27

When I try to call a WCF service I am getting the following message "An error occurred when verifying security for the message."

When I remove the custom authentication the service works no problem. I can't figure out though what I have misconfigured in my web.config. Any insight would be appreciated.

  <system.serviceModel>
     <services>
        <service behaviorConfiguration="NAThriveExtensions.nableAPIBehavior"
          name="NAThriveExtensions.nableAPI">
           <endpoint 
             address="" 
             binding="basicHttpBinding" 
             bindingConfiguration="basicHttpBinding_Secure"
             contract="NAThriveExtensions.InableAPI">
           </endpoint>
           <endpoint 
             address="mex" 
             binding="mexHttpsBinding" 
             contract="IMetadataExchange" />
        </service>
     </services>
     <behaviors>
        <serviceBehaviors>
          <behavior name="NAThriveExtensions.nableAPIBehavior">
            <serviceMetadata httpsGetEnabled="true" />
            <serviceDebug includeExceptionDetailInFaults="false" />
            <serviceCredentials>
              <userNameAuthentication 
                userNamePasswordValidationMode="Custom" 
                customUserNamePasswordValidatorType="NAThriveExtensions.Authentication, NAThriveExtensions" />
            </serviceCredentials>
          </behavior>
        </serviceBehaviors>
     </behaviors>
     <bindings>
       <basicHttpBinding>
         <binding name="basicHttpBinding_Secure">
           <security mode="TransportWithMessageCredential">
             <message clientCredentialType="UserName"/>
           </security>
         </binding>
       </basicHttpBinding>
     </bindings>
  </system.serviceModel>
Matt Klepeis
  • 1,684
  • 1
  • 13
  • 25

8 Answers

40

I was getting this same error message and it turned out to be due to a time difference between my workstation machine and the server hosting the WCF service. The server was about 10 minutes behind my machine and WCF security doesn't seem to like that very much.

To find the root problem I turned on serviceSecurityAuditing in the server's config file. Add the following to the configuration/system.serviceModel/behaviors/serviceBehaviors/behavior section for your service:

<serviceSecurityAudit 
    auditLogLocation="Application" 
    serviceAuthorizationAuditLevel="Failure" 
    messageAuthenticationAuditLevel="Failure" 
    suppressAuditFailure="true"/>

The following site was helpful in figuring this out:

http://blogs.microsoft.co.il/blogs/urig/archive/2011/01/23/wcf-quot-an-error-occurred-when-verifying-security-for-the-message-quot-and-service-security-audit.aspx

Sam
  • 884
  • 12
  • 19
  • 10
    This is a great diagnostic tip! Thanks for sharing. – Tedford Jul 19 '13 at 14:38
  • 1
    This really is a great tip. It appeared I was missing a DLL, like described here: http://stackoverflow.com/questions/14033193/entity-framework-provider-type-could-not-be-loaded#comment29085393_15358941 – ArieKanarie Mar 29 '17 at 09:20
  • 3
    I wish I could upvote this more than once! Half a day trying to get the real error message. – L_7337 Apr 10 '17 at 18:31
19

Another cause of this message is when some of your machines are not synchronized in time. WCF, by default, allows a five-minute gap; beyond this, it throws an error if things are out of synch.

The solution is to synch all your machines. time.windows.com is notorious for not working, so I suggest using something else. (If you're in a corporate environment, a local domain controller may be the correct choice here.)

ashes999
  • 9,462
  • 13
  • 66
  • 117
7

This ended up being a problem on the consuming side, not with the service itself. Software AG's webMethods 8 was consuming this server but there was no Security Handler added to the service, so the credentials were not being added to the header, thus resulting in the aforementioned error.

Matt Klepeis
  • 1,684
  • 1
  • 13
  • 25
  • 5
    How could one find out if this is indeed the problem? – Maritim Jan 04 '13 at 14:50
  • @Maritim: Good question. Looking at the raw HTTP request is the best way I know - e.g. by logging it if it is not already being logged: the missing (elements of the) SOAP header should then be apparent. – J0e3gan Aug 01 '14 at 23:12
1

I had a similar issue. I was building my datetime formatted strings using my local time, but my service/server was expecting GMT.

I needed to get the GMT time (JAVA):

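import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.TimeZone;

// Format the current instant in GMT rather than the local time zone
final Date currentTime = new Date();
final SimpleDateFormat sdf =
    new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'.000Z'");
sdf.setTimeZone(TimeZone.getTimeZone("GMT"));
System.out.println(sdf.format(currentTime));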
Pablo Chvx
  • 1,321
  • 13
  • 28
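
An added diagnostic example (not from any of the answers, and not WCF's own validation code) covering the causes above: it checks a captured SOAP request for the missing security header described in the webMethods answer and for timestamps outside the five-minute skew, including local time written with a `Z` suffix. The function names, the `svc-user` name and the envelopes are constructed, and it assumes the service expects a `wsu:Timestamp` and a `UsernameToken`, as with the `TransportWithMessageCredential`/`UserName` binding in the question.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {  # SOAP 1.1 (basicHttpBinding) and WS-Security 1.0 namespaces
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
MAX_SKEW = timedelta(minutes=5)  # the five-minute default mentioned in the answers

def sample(security=""):  # constructed envelope, not a real capture
    return ('<s:Envelope xmlns:s="{s}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}"><s:Header>'
            "{0}</s:Header><s:Body/></s:Envelope>").format(security, **NS)

def secured(created, expires):  # constructed header: timestamp plus username token
    return sample("<wsse:Security><wsu:Timestamp><wsu:Created>%s</wsu:Created>"
                  "<wsu:Expires>%s</wsu:Expires></wsu:Timestamp><wsse:UsernameToken>"
                  "<wsse:Username>svc-user</wsse:Username></wsse:UsernameToken>"
                  "</wsse:Security>" % (created, expires))

def _utc(text):  # parse an xsd:dateTime such as 2013-07-19T14:38:00.000Z
    stamp = datetime.fromisoformat(text.strip().replace("Z", "+00:00"))
    return stamp if stamp.tzinfo else stamp.replace(tzinfo=timezone.utc)

def diagnose(envelope, server_now, max_skew=MAX_SKEW):
    """Return findings that would explain a rejected security header."""
    security = ET.fromstring(envelope).find("s:Header/wsse:Security", NS)
    if security is None:
        return ["no wsse:Security header"]  # client never attached credentials
    findings = []
    if security.find("wsse:UsernameToken/wsse:Username", NS) is None:
        findings.append("no UsernameToken")
    created = security.findtext("wsu:Timestamp/wsu:Created", None, NS)
    expires = security.findtext("wsu:Timestamp/wsu:Expires", None, NS)
    if created is None or expires is None:
        return findings + ["no wsu:Timestamp"]
    ahead = _utc(created) - server_now  # positive: client clock is ahead
    if ahead > max_skew:  # simplified model of the skew check
        findings.append("Created is %d min ahead of the server clock" % (ahead.total_seconds() // 60))
    if _utc(expires) + max_skew < server_now:
        findings.append("Expires is older than the allowed skew")
    return findings

if __name__ == "__main__":
    now = datetime(2013, 7, 19, 14, 38, tzinfo=timezone.utc)  # constructed server time
    print(diagnose(sample(), now))
    print(diagnose(secured("2013-07-19T14:48:00Z", "2013-07-19T14:53:00Z"), now))
```

Run it against the request body captured on the server side and pass the server's own UTC clock as `server_now`, so the comparison reflects what the service saw.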
0

I was getting the same error on my IIS 7.5 server. I forgot to add Read permission on the certificate's private key to the app pool virtual account (e.g. IIS AppPool\ASP.NET v4.0).

For info, whilst testing various combinations of accounts and permissions, I noticed that the app pool needed to be recycled to lose access to the key, once it had been retrieved once.

(0x80131501 - An error occurred when verifying security for the message.)

ssg31415926
  • 937
  • 2
  • 11
  • 21
0

I was getting the same error and none of the above helped me.

I finally tracked it down to connectionStrings in a parent web.config (my service was deployed to a child application to an admin site).

Yes, sounds ridiculous, but as soon as I wrapped the connection strings in the parent web.config with a location element, all started working.

For clarity, in parent web.config, I changed this

<connectionStrings>
    <add name="..." />
</connectionStrings>

to this

<location path="." inheritInChildApplications="false">
    <connectionStrings>
        <add name="..." />
    </connectionStrings>
</location>

Note this error also resulted in this very unhelpful serviceSecurityAudit log message:

Message authentication failed.
Service: ...
Action: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
ClientIdentity:
ActivityId:
ArgumentNullException: Value cannot be null.
Parameter name: manager

Dan
  • 1
  • 1
0

I was getting the same error. I forgot to add Read permission on the membership database aspnetdb to the (IIS APPPOOL\DefaultAppPool).

Message authentication failed. Service:....
Action: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
ClientIdentity:
ActivityId:
SqlException: Cannot open database "aspnetdb" requested by the login. The login failed.
Login failed for user 'IIS APPPOOL\DefaultAppPool'.

Community
  • 1
  • 1
-4

The username and password are those of the server you connect to, not your system login username and password.

MapleStory
  • 480
  • 2
  • 9
  • 20