The caller was not authenticated by the service RRS feed

  • Question

  • WCF is throwing a strange error. I have a server and I created a website for my WCF services. When I set the IP address to be the IP address of the server, everything works well. However, I have to use another IP address so that I can have multiple websites with port 80 on the same server.

    So I configured the IP address, port number (80), and host name for my WCF website and used the browser to see if the service is running. Everything seems to be working well. But once I try to connect to the WCF service from my windows application, I get the following error:


    "Service cannot be started. System.ServiceModel.Security.SecurityNegotiationException: The caller was not authenticated by the service. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed."


    What is causing the problem? Is there something specific I need to do if I configure the IP address or the host name?

    Tuesday, May 29, 2007 7:29 PM


  • Haven't read the whole post, but thought I'd give my $0.02. I get this error if I make changes on my Certificate Authority and forget to restart my host application. Apparently you have to get things running in the right order. Smile
    Wednesday, May 30, 2007 12:12 AM

All replies

  • quickly show us your configs, perhaps its your <identity> on the client config that is wrong now, did you update your proxy/client config after you made the changes.


    Tuesday, May 29, 2007 7:52 PM
  • I changed the endpoint address and that's about it. I tried to create a proxy via svcutil; while I didn't have any problem with creating a proxy for the basicHttpBinding, I was getting an error when I tried with wsHttpBinding.

    Here's my config:







    <binding name="WSHttpBinding_IPersistentSubscriptionService" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="Infinite" sendTimeout="00:01:00" bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">

    <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />

    <reliableSession ordered="true" inactivityTimeout="Infinite" enabled="true" />

    <security mode="Message">

    <transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />

    <message clientCredentialType="Windows" negotiateServiceCredential="true" algorithmSuite="Default" establishSecurityContext="true" />





    <binding name="BasicHttpBinding_Logging" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="Infinite" sendTimeout="00:01:00" allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true">

    <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />

    <security mode="None">

    <transport clientCredentialType="None" proxyCredentialType="None" realm="" />

    <message clientCredentialType="UserName" algorithmSuite="Default" />






    <endpoint address=http://wcf.testserver.com/PersistentSubscriptionService.svc binding="wsHttpBinding"





    <endpoint address=http://wcf.testserver.com/LoggingImpl.svc binding="basicHttpBinding"



    name="BasicHttpBinding_Logging" />








    <serviceHostingEnvironment aspNetCompatibilityEnabled="false" />



    <binding name="ReliableWSHttpBinding" receiveTimeout="infinite">

    <reliableSession enabled="true" inactivityTimeout="infinite"/>





    <service behaviorConfiguration="PersistentSubscriptionService_Behavior"


    <endpoint binding="wsHttpBinding" bindingNamespace=http://WCFService.ServiceContracts/

    contract="IPersistentSubscriptionService" bindingConfiguration="ReliableWSHttpBinding" />

    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />


    <service behaviorConfiguration="LoggingImpl_Behavior"


    <endpoint binding="basicHttpBinding" bindingNamespace=http://WCFService.ServiceContracts/

    contract="Logging" />

    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />





    <behavior name="PersistentSubscriptionService_Behavior">

    <serviceDebug includeExceptionDetailInFaults="false" />

    <serviceMetadata httpGetEnabled="true" />

    <serviceThrottling maxConcurrentCalls="50" maxConcurrentSessions="50" />


    <behavior name="LoggingImpl_Behavior">

    <serviceDebug includeExceptionDetailInFaults="false" />

    <serviceMetadata httpGetEnabled="true" />







    I removed a lot of namespacing for the purpose of this forum so if some of the namespaces don't match between Web.config and App.config, that's not the reason why I'm getting an error.




    Tuesday, May 29, 2007 8:17 PM
  • well what error do you get when generating the proxy ?



    changing endpoint address is a "breaking change" for any client and for what I know it could result in a different servicePrincipal!.

    I assume your client are connecting to the endpoint using "WSHttpBinding_IPersistentSubscriptionService"

    Tuesday, May 29, 2007 8:58 PM
  • Hi Allan,


    This is the error I got in the output block after running svcutil:


    Attempting to download metadata from 'http://wcf.testserver.com/PersistentSubscriptionService.svc?wsdl' using WS-Metadata Exchange or DISCO.


