.NET Tutorials, Forums, Interview Questions And Answers

Defining both transport and message security on a wsHttpBinding client

Posted Date: April 14, 2011    Points: 0    Category: SharePoint


My customer's requirement was to find a way of performing mutual authentication with ISA 2006 using WCF 3.5 and client certificates. I achieved this easily enough using a security mode of transport and defining a client certificate in the endpoint behavior. I had to jump through some hoops on the ISA as well.

The customer also has a requirement for message security at the service which is behind the ISA server.

I therefore need my service to only require message security but for the client to navigate both transport (for ISA) and message (for the service) security.

After a little reading I am not sure this is possible using out of the box bindings, particularly wsHttpBinding. Could someone confirm this?

Additionally, I have read that if both transport and message security are defined using certificates, it must be the same certificate. My question here would be, what bindings are there that allow both transport and message security and why must the same certificate be used for both?

Many thanks for any help you can give.



More Related Resource Links

Is BasicHttpBinding/WSHttpBinding + Windows Authentication + Message Security possible without serve


Hi Folks,

I need to deploy a WCF service hosted in IIS 7.5 which has the following constraints:

1) Using Windows Authentication
2) No server or client certificate is needed
3) Using either BasicHttpBinding or WSHttpBinding
4) Using Message Security, so that it is not possible to monitor the communication maliciously. (I think Transport Security is not possible without server certificate)

Is it possible to fulfill the above requirements simultaneously? Thanks for the reply in advance. I'll appreciate it :)


wsHttpBinding with Windows Authentication and Message Security



I want to accomplish wsHttpBinding with Windows Authentication and Message Security. I've created a test service and deployed on Windows Server 2008 and IIS 7.5.

The virtual directory has been assigned an application pool running under custom account domain\username. Only Windows Authentication is enabled on the virtual directory (I DON'T want anonymous access enabled).

I keep getting this error "Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service."

Below is my server config file. I've followed instructions at http://msdn.microsoft.com/en-us/library/ff650619.aspx

        <binding name="NewBinding0">
          <security mode="Message">
            <transport clientCredentialType="Windows"></transport>

How to setup WCF with wsHttpBinding, Transport Security with x509 certificate behind a load balancer


I'm having a difficult time setting up this WCF Service with wsHttpBinding, Transport Security, x509 and, the key part, the Load Balancer (F5). This all works without a problem in our Dev environment but as soon as I put it behind the F5 it fails giving me this message:

System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority 'servicechannelcert'. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

Is there any additional setup I need to do in IIS or the Load Balancer to handle these requests?

configuration files:

<binding name="wsHttpTransport">
 <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647"
  maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
 <security mode="Transport&

Problem with Implementing Transport Message Security with WCF 4.0 and VS 2010



I'm working on a three-tier project. In this solution I have three projects: the Service layer, the ServiceContract layer and the presentation layer.

At first I implemented it without security and it worked properly, but when I tried to add Transport Message security with SSL I faced some problems. Here is some of my code:

web.config in service layer:



Error message "Could not locate the security token referenced by key info" with WCF custom client (V



I’m trying to develop a custom client, a console application, to connect it with a Web Service (Java Web Service) and call public web methods with Visual Studio 2008 (.Net Framework 3.5) and WCF, but I’m getting an error message (“Could not locate the security token referenced by key info”).

I’m employing two certificates, a server certificate and a client certificate, because I have to sign and encrypt the message that I send to the Web Service. Both certificates are correctly installed in my certificate repository. In my client Web Service generated with “svcutil” tool, I’ve added this line to sign and encrypt the message:


Transport Level Security Vs Message Level Security in WCF

*Transport Level Security
It secures the actual transport (i.e. the pipe) over which the message passes from client to service. For example, it uses SSL (Secure Sockets Layer) to ensure point-to-point protection.

*Message Level Security
It secures the message itself as it is transported from client to service and vice versa.

Secure It: WS-Security and Remoting Channel Sinks Give Message-Level Security to Your SOAP Packets


As more organizations adopt XML-based Web Services, the need for message-level security has become evident. WS-Security, now supported in the Microsoft .NET Framework, addresses this need. Using the WS-Security framework, developers can implement channel sinks to intercept Remoting messages as they pass through the .NET Remoting infrastructure. The sink can read the message, change it, and pass it along. During this process, the message can be signed for added security. This article explains how to implement a Remoting channel sink that will modify the Remoting message by including a UserName token in the header, then sign the body using the token.

Neeraj Srivastava

MSDN Magazine November 2003

Return of the Rich Client: Code Access Security and Distribution Features in .NET Enhance Client-Sid


Rich clients employ many of the features and conveniences of the operating system they run on, and the list of these features has been growing since the dawn of the PC. But as apps have migrated to the Web, the trend towards increasing client-side functionality has ground to a virtual halt. There are several reasons for this; chief among them are security and deployment problems. But that's all about to change. With the .NET Framework, you can participate in building the distributable rich client of the future. In this article, the author enumerates the pertinent features of .NET that will allow you to build safe, easily deployable controls. The features discussed include managed code, code access security, versioning control, Windows Forms classes, and isolation.

