none
Clock Skew Exception Detection RRS feed

  • Question

  • Hi, I have a WCF client/service that has a clock skew problem.  I can fix it by extending the clock skew, but I'd rather just have it show a nice error message.


    When my clock skew is off by 5-10 minutes, my client seems to be the one rejecting the connection and gives a nice error that I can output on the screen.

    "The security timestamp is invalid because its creation time ('2013-02-13T18:45:41.327Z') is in the future. Current time is '2013-02-13T18:40:40.742Z' and allowed clock skew is '00:05:00"

    However if the skew is off by more than 10 minutes, it seems like the service is rejecting the connection and I get a generic error that I can't use (since I can't be 100% sure it's clock skew that caused it)

    "An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail."
    inner: "An error occurred when verifying security for the message."

    What exactly is going on?  Both my service/client are using default clock skews, so I don't know why 5-10 vs 10+ minutes gives different errors.

    If the second exception is indeed because the service rejects the connection, can I "catch" the error somewhere in my service and return a nice exception to the client?

    Wednesday, February 20, 2013 3:30 PM

Answers

All replies

  • Hi,

    What do you mean with "my clock skew is off by 5-10 minutes"?

    >>"An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail."

    This error is always because the server time skew, the remote server and the client's system time must be within typically 5 minutes(by default) of each other. If they are not, security validation will fail.

    >> I can fix it by extending the clock skew, but I'd rather just have it show a nice error message.

    Do you mean you have tried set the skew in the config with a custom a binding? If not, refer document below. And you may set clocks on the client and server such that they are more in sync.

    #How to: Set a Max Clock Skew

    http://msdn.microsoft.com/en-us/library/aa738468.aspx

    #Changing the default Clock Skew in WCF

    http://www.danrigsby.com/blog/index.php/2008/08/26/changing-the-default-clock-skew-in-wcf/

    Hope this helps.

    Best Regards.


    Haixia
    MSDN Community Support | Feedback to us
    Develop and promote your apps in Windows Store
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Thursday, February 21, 2013 3:25 AM
    Moderator
  • Hello,

    >>What do you mean with "my clock skew is off by 5-10 minutes"?

    What I meant was I changed my local time to be 5-10 minutes earlier than the server's time, and I would get one error message (because my client rejected it) and if I changed it to be more than 10 minutes I would get the generic message (because my server rejected it)

    >>Do you mean you have tried set the skew in the config with a custom a binding? If not, refer document below. And you may set clocks on the client and server such that they are more in sync.

    Yes, I have fixed the error by changing the skew in the config (server) and code (client).  However I don't want to increase the skew, I just want to show an error message that tells the client that there's a clock skew problem.  However the server returns a generic message, so I want to know if I can "catch" the skew exception on the server, and return my own custom message.

    Thursday, February 21, 2013 6:42 PM
  • Hi,

    To achieve the goal, you can try with FaultContract to return a custom error messages, catch TimeStampHasCreationTimeInFuture exception and return a custom fault that being sent to the client.

    Refer a Fault Contract sample:

    http://msdn.microsoft.com/en-us/library/ms752208.aspx

    Best Regards.


    Haixia
    MSDN Community Support | Feedback to us
    Develop and promote your apps in Windows Store
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Friday, February 22, 2013 2:29 AM
    Moderator
  • Hi Haixia,

    If i understood your solution correctly, we can throw the FaultException from the contract function call (looking at the example you provided). But when the time skew exception occurs, it has not reached the function we are trying to call. If that function can't be reached, the custom FaultException is not thrown, and the client will still receive the same message as we get before. 

    Is this what you suggested or I misunderstood what you meant?

    Thanks,

    Thursday, February 28, 2013 6:49 PM
  • Hi,

    >>But when the time skew exception occurs, it has not reached the function we are trying to call. If that function can't be reached, the custom FaultException is not thrown, and the client will still receive the same message as we get before.

    Yes.

    Best Regards.


    Haixia
    MSDN Community Support | Feedback to us
    Develop and promote your apps in Windows Store
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Friday, March 1, 2013 1:48 AM
    Moderator