    Error: Cannot import wsdl:binding

    Detail: An exception was thrown in a call to a policy import extension.

    Extension: System.ServiceModel.Channels.ReliableSessionBindingElementImporter

    Error: The wsrm:InactivityTimeout assertion's Milliseconds attribute does not fall within the range this binding uses. The ReliableSessionBindingElement could not be created.

    XPath to Error Source: //wsdlBig Smileefinitions[@targetNamespace='http://WCFService.ServiceContracts/']/wsdl:binding[@name='WSHttpBinding_IPersistentSubscriptionService']

    Error: Cannot import wsdlStick out tongueort

    Detail: There was an error importing a wsdl:binding that the wsdlStick out tongueort is dependent on.

    XPath to wsdl:binding: //wsdlBig Smileefinitions[@targetNamespace='http://WCFService.ServiceContracts/']/wsdl:binding[@name='WSHttpBinding_IPersistentSubscriptionService']

    XPath to Error Source: //wsdlBig Smileefinitions[@targetNamespace='http://tempuri.org/']/wsdlTongue Tiedervice[@name='PersistentSubscriptionService']/wsdlStick out tongueort[@name='WSHttpBinding_IPersistentSubscriptionService']

    Generating files...


    When I change the IP address (actual server's ip address) and do not put anything in the host header, this error message goes away and the proxy is generated without any problem. Really dumb-founded.


    BTW, you're correct - my client is connecting to the endpoint using WSHttpBinding_IpersistentSubscriptionService.





    Tuesday, May 29, 2007 9:09 PM
  • in your web.config try setting



    <binding name="ReliableWSHttpBinding" receiveTimeout="24.20:31:23.6470000">

    <reliableSession inactivityTimeout="24.20:31:23.6470000" enabled="true" />



    for starters.
    Tuesday, May 29, 2007 9:27 PM
  • No luck. I was able to generate the proxy when I changed the receiveTimeout and inactivityTimeout but once I tried to connect to the WCF Service, I still got the "caller was not authenticated by the service" error. I wonder if it's a security issue since I'm not using the server ip? I'm not using SSL so no certificates.
    Tuesday, May 29, 2007 9:53 PM
  • could we see the configs now after the correct update of your proxy
    Tuesday, May 29, 2007 10:58 PM
  • Haven't read the whole post, but thought I'd give my $0.02. I get this error if I make changes on my Certificate Authority and forget to restart my host application. Apparently you have to get things running in the right order. Smile
    Wednesday, May 30, 2007 12:12 AM



    I am getting the error "The caller was not authenticated by the service".


    I have a WCF service hosted in a windows service. I am using message security and x.509 certificates for server / client authentication.


    Now when a new client is issued a new certificate from the CA (standalone CA running on the same domain and network where the WCF service is running and trusted by the WCF service), the client get the "The caller was not authenticated by the service" error when trying to connect to the WCF service. Note that the certificate is issued after the service is started up.


    Then all I have to do is simply restart the windows service in which my WCF service is hosted, and then when the client tries to reconnect it (the client's certificate) is authenticated by the service.


    Now the obvious problem is that my other existing clients currently connected to the WCF service is interrupted when the WCF service is restarted in order for the new client's certifcate to be authenticated.


    Does anyone know how I can get my WCF service to see the newly issued client certificate without having to restart the windows service hosting the WCF service?


    Thanks a lot for reading and responding to this.


    PS: Couple of environmental parameters

    > WCF service hosted in windows service on Windows Server 2008 Standard Edition x64

    > CA (Certificate Authority) is standalone CA hosted on Windows Server 2008 Standard Edition x64

    > WCF clients connect from various operating systems, including Windows XP and Vista

    > WCF service and CA in same domain on same physical network (Windows 2008 domain) and even client also on same network.

    Monday, August 25, 2008 6:10 PM
  • Hi Ben,

    did you ever find a solution for the problem that you have to restart the service if the client got a new certificate. We have about 30 people connected to the service....


    Best regards


    Thursday, November 25, 2010 10:05 AM