WCF Service consumed by asmx client with custom authentication

  • Question

  • Hello,

    We have a WCF service hosted in IIS. We used basicHttpBinding and implemented a UserNamePasswordValidator for the custom authentication.

    However, we have issues when the WCF service is consumed with an asmx client.

    An error occurred when verifying security for the message.

    (Because an asmx client can only work with basicHttpBinding with transport security. Basic authentication is disabled.)

    Here is my security config:

    <security mode="TransportWithMessageCredential">
      <transport clientCredentialType="None" proxyCredentialType="None" realm="" />
      <message clientCredentialType="UserName" algorithmSuite="Default" />
    </security>

    What are the solutions? We thought of using a simple Message Header for the authentication, however we don't want to pass the credentials in the parameters of the method call.

    var s = new service.TaskService();
    s.GetSomething(credential, TaskNumber); //not nice...




    • Edited by okdreamy Tuesday, June 4, 2013 7:58 AM
    Tuesday, June 4, 2013 7:55 AM

All replies

  • You can use UserNamePasswordValidator with basicHttpBinding by using the Message security mode with a certificate or the TransportWithMessageCredential security mode with SSL.
    Tuesday, June 4, 2013 8:15 AM
  • I am using the TransportWithMessageCredential security mode with SSL; it works fine with a WCF client, not an asmx client.

    It returns this exception:

    An error occurred when verifying security for the message.

    Tuesday, June 4, 2013 8:50 AM
  • Try to use transport security to pass the credentials in the HTTP header rather than the SOAP header:

    <security mode="Transport">
      <transport clientCredentialType="Basic" />
    </security>

    Also, did you enable anonymous and basic authentication in IIS?

    Tuesday, June 4, 2013 10:00 AM
  • Thanks for your email, but basic authentication is disabled. Anonymous is enabled.
    Tuesday, June 4, 2013 10:31 AM
  • Enable basic authentication and try using transport security as above then.
    Tuesday, June 4, 2013 11:08 AM
  • Yes but with this config:

    <security mode="Transport">
      <transport clientCredentialType="Basic" />
    </security>

    They will have to have a proper credential (we need to create a new account/password). We would like to use a custom authentication with some user/pass, something like with UserNamePasswordValidator.

    Tuesday, June 4, 2013 11:50 AM
  • Maybe the following links can help you to sort out what the problem is: http://stackoverflow.com/questions/3765212/an-error-occurred-when-verifying-security-for-the-message

    http://blogs.microsoft.co.il/blogs/urig/archive/2011/01/23/wcf-quot-an-error-occurred-when-verifying-security-for-the-message-quot-and-service-security-audit.aspx

    Like I wrote before, you should be able to use a UserNamePasswordValidator with basicHttpBinding by using the Message security mode with a certificate or the TransportWithMessageCredential security mode with SSL.

    Tuesday, June 4, 2013 2:21 PM
  • Thank you Magnus.

    I know I was able to use UserNamePasswordValidator. It worked fine while consuming from a WCF Service but got this exception when consuming with an asmx client.

    I found this and it seems that it is not possible with UserNamePasswordValidator, right?

    http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/79c96324-62eb-4ecb-a36a-2b2999643000/

    Wednesday, June 5, 2013 6:21 AM
  • Hi, I think so, as Ido said, "Web services (asmx) does not support any type of security other than the security mechanisms offered by IIS".
    Friday, June 7, 2013 9:35 AM
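
Added example, not part of the original thread and not the poster's code: a sketch of the kind of custom UserNamePasswordValidator the question describes, which WCF invokes with the user name and password from the message's UserName credential under TransportWithMessageCredential. The namespace, class name, account name, password and iteration count are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;   // UserNamePasswordValidator
using System.IdentityModel.Tokens;      // SecurityTokenException
using System.Security.Cryptography;

namespace Example   // hypothetical namespace and type names
{
    // Registered in web.config under <serviceBehaviors>/<behavior>/<serviceCredentials>:
    //   <userNameAuthentication userNamePasswordValidationMode="Custom"
    //       customUserNamePasswordValidatorType="Example.TaskServiceValidator, Example" />
    public class TaskServiceValidator : UserNamePasswordValidator
    {
        private const int Iterations = 100000;   // assumed work factor
        private static readonly byte[] DummySalt = new byte[16];
        // user name -> (salt, PBKDF2 hash); a real service loads this from its own store.
        private static readonly Dictionary<string, Tuple<byte[], byte[]>> Users =
            new Dictionary<string, Tuple<byte[], byte[]>>(StringComparer.Ordinal);

        static TaskServiceValidator()
        {
            // Constructed sample account, for illustration only.
            var salt = new byte[16];
            using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
            Users["task-client"] = Tuple.Create(salt, Derive("constructed-sample-password", salt));
        }

        private static byte[] Derive(string password, byte[] salt)
        {
            using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
                return kdf.GetBytes(20);
        }

        public override void Validate(string userName, string password)
        {
            if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
                throw new SecurityTokenException("Unknown user name or password.");

            Tuple<byte[], byte[]> entry;
            bool known = Users.TryGetValue(userName, out entry);
            // Derive a hash even for unknown names so timing does not reveal valid accounts.
            byte[] actual = Derive(password, known ? entry.Item1 : DummySalt);
            byte[] expected = known ? entry.Item2 : new byte[actual.Length];

            int diff = 0;   // constant-time comparison of the two hashes
            for (int i = 0; i < actual.Length; i++) diff |= actual[i] ^ expected[i];

            if (!known || diff != 0)
                throw new SecurityTokenException("Unknown user name or password.");
        }
    }
}
```

The same generic exception message is used for an unknown user and a wrong password, so a caller cannot tell from the response which of the two failed.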