
WCF Security Certificate issue

I am trying to implement message security in my WCF application and I am getting the error "The caller was not authenticated by service". Here is my service host code:

WSHttpBinding obHttpBinding = new WSHttpBinding();
obHttpBinding.Security.Mode = SecurityMode.Message;
obHttpBinding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
obHost = new ServiceHost(typeof(IserviceDescription), new Uri[] { new Uri("http://localhost:8000"), new Uri("net.tcp://localhost:9000") });
obHost.AddServiceEndpoint(typeof(IService), obHttpBinding, "");

obHost.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "TestCert");


Client Web Config

<?xml version="1.0" encoding="utf-8" ?>

    <system.serviceModel>
        <behaviors>
            <endpointBehaviors>
                <behavior name="NewBehavior">
                    <clientCredentials>
                        <clientCertificate findValue="TestCert" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
                        <serviceCertificate>
                            <authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck" />
                        </serviceCertificate>
                    </clientCredentials>
                </behavior>
            </endpointBehaviors>
        </behaviors>
        <bindings>
            <wsHttpBinding>
                <binding name="WSHttpBinding_IService" closeTimeout="00:01:00"
                    openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
                    bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
                    maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                    messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
                    allowCookies="false">
                    <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                    <reliableSession ordered="true" inactivityTimeout="00:10:00"
                        enabled="false" />
                    <security mode="Message">
                        <transport clientCredentialType="Windows" proxyCredentialType="None"
                            realm="" />
                        <message clientCredentialType="Certificate" negotiateServiceCredential="true"
                            algorithmSuite="Default" establishSecurityContext="true" />
                    </security>
                </binding>
            </wsHttpBinding>
        </bindings>
        <client>
            <endpoint address="" behaviorConfiguration="NewBehavior"
                binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IService"
                contract="ServiceReference1.IService" name="WSHttpBinding_IService">
                <identity>
                    <certificate encodedValue="AwAAAAEAAAAU…/>
                </identity>
            </endpoint>


I have tried to search a lot about this type of error but am unable to get any reliable information. Please suggest where I am wrong in this.



2 Answers Found


Answer 1

Turn on WCF trace on the server side and you will see the detailed error:

Most probably the client certificate is not trusted on the server.


Answer 2

I am able to implement security successfully. The error occurred due to my small bug, which I have rectified now.

I'm fairly new to WCF, and wanted to know if it is possible to do Message Security, where I use an X.509 certificate for the service only, and for client security use Windows credentials. Is this acceptable, does it work? I tried searching the web, but either no discussion of this approach exists, or I have put the wrong wording in my Google search. Any help is much appreciated, thank you all.

basically, I'd have this in my binding:

  <binding name="msgBinding">
    <security mode="Message">
      <message clientCredentialType="Windows" />

and on my behavior:
<behavior name="wsHttpCertificateBehavior">
    <serviceCertificate findValue="MyCert" x509FindType="FindBySubjectName" storeLocation="CurrentUser" storeName="My" />


I'm struggling to get a self-hosted WCF service to do what I want it to do, so I'm probably doing it wrong. What I want is transport over SSL with a client certificate for authentication, preferably with self-signed client certificates.

Getting WCF to work over SSL is a piece of cake, I have that working. However, when I try to add client credentials things start to fail. At first I expected it to be as simple as adding the client certificate to the trusted people store of the PC running the service, setting it to use peertrust and then things would just magically work. This proved not to be the case.

Finally I figured out that the certificate negotiation is happening outside of WCF's control and that I had to use CTLs to control who could connect. So I set up a CTL containing a self-signed certificate which the client would use, still no dice.

What is it that I'm missing or doing wrong?


I am new to WCF programming and trying to understand security aspects ('message' using certificates). I am using Windows 7 and Visual Studio 2010. I have a few questions about how I have implemented WCF. I have a win forms app that will talk over the web to a WCF service. I need to make sure the message is encrypted en route. This is an admin application and will be used only by me. I created certificates on my dev machine and edited the web.config and app.config. This works. The problem is when I right-click the service reference and select Update Service Reference, the app.config is overwritten. The identity element is removed and the behavior ref is removed, and now the app will not connect to the service any more. I am including my web.config and app.config (before and after updating svc ref) below. Please advise me on what I am doing wrong. Also please let me know if this is the right way to do it. While creating the certificates I wasn't prompted for any passwords, not sure why. Can I use this type of certificate eventually when I go live? What are the risks if this is not advisable? Thanks in advance for your help.

certificate creation and installation


makecert.exe -sr CurrentUser -ss My -a sha1 -n CN=TradeService -sky exchange -pe

certmgr.exe -add -r CurrentUser -s My -c -n TradeService -r CurrentUser -s TrustedPeople


makecert.exe -sr CurrentUser -ss My -a sha1 -n CN=WCFUser -sky exchange -pe

certmgr.exe -add -r CurrentUser -s My -c -n WCFUser -r CurrentUser -s TrustedPeople



        <behavior name="ServiceBehavior">
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="true" />
            <serviceCertificate findValue="TradeService" x509FindType="FindBySubjectName" storeLocation="CurrentUser" storeName="TrustedPeople" />
              <authentication certificateValidationMode="PeerTrust" />



app.config before updating service ref

 <security mode="Message">
            <transport realm="" />
            <message clientCredentialType="Certificate" />

          <certificateReference findValue="TradeService" x509FindType="FindBySubjectName" storeLocation="CurrentUser" storeName="TrustedPeople" />

        <behavior name="CustomBehavior">
            <clientCertificate findValue="WCFUser" x509FindType="FindBySubjectName" storeLocation="CurrentUser" storeName="TrustedPeople" />
              <authentication certificateValidationMode="PeerOrChainTrust" />

app.config after updating service ref

        <behavior name="CustomBehavior">
            <clientCertificate findValue="WCFUser" x509FindType="FindBySubjectName" storeLocation="CurrentUser" storeName="TrustedPeople" />
              <authentication certificateValidationMode="PeerOrChainTrust" />


I'm having a difficult time setting up this WCF Service with wsHttpBinding, Transport Security, x509 and, the key part, the Load Balancer (F5). This all works without a problem in our Dev environment but as soon as I put it behind the F5 it fails giving me this message:

System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority 'servicechannelcert'