While accessing the WCF service from the test client, I am getting the following exception:
System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. ---> System.ServiceModel.FaultException: An error occurred when verifying security for the message. --- End of inner exception stack trace ---
I searched on the internet for the root cause of the problem. I found that it is caused by a client-server time difference, but I am unable to find a correct solution for it. The following is the server-side configuration:
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="requestusername">
        <security mode="Message">
          <message clientCredentialType="Windows" negotiateServiceCredential="true" establishSecurityContext="true" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <service name="wcfservice.service1" behaviorConfiguration="wcfservice.service1behavior">
      <!-- Service endpoints -->
      <endpoint address="http://subdomain.domain.com/service1.svc" binding="wsHttpBinding" contract="wcfservice.iservice1" bindingName="requestusername">
      </endpoint>
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="wcfservice.service1behavior">
        <!-- To avoid disclosing metadata information, set the value below to false before deployment -->
        <serviceMetadata httpGetEnabled="false" />
        <!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
        <serviceDebug includeExceptionDetailInFaults="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <serviceHostingEnvironment>
    <baseAddressPrefixFilters>
      <add prefix="http://subdomain.domain.com/"/>
    </baseAddressPrefixFilters>
  </serviceHostingEnvironment>
</system.serviceModel>
And the client-side configuration:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="requestusername_iservice1" />
      </wsHttpBinding>
    </bindings>
    <client>
      <endpoint address="http://subdomain.domain.com/service1.svc" binding="wsHttpBinding" bindingConfiguration="requestusername_iservice1" contract="servicereference1.iservice1" name="requestusername_iservice1">
        <identity>
          <userPrincipalName value="domain\subdomaincom_web" />
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
Can anyone please help me find a solution to this problem?
Update: When I traced the exception, the inner exception shows: The security timestamp is stale because its expiration time ('2013-08-21T11:17:39.482Z') is in the past. Current time is '2013-08-21T12:31:31.897Z' and allowed clock skew is '00:05:00'.
My server uses UTC format, and the client is a general-purpose application that can be downloaded in any country.
Update 2: Config after the answer:
<system.serviceModel>
  <bindings>
    <customBinding>
      <binding name="wrabind">
        <transactionFlow />
        <security authenticationMode="SecureConversation" messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
          <localClientSettings maxClockSkew="00:07:00" />
          <localServiceSettings maxClockSkew="00:07:00" />
          <!-- The bootstrap settings are child elements of secureConversationBootstrap -->
          <secureConversationBootstrap messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
            <localClientSettings maxClockSkew="00:30:00" />
            <localServiceSettings maxClockSkew="00:30:00" />
          </secureConversationBootstrap>
        </security>
        <textMessageEncoding />
        <httpTransport />
      </binding>
    </customBinding>
  </bindings>
  <!-- change -->
  <services>
    <service name="wcfservice.service1" behaviorConfiguration="wcfservice.service1behavior">
      <!-- Service endpoints -->
      <endpoint address="http://subdomain.domain.com/service1.svc" binding="customBinding" contract="wcfservice.iservice1" bindingName="wrabind">
        <!-- Upon deployment, the following identity element should be removed or replaced to reflect the identity under which the deployed service runs. If removed, WCF will infer an appropriate identity automatically. -->
      </endpoint>
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="wcfservice.service1behavior">
        <!-- To avoid disclosing metadata information, set the value below to false before deployment -->
        <serviceMetadata httpGetEnabled="false" />
        <!-- change -->
        <!--<serviceCredentials>
          <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="wcfservice.authentication.distributorvalidator, wranglecoreservice"/>
          <serviceCertificate findValue="wcfservice" storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectName"/>
        </serviceCredentials>-->
        <!-- change -->
        <!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
        <serviceDebug includeExceptionDetailInFaults="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <serviceHostingEnvironment>
    <baseAddressPrefixFilters>
      <add prefix="http://subdomain.domain.com/"/>
    </baseAddressPrefixFilters>
  </serviceHostingEnvironment>
  <!--<standardEndpoints>
    <webHttpEndpoint>
      <standardEndpoint name="" helpEnabled="true" automaticFormatSelectionEnabled="true"/>
    </webHttpEndpoint>
  </standardEndpoints>-->
</system.serviceModel>
There can be multiple reasons for this error; the most common one is related to the server not authenticating the client for various reasons (maybe they are not on the same domain). To determine the exact reason, turn on WCF trace and see the errors it shows in red. You're looking for the inner exception, which is a little hidden in the trace UI, on the right side in the middle, down the tree.
Here is how to set the clock skew:
<security authenticationMode="...">
  <localClientSettings maxClockSkew="00:07:00" />
  <localServiceSettings maxClockSkew="00:07:00" />
  <secureConversationBootstrap>
    <localClientSettings maxClockSkew="00:30:00" />
    <localServiceSettings maxClockSkew="00:30:00" />
  </secureConversationBootstrap>
</security>
Note that the skew can be defined on a custom binding. Since you use wsHttpBinding, you need to convert it to a custom binding, which can be done online via the WCF binding converter.
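
Added example (not part of the original question or answer): a Python check that parses the stale-timestamp fault from the question's trace and works out whether the maxClockSkew values in the posted config (00:07:00 and 00:30:00) would have let the message through. The function names are made up for this example, and it assumes a message is accepted when the current time is no later than the expiration time plus maxClockSkew.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the fault text from the question's trace.
SAMPLE_FAULT = (
    "The security timestamp is stale because its expiration time "
    "('2013-08-21T11:17:39.482Z') is in the past. Current time is "
    "'2013-08-21T12:31:31.897Z' and allowed clock skew is '00:05:00'."
)

STALE_RE = re.compile(
    r"expiration time \('(?P<expires>[^']+)'\) is in the past\. "
    r"Current time is '(?P<now>[^']+)' and allowed clock skew is '(?P<skew>[^']+)'",
    re.IGNORECASE,
)

def parse_utc(text):
    """Parse the UTC timestamp format in the fault, e.g. 2013-08-21T11:17:39.482Z."""
    parsed = datetime.strptime(text.upper(), "%Y-%m-%dT%H:%M:%S.%fZ")
    return parsed.replace(tzinfo=timezone.utc)

def parse_skew(text):
    """Parse an hh:mm:ss value as used by the maxClockSkew attribute."""
    hours, minutes, seconds = text.split(":")
    return timedelta(hours=int(hours), minutes=int(minutes), seconds=float(seconds))

def analyse_stale_timestamp(message, configured_skews=()):
    """Return how far past expiry the message arrived, or None if no match."""
    match = STALE_RE.search(message)
    if match is None:
        return None
    # Lag between expiry and the receiver's clock at validation time.
    lag = parse_utc(match["now"]) - parse_utc(match["expires"])
    allowed = parse_skew(match["skew"])
    return {
        "lag": lag,
        "allowed": allowed,
        "excess": lag - allowed,
        # Assumption: accepted when now <= expires + maxClockSkew.
        "accepted_with": {s: parse_skew(s) >= lag for s in configured_skews},
    }

if __name__ == "__main__":
    report = analyse_stale_timestamp(SAMPLE_FAULT, ("00:07:00", "00:30:00"))
    print("lag:", report["lag"], "excess:", report["excess"])
    for value, accepted in report["accepted_with"].items():
        print(f"maxClockSkew={value}: {'accepted' if accepted else 'still rejected'}")
```

For the fault in the question the gap is over an hour, so neither configured value is enough and the clocks themselves need correcting. A larger maxClockSkew also lengthens the time during which an old message is still accepted.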