Trouble with client's SOAP security header

Posted By:      Posted Date: May 22, 2011    Points: 0   Category :ADO.Net

Our client has a web service I need to call to get some order details. It's a SOAP service and I'm calling it over SSL. The message has to include a username/password as well as an SSL certificate. I have the SSL cert on my system and I sent them a copy of the public key to install on their web server.

I was unable to get it working in 2008 with WCF so I am now trying WSE in 2005.  I'm now generating a username and password but I cannot get my SSL cert included in the header.  When I try to add the cert through the WSE 3.0 setting I get an error saying the cert can't be used for encryption.  This is fine because the cert is only supposed to be used for identification. 

Here is an example SOAP header the client sent me:

    <wsa:Action wsu:Id="Id-d02f4053-1c85-41ad-a7a8-dbf6be15ddca">http://www.test.com/Order</wsa:Action>
    <wsa:MessageID wsu:Id="Id-3aadc603-4235-4ca3-a09e-6ff39b65ad8a">uuid:3024666c-d0f2-48a3-b9a7-ab10eaaeee63</wsa:MessageID>
    <wsa:ReplyTo wsu:Id="Id-b4508af4-5e71-42cf-a249-890b89e1334">


More Related Resource Links

SOAP Security Header: EncryptedData



I am configuring WCF to talk to non-.NET SOAP Framework.

The SOAP message will be encrypted with public-key, with Timestamp and UsernameToken in the Security Header.

I am starting off with CreateAnonymousForCertificateBindingElement(), and adding UserNameSecurityTokenParameters() to EndpointSupportingTokenParameters.Signed collection.

Difficulty is: In the SOAP Security Header I get ONE EncryptedData element that is giving the 3rd party service trouble... If I use a tool to submit an altered SOAP Envelope without the EncryptedData element (which seems to be not needed) the 3rd party service takes the request successfully.

1) What may be generating this EncryptedData element?
2) How could EncryptedData be turned off OR removed from the Security Header?


Thank you


How to control SOAP address header and/or "mustUnderstand"-attribute in WCF client

Hello all,

using the following configuration, I'm trying to build a WCF-client for a non-WCF service that requires a SecurityContextToken for authentication.

<?xml version="1.0" encoding="utf-8"?>


        <binding name="TicketServiceBinding">



Modify SOAP header Mustunderstand attribute in WCF client

I am writing a WCF client for a service (not WCF). Getting an error that Unprocessed 'mustUnderstand' header element: {http://www.w3.org/2005/08/addressing}Action, because request SOAP contains header with mustunderstand='true'. I have to either set it false or remove the whole header. Can you show the way to do that?

How can add, modify, delete security elements in SOAP header. Catch localhost communication.


Hi. I have a problem with configuring security in bindings for SOAP message security (WS-Security). When I use wsHttpBinding in the configuration file without any modification of binding and service behaviour and I use [ServiceContract(ProtectionLevel = ProtectionLevel.None)] for my service, the resulting SOAP request from the WCF test client utility is:


<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://www.w3.org/2003/05/soap-envelope">

Secure It: WS-Security and Remoting Channel Sinks Give Message-Level Security to Your SOAP Packets


As more organizations adopt XML-based Web Services, the need for message-level security has become evident. WS-Security, now supported in the Microsoft .NET Framework, addresses this need. Using the WS-Security framework, developers can implement channel sinks to intercept Remoting messages as they pass through the .NET Remoting infrastructure. The sink can read the message, change it, and pass it along. During this process, the message can be signed for added security. This article explains how to implement a Remoting channel sink that will modify the Remoting message by including a UserName token in the header, then sign the body using the token.

Neeraj Srivastava

MSDN Magazine November 2003

Return of the Rich Client: Code Access Security and Distribution Features in .NET Enhance Client-Sid


Rich clients employ many of the features and conveniences of the operating system they run on, and the list of these features has been growing since the dawn of the PC. But as apps have migrated to the Web, the trend towards increasing client-side functionality has ground to a virtual halt. There are several reasons for this; chief among them are security and deployment problems. But that's all about to change. With the .NET Framework, you can participate in building the distributable rich client of the future. In this article, the author enumerates the pertinent features of .NET that will allow you to build safe, easily deployable controls. The features discussed include managed code, code access security, versioning control, Windows Forms classes, and isolation.

