WCF Security in a Windows Service

I have a WCF service which can run as a Console App and a Windows Service. I have recently copied the console app up to a W2K3 server with the following security settings:

    <binding name="ServiceBinding_Security" transactionFlow="true">
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName" />
      </security>
    </binding>

    <userNameAuthentication userNamePasswordValidationMode="Custom"
      customUserNamePasswordValidatorType="Common.CustomUserNameValidator, Common" />

Security works fine with no problems. I have exactly the same code, but running in a windows service and I get the following error when I try to call any of the methods from a client:

System.ServiceModel.Security.MessageSecurityException was unhandled
Message="An unsecured or incorrectly secured fault was received from 
         the other party. See the inner FaultException for the fault code and detail."
    Server stack trace: 
       at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
    (lots of stacktrace info - not very useful)

  InnerException: System.ServiceModel.FaultException
       Message="An error occurred when verifying security for the message."

The exception tells me nothing. I'm assuming that it has something to do with access to system resources from the Windows Service. I've tried running it under the same account as the console app, but no luck. Does anyone have any ideas?

13.10.2009 15:18:19
Ouch this gave me a sore head...
James 13.10.2009 15:20:26
Security info is : <wsHttpBinding> <binding name="ServiceBinding_Security" transactionFlow="true" > <security mode="TransportWithMessageCredential" > <message clientCredentialType="UserName"/> </security> </binding> </wsHttpBinding> <serviceCredentials> <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType= "Common.CustomUserNameValidator, Common"/> </serviceCredentials>
Alphonso 13.10.2009 15:21:20

You're using a custom user/name validator - does the Windows service have access to that file(s) ?

What account are you running the NT Service under ?

Does it work with all security turned off?? (just to see)


13.10.2009 15:34:57
Diagnostic error message = The Security Protocol cannot verify the incoming message. Nothing else. I can confirm the service works without security. I've tried running the service under "Local System" and "Administrator". The Custom Name Validator is validating against a custom section in the app.config.
Alphonso 13.10.2009 16:33:55

This is an error that sometimes has nothing to do with security.

I would recommend that you try first to get it to work without security, then just with message security, then with transport and finally with TransportWithMessageCredential.

Also, if you are running the console app and the windows service app on the same machine, make sure to stop the console app before starting the windows service, in order to avoid a port conflict.

13.10.2009 15:35:51

Enable diagnostics on the service. That should give you a pretty good idea of whether the service is even receiving the message and where the service is throwing an exception.

13.10.2009 15:37:01
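
One way to enable the diagnostics suggested in the answer above, as an added example that is not from the original thread: WCF tracing plus security auditing in the service's app.config. The log path, the listener name and the behavior name are assumptions; in practice the audit element belongs in the service behavior that already holds `<serviceCredentials>`.

```xml
<configuration>
  <system.diagnostics>
    <sources>
      <!-- WCF runtime trace: shows whether the request arrives and where it fails -->
      <source name="System.ServiceModel"
              switchValue="Warning, ActivityTracing"
              propagateActivity="true">
        <listeners>
          <add name="wcfTrace" />
        </listeners>
      </source>
    </sources>
    <sharedListeners>
      <!-- Assumed path: use an absolute path the service account can write to.
           A Windows service does not start in its own folder, so a relative
           path would not land next to the executable. -->
      <add name="wcfTrace"
           type="System.Diagnostics.XmlWriterTraceListener"
           initializeData="C:\Logs\MyService.svclog" />
    </sharedListeners>
    <trace autoflush="true" />
  </system.diagnostics>

  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <!-- "ServiceBehavior_Audit" is a placeholder name; reference it from
             the <service behaviorConfiguration="..."> element. -->
        <behavior name="ServiceBehavior_Audit">
          <!-- Writes message-authentication failures to the Application event log -->
          <serviceSecurityAudit auditLogLocation="Application"
                                messageAuthenticationAuditLevel="Failure"
                                serviceAuthorizationAuditLevel="Failure"
                                suppressAuditFailure="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

The resulting .svclog file opens in the Service Trace Viewer (SvcTraceViewer.exe), and the audit entries appear in the Application event log on the server.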

Update - I changed the customUserNamePasswordValidatorType from Custom to Windows. This worked fine in both the Console and Windows Service. I can only assume that something in the Custom Validator was causing the problem.

The custom validator used a custom config section in the App.config to validate the userid and Password. I would have thought this would have worked from a windows service though.

Thanks to all those who posted a reply.

15.10.2009 10:12:57