I am trying to create a WCF Service (hosted in a Windows service) using message security mode with a custom username validator.

I have also created a self-signed certificate through IIS.

The problem is that I encounter the following error:

System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.

WCF Server Configuration:

```csharp
// Create a WsHttpBinding.
// Set Message Security Mode and UserName Authorization
WSHttpBinding mywshttpbind = new WSHttpBinding();
mywshttpbind.Security.Mode = SecurityMode.Message;
mywshttpbind.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
// Negotiate the Credentials and establish a Security Token
mywshttpbind.Security.Message.NegotiateServiceCredential = true;
mywshttpbind.Security.Message.EstablishSecurityContext = false;
// Find the BindingElements and disable the TimeStamp
BindingElementCollection elements = mywshttpbind.CreateBindingElements();
elements.Find<SecurityBindingElement>().IncludeTimestamp = false;

CustomBinding myCustomBinding = new CustomBinding(mywshttpbind);

// A ServiceCertificate will be used - search it by serial number
obj.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySerialNumber, "....");
// The client will not check for the certificate
obj.Credentials.ClientCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;
// A custom UsernamePassword Validator will be used
obj.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
obj.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new CustomUserPassValidator();
// Add Endpoint to Host with the custom binding
obj.AddServiceEndpoint(typeof(service.IService), myCustomBinding, "");

// Metadata Exchange
ServiceMetadataBehavior serviceBehavior = new ServiceMetadataBehavior();
serviceBehavior.HttpGetEnabled = true;
obj.Description.Behaviors.Add(serviceBehavior);

// Open the connection
obj.Open();
```

WCF Client:

```csharp
// Create a WsHttpBinding.
// Set Message Security Mode and UserName Authorization
WSHttpBinding mywshttpbind = new WSHttpBinding();
mywshttpbind.Security.Mode = SecurityMode.Message;
mywshttpbind.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
// Negotiate the Credentials and establish a Security Token
mywshttpbind.Security.Message.NegotiateServiceCredential = true;
mywshttpbind.Security.Message.EstablishSecurityContext = false;
// Find the BindingElements and disable the TimeStamp
BindingElementCollection elements = mywshttpbind.CreateBindingElements();
elements.Find<SecurityBindingElement>().IncludeTimestamp = false;

CustomBinding myCustomBinding = new CustomBinding(mywshttpbind);

// Create a new factory channel
var newFactory = new ChannelFactory<ICMM_WCF_S>(myCustomBinding, add);

// Set the username and the password
newFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
newFactory.Credentials.UserName.UserName = "user1";
newFactory.Credentials.UserName.Password = "pass1";

var channel = newFactory.CreateChannel();
channel.get_data();
```

After I enabled the WCF Tracer, I traced the following exception:

The security timestamp is invalid because its creation time ('2015-07-06T10:28:39.264Z') is in the future. Current time is '2015-07-06T10:20:44.570Z' and allowed clock skew is '00:05:00'.

Even though I created a Custom Binding with the timestamp disabled, the error persists.

magarisi
  • @stuartd: Concerning the possible duplicate: 1) I don't send different credentials - they are the same 2) The development is on the same PC, so there is no time difference. – magarisi Jul 03 '15 at 15:39
  • So are the timestamps in the request the current time? – stuartd Jul 03 '15 at 15:41
  • @stuartd: Sorry, I don't understand the question. Can you explain a little bit more? Thanks – magarisi Jul 03 '15 at 15:45
  • If there are timestamps like [this](https://gist.github.com/stuartd/0ee8a59d74ac8510b41e) in the request, then they must be within 5 minutes of the current time – stuartd Jul 03 '15 at 15:50
  • @stuartd: I haven't added any timestamps in the config files. However, reading your comments I find another problem. The client will be placed on a PC where I will not have access, so I won't know the time difference. In that case the service will fail. So, what is the fix in situations like these? Custom wshttpbinding configurations? – magarisi Jul 03 '15 at 16:14
  • The [timestamp element is optional](http://stackoverflow.com/questions/19770795/why-is-the-wcf-wshttpbinding-timestamp-optional), but if present must be valid. However you can [change the MaxClockSkew allowed](https://social.msdn.microsoft.com/Forums/vstudio/en-US/0e8c30ab-e5a0-40b1-9722-c1b20a09c8ad/maxclockskew-on-wshttpbinding?forum=wcf) in a custom binding. – stuartd Jul 03 '15 at 16:23
  • @stuartd: You are right, the error is because of the timestamp, but I can't change it even with a custom binding. – magarisi Jul 06 '15 at 10:37
  • On the other hand, it worked fine when I changed the MaxClockSkew. `SymmetricSecurityBindingElement security = myCustomBinding.Elements.Find<SymmetricSecurityBindingElement>(); security.LocalClientSettings.MaxClockSkew = TimeSpan.FromMinutes(30); security.LocalServiceSettings.MaxClockSkew = TimeSpan.FromMinutes(30);` – magarisi Jul 06 '15 at 10:49

0 Answers
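An added example, not part of the original post or its comments: the MaxClockSkew change described in the last comment, applied to the `CustomBinding`'s own element collection and shared by host and client. The class and method names are hypothetical, and the SecureConversation branch goes beyond the question's configuration (it only applies when `EstablishSecurityContext` is `true`).

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security.Tokens;

// Hypothetical helper, not code from the original post.
static class ClockSkewBinding
{
    // Builds the question's WSHttpBinding and returns a CustomBinding whose
    // security element accepts timestamps within maxClockSkew.
    public static CustomBinding Create(TimeSpan maxClockSkew)
    {
        var ws = new WSHttpBinding(SecurityMode.Message);
        ws.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        ws.Security.Message.NegotiateServiceCredential = true;
        ws.Security.Message.EstablishSecurityContext = false;

        // CreateBindingElements() builds a new collection on every call, and
        // new CustomBinding(ws) takes its own copy, so edits must be made on
        // custom.Elements, not on a collection obtained separately from ws.
        var custom = new CustomBinding(ws);
        Apply(custom.Elements.Find<SecurityBindingElement>(), maxClockSkew);
        return custom;
    }

    static void Apply(SecurityBindingElement security, TimeSpan skew)
    {
        if (security == null) return;

        // Set both sides: the same binding is used by the host and the client.
        security.LocalClientSettings.MaxClockSkew = skew;
        security.LocalServiceSettings.MaxClockSkew = skew;

        // Generalization: with a security context (SecureConversation) the
        // outer element wraps a bootstrap element that validates its own
        // timestamps, so it needs the same setting.
        var symmetric = security as SymmetricSecurityBindingElement;
        if (symmetric == null) return;
        var sct = symmetric.ProtectionTokenParameters
                  as SecureConversationSecurityTokenParameters;
        if (sct != null) Apply(sct.BootstrapSecurityBindingElement, skew);
    }
}
```

Pass the returned binding to both `AddServiceEndpoint` and `ChannelFactory`. The timestamp bounds how long a captured message stays acceptable, so keep the skew as small as the deployment's clock drift allows.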