The below is a common error with WCF clients in security interoperability scenarios:
What does it mean?
When a signed response comes back from the server, it has two ways to reference the signing certificate.
Option A (key identifier):
Option B (direct reference):
The above error means that the response uses a key identifier, but the client is configured to require a direct reference.
How to fix it?
On your client, configure allowSerializedSigningTokenOnReply to true:
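As an added illustration (not the post's own snippet), here is a client-side app.config fragment that sets the attribute on the `<security>` element of a customBinding. The binding name, endpoint address and contract name are placeholders I chose; the attribute name, element names and `authenticationMode` value are the ones WCF defines.

```xml
<!-- Added example; binding name, address and contract are assumed placeholders -->
<system.serviceModel>
  <bindings>
    <customBinding>
      <binding name="interopMutualCertBinding">
        <!-- allowSerializedSigningTokenOnReply="true" lets the client accept a
             reply whose signature references the signing certificate by key
             identifier instead of a direct reference to a BinarySecurityToken -->
        <security authenticationMode="MutualCertificate"
                  allowSerializedSigningTokenOnReply="true" />
        <textMessageEncoding messageVersion="Soap11" />
        <httpTransport />
      </binding>
    </customBinding>
  </bindings>
  <client>
    <endpoint address="https://example.invalid/Service"
              binding="customBinding"
              bindingConfiguration="interopMutualCertBinding"
              contract="IService" />
  </client>
</system.serviceModel>
```

The attribute only changes which token-reference form the client accepts on the reply; the server's signing certificate is still validated under the client's `serviceCertificate` / `clientCredentials` behavior settings, which this fragment leaves out.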
An alternative is to build a custom message encoder that rewrites the response from option B to A. This is possible because the certificate is known (from the reference), so the binary token can be created. This alternative is much harder, though, and in the general case the former should be preferred.