Password digest in WCF


  • I'm currently using a custom binding implementation to allow WCF to send Username tokens with clear text (ClearUsernameBinding in several services which use PasswordText for the Type. Everything works nicely. However there is a new service which requires PasswordDigest, and we can not use SSL or certificates at this point. The client is sending the hash (password), nonce and created elements in the usernametoken element in the soap headers, but the validation (from the class extending UserNamePasswordValidator) is not reached. The service is being hit anyways because I can set break points in the Application_BeginRequest and capture the hits in the logs.
    The request from the client is correct, but the service response returns : An error occurred when verifying security for the message. As I said, when the password type is PasswordText, the UserNamePasswordValidator validation is hit, and it works fine. The clients are all Java clients, so I can not use the out of the box options in WCF. Can you point me out where to look at ?
    Thursday, December 10, 2009 7:47 PM

All replies