An error occurred when verifying security for the message

8

28

When I try to call a WCF service I am getting the following message "An error occurred when verifying security for the message."

When I remove the custom authentication the service works no problem. I can't figure out though what I have misconfigured in my web.config. Any insight would be appreciated.

  <system.serviceModel>
     <services>
        <service behaviorConfiguration="NAThriveExtensions.nableAPIBehavior"
          name="NAThriveExtensions.nableAPI">
           <endpoint 
             address="" 
             binding="basicHttpBinding" 
             bindingConfiguration="basicHttpBinding_Secure"
             contract="NAThriveExtensions.InableAPI">
           </endpoint>
           <endpoint 
             address="mex" 
             binding="mexHttpsBinding" 
             contract="IMetadataExchange" />
        </service>
     </services>
     <behaviors>
        <serviceBehaviors>
          <behavior name="NAThriveExtensions.nableAPIBehavior">
            <serviceMetadata httpsGetEnabled="true" />
            <serviceDebug includeExceptionDetailInFaults="false" />
            <serviceCredentials>
              <userNameAuthentication 
                userNamePasswordValidationMode="Custom" 
                customUserNamePasswordValidatorType="NAThriveExtensions.Authentication, NAThriveExtensions" />
            </serviceCredentials>
          </behavior>
        </serviceBehaviors>
     </behaviors>
     <bindings>
       <basicHttpBinding>
         <binding name="basicHttpBinding_Secure">
           <security mode="TransportWithMessageCredential">
             <message clientCredentialType="UserName"/>
           </security>
         </binding>
       </basicHttpBinding>
     </bindings>
  </system.serviceModel>
Joannajoanne answered 21/9, 2010 at 23:26 Comment(0)
7

This ended up being a problem on the consuming side, not with the service itself. Software AG's webMethods 8 was consuming this server but there was no Security Handler added to the service so the credentials were not being added to the header, thus resulting in the aforementioned error.

Joannajoanne answered 8/10, 2010 at 16:24 Comment(2)
How could one find out if this is indeed the problem? - Adiel
@Maritim: Good question. Looking at the raw HTTP request is the best way I know - e.g. by logging it if it is not already being logged: the missing (elements of the) SOAP header should then be apparent. - Spectrum
41

I was getting this same error message and it turned out to be due to a time difference between my workstation machine and the server hosting the WCF service. The server was about 10 minutes behind my machine and WCF security doesn't seem to like that very much.

To find the root problem I turned on serviceSecurityAuditing in the server's config file. Add the following to the configuration/system.serviceModel/behaviors/serviceBehaviors/behavior section for your service:

<serviceSecurityAudit 
    auditLogLocation="Application" 
    serviceAuthorizationAuditLevel="Failure" 
    messageAuthenticationAuditLevel="Failure" 
    suppressAuditFailure="true"/>

The following site was helpful in figuring this out:

http://blogs.microsoft.co.il/blogs/urig/archive/2011/01/23/wcf-quot-an-error-occurred-when-verifying-security-for-the-message-quot-and-service-security-audit.aspx

Jointworm answered 7/3, 2013 at 23:10 Comment(3)
This is a great diagnostic tip! Thanks for sharing. - Sterilization
This really is a great tip. It appeared I was missing a DLL, like described here: #14033693 - Quern
I wish I could upvote this more than once! Half a day trying to get the real error message. - Zymosis
20

Another cause of this message is when some of your machines are not synchronized in time. WCF, by default, allows a five-minute gap; beyond this, it throws an error if things are out of synch.

The solution is to synch all your machines. time.windows.com is notorious for not working, so I suggest using something else. (If you're in a corporate environment, a local domain controller may be the correct choice here.)

Transpadane answered 31/1, 2014 at 16:30 Comment(3)
Thank you so much! I was pulling my hair out wondering what this issue was!! - Dyadic
Glad it's not just me @Stealth22 :) - Transpadane
My server and client were at the same clock. Client clock automatically configured but server clock was manually set. I activated "Set time automatically" on the server and problem solved. - Anthropomorphism
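
Added example, not part of any answer above or of WCF itself: a small Python check to run over a captured SOAP request, covering the two causes reported so far, namely a missing security header (the accepted answer and its comment about inspecting the raw request) and a timestamp outside the five-minute clock-skew window stated in the answer above. The function names, the sample envelope and the svc-user account are constructed for illustration, and the freshness test approximates the service's check rather than reproducing WCF internals.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {  # SOAP 1.1 (basicHttpBinding) and WS-Security 1.0 namespaces
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "u": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}

def _utc(text):
    """Parse an xsd:dateTime such as 2014-01-31T16:30:00.000Z as aware UTC."""
    dt = datetime.fromisoformat(text.strip().replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def diagnose(envelope_xml, server_now, max_skew=timedelta(minutes=5)):
    """Findings for one captured request; an empty list means nothing found."""
    sec = ET.fromstring(envelope_xml).find("s:Header/o:Security", NS)
    if sec is None:
        return ["no Security header: the client sent no message credentials"]
    findings = []
    for part in ("Username", "Password"):
        value = sec.findtext(f"o:UsernameToken/o:{part}", default="", namespaces=NS)
        if not value.strip():
            findings.append(f"UsernameToken has no {part}")
    created = sec.findtext("u:Timestamp/u:Created", namespaces=NS)
    expires = sec.findtext("u:Timestamp/u:Expires", namespaces=NS)
    if not created or not expires:
        return findings + ["Timestamp missing or incomplete"]
    if _utc(created) > server_now + max_skew:
        findings.append("Created is ahead of the server clock beyond the skew")
    if _utc(expires) < server_now - max_skew:
        findings.append("Expires is behind the server clock beyond the skew")
    return findings

def sample(created, expires):
    """Constructed capture; redact the real Password before storing one."""
    return (f'<s:Envelope xmlns:s="{NS["s"]}"><s:Header>'
            f'<o:Security xmlns:o="{NS["o"]}" xmlns:u="{NS["u"]}"><u:Timestamp>'
            f'<u:Created>{created}</u:Created><u:Expires>{expires}</u:Expires>'
            f'</u:Timestamp><o:UsernameToken><o:Username>svc-user</o:Username>'
            f'<o:Password>REDACTED</o:Password></o:UsernameToken></o:Security>'
            f'</s:Header><s:Body/></s:Envelope>')

if __name__ == "__main__":
    now = datetime(2014, 1, 31, 16, 30, tzinfo=timezone.utc)  # server clock
    # Client clock 10 minutes ahead of the server (constructed scenario).
    print(diagnose(sample("2014-01-31T16:40:00.000Z", "2014-01-31T16:45:00.000Z"), now))
    print(diagnose(f'<s:Envelope xmlns:s="{NS["s"]}"><s:Body/></s:Envelope>', now))
```
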
1

I had a similar issue. I was building my datetime formatted strings using my local time, but my service/server was expecting GMT.

I needed to get the GMT time (JAVA):

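import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.TimeZone;

// Format the current instant in GMT rather than the JVM's local time zone.
final Date currentTime = new Date();
final SimpleDateFormat sdf =
    new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'.000Z'");
sdf.setTimeZone(TimeZone.getTimeZone("GMT"));
System.out.println(sdf.format(currentTime));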
Autobahn answered 17/3, 2019 at 20:42 Comment(0)
0

I was getting the same error on my IIS 7.5 server. I forgot to add Read permission on the certificate's private key to the app pool virtual account (e.g. IIS AppPool\ASP.NET v4.0).

For info, whilst testing various combinations of accounts and permissions, I noticed that the app pool needed to be recycled to lose access to the key, once it had been retrieved once.

(0x80131501 - An error occurred when verifying security for the message.)

Shalondashalt answered 8/4, 2013 at 5:57 Comment(0)
0

I was getting the same error and none of the above helped me.

I finally tracked it down to connectionStrings in a parent web.config (my service was deployed to a child application to an admin site).

Yes, it sounds ridiculous, but as soon as I wrapped the connection strings in the parent web.config with a location element all started working.

For clarity, in parent web.config, I changed this

<connectionStrings>
    <add name="..." />
</connectionStrings>

to this

<location path="." inheritInChildApplications="false">
    <connectionStrings>
        <add name="..." />
    </connectionStrings>
</location>

Note this error also resulted in this very unhelpful serviceSecurityAudit log message:

Message authentication failed.
Service: ...
Action: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
ClientIdentity:
ActivityId:
ArgumentNullException: Value cannot be null.
Parameter name: manager

Asclepiadean answered 6/9, 2016 at 12:30 Comment(0)
0

I was getting the same error. I forgot to add Read permission on the membership database aspnetdb to the (IIS APPPOOL\DefaultAppPool).

Message authentication failed. Service:....

Action: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT

ClientIdentity:

ActivityId:

SqlException: Cannot open database "aspnetdb" requested by the login. The login failed.

Login failed for user 'IIS APPPOOL\DefaultAppPool'.

Lusk answered 19/12, 2016 at 7:24 Comment(0)
-4

The username and password are those of the server you connect to, not your system login username and password.

Appliance answered 23/12, 2015 at 9:5 Comment(0)
