<system.serviceModel>
		<behaviors>
			<endpointBehaviors>
				<behavior name="CertificateBehavior" >
					<clientCredentials>
						<clientCertificate findValue="ProkofievVS_Client" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName"/>
						--><!--<clientCertificate findValue="WcfClient" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"/>--><!--
						<serviceCertificate>
							<authentication certificateValidationMode="PeerTrust" trustedStoreLocation="CurrentUser"/>
						</serviceCertificate>
					</clientCredentials>
				</behavior>
			</endpointBehaviors>
		</behaviors>

		<bindings>
			<netTcpBinding>
				<binding name="NetTcpBinding_IGsService" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions" hostNameComparisonMode="StrongWildcard" listenBacklog="10" maxBufferPoolSize="524288" maxBufferSize="65536" maxConnections="10" maxReceivedMessageSize="65536">
					<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384"/>
					<reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="true"/>
					<security mode="TransportWithMessageCredential">
						<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign"/>
						<message clientCredentialType="Certificate" algorithmSuite="Default"/>
					</security>
				</binding>
	
			</netTcpBinding>
		</bindings>
		
		<client>
			<endpoint address="net.tcp://castle/Barrabas.WcfService.Head/WcfServiceGs.svc" 
					  binding="netTcpBinding" 
					  bindingConfiguration="NetTcpBinding_IGsService" 
					  contract="IGsService" 
					  name="NetTcpBinding_IGsService"
					  behaviorConfiguration="CertificateBehavior" >
				
				<identity>
					<dns value="WMSvc-CASTLE"/>
				</identity>
			</endpoint>
		</client>
		
	</system.serviceModel>

            Binding binding = new NetTcpBinding(SecurityMode.TransportWithMessageCredential, true);
            EndpointAddress endPoint = new EndpointAddress(
                new Uri("net.tcp://castle/Barrabas.WcfService.Head/WcfServiceGs.svc"),
                EndpointIdentity.CreateDnsIdentity("WMSvc-CASTLE"));
            
            _client = new GsServiceClient(binding, endPoint);
             
            _client.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode =
                System.ServiceModel.Security.X509CertificateValidationMode.PeerTrust;

            _client.ClientCredentials.ClientCertificate.SetCertificate(
                System.Security.Cryptography.X509Certificates.StoreLocation.CurrentUser,
                System.Security.Cryptography.X509Certificates.StoreName.My,
                System.Security.Cryptography.X509Certificates.X509FindType.FindBySubjectName,
                "ProkofievVS_Client");

            string test = _client.Test();

Secure channel cannot be opened because security negotiation with the remote endpoint has failed. 
This may be due to absent or incorrectly specified EndpointIdentity in the EndpointAddress used to
create the channel. Please verify the EndpointIdentity specified or implied by the EndpointAddress
correctly identifies the remote endpoint.

            NetTcpBinding binding = new NetTcpBinding(SecurityMode.TransportWithMessageCredential, true);
            binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;