Jason Clark

MSDN Magazine June 2002

Web Security: Part 2: Introducing the Web Application Manager, Client Authentication Options, and Pr


This article, the second of two parts, continues coverage of Web security for Windows. It introduces the Web Application Manager in IIS that allows Web processes to be isolated, decreasing the security risk associated with running in a logon session. The article then picks up where Part One left off: it discusses authentication methods such as basic authentication, digest authentication, integrated Windows authentication, and anonymous logons, and the benefits and drawbacks of each.

Keith Brown

MSDN Magazine July 2000

Weird security configuration error message


Recently something has gone wrong with our website so that whenever you try to access an aspx file, it shows the following error:


Server Error in '/RALSWeb' Application.

Configuration Error

Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: Access is denied: 'RalsWeb'.

Source Error:

Line 256:                <add assembly="System.EnterpriseServices, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
Line 257:                <add assembly="System.Web.Mobile, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
Line 258:                <add assembly="*"/>
Line 259:            </assemblies>

WCF Message Security using Certificates

I am new to WCF programming and trying to understand security aspects ('message' using certificates). I am using Windows 7 and Visual Studio 2010. I have a few questions about how I have implemented WCF. I have a win forms app that will talk over the web to a WCF service. I need to make sure the message is encrypted en route. This is an admin application and will be used only by me. I created certificates on my Dev machine and edited the web.config and app.config. This works. The problem is that when I right-click the service reference and select update service reference, the app.config is overwritten. The identity element is removed and the behavior ref is removed, and now the app will not connect to the service any more. I am including my web.config and app.config (before and after updating svc ref) below. Please advise me on what I am doing wrong. Also please let me know if this is the right way to do it. While creating the certificates I wasn't prompted for any passwords, not sure why. Can I use this type of certificate eventually when I go live? What are the risks if this is not advisable? Thanks in advance for your help.

Certificate creation and installation

//server
makecert.exe -sr CurrentUser -ss My -a sha1 -n CN=TradeService -sky exchange -pe
certmgr.exe -add -r CurrentUser -s My -c -n TradeService -r CurrentUser -s TrustedPeople

//client
makecert.exe -sr Cu

Transport level security with netTcpBinding

Do the service and client need to be part of a domain with a netTcpBinding endpoint configured to use Transport security mode with Certificate based client credential type and protection level set to EncryptAndSign?

<bindings>
  <netTcpBinding>
    <binding name="CertificateWithTransport" maxBufferPoolSize="100000000" maxBufferSize="100000000" maxReceivedMessageSize="100000000" portSharingEnabled="true">
      <readerQuotas maxDepth="100000000" maxStringContentLength="100000000" maxArrayLength="100000000" maxBytesPerRead="100000000" maxNameTableCharCount="100000000" />
      <security mode="Transport">
        <transport clientCredentialType="Certificate" protectionLevel="EncryptAndSign"/>
      </security>
    </binding>
  </netTcpBinding>
</bindings>

Thanks

-= JL =-

WCF client WS-Security Username + X.509 + https

Hi all, I need help to build a WCF client. The client has to send a WS-Security message with BinarySecurityToken tag and UsernameToken tag. The transport is https. The UsernameToken is composed only of the Username field without the Password. I have set in the configuration file the security mode="TransportWithMessageCredential" but I cannot set in the <message clientCredentialType=""> "Username" and "Certificate" both active at the same time. I have to send in the SOAP header two References with two digests, one for the body, one for the UsernameToken. Can someone help me? Bye and thanks

How to sign a message using 2 client's X509 certificates?

Hi,

We have a requirement to sign each WCF message using two X509 certificates:
- company certificate
- user certificate

I have found out that I could achieve this using Supporting Credentials, but I am not sure how to set the certificates on the client's side. All examples that I found were using different types of credentials and were using these properties:
- proxy.ClientCredentials.ClientCertificate
- proxy.ClientCredentials.UserName.UserName

Any insight would be greatly appreciated.

WCF Exception "Message security verification failed" only with header!

Hi, I've got a WCF service doing Username authentication. I authenticate with AD and authorize using AzMan on AD. I'm hosting the service in IIS 6 and it's running in an app pool that runs in a domain account that has read rights on the AD. I have a custom header that goes both ways. Everything works well until I assign the custom header to return. If I never assign the custom header to return everything is OK, but if I do assign the custom header to return I get the error:- Message security verification failed.Duplicate attribute found. Both 'u:Id' and 'u:Id' are from the namespace 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'. Line 1, position 520. I've got service level message tracing and I can see the secure conversation stuff happening and the messages going across the interface.

If anyone has any ideas I'd be most appreciative.

Thanks,

Andy

ASP.net UPS void wsdl error message 'exception has been raised as a result of client data'


exception has been raised as a result of client data. at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall) at System.Web.Services.Protocols.SoapHttpClientProtocol

Void shipment error message; I can't determine how to resolve the error. at ***

The following is the code for ups void shipment wsdl...

protected void wsdlRate()


RateWSs.RateRequest rateReq = new RateRequest();
RateWSs.UPSSecurity rateSecurity = new RateWSs.UPSSecurity();
RateWSs.UPSSecurityServiceAccessToken rateToken = new RateWSs.UPSSecurityServiceAccessToken

Event receiver validation client message


Is there a way to display a client message if validation sets? (JavaScript or inline validation error message)

properties.Status = SPEventReceiverStatus.CancelWithError;

properties.Cancel =



properties.ErrorMessage =

