How to pass authentication to WCF service - wcf

I have a web site configured in IIS. The default web site is the main web site, and there is an MVC application and a WCF application configured under the default web site. Something like below
The default web site is using OpenID Connect authentication using cookie authentication. So when a user tries to access any resource from the default web site or its child applications, he gets redirected to the login page. This is working fine as expected.
Now I have a requirement where the MVC application needs to invoke an operation from the WCF service on a button click. So I added a service reference into the MVC application and configured the binding as below
WCF Service Configuration
<system.serviceModel>
<extensions>
<behaviorExtensions>
<add name="silverlightFaults" type="Framework.Wcf.SilverlightFaultBehavior, Framework, Version=1.0.0.0, Culture=neutral, PublicKeyToken=b297de4b0f792ff8" />
</behaviorExtensions>
</extensions>
<services>
<service name="DocumentManagementService.DocumentManagementService" behaviorConfiguration="DocumentManagementServiceBehavior">
<endpoint name="BasicHttpEndPoint" binding="basicHttpBinding" contract="DocumentManagementService.Contracts.IDocumentManagement" bindingConfiguration="BasicHttpEndPoint" behaviorConfiguration="SilverlightFaultBehavior" />
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpEndPoint" closeTimeout="00:2:00" openTimeout="00:2:00" receiveTimeout="0:5:00" sendTimeout="00:5:00" allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="104857600" maxBufferPoolSize="524288" maxReceivedMessageSize="104857600" messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="104857600" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="Transport">
<transport clientCredentialType="None" proxyCredentialType="None" realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="DocumentManagementServiceBehavior">
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="SilverlightFaultBehavior">
<silverlightFaults />
</behavior>
</endpointBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" aspNetCompatibilityEnabled="true" />
</system.serviceModel>
MVC Configuration (this is the client)
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpEndPoint" closeTimeout="00:2:00" openTimeout="00:2:00" receiveTimeout="0:5:00" sendTimeout="00:5:00" allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="104857600" maxBufferPoolSize="524288" maxReceivedMessageSize="104857600" messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="104857600" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="Transport">
<transport clientCredentialType="None" proxyCredentialType="None" realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="https://XXXXX/DocumentManagementService/DocumentManagementService.svc"
binding="basicHttpBinding" bindingConfiguration="BasicHttpEndPoint"
contract="DMProxy.IDocumentManagement" name="BasicHttpEndPoint" />
</client>
</system.serviceModel>
However, when I invoke the WCF operation I get the error
The HTTP request is unauthorized with client authentication scheme
'Anonymous'. The authentication header received from the server was
''.
Note that when the user clicks on the button, he has already been authenticated. I am not sure how that authentication will get passed to the WCF application.
Update 1
IIS Authentication for Default Web Site
IIS Authentication for WCF
Update 2
I think I need to add the authentication cookie in Cookies and HttpHeader before I make the WCF call. Any idea how I would do that?

Related

WCF wsHttpBinding Security Error

I have a WCF hosted in a Windows Service and running with a user domain account.
All my clients (Console application or Web Applications) in the domain work very well.
I have a console application that is not in the domain that does not work.
Here is the error:
Exception non gérée : System.ServiceModel.Security.SecurityNegotiationException:
L'appelant n'a pas été authentifié par le service. ---> System.ServiceModel.Fau
ltException: The request for security token could not be satisfied because authe
ntication failed.
Here is the WCF Server config:
<wsHttpBinding>
<binding name="TransactionalBind" transactionFlow="true"/>
</wsHttpBinding>
[...]
<endpoint address="http://machine.domain.fr:1083/MyService/"
binding="wsHttpBinding"
bindingConfiguration="TransactionalBind"
contract="MyService.IMyService"/>
[...]
<behavior name="MyBahavior">
<serviceMetadata httpGetEnabled="True"/>
<serviceDebug includeExceptionDetailInFaults="True" />
<dataContractSerializer maxItemsInObjectGraph="2147483647" />
</behavior>
Here is my client config:
<wsHttpBinding>
<binding name="WSHttpBinding_IMyService" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
bypassProxyOnLocal="false" transactionFlow="true" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Message">
<transport clientCredentialType="Windows" proxyCredentialType="None"
realm="" />
<message clientCredentialType="Windows" negotiateServiceCredential="true"
algorithmSuite="Default" />
</security>
</binding>
</wsHttpBinding>
[...]
<client>
<endpoint address="http://machine.domain.fr:1083/MyService/"
binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IMyService"
contract="wsArchi.IMyService" name="WSHttpBinding_IMyService">
</endpoint>
</client>
Can you help me please?
Many Thanks
Try using BasicHttpBinding...
I was facing issues when I used WSHttpBinding....
BasicHttpBinding solved my problem!!!

WCF charset=utf-8 of the response message does not match the content type of the binding (application/soap+xml; charset=utf-8)

I'm hosting a WCF service in IIS 7.5 using .NET 4.0. I also have a WPF application that I am using as my client that was built with Visual Studio 2010 and .NET 4.0. I added my service reference and when I attempt to call a function, I get the following exception
The content type application/xml; charset=utf-8 of the response message does not match the content type of the binding (application/soap+xml; charset=utf-8)
I am able to navigate to the service in a web browser and my bindings appear to be the same between the client and service (WsHttp bindings).
I know there are a lot of Google results about this error, but none of them seemed to be relevant to or help with my specific problem. I tried installing Non-HTTP Activation features as well as a wide variety of other small tricks. Would anybody be able to help? Thanks
edit, here are my configs (they are quite lengthy)
Client
<?xml version="1.0"?>
<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="ContentSoap"
closeTimeout="00:01:00" openTimeout="00:01:00"
receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false"
bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferSize="2147483647" maxBufferPoolSize="2147483647"
maxReceivedMessageSize="2147483647"
messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192"
maxArrayLength="2147483647"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="None">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
<binding name="OrderSoap"
closeTimeout="00:01:00" openTimeout="00:01:00"
receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false"
bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferSize="65536" maxBufferPoolSize="524288"
maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192"
maxArrayLength="16384" maxBytesPerRead="4096"
maxNameTableCharCount="16384" />
<security mode="None">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>
<netTcpBinding>
<binding name="NetTcpBindingEndpoint" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
transactionFlow="false" transferMode="Buffered"
transactionProtocol="OleTransactions"
hostNameComparisonMode="StrongWildcard" listenBacklog="10"
maxBufferPoolSize="2147000000" maxBufferSize="65536" maxConnections="10"
maxReceivedMessageSize="2147000000">
<readerQuotas maxDepth="32" maxStringContentLength="8192"
maxArrayLength="2147000000" maxBytesPerRead="4096"
maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:01:00"
enabled="true" />
<security mode="None">
<transport clientCredentialType="Windows"
protectionLevel="EncryptAndSign" />
<message clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
<wsHttpBinding>
<binding name="WSHttpBinding_IInmateCanteenServiceWeb"
closeTimeout="00:01:00" openTimeout="00:01:00"
receiveTimeout="00:10:00" sendTimeout="00:01:00"
bypassProxyOnLocal="false" transactionFlow="false"
hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647"
messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192"
maxArrayLength="16384" maxBytesPerRead="4096"
maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Transport">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint name="ContentSoap"
address="http://media.team.twvending.net/storeservices/content.asmx"
binding="basicHttpBinding" bindingConfiguration="ContentSoap"
contract="MediaPortContent.ContentSoap" />
<endpoint name="OrderSoap"
address="http://media.team.twvending.net/storeservices/order.asmx"
binding="basicHttpBinding" bindingConfiguration="OrderSoap"
contract="MediaPortOrder.OrderSoap" />
<endpoint name="NetTcpBindingEndpoint"
address="..."
binding="netTcpBinding" bindingConfiguration="NetTcpBindingEndpoint"
contract="WebCallBack.ICallbackService" />
<endpoint name="WSHttpBinding_IInmateCanteenServiceWeb"
address="..."
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_IInmateCanteenServiceWeb"
contract="InmateCanteenWeb.IInmateCanteenServiceWeb" />
<endpoint name="WSHttpBinding_ICommAccountingBinding"
address="..."
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_IInmateCanteenServiceWeb"
contract="CommAccountingWeb.ICommAccountingWeb" />
</client>
</system.serviceModel>
</configuration>
and Server
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="httpBehavior">
<!--<webHttp />-->
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior">
<serviceCredentials>
<clientCertificate>
<authentication revocationMode="NoCheck" />
</clientCertificate>
<serviceCertificate findValue="CN=secure.inmatecanteen.com" />
</serviceCredentials>
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="MexBehavior">
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="HttpMexBehavior">
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="BasicHttpMexBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="">
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="false"
multipleSiteBindingsEnabled="true" />
<bindings>
<wsHttpBinding>
<binding name="myWsHttpBinding" maxBufferPoolSize="2147483647"
maxReceivedMessageSize="2147483647" messageEncoding="Text">
<readerQuotas maxDepth="32" maxStringContentLength="2147483647"
maxArrayLength="2147483647" maxBytesPerRead="2147483647"
maxNameTableCharCount="2147483647" />
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</wsHttpBinding>
<webHttpBinding>
<binding name="myWebHttpBinding">
<security mode="Transport">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
</security>
</binding>
</webHttpBinding>
<basicHttpBinding>
<binding name="myBasicHttpBinding" maxBufferPoolSize="2147483647"
maxReceivedMessageSize="2147483647">
<readerQuotas maxDepth="32" maxStringContentLength="2147483647"
maxArrayLength="2147483647" maxBytesPerRead="2147483647"
maxNameTableCharCount="2147483647" />
</binding>
</basicHttpBinding>
</bindings>
<services>
<service name="CommAccountingWeb.CommAccountingWeb"
behaviorConfiguration="HttpMexBehavior">
<endpoint
address=""
behaviorConfiguration="httpBehavior"
binding="webHttpBinding" bindingConfiguration="myWebHttpBinding"
contract="CommAccountingWeb.ICommAccountingWeb" />
<endpoint
address="mex"
binding="mexHttpsBinding"
contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="..."></add>
</baseAddresses>
</host>
</service>
<service name="CommAccountingWeb.CommAccountingBasic"
behaviorConfiguration="BasicHttpMexBehavior">
<endpoint
address=""
binding="basicHttpBinding"
bindingConfiguration="myBasicHttpBinding"
contract="CommAccountingWeb.ICommAccountingBasic" />
<endpoint
address="mex"
binding="mexHttpBinding"
contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="..." />
</baseAddresses>
</host>
</service>
</services>
</system.serviceModel>
As I suspected - your client-side config looks like this:
<endpoint name="WSHttpBinding_ICommAccountingBinding"
address="https://secure.inmatecanteen.com/CommAccountingService/CommAccountingWeb.svc"
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_IInmateCanteenServiceWeb"
contract="CommAccountingWeb.ICommAccountingWeb" />
It expects wsHttpBinding - but the server-side address it's connecting to is:
<service name="CommAccountingWeb.CommAccountingWeb"
behaviorConfiguration="HttpMexBehavior">
<endpoint
address=""
behaviorConfiguration="httpBehavior"
binding="webHttpBinding" bindingConfiguration="myWebHttpBinding"
contract="CommAccountingWeb.ICommAccountingWeb" />
<host>
<baseAddresses>
<add baseAddress="https://secure.inmatecanteen.com/CommAccountingService/CommAccountingWeb.svc"></add>
</baseAddresses>
</host>
</service>
and this server endpoint uses webHttpBinding.
So while the client expects a SOAP XML message (content type: application/soap+xml; charset=utf-8), the server-side endpoint is a REST endpoint which returns plain XML (content type: application/xml; charset=utf-8)
Solution: you need to make sure both the client and the server endpoint used are in sync with regards to bindings and configuration!
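The mismatch diagnosed in the answer above can be caught before deployment by comparing the two config files. The following is an added example, not code from the original posts: the configs are the question's, reduced to the relevant endpoints with a placeholder host and one constructed basicHttpBinding client endpoint, and the function names are made up for this sketch.

```python
import xml.etree.ElementTree as ET

# What each standard binding puts on the wire with its default text encoding.
# The wsHttpBinding and webHttpBinding content types are the ones quoted in the
# answer above; basicHttpBinding is SOAP 1.1, which uses text/xml.
WIRE_FORMAT = {
    "basicHttpBinding": ("SOAP 1.1", "text/xml"),
    "wsHttpBinding": ("SOAP 1.2", "application/soap+xml"),
    "webHttpBinding": ("plain XML (REST)", "application/xml"),
}

# Constructed sample: client config reduced to its <client> section.
CLIENT_CONFIG = """
<configuration><system.serviceModel><client>
  <endpoint name="WSHttpBinding_ICommAccountingBinding"
            address="https://service.example/CommAccountingService/CommAccountingWeb.svc"
            binding="wsHttpBinding"
            contract="CommAccountingWeb.ICommAccountingWeb" />
  <endpoint name="WSHttpBinding_IInmateCanteenServiceWeb" address="..."
            binding="wsHttpBinding"
            contract="InmateCanteenWeb.IInmateCanteenServiceWeb" />
  <!-- constructed endpoint: proxy namespace differs from the service's -->
  <endpoint name="BasicHttp_ICommAccountingBasic" address="..."
            binding="basicHttpBinding"
            contract="Proxy.ICommAccountingBasic" />
</client></system.serviceModel></configuration>
"""

# Constructed sample: server config reduced to its <services> section.
SERVER_CONFIG = """
<configuration><system.serviceModel><services>
  <service name="CommAccountingWeb.CommAccountingWeb">
    <endpoint address="" binding="webHttpBinding"
              contract="CommAccountingWeb.ICommAccountingWeb" />
    <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
  </service>
  <service name="CommAccountingWeb.CommAccountingBasic">
    <endpoint address="" binding="basicHttpBinding"
              contract="CommAccountingWeb.ICommAccountingBasic" />
  </service>
</services></system.serviceModel></configuration>
"""


def short_contract(name):
    """Interface name without its namespace (proxy and service namespaces differ)."""
    return name.rsplit(".", 1)[-1]


def server_bindings_by_contract(server_xml):
    """Map contract interface name -> list of (service name, binding)."""
    found = {}
    root = ET.fromstring(server_xml.strip())
    for service in root.findall(".//services/service"):
        for ep in service.findall("endpoint"):
            key = short_contract(ep.get("contract", ""))
            found.setdefault(key, []).append((service.get("name"), ep.get("binding")))
    return found


def find_binding_mismatches(client_xml, server_xml):
    """One finding per client endpoint whose binding no server endpoint shares."""
    server = server_bindings_by_contract(server_xml)
    findings = []
    for ep in ET.fromstring(client_xml.strip()).findall(".//client/endpoint"):
        candidates = server.get(short_contract(ep.get("contract", "")), [])
        if not candidates:
            continue  # contract is not hosted by this server config
        client_binding = ep.get("binding")
        if any(binding == client_binding for _, binding in candidates):
            continue  # at least one server endpoint speaks the same binding
        service_name, server_binding = candidates[0]
        findings.append({
            "client_endpoint": ep.get("name"),
            "client_binding": client_binding,
            "client_expects": WIRE_FORMAT.get(client_binding, ("?", "unknown"))[1],
            "service": service_name,
            "server_binding": server_binding,
            "server_sends": WIRE_FORMAT.get(server_binding, ("?", "unknown"))[1],
        })
    return findings


if __name__ == "__main__":
    for f in find_binding_mismatches(CLIENT_CONFIG, SERVER_CONFIG):
        print("{client_endpoint}: client {client_binding} expects {client_expects}, "
              "{service} uses {server_binding} and sends {server_sends}".format(**f))
```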
As Steven Westbrook says in a comment on this answer:
Add ?wsdl to your client's endpoint address, and you should have more luck with the service. ?wsdl is important - it means the browser is just getting "Web Services Description Language" for the service, and not calling the service.
I had the same issue and adding ?wsdl solved my headache.
I came across a similar error while creating a client service to one of the existing server-side WebServices. I could rectify it using SOAP 1.1 transport protocol on the client. Somehow SOAP 1.2 is giving/expecting a different format. This traces back to the difference between BasicHttpBinding vs WebHttpBinding vs WsHttpBinding.
I got this problem after I added a method that returned a collection of instances of a base class that didn't have a [KnownType] attribute that would resolve to a concrete instance.
With the [KnownType] attribute in place the problem disappeared.
using System.Collections.Generic;
using System.Runtime.Serialization;
using System.ServiceModel;
[ServiceContract]
public interface IService {
    [OperationContract]
    IEnumerable<ItemBase> GetItems();
}
[DataContract]
// [KnownType(typeof(RealItemA))] <--- without these attributes you will get a problem
// [KnownType(typeof(RealItemB))]
public class ItemBase {
}
[DataContract]
public class RealItemA : ItemBase {
}
[DataContract]
public class RealItemB : ItemBase {
}
In my case the same error was caused by missing
[DataContract]
[DataMember]
attributes in the returned data type.
The error message was really misleading.
In my case a specific service was using SOAP 1.1 instead of the usual 1.2.
I had to change the binding from this:
<system.serviceModel>
<bindings>
<customBinding>
<binding name="ServiceSoapBinding">
<textMessageEncoding messageVersion="Soap12"/>
</binding>
</customBinding>
</bindings>
</system.serviceModel>
To this:
<system.serviceModel>
<bindings>
<customBinding>
<binding name="ServiceSoapBinding">
<textMessageEncoding messageVersion="Soap11"/>
</binding>
</customBinding>
</bindings>
</system.serviceModel>

Failing to call WCF Service

I have a WCF Service being hosted on IIS 5.1 with Anonymous access disabled. Below is a part of the web.config file showing how the service is configured:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="basicHttpBindingCfg">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="ServiceBehavior" name="HelloService">
<endpoint name="BasicHttpEndpoint"
address=""
binding="basicHttpBinding"
bindingConfiguration="basicHttpBindingCfg"
contract="IHelloService">
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior">
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
Every time I call any operations that this service exposes from a desktop application, I receive the following error message:
Either a required impersonation level was not provided, or the
provided impersonation level is invalid.
Please note that the binding type and hosting environment are pre-determined by the client and cannot be changed.
Any help that may lead to resolving this issue would be greatly appreciated.
Thanks!
Zen
EDIT: Here is how the client is configured:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpEndpoint" closeTimeout="00:01:00" openTimeout="00:01:00"
receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false"
bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" proxyCredentialType="None"
realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint name="BasicHttpEndpoint"
address="http://vm00000033871b.intra.pri/WCFServiceBasicHttp/HelloService.svc"
binding="basicHttpBinding"
bindingConfiguration="BasicHttpEndpoint"
contract="Proxy.IHelloService" />
</client>
</system.serviceModel>
Try this to pass the current user's Windows credentials:
' Requires: Imports System.Net and Imports System.Security.Principal
Using proxy As New PRX.HelloServiceClient()
    ' Allow the service to impersonate the caller
    proxy.ClientCredentials.Windows.AllowedImpersonationLevel =
        TokenImpersonationLevel.Impersonation
    ' Send the credentials of the currently logged-on user
    proxy.ChannelFactory.Credentials.Windows.ClientCredential =
        CredentialCache.DefaultNetworkCredentials
    Dim message As String = proxy.Hello("Hi")
    MessageBox.Show(message)
End Using

WCF Authentication: Custom Username and Password Validator asp.net

Is it necessary to create a service certificate to use custom username and password authentication? I want to authenticate my WCF service with a custom username and password.
My Service web.config is as follows:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="NewBinding0">
<security mode="Message">
<transport clientCredentialType="Basic" />
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="WcfTest.Service1Behavior" name="WcfTest.TestService">
<endpoint address="" binding="wsHttpBinding" contract="WcfTest.ITestService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<endpointBehaviors>
<behavior name="NewBehavior" />
</endpointBehaviors>
<serviceBehaviors>
<behavior name="WcfTest.Service1Behavior">
<serviceMetadata httpGetEnabled="false" />
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceCredentials>
<!-- Use our own custom validation -->
<userNameAuthentication userNamePasswordValidationMode="Custom"
customUserNamePasswordValidatorType="MyValidator,WcfTest"/>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
and Client Web.config is:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_ITestService" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00"
sendTimeout="00:01:00" bypassProxyOnLocal="false"
transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8"
useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192"
maxArrayLength="16384" maxBytesPerRead="4096"
maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Message">
<transport clientCredentialType="Windows" proxyCredentialType="None"
realm="" />
<message clientCredentialType="UserName"
negotiateServiceCredential="true"
algorithmSuite="Default"
establishSecurityContext="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost:2374/Service1.svc" binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_ITestService"
contract="ServiceReference1.ITestService"
name="WSHttpBinding_ITestService">
<identity>
<userPrincipalName value="NYSA31\abc" />
</identity>
</endpoint>
</client>
</system.serviceModel>
But I am getting the following error when accessing the service.
WsHttpBinding demands a service certificate. WCF 4 (and older versions with a special KB) allows exposing a service authenticated with user name and password without a certificate, but do you really want it? It means that the user name and password will go in plain text over the wire = no security, because anybody who captures the packet will be able to authenticate with the stolen credentials.
To use user name and password without a certificate you need a custom binding, or you can use ClearUserNameBinding.
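The certificate requirement described in the answer above can be checked against a service config before it is deployed. This is an added example, not code from the original posts: the sample is the question's web.config reduced to the elements the check reads, the certificate subject is a placeholder, and the function names and finding labels are made up here. Run on the config as posted, it also reports that the endpoint never references NewBinding0, so that binding's security settings are not the ones in effect.

```python
import xml.etree.ElementTree as ET

# Constructed sample based on the question's service config.
# {ref} and {cert} are filled in by variant() to produce three cases.
TEMPLATE = """
<configuration><system.serviceModel>
  <bindings><wsHttpBinding>
    <binding name="NewBinding0">
      <security mode="Message">
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </wsHttpBinding></bindings>
  <services>
    <service name="WcfTest.TestService"
             behaviorConfiguration="WcfTest.Service1Behavior">
      <endpoint address="" binding="wsHttpBinding" {ref}
                contract="WcfTest.ITestService" />
    </service>
  </services>
  <behaviors><serviceBehaviors>
    <behavior name="WcfTest.Service1Behavior">
      <serviceCredentials>
        {cert}
        <userNameAuthentication userNamePasswordValidationMode="Custom"
            customUserNamePasswordValidatorType="MyValidator,WcfTest" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors></behaviors>
</system.serviceModel></configuration>
"""


def variant(referenced, with_cert):
    """Build the sample with or without the binding reference and certificate."""
    ref = 'bindingConfiguration="NewBinding0"' if referenced else ""
    cert = ('<serviceCertificate findValue="placeholder-subject" '
            'storeLocation="LocalMachine" storeName="My" '
            'x509FindType="FindBySubjectName" />') if with_cert else ""
    return TEMPLATE.format(ref=ref, cert=cert)


def audit_username_endpoints(config_xml):
    """Return (finding, name) tuples for wsHttpBinding UserName endpoints."""
    root = ET.fromstring(config_xml.strip())
    bindings = {b.get("name") or "": b
                for ws in root.iter("wsHttpBinding") for b in ws.findall("binding")}
    behaviors = {b.get("name") or "": b
                 for sb in root.iter("serviceBehaviors") for b in sb.findall("behavior")}
    findings, referenced = [], set()
    for service in root.iter("service"):
        behavior = behaviors.get(service.get("behaviorConfiguration") or "")
        has_cert = (behavior is not None and
                    behavior.find("serviceCredentials/serviceCertificate") is not None)
        for ep in service.findall("endpoint"):
            if ep.get("binding") != "wsHttpBinding":
                continue
            ref = ep.get("bindingConfiguration") or ""
            referenced.add(ref)
            binding = bindings.get(ref)
            if binding is None:
                continue  # endpoint runs on the binding's defaults
            security = binding.find("security")
            if security is None:
                continue
            message = security.find("message")
            uses_username = (security.get("mode", "Message") == "Message"
                             and message is not None
                             and message.get("clientCredentialType") == "UserName")
            if uses_username and not has_cert:
                findings.append(("username-without-service-certificate",
                                 service.get("name")))
    # A named binding only takes effect when an endpoint references it.
    for name in bindings:
        if name not in referenced:
            findings.append(("binding-never-referenced", name))
    return findings


if __name__ == "__main__":
    for referenced, with_cert in ((False, False), (True, False), (True, True)):
        print(referenced, with_cert, audit_username_endpoints(variant(referenced, with_cert)))
```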

WSHttpBinding binding, client authentication

I am new to WCF and using wsHttpBinding, but I want to remove the user name and password from the service client (which I have to pass).
My client code is
RServiceClient serviceClient = new RServiceClient();
serviceClient.ClientCredentials.Windows.ClientCredential.UserName = "UserName";
serviceClient.ClientCredentials.Windows.ClientCredential.Password = "Password";
I don't want to pass this username and password.
My client app.config is:
<binding name="WSHttpBinding_IRService"
closeTimeout="00:01:00"
openTimeout="00:01:00"
receiveTimeout="00:10:00"
sendTimeout="00:01:00"
bypassProxyOnLocal="false"
transactionFlow="false"
hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288"
maxReceivedMessageSize="65536"
messageEncoding="Text"
textEncoding="utf-8"
useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32"
maxStringContentLength="8192"
maxArrayLength="16384"
maxBytesPerRead="4096"
maxNameTableCharCount="16384" />
<reliableSession ordered="true"
inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Message">
<transport clientCredentialType="Windows"
proxyCredentialType="None"
realm="" />
<message clientCredentialType="Windows"
negotiateServiceCredential="true"
algorithmSuite="Default" />
</security>
</binding>
Right now the service is hosted in a web.
Is there any change in service.config or the client-side app.config?
In my weak knowledge after googling, the change should be on the client side, but I am unable to do that. :-(
Note: my contract requires sessions too.
Thanks in advance.
You need to change the web.config at the server side; your client web.config will be automatically updated after a refresh on the web reference.
If you do not want to use login/password, I can advise you to set up mutual certificate authentication.
This approach is secure and interoperable with other WS stacks (e.g. Java CXF, ...)
For Mutual Certificate Authentication:
You will need an X.509 certificate to allow the client to be sure that the server is really who it pretends to be, and another X.509 certificate at the client side.
Here is an example of web.config; more information at MSDN:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="serviceCredentialBehavior">
<serviceCredentials>
<serviceCertificate findValue="Contoso.com"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindBySubjectName" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="serviceCredentialBehavior"
name="ServiceModel.Calculator">
<endpoint address="http://localhost/Calculator"
binding="wsHttpBinding"
bindingConfiguration="InteropCertificateBinding"
name="WSHttpBinding_ICalculator"
contract="ServiceModel.ICalculator" />
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="InteropCertificateBinding">
<security mode="Message">
<message clientCredentialType="Certificate"
negotiateServiceCredential="false"
establishSecurityContext="false" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client />
</system.serviceModel>
</configuration>