Issue with Message Security

  • Question

  • I'm a newbie in WCF. I'm trying to implement a service with Message security and client credential type UserName

    but I receive an exception on the client side:

    MessageSecurityException

    "An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail."

    Inner Exception:

    "{"An error occurred when verifying security for the message."}"

    I can't understand what I'm doing wrong; below is the configuration in the app.configs of the service / client

    service app.config:

      <system.serviceModel>
        
       <!--BEHAVIORS-->
        <behaviors>
          <serviceBehaviors>
            <behavior name="MyserviceBehavior">
              <serviceMetadata httpGetEnabled="true"/>
              <serviceDebug includeExceptionDetailInFaults="true"/>
    
              <serviceCredentials>
                <userNameAuthentication userNamePasswordValidationMode="Custom"
                                         customUserNamePasswordValidatorType="CustomMessageValidator.MessageValidator, CustomMessageValidator"/>
    
                <serviceCertificate
                   findValue="User-PC"
                   storeLocation="LocalMachine"
                   storeName="My"
                   x509FindType="FindBySubjectName"/>
    
                <clientCertificate>
                  <authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck"/>
                </clientCertificate>
              </serviceCredentials>
    
            </behavior>
          </serviceBehaviors>
        </behaviors>
    
    
        <!--SERVICE-->
        <services>
          <service name="Calculator.Service.CalculatorService" behaviorConfiguration="MyserviceBehavior">
    
            <endpoint
              address="http://localhost:9090/Calculator"
              binding="wsHttpBinding"
              contract="Calculator.Contracts.ICalculatorService"
              bindingConfiguration="WSHttpBindingConfiguration"/>
    
            <endpoint
              address="mex"
              binding="mexHttpBinding"
              contract="IMetadataExchange" />
    
            <host>
              <baseAddresses>
                <add baseAddress="http://localhost:8080/"/>
              </baseAddresses>
            </host>
    
          </service>
        </services>
    
        <!--BINDINGS-->
        <bindings>
          <wsHttpBinding>
            <binding name="WSHttpBindingConfiguration">
              <security mode="Message">
                <message clientCredentialType="UserName"/>
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
    
      </system.serviceModel>

    client app.config:

      <system.serviceModel>
    
        <!--BEHAVIORS / ENDPOINT BEHAVIORS-->
          
        <behaviors>
          <endpointBehaviors>
            <behavior name="endPointAuthBehavior">
              <clientCredentials>
                <serviceCertificate>
                  <authentication
                    certificateValidationMode="PeerOrChainTrust"
                    revocationMode="NoCheck"
                    trustedStoreLocation="LocalMachine"/>
                </serviceCertificate>
              </clientCredentials>
            </behavior>
          </endpointBehaviors>
        </behaviors>
        
        
        
          <!--BINDINGS-->
        <bindings>
          <wsHttpBinding>
            <binding name="WSHttpBindingOfICalculatorService">
              <security mode="Message">
                <message clientCredentialType="UserName" />
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
        
        <!--CLIENT-->
        <client>
          <endpoint address="http://User-PC:9090/Calculator" binding="wsHttpBinding"
            bindingConfiguration="WSHttpBindingOfICalculatorService" contract="CalculatorMessageSecurityServiceReference.ICalculatorService"
            name="WSHttpBinding_ICalculatorService" behaviorConfiguration="endPointAuthBehavior" />
        </client>
        
      </system.serviceModel>

    or in the client app.config I also tried the app.config auto-generated by the VS 2013 ServiceReference:

        <system.serviceModel>
    
          <behaviors>
            <endpointBehaviors>
              <behavior name="MyEndpointBehavior">
                <clientCredentials>
                  <serviceCertificate>
                    <authentication
                      certificateValidationMode="PeerOrChainTrust"
                      revocationMode="NoCheck"
                      trustedStoreLocation="LocalMachine"/>
                  </serviceCertificate>
                </clientCredentials>
              </behavior>
            </endpointBehaviors>
          </behaviors>
    
    
    
          <bindings>
                <wsHttpBinding>
                    <binding name="WSHttpBinding_ICalculatorService">
                        <security>
                            <message clientCredentialType="UserName" />
                        </security>
                    </binding>
                </wsHttpBinding>
            </bindings>
            <client>
                <endpoint address="http://User-PC:9090/Calculator" binding="wsHttpBinding"
                    bindingConfiguration="WSHttpBinding_ICalculatorService" contract="CalculatorMessageSecurityServiceReference.ICalculatorService"
                    name="WSHttpBinding_ICalculatorService" behaviorConfiguration="MyEndpointBehavior">
                    <identity>
                        <certificate encodedValue="AwAAAAEAAAAUAAAAwMbomW8vTqjt1dWW527f97JO7/8gAAAAAQAAAPcCAAAEAxMKS29uUnVkQ2VydDAeFw0xNDA1MDIxNjQyMTNaFw0zOTEyMzEyMzU5NTlaMBIxEDAOBgNVBAMTB1VzZXItUEMwggEiMA0GCSqGSIb3DM0g=" />
                    </identity>
                </endpoint>
            </client>
        </system.serviceModel>

    It doesn't work, I can't understand what I'm doing wrong.

    I searched on Google but I did not find any acceptable solution for my problem, i.e. according to the sites / forums that I found I'm doing great, but it still doesn't work.

    Any suggestions?

    Saturday, May 3, 2014 4:03 PM

Answers

All replies

  • Hi,

    Please try to set the security mode to none to see if it works.

    If it works then it means that you have done something wrong on the security configuration.

    Then please try to enable WCF tracing to get more error information.

    The following configuration taken from MSDN can be applied to enable tracing on your WCF service:

    <configuration>
      <system.diagnostics>
        <sources>
          <source name="System.ServiceModel"
                  switchValue="Information, ActivityTracing"
                  propagateActivity="true" >
            <listeners>
                 <add name="xml"/>
            </listeners>
          </source>
          <source name="System.ServiceModel.MessageLogging">
            <listeners>
                <add name="xml"/>
            </listeners>
          </source>
          <source name="myUserTraceSource"
                  switchValue="Information, ActivityTracing">
            <listeners>
                <add name="xml"/>
            </listeners>
          </source>
        </sources>
        <sharedListeners>
            <add name="xml"
                 type="System.Diagnostics.XmlWriterTraceListener"
                 initializeData="Error.svclog" />
        </sharedListeners>
      </system.diagnostics>
    </configuration>

    Besides, please try to check the following article:
    #WCF Service with custom username password authentication:
    http://www.codeproject.com/Articles/96028/WCF-Service-with-custom-username-password-authenti .

    Best Regards,
    Amy Peng



    Monday, May 5, 2014 10:23 AM
    Moderator
  • Hi Amy, first of all thanks for your answer, I appreciate it, but it still doesn't work,

    now it gives me an exception like:

    "The X.509 certificate CN=User-PC chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation for the certificate"

    I still don't understand what the problem is?


    Monday, May 5, 2014 2:23 PM
  • Hi Konrud,

    I have provided a couple of links:

    http://msdn.microsoft.com/en-us/library/ms731049.aspx
    http://msdn.microsoft.com/en-us/library/aa354509.aspx 

    As for the error you are getting about the certificate chain building failing - it seems that the client side is not trusting the certificate from the server:

    1) How did you create the certificate? You should make sure that the root of the certificate is in the trusted certificate store of your client machine. If the client is cross machine then you will need to manually install the cert.

    2) You can also disable the cert check as you tried - you will need to make sure that this behavior is correctly tied to the endpoint on the client side.

    A useful post in this regard is this - http://webservices20.blogspot.com/2008/10/cryptic-wcf-error-messages-part-4-of-n.html.

    You can also verify that the WCF service is LISTENING on port 9090 for any incoming request using the following cmd:

    netstat -a|find "9090"


    Monday, May 5, 2014 6:01 PM
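
Added example, not part of any post in this thread: a PowerShell check that approximates what `certificateValidationMode="PeerOrChainTrust"` with `revocationMode="NoCheck"` evaluates for the `CN=User-PC` certificate, reporting whether it is present in TrustedPeople and whether its chain builds to a trusted root. It assumes the script is run on the client machine and that the service certificate is also available in that machine's `LocalMachine\My` store; the function name `Test-PeerOrChainTrust` is hypothetical.

```powershell
# Added diagnostic example (not from the thread). Defaults come from the posted configs.
param(
    [string]$SubjectName   = 'User-PC',       # findValue of <serviceCertificate> in the service config
    [string]$StoreLocation = 'LocalMachine'   # trustedStoreLocation in the client behavior
)

function Test-PeerOrChainTrust {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$StoreLocation
    )

    # Peer trust: this exact certificate (matched by thumbprint) is in the TrustedPeople store.
    $peer = Get-ChildItem "Cert:\$StoreLocation\TrustedPeople" |
        Where-Object { $_.Thumbprint -eq $Certificate.Thumbprint }

    # Chain trust: the chain builds to a trusted root. Revocation is skipped,
    # matching revocationMode="NoCheck" in the posted behaviors.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Certificate)

    [pscustomobject]@{
        Subject      = $Certificate.Subject
        Issuer       = $Certificate.Issuer
        Thumbprint   = $Certificate.Thumbprint
        PeerTrusted  = [bool]$peer
        ChainTrusted = $chainOk
        # Empty when the chain is fine; otherwise e.g. UntrustedRoot or PartialChain.
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        WouldPass    = ([bool]$peer -or $chainOk)
    }
}

$certs = Get-ChildItem "Cert:\$StoreLocation\My" |
    Where-Object { $_.Subject -like "*CN=$SubjectName*" }

if (-not $certs) {
    Write-Warning "No certificate with CN=$SubjectName found in $StoreLocation\My"
}
foreach ($cert in $certs) {
    Test-PeerOrChainTrust -Certificate $cert -StoreLocation $StoreLocation
}
```

If `WouldPass` is `False`, `ChainStatus` shows why the chain did not build, which corresponds to the "chain building failed" message quoted above.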