Message security verification failed.

  • Question

  • I am trying to implement a custom UserNamePasswordValidator as described here: http://msdn.microsoft.com/en-us/library/aa702565.aspx

    I'm hosting this service in IIS and I understand that IIS intercepts the HTTP Basic authentication, so I am using TransportWithMessageCredential.  I'm currently using a self-signed certificate. However, <security mode="Transport"><transport clientCredentialType="None" /> works fine so I don't think this has anything to do with the cert.

    The client receives the following error:

    System.ServiceModel.Security.MessageSecurityException : An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.
      ----> System.ServiceModel.FaultException : At least one security token in the message could not be validated.
     

    In my WCF server trace I'm seeing the following error:

    <ExceptionType>System.ServiceModel.Security.MessageSecurityException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
    <Message>Message security verification failed.</Message>
    <StackTrace>
    at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message&amp; message, TimeSpan timeout) ....

    I've seen this error relate to time sync issues but both the client and the service are on the same box.  Anybody have any idea why this same error seems to have multiple unrelated reasons?  I understand why it's not spit out to the client but I'd expect DETAIL in a server side trace.

    When I attach to aspnet_wp (debugging on an XP machine), the custom UserNamePasswordValidator.Validate method is never hit.

    My config is as follows:

    <?xml version="1.0"?>
    <configuration>
      <configSections>
        <sectionGroup name="MyCompany.Services">
          <section name="General" type="MyCompany.Services.ConfigurationSections.GeneralConfigurationSection, MyCompany.Services" allowLocation="true" allowDefinition="Everywhere"/>
        </sectionGroup>
      </configSections>
      <MyCompany.Services>
        <General configSource="Web.Env.config"/>
      </MyCompany.Services>
      <system.web>
        <compilation debug="true" targetFramework="4.0" />
      </system.web>
      <system.serviceModel>
        <bindings>
          <wsHttpBinding>
            <binding name="CustomAuthentication">
              <security mode="TransportWithMessageCredential">
                <message clientCredentialType="UserName"/>
                <!--<transport clientCredentialType="None" />-->
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
        <services>
          <service name="MyCompany.Services.Item">
            <endpoint address="Item" binding="wsHttpBinding" bindingConfiguration="CustomAuthentication"
              contract="MyCompany.Services.IItemService" />
          </service>
        </services>
        <behaviors>
          <serviceBehaviors>
            <behavior>
              <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
              <serviceMetadata httpGetEnabled="true"/>
              <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
              <serviceDebug includeExceptionDetailInFaults="true"/>
            </behavior>
            <behavior name="CustomAuthenticationBehavior">
              <serviceCredentials>
                <issuedTokenAuthentication allowUntrustedRsaIssuers="true"/>
                <userNameAuthentication 
                  userNamePasswordValidationMode="Custom"
                  customUserNamePasswordValidatorType="MyCompany.Services.CustomAuthenticator, MyCompany.Services"
                  />
              </serviceCredentials>
            </behavior>
          </serviceBehaviors>
        </behaviors>
        <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
      </system.serviceModel>
      <system.webServer>
        <modules runAllManagedModulesForAllRequests="true"/>
      </system.webServer>
      <system.diagnostics>
        <sources>
          <source name="System.ServiceModel"
                  switchValue="All"
                  propagateActivity="true">
            <listeners>
              <add name="traceListener"
                  type="System.Diagnostics.XmlWriterTraceListener"
                  initializeData= "c:\temp\WCFTraces.svclog" />
            </listeners>
          </source>
        </sources>
      </system.diagnostics>

    </configuration>

    Thursday, August 5, 2010 8:33 PM

Answers

All replies

  • You need to get a more detailed error message. The server trace log contains it. Look in the UI for an inner exception (it is hidden under the first exception full name in the right side).
    http://webservices20.blogspot.com/
    WCF Security, Performance And Testing Blog
    Thursday, August 5, 2010 11:21 PM
  • test

    Friday, August 6, 2010 2:28 PM
  • Uggg, I didn't realize the traceviewer didn't display all of the exceptions.  The inner exception is:

    <ExceptionType>System.IdentityModel.Tokens.SecurityTokenValidationException, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>

    <Message>LogonUser failed for the 'test1' user. Ensure that the user has a valid Windows account.</Message>

    Why is this trying to authenticate against windows?  Did I miss something in my config?

     

    Here is the full error:

    <Exception>

    <ExceptionType>System.ServiceModel.Security.MessageSecurityException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>

    <Message>Message security verification failed.</Message>

    <StackTrace>

    at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message&amp; message, TimeSpan timeout)

    at System.ServiceModel.Security.SecurityProtocol.VerifyIncomingMessage(Message&amp; message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)

    at System.ServiceModel.Channels.SecurityChannelListener`1.ServerSecurityChannel`1.VerifyIncomingMessage(Message&amp; message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationState)

    at System.ServiceModel.Channels.SecurityChannelListener`1.SecurityReplyChannel.ProcessReceivedRequest(RequestContext requestContext, TimeSpan timeout)

    at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveRequestAndVerifySecurityAsyncResult.ProcessInnerItem(RequestContext innerItem, TimeSpan timeout)

    at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.OnInnerReceiveDone()

    at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.StartInnerReceive()

    at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.Start()

    at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveRequestAndVerifySecurityAsyncResult.ReceiveMessage(Object state)

    at System.Runtime.ActionItem.DefaultActionItem.Invoke()

    at System.Runtime.ActionItem.CallbackHelper.InvokeWithoutContext(Object state)

    at System.Runtime.IOThreadScheduler.ScheduledOverlapped.IOCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped)

    at System.Runtime.Fx.IOCompletionThunk.UnhandledExceptionFrame(UInt32 error, UInt32 bytesRead, NativeOverlapped* nativeOverlapped)

    at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP)

    </StackTrace>

    <ExceptionString>System.ServiceModel.Security.MessageSecurityException: Message security verification failed. ---&gt; System.IdentityModel.Tokens.SecurityTokenValidationException: LogonUser failed for the 'test1' user. Ensure that the user has a valid Windows account. ---&gt; System.ComponentModel.Win32Exception: Logon failure: unknown user name or bad password

    --- End of inner exception stack trace ---

    at System.IdentityModel.Selectors.WindowsUserNameSecurityTokenAuthenticator.ValidateUserNamePasswordCore(String userName, String password)

    at System.IdentityModel.Selectors.UserNameSecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token)

    at System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token)

    at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver, IList`1 allowedTokenAuthenticators, SecurityTokenAuthenticator&amp; usedTokenAuthenticator)

    at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlDictionaryReader reader, Int32 position, Byte[] decryptedBuffer, SecurityToken encryptionToken, String idInEncryptedForm, TimeSpan timeout)

    at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader reader)

    at System.ServiceModel.Security.StrictModeSecurityHeaderElementInferenceEngine.ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader)

    at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)

    at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessageCore(Message&amp; message, TimeSpan timeout)

    at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message&amp; message, TimeSpan timeout)

    --- End of inner exception stack trace ---</ExceptionString>

    <InnerException>

    <ExceptionType>System.IdentityModel.Tokens.SecurityTokenValidationException, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>

    <Message>LogonUser failed for the 'test1' user. Ensure that the user has a valid Windows account.</Message>

    <StackTrace>

    at System.IdentityModel.Selectors.WindowsUserNameSecurityTokenAuthenticator.ValidateUserNamePasswordCore(String userName, String password)

    at System.IdentityModel.Selectors.UserNameSecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token)

    at System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token)

    at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver, IList`1 allowedTokenAuthenticators, SecurityTokenAuthenticator&amp; usedTokenAuthenticator)

    at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlDictionaryReader reader, Int32 position, Byte[] decryptedBuffer, SecurityToken encryptionToken, String idInEncryptedForm, TimeSpan timeout)

    at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader reader)

    at System.ServiceModel.Security.StrictModeSecurityHeaderElementInferenceEngine.ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader)

    at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)

    at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessageCore(Message&amp; message, TimeSpan timeout)

    at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message&amp; message, TimeSpan timeout)

    </StackTrace>

    <ExceptionString>System.IdentityModel.Tokens.SecurityTokenValidationException: LogonUser failed for the 'test1' user. Ensure that the user has a valid Windows account. ---&gt; System.ComponentModel.Win32Exception: Logon failure: unknown user name or bad password

    --- End of inner exception stack trace ---

    at System.IdentityModel.Selectors.WindowsUserNameSecurityTokenAuthenticator.ValidateUserNamePasswordCore(String userName, String password)

    at System.IdentityModel.Selectors.UserNameSecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token)

    at System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token)

    at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver, IList`1 allowedTokenAuthenticators, SecurityTokenAuthenticator&amp; usedTokenAuthenticator)

    at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlDictionaryReader reader, Int32 position, Byte[] decryptedBuffer, SecurityToken encryptionToken, String idInEncryptedForm, TimeSpan timeout)

    at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader reader)

    at System.ServiceModel.Security.StrictModeSecurityHeaderElementInferenceEngine.ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader)

    at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)

    at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessageCore(Message&amp; message, TimeSpan timeout)

    at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message&amp; message, TimeSpan timeout)</ExceptionString>

    <InnerException>

    <ExceptionType>System.ComponentModel.Win32Exception, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>

    <Message>Logon failure: unknown user name or bad password</Message>

    <StackTrace>

    at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message&amp; message, TimeSpan timeout)

    at System.ServiceModel.Security.SecurityProtocol.VerifyIncomingMessage(Message&amp; message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)

    at System.ServiceModel.Channels.SecurityChannelListener`1.ServerSecurityChannel`1.VerifyIncomingMessage(Message&amp; message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationState)

    at System.ServiceModel.Channels.SecurityChannelListener`1.SecurityReplyChannel.ProcessReceivedRequest(RequestContext requestContext, TimeSpan timeout)

    at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveRequestAndVerifySecurityAsyncResult.ProcessInnerItem(RequestContext innerItem, TimeSpan timeout)

    at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.OnInnerReceiveDone()

    at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.StartInnerReceive()

    at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.Start()

    at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveRequestAndVerifySecurityAsyncResult.ReceiveMessage(Object state)

    at System.Runtime.ActionItem.DefaultActionItem.Invoke()

    at System.Runtime.ActionItem.CallbackHelper.InvokeWithoutContext(Object state)

    at System.Runtime.IOThreadScheduler.ScheduledOverlapped.IOCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped)

    at System.Runtime.Fx.IOCompletionThunk.UnhandledExceptionFrame(UInt32 error, UInt32 bytesRead, NativeOverlapped* nativeOverlapped)

    at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP)

    </StackTrace>

    <ExceptionString>System.ComponentModel.Win32Exception (0x80004005): Logon failure: unknown user name or bad password</ExceptionString>

    <NativeErrorCode>52E</NativeErrorCode>

    </InnerException>

    </InnerException>

    </Exception>

    Friday, August 6, 2010 2:30 PM
  • You did not link the behavior to the service:

    <service behaviorConfiguration="CustomAuthenticationBehavior" ...

    (the behaviorConfiguration attribute is missing in your config)


    http://webservices20.blogspot.com/
    WCF Security, Performance And Testing Blog
    • Marked as answer by b_levitt Friday, August 6, 2010 7:27 PM
    Friday, August 6, 2010 6:47 PM
  • Thank you Yaron, behaviorConfiguration was the issue.
    Friday, August 6, 2010 7:27 PM
  • I had an issue where the following section of the config had somehow disappeared, and was killing me.
    <serviceCredentials>
        <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="Namespace.MyValidator,AppName"/>
    </serviceCredentials>
    Friday, January 3, 2014 2:30 PM
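Both failures in this thread (the service not linked to its named behavior, and the serviceCredentials section missing from the behavior) have the same effect: the UserName token is handed to the default Windows authenticator instead of the custom validator, which is exactly what the WindowsUserNameSecurityTokenAuthenticator frame in the trace shows. The following script, added here as an example and not code from the thread or from WCF, parses a web.config and reports when a service whose binding asks for UserName message credentials is not wired to a behavior with a Custom validator. The sample configs are constructed from the poster's config, trimmed to system.serviceModel; the function names are my own.

```python
"""Lint a WCF web.config for the misconfiguration diagnosed in this thread:
a UserName-credential service whose tokens never reach the custom validator."""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the poster's config (trimmed to system.serviceModel).
# As in the question, <service> carries no behaviorConfiguration attribute.
BROKEN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="CustomAuthentication">
          <security mode="TransportWithMessageCredential">
            <message clientCredentialType="UserName"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <services>
      <service name="MyCompany.Services.Item">
        <endpoint address="Item" binding="wsHttpBinding"
                  bindingConfiguration="CustomAuthentication"
                  contract="MyCompany.Services.IItemService"/>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceMetadata httpGetEnabled="true"/>
        </behavior>
        <behavior name="CustomAuthenticationBehavior">
          <serviceCredentials>
            <userNameAuthentication userNamePasswordValidationMode="Custom"
              customUserNamePasswordValidatorType="MyCompany.Services.CustomAuthenticator, MyCompany.Services"/>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
"""

# The fix from the accepted answer: link the service to the named behavior.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    '<service name="MyCompany.Services.Item">',
    '<service name="MyCompany.Services.Item" behaviorConfiguration="CustomAuthenticationBehavior">')

# The 2014 reply's situation: the service is linked, but serviceCredentials has vanished.
MISSING_CREDENTIALS_CONFIG = re.sub(
    r"<serviceCredentials>.*?</serviceCredentials>", "", FIXED_CONFIG, flags=re.S)


def _uses_username_credentials(sm, endpoint):
    """True if the endpoint's binding configuration sets message clientCredentialType=UserName."""
    binding_type = endpoint.get("binding")
    cfg_name = endpoint.get("bindingConfiguration")
    if binding_type is None or cfg_name is None:
        return False
    for binding in sm.findall(f"./bindings/{binding_type}/binding"):
        if binding.get("name") == cfg_name:
            msg = binding.find("./security/message")
            return msg is not None and msg.get("clientCredentialType") == "UserName"
    return False


def check_custom_validator_wiring(config_xml):
    """Return a list of findings; an empty list means every UserName service reaches a Custom validator."""
    root = ET.fromstring(config_xml)
    sm = next((child for child in root if child.tag == "system.serviceModel"), None)
    if sm is None:
        return ["no <system.serviceModel> section"]
    # An unnamed <behavior> is the default that applies when behaviorConfiguration is absent.
    behaviors = {b.get("name", ""): b for b in sm.findall("./behaviors/serviceBehaviors/behavior")}
    findings = []
    for service in sm.findall("./services/service"):
        svc = service.get("name")
        if not any(_uses_username_credentials(sm, ep) for ep in service.findall("endpoint")):
            continue  # no UserName message credential on this service; nothing to check
        behavior = behaviors.get(service.get("behaviorConfiguration", ""))
        if behavior is None:
            findings.append(f"{svc}: behaviorConfiguration names a behavior that does not exist")
            continue
        label = behavior.get("name") or "(default)"
        auth = behavior.find("./serviceCredentials/userNameAuthentication")
        if auth is None:
            findings.append(f"{svc}: behavior {label} has no userNameAuthentication; "
                            "UserName tokens fall back to Windows logon")
        elif auth.get("userNamePasswordValidationMode") != "Custom":
            findings.append(f"{svc}: behavior {label} does not use Custom validation mode")
        elif not auth.get("customUserNamePasswordValidatorType"):
            findings.append(f"{svc}: behavior {label} names no customUserNamePasswordValidatorType")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG),
                      ("missing credentials", MISSING_CREDENTIALS_CONFIG)):
        print(name, "->", check_custom_validator_wiring(cfg) or "OK")
```

The check resolves the behavior the same way the runtime does: an absent behaviorConfiguration selects the unnamed default behavior, and that behavior in the poster's config has no userNameAuthentication at all, so the UserName token falls through to the Windows authenticator. Run it against the real web.config before deploying, since a service that silently authenticates against Windows accounts is a much worse failure than a visible fault.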