How to configure web.config to expose a WCF soap service given an example soap message that has security and addressing?

Claudia Murialdo 1 Reputation point
2023-03-23T21:43:11.4933333+00:00

Hello, I have an example encrypted SOAP message (sent from a Java web service) that should work with the service I'm trying to expose on my server. I've tried many configurations but I can't find the right one to handle the given SOAP message example.

This is the message that my service receives: GivenEncryptedMessage.xml

For example I tried with the web.config configuration (*). When I send the GivenEncryptedMessage.xml via Postman I get the error response:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body><s:Fault><s:Code><s:Value>s:Sender</s:Value><s:Subcode><s:Value xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</s:Value></s:Subcode></s:Code><s:Reason><s:Text xml:lang="en-US">An error occurred when verifying security for the message.</s:Text></s:Reason></s:Fault></s:Body></s:Envelope>

In Svclog the error is:

<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"><System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system"><EventID>458802</EventID><Type>3</Type><SubType Name="Warning">0</SubType><Level>4</Level><TimeCreated SystemTime="2023-03-23T21:33:57.8382652Z" /><Source Name="System.ServiceModel" /><Correlation ActivityID="{ccc9747d-d91e-419c-a2fb-aeda893d670e}" /><Execution ProcessName="w3wp" ProcessID="8680" ThreadID="213" /><Channel /><Computer>pc</Computer></System><ApplicationData><TraceData><DataItem><TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Warning"><TraceIdentifier>https://docs.microsoft.com/dotnet/framework/wcf/diagnostics/tracing/System-ServiceModel-Security-SecurityBindingVerifyIncomingMessageFailure</TraceIdentifier><Description>The security protocol cannot verify the incoming message.</Description><AppDomain>/LM/W3SVC/1/ROOT/Ltest-51-133240808376692505</AppDomain><ExtendedData xmlns="http://schemas.microsoft.com/2006/08/ServiceModel/SecurityProtocolTraceRecord"><SecurityProtocol>System.ServiceModel.Security.AsymmetricSecurityProtocol</SecurityProtocol><Action>********</Action><To>https://pc/test/anotificartransaccion.svc</To></ExtendedData></TraceRecord></DataItem></TraceData></ApplicationData></E2ETraceEvent>

Any ideas how to get the right configuration given that example SOAP message? (I have already installed the right certificates.)

(*)

    <services>
      <service name="Programs.anotificartransaccion_services" behaviorConfiguration="CustomServiceBehaviorConfig">
        <endpoint address="" binding="customBinding" bindingConfiguration="WsSoapBinding" contract="Programs.anotificartransaccion_services" />
        <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
      </service>
    </services>

….

    <serviceBehaviors>
      <behavior name="CustomServiceBehaviorConfig">
        <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
        <serviceCredentials>
          <serviceCertificate findValue="servicecertifica…." storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"></serviceCertificate>
          <clientCertificate>
            <certificate findValue="clientcertificate…." x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"></certificate>
            <authentication certificateValidationMode="None" revocationMode="NoCheck" />
          </clientCertificate>
        </serviceCredentials>
        <serviceDebug includeExceptionDetailInFaults="true"></serviceDebug>
      </behavior>
    </serviceBehaviors>

…

    <customBinding>
      <binding name="WsSoapBinding">
        <textMessageEncoding messageVersion="Soap12" writeEncoding="utf-8" />
        <security defaultAlgorithmSuite="Basic128Rsa15" authenticationMode="MutualCertificate"
                  securityHeaderLayout="Lax" includeTimestamp="false" messageProtectionOrder="EncryptBeforeSign"
                  messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
                  requireSignatureConfirmation="false">
        </security>
        <httpsTransport requireClientCertificate="false" />
      </binding>
    </customBinding>
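
One way to see which binding attributes disagree with a sample message is to list what the message itself uses (SOAP and WS-Addressing versions, timestamp, header order, algorithm URIs, key reference style) and compare that with `messageVersion`, `includeTimestamp`, `defaultAlgorithmSuite` and `messageSecurityVersion` in the binding above. This is an added example, not part of the original post; the `profile` helper is hypothetical and the sample message is constructed, not the asker's GivenEncryptedMessage.xml.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
XENC = "{http://www.w3.org/2001/04/xmlenc#}"
WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"
SOAP = {"http://schemas.xmlsoap.org/soap/envelope/": "SOAP 1.1",
        "http://www.w3.org/2003/05/soap-envelope": "SOAP 1.2"}
WSA = {"http://www.w3.org/2005/08/addressing": "WS-Addressing 1.0",
       "http://schemas.xmlsoap.org/ws/2004/08/addressing": "WS-Addressing 2004/08"}

def ns(tag):      # namespace URI of a "{uri}local" tag
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""
def local(tag):   # local name of a "{uri}local" tag
    return tag.split("}", 1)[-1]

def profile(xml_text):
    """List the WS-Security choices visible in one SOAP message."""
    root = ET.fromstring(xml_text)
    headers = root.findall(f"{{{ns(root.tag)}}}Header/*")   # header blocks
    sec = next((h for h in headers if h.tag == WSSE + "Security"), None)
    def algs(tag):  # distinct Algorithm URIs on elements of this type
        return sorted({e.get("Algorithm") for e in root.iter(tag) if e.get("Algorithm")})
    return {
        "soap": SOAP.get(ns(root.tag), "unknown"),
        "addressing": sorted({WSA[ns(h.tag)] for h in headers if ns(h.tag) in WSA}),
        "has_timestamp": sec is not None and sec.find(WSU + "Timestamp") is not None,
        "security_children": [local(c.tag) for c in sec] if sec is not None else [],
        "encryption": algs(XENC + "EncryptionMethod"),
        "signature": algs(DS + "SignatureMethod"),
        "digest": algs(DS + "DigestMethod"),
        "key_refs": sorted({local(c.tag) for r in root.iter(WSSE + "SecurityTokenReference") for c in r}),
    }

# Constructed sample for illustration; element content is omitted on purpose.
SAMPLE = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
 xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:x="http://www.w3.org/2001/04/xmlenc#"
 xmlns:d="http://www.w3.org/2000/09/xmldsig#"
 xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<s:Header><a:Action>urn:example:action</a:Action><o:Security>
 <x:EncryptedKey><x:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
  <d:KeyInfo><o:SecurityTokenReference><d:X509Data/></o:SecurityTokenReference></d:KeyInfo></x:EncryptedKey>
 <d:Signature><d:SignedInfo><d:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <d:Reference><d:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></d:Reference>
 </d:SignedInfo></d:Signature></o:Security></s:Header>
<s:Body><x:EncryptedData><x:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
</x:EncryptedData></s:Body></s:Envelope>"""
if __name__ == "__main__":
    print(*(f"{k}: {v}" for k, v in profile(SAMPLE).items()), sep="\n")
```

Run against the real captured message, the output gives the concrete values to check the binding attributes against one at a time.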