Jason Clark

MSDN Magazine June 2002

SOAP: Using ATL Server to Build an Asynchronous SOAP Client in Unmanaged C++


SOAP opens up a new world of Web Services, letting you make function calls across a network or the Internet. But this flexibility creates new problems when your app needs to wait for calls to return from halfway around the world. What you need is an asynchronous SOAP client that takes advantage of threading to continue execution while waiting for calls over the wire. This article covers the basics of building such a client with ATL.

Pranish Kumar and Bogdan Crivat

MSDN Magazine April 2002

Web Security: Part 2: Introducing the Web Application Manager, Client Authentication Options, and Pr


This article, the second of two parts, continues coverage of Web security for Windows. It introduces the Web Application Manager in IIS that allows Web processes to be isolated, decreasing the security risk associated with running in a logon session. The article then picks up where Part One left off; it discusses authentication methods such as basic authentication, digest authentication, integrated Windows authentication, and anonymous logons, and the benefits and drawbacks of each.

Keith Brown

MSDN Magazine July 2000

WSE 3.0 - Security , How do you set the mustUnderstand="0"?

Hi, I have some client code that uses wse 3.0. The XML generated:

    <wsse:Security soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="Timestamp-e5dc384a-9e79-46e7-9e4d-0caf339bd7a6">
        <wsu:Created>2008-09-29T20:31:18Z</wsu:Created>
        <wsu:Expires>2008-09-29T20:36:18Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-f3807851-2042-442c-be07-99e36bdc337d">
        <wsse:Username>andrew</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">andrew</wsse:Password>
        <wsse:Nonce>szwJdqOs2RsUGP32KT49+A==</wsse:Nonce>
        <wsu:Created>2008-09-29T20:31:18Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>

How do you change the header so that it reads soap:mustUnderstand="0"? I read you have to implement a soap filter and manually change the attribute, is this true? Is there an easier way?

Thanks in Advance,
Andrew

Why does WCF add two Signature elements in the SOAP header when using a TransportSecurityBindingEle

I try to call a web service that implements the following standards from a WCF client: WS-I Basic Security Profile Version 1.0; Web Services Security X.509 Certificate Token Profile, OASIS Standard; X.509 used for digitally signing digests of uploaded files and web service requests; SOAP 1.1/1.2; HTTPS 1.1.

I use a CustomBinding created in the following manner:

    HttpsTransportBindingElement httpsTransport = new HttpsTransportBindingElement();
    httpsTransport.ProxyAddress = new Uri("http://myproxy:8080");
    httpsTransport.UseDefaultWebProxy = false;

    // the message security binding element will be configured to require
    // a client certificate used to sign the message
    TransportSecurityBindingElement messageSecurity = SecurityBindingElement.CreateCertificateOverTransportBindingElement();

    // Create supporting token parameters for the client X509 certificate.
    X509SecurityTokenParameters clientX509SupportingTokenParameters = new X509SecurityTokenParameters();

    // Specify that the supporting token is passed in message sent by the client to the service
    clientX509SupportingTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;

    // Turn off derived keys
    clientX509SupportingTokenParameters.RequireDerivedKeys = false;

    // Augment the binding element to require the client's X509 certificate as an endorsing token i

Soap Extensions loading on host only, none on client

I have soap extensions enabled in my web config, but they only intercept the soap messages at the host (AfterSerialize, BeforeDeserialize). How can I get the client (BeforeSerialize, AfterDeserialize) extensions to kick off? I have the client and host in the same project. My web config is as follows:

    <webServices>
      <soapExtensionTypes>
        <add type="SoapDisplayExtension.SoapDisplayExtension, SoapDisplayExtension" priority="1" group="High"/>
      </soapExtensionTypes>
      <protocols>
        <remove name="HttpGet" />
        <remove name="HttpPost" />
        <remove name="Documentation" />
      </protocols>
    </webServices>

