Strictly message security, no certificate involved RRS feed

  • Question

  • I'd like to know if this sort of configuration is possible. I'd like to use a CustomUserNamePasswordValidator to validate the username/password sent in by the client, but I don't want WCF to force me to have a certificate on the server (this is for scenarios such as when there's an SSL accelerator in the loop, or maybe it's over a VPN that is already doing encryption.

    my behavior configuration currently has:
        <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="MyCredentialsValidator,MyAssembly" />

    and my binding looks like:
    <binding name="message_mode_username_binding">
        <security mode="Message">
            <message clientCredentialType="UserName" />

    ... and I get the various errors that everyone's seen, such as:
    System.InvalidOperationException: BasicHttp binding requires that BasicHttpBinding.Security.Message.ClientCredentialType be equivalent to the BasicHttpMessageCredentialType.Certificate credential type for secure messages. Select Transport or TransportWithMessageCredential security for UserName credentials.

    System.InvalidOperationException: The service certificate is not provided. Specify a service certificate in Serv

    Thursday, September 27, 2007 5:17 PM

All replies

  • Username token cannot be used to secure a message, that is it cannot be used to sign or encrypt a message. It is sent as a supporting token. So, there should be some other means of securing the message. One of the ways is to use a service certificate for signing and encrypting. If you dont want to use a certificate, the other way is to use a secure transport, like https.


    So, change the security mode to "TransportWithMessageCredential" and use ssl.

    Thursday, September 27, 2007 5:51 PM
  • No, see, you missed the point. The requirement here is that there -is- no SSL involved. No encryption, no signing. All that will be taken care of by other systems (for example, SSL accelerators, or VPNs). What I do want is to have authentication -without- transport security. I just want to pass a username/password pair with the call without requiring a secured transport.
    Thursday, September 27, 2007 6:11 PM

    OK, I guess the following will work for you. No certificate and transport security. But username token in the message is signed.


    You can disable signing and encrypting the message body using ProtectionLevel attribute on OperationContract or ServiceContract.


    Code Block

    SymmetricSecurityBindingElement ssbe = SecurityBindingElement.CreateSspiNegotiationBindingElement();

    ssbe.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());

    BindingElementCollection bec = new BindingElementCollection();


    bec.Add(new HttpTransportBindingElement());



    Thursday, September 27, 2007 7:25 PM
  • Does this now require SSPI, or do I still get to use my custom username/password validator?
    Thursday, September 27, 2007 8:26 PM
  • I've discovered another post on this exact topic from late last year, but his solution didn't work for me (and didn't seem to work for him either):

    I'm wondering if anyone else has come across this problem and has a workable solution?

    Thursday, September 27, 2007 9:33 PM