http://tempuri.org as namespace, but that does not work. 3. Metro was using derived keys and basic 128 as algorithm suite. WCF was throwing a weird parsing error exceptions for the derived keys (this option was enabled in the WCF bindings too), so I disable that feature in metro and .NET. "Cannot read the token from the 'DerivedKeyToken' element with the 'http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512' namespace for BinarySecretSecurityToken, with a '' ValueType. If this element is expected to be valid, ensure that security is configured to consume tokens with the name, namespace and value type specified." Regards, Pablo.