Need help in reading Soap request and response on invoking WCF client assembly

Hi All, I'm new to WCF and I'm using .Net 3.5. I have created a library from the proxy class generated through svcutil. I'm able to successfully invoke service methods. I was wondering how to capture the request and response SOAP XMLs so that I could render them in a browser. If you have any code piece for this kind of problem please share it with me. Regards, Rahul

Seeing the SOAP request sent from a Web Service Client/Consumer

Hello, I am building a web service consumer in C# in VS2010.  Using the provided WSDL, I need to build appropriate headers and use certificates, SSL (user name & pass), & WS security.  I am getting an error from the webservice side, specifically processing the <wsse:Security> header. Is it possible for me to see the exact request I am sending to the Webservice? I'd like to see the values of the pieces of the header that get put in and such. Is it possible to have human readable serialization of what's being passed in right before the error? Thank You

php soap client DeserializationFailed error

I have written the following script to call a method using the webservice:

    $client = new SoapClient('',
        array(
            'soap_version' => SOAP_1_1,
            'trace'      => true,
            'exceptions' => true,                // disable exceptions
            'features' => SOAP_SINGLE_ELEMENT_ARRAYS,
            'encoding' => 'UTF-8',
            'cache_wsdl' => false)               // disable any caching on the wsdl, in case you alter the wsdl server
    );
    $obj = array('employeeID' => '1099', 'employeeName' => 'Mangesh', 'address' => 'Pune');

WCF client WS-Security Username + X.509 + https

Hi all, I need help to build a WCF client. The client has to send a WS-Security message with a BinarySecurityToken tag and a UsernameToken tag. The transport is https. The UsernameToken is composed only of the Username field without the Password. I have set the security mode="TransportWithMessageCredential" in the configuration file but I cannot set in the <message clientCredentialType=""> "Username" and "Certificate" both active at the same time. I have to send in the SOAP header two References with two digests, one for the body, one for the UsernameToken. Can someone help me? Bye and thanks

consuming wcf Data service in different format in client - SOAP (including a WDSL), XML, JSON, etc.

Hi, I have implemented a WCF Data Service with Entity Framework with the following steps. I want to know how we can consume this WCF Data Service in different formats like (SOAP, JSON, XML, PLIST). It will be helpful if someone can help on this.

- Created a web application with VS2010, added an edmx file and selected the tables, views and SPs that I want to use
- Imported an SP with a complex type by using function import.
- Created a WcfDataservice (.svc file).
- In the SVC file I have added a [webget] method as follows.

    [WebGet]
    public List<GetSearchResultWithComplextype_Result> GetSearchResultComplextype(string email, string Title, string Color)
    {
        Entities db = new Entities();
        var query = db.GetSearchResultWithComplextype(email, Title, Color);
        List<GetSearchResultWithComplextype_Result> caseList = query.ToList<GetSearchResultWithComplextype_Result>();
        return caseList;
    }

- Created one more client application and added a service reference. here i want to cons

How do I do not encrypt the soap header using WCF ?

Hello Yaron, After reading your post at http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/e1288179-63aa-41d7-ad5b-72363d4cc7d8 I decided to ask for your help. If you can give some head light about my problem I'll really appreciate it.

I'm trying to consume a java webservice that requires that the request message be signed with a certificate. For testing purposes I created a x509 certificate using the makecert.exe on my localmachine and through the certmgr.msc I generated the public key (a .cer file) and passed it to the java webservices team that developed that webservice to install it on the server...) Now I'm trying to create a simple client that consumes that java webservice but I'm perceiving that the request message is going to the server, encrypted, what I do not want. The java Team told me that the webservice expects a message just signed but not encrypted. They told me that the request message should be something like this:

    ID: 26
    Address: http://localhost:9000/SubjectService
    Encoding: UTF-8
    Content-Type: multipart/related; type="application/xop+xml"; boundary="uuid:8a0433e7-4756-47e3-a611-a38163a9e50c"; start="<root.message@cxf.apache.org>"; start-info="text/xml"
    Headers: {SOAPAction=[""], Accept=[*/*]}
    Payload: --uuid:8a0433e7-4756-47e3-a611-a38163a9e50c
    Content-Type: application/xop