.NET Tutorials, Forums, Interview Questions And Answers
Welcome :Guest
Sign In
Win Surprise Gifts!!!

Top 5 Contributors of the Month
david stephan
Gaurav Pal
Post New Web Links

WCF Message Security using Certificates

Posted By:      Posted Date: September 07, 2010    Points: 0   Category :WCF
I am new to wfc programming and trying to understand security aspects ('message' using certificates). I am using windows 7 and visual studio 2010. I have a few questions about how I have implemented wfc. I have a win forms app that will talk over the web to a wfc service. I need to make sure the message is encrypted enroute. This is an admin application and will be used only by me. I created certificates on my Dev machine and edited the web.config and app.config. This works. The problem is when I right click the service reference and select update service refernce, the app.config is overwritten. The identity element is removed and behior ref is removed  and now the app will not connect to the service any more. I am including my web.config and app.config (before and after updating svc ref) below. Please advice me on what I am doing wrong. Also please let me know if this is the right way to do it. While creating the certificates I wasnt prompted for any passwords, not sure why. Can I use this type of certificate eventually when I go live ? what are the risk if this is not advisable ? Thanks in advance for you help. certificate creation and installation //server makecert.exe -sr CurrentUser -ss My -a sha1 -n CN=TradeService -sky exchange -pe certmgr.exe -add -r CurrentUser -s My -c -n TradeService -r CurrentUser -s TrustedPeople    //client makecert.exe -sr Cu

View Complete Post

More Related Resource Links

Secure It: WS-Security and Remoting Channel Sinks Give Message-Level Security to Your SOAP Packets


As more organizations adopt XML-based Web Services, the need for message-level security has become evident. WS-Security, now supported in the Microsoft .NET Framework, addresses this need. Using the WS-Security framework, developers can implement channel sinks to intercept Remoting messages as they pass through the .NET Remoting infrastructure. The sink can read the message, change it, and pass it along. During this process, the message can be signed for added security. This article explains how to implement a Remoting channel sink that will modify the Remoting message by including a UserName token in the header, then sign the body using the token.

Neeraj Srivastava

MSDN Magazine November 2003

Weird security configuration error message


Recently something has gone wrong with our website so that whenever you try to access an aspx file, it shows the following error:


Server Error in '/RALSWeb' Application.

Configuration Error

Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: Access is denied: 'RalsWeb'.

Source Error:

Line 256:                <add assembly="System.EnterpriseServices, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
Line 257:                <add assembly="System.Web.Mobile, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
Line 258:                <add assembly="*"/>
Line 259:            </assemblies>

How to sign a message using 2 client's X509 certificates?

Hi,   We have a requirement to sign each WCF message using two X509 certficiates: - company certificate - user certificate I have found out that I could achieve this using Supporting Credentials, but I am not sure how to set the certificates on the client's side. All examples that I found were using different types of credentials and were using these properties: - proxy.ClientCredentials.ClientCertificate - proxy.ClientCredentials.UserName.UserName   Any insight would be greatly appreciated.

WCF Exception "Message security verification failed" only with header!

Hi, I've got a WCF service doing Username authentication. I authenticate with AD and authorize using AzMan on AD. I'm hosting the service in IIS 6 and its running in an app pool that runs in a domain account that has read rights on the AD. I have a custom header that goes both ways. Everything works well until I assign the custom header to return. If I never assign the custom header to return everything is ok but if I do assign the custom header to return I get the error:- Message security verification failed.Duplicate attribute found. Both 'u:Id' and 'u:Id' are from the namespace 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'. Line 1, position 520. I've got service level message tracing and I can see the secure conversation stuff happening and the messages going across the interface.   If anyone has any ideas I'd be most appreciative.   Thanks,   Andy

Is BasicHttpBinding/WSHttpBinding + Windows Authentication + Message Security possible without serve


Hi Folks,

I need to deploy a WCF service hosted in IIS 7.5 which has the following constrains:

1) Using Windows Authentication
2) No server or client certificate is needed
3) Using either BasicHttpBinding or WSHttpBinding
4) Using Message Security, so that it is not possible to monitor the communication maliciously. (I think Transport Security is not possible without server certificate)

Is it possible to fullfil the above requirements simultaneously? Thanks for the reply in advance. I'll appreciate it:)


Security processor was unable to find a security header in the message



Recently on one of my machines, my client (WCF client) is having problem talking to WCF server. Both server and client are running on the same machine. The machine is Windows7 64 bit machine. It used to work fine until recently. The same software is working fine on all other machines with exactly same configuration. I am really confused here. Could someone please let me know what could be the problem?

Exception Type:

System.ServiceModel.Security.MessageSecurityException, System.ServiceModel, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089


Security processor was unable to find a security header in the message. This might be because the message is an unsecured fault or because there is a binding mismatch between the communicating parties. This can occur if the service is configured for security and the client is not using security.

Stack Trace: System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessageCore(Message& message, TimeSpan timeout) System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout) System.ServiceModel.Security.SecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates) System.ServiceModel.Channels.SecurityChannelListener

wsHttpBinding with Windows Authentication and Message Security



I want to accomplish wsHttpBinding with Windows Authentication and Message Security. I've created a test service and deployed on Windows Server 2008 and IIS 7.5.

The virtual directory has been assigned a application pool running under custom account domain\username. Only
Windows Authentication is enabled on the virtual directory ( i DONT want anonymous access enabled).

I keep getting this error "Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service."

Below is my server config file. I've followed  instructions at http://msdn.microsoft.com/en-us/library/ff650619.aspx

        <binding name="NewBinding0">
          <security mode="Message">
            <transport clientCredentialType="Windows"></transport>

Sharepoint 2007 publishing site home page displays unknown file type security message


I am using sharepoint 2007 sp2, it has been workig fine for the past 8 months but since one of the developers installed .net 4.0 framework, every time we create a new sharepoit publishng site or extend and existing application the home url displays an "Unknown File Type" security warning message and asks users to download the file.  If i manually tupe in the full url http://www.mysite.com/pages/default.aspx it is displayed correctly. I have uninstalled .net 4 from the server but i still have the same  error. I have tried to replicate this error on a development server but sharepoitn works fine on that even with .net 4.0 installed.

Has anyone had the same issue ? I would appreciate  any suggestios or help with troubleshootig this issue.


Problem with Implementing Transport Message Security with WCF 4.0 and VS 2010



I'm working on a tree tier project in this solution I have tree project ,

the Service layer,the ServiceContract Layer and presentation layer

At first I implemented it without security and it worked  properly,

But when I tried to add Transport Message security with SSL I faced some problem here is some of my code :

web.config in service layer:



Error message "Could not locate the security token referenced by key info" with WCF custom client (V



I’m trying to develop a custom client, a console application, to connect it with a Web Service (Java Web Service) and call publics web methods with Visual Studio 2008 (.Net Framework 3.5) and WCF, but I’m getting an error message (“Could not locate the security token referenced by key info”).

I’m employing two certificates, a server certificate and a client certificate, because I have to sign and encrypt the message that I send to the Web Service. Both certificates are correctly installed in my certificate repository. In my client Web Service generated with “svcutil” tool, I’m added this line to sing and encrypt the message:


Defining both transport and message security on a wsHttpBinding client



My customers requirement was to find a way of performing mutual authentication with ISA 2006 using WCF 3.5 and client certificates. I achieved this easily enough using a security mode of transport and defining a client certificate in the endpointbehavior. I had to jump through some hoops on the ISA as well.

The customer also has a requirement for message security at the service which is behind the ISA server.

I therefore need my service to only require message security but for the client to navigate both transport (for ISA) and message (for the service) security.

After a little reading I am not sure this is possible using out of the box bindings, particularly wsHttpBinding. Could someone confirm this?

Additionally, I have read that IF both transport and message security are defined using certificates, that it must be the same certificate. My question here would be, what bindings are there that allow both transport and message security and why must the same certificate be used for both?

Many thanks for any help you can give.


Transport Level Security Vs Message Level Security in WCF

*Transport Level Security
It secures the actual transport (i.e. the pipe) over which the message passes through from client to a service. For
example it uses SSL (Secure Socket Layer) to ensure point-to-point protection.

*Message Level Security
It secures the message itself that is being transported from client to a service and vice versa.

Gmail internal chat like message box

This article provides you with the multi-functional message box window through which the usability of the web-site or any web application increases.

.Configurable MessageBox window with AJAX Support
.can set maximum number of message boxes to be visible
.can define the auto reload time, for single message, for all messages or no reload
.can create messages through a single function call
.can define auto hide time for each messages

SharePoint Tutorial - Security

Security in SharePoint is comprised of users, groups and roles.

Users, Groups and Roles

A user account comes from the authentication system. For example, if Active Directory is used to authenticate then the user accounts will come from it.

There are two types of groups SharePoint uses: domain groups and SharePoint groups.

Asp.net web site security database


Hello all, I'm new to asp.net and I'm currently practising some few stuffs. I'm creating a hotel reservation system using ASP.net Web site in visual studio 2008 and I currently don't have an App_Data in my solution explorer unlike visual web developer.

1. I have planned to make users of the website login before making their reservations.

2. I have also planned to develop the website such that I will be able to know all reservations made by each user.

First and formost, I will like to know how I can access/View the security database?

Secondly, how do I link my custom made reservation database and the security database in order to achieve my second plan above.?

Someone help me.

Thank you.



hello i have the following problem

i have upload my content to hosting server but i get the following error

Security Exception

Description: The application attempted to perform an operation not allowed by the security policy.  To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[SecurityException: Request for the permission of typ
ASP.NetWindows Application  .NET Framework  C#  VB.Net  ADO.Net  
Sql Server  SharePoint  Silverlight  Others  All   

Hall of Fame    Twitter   Terms of Service    Privacy Policy    Contact Us    Archives   Tell A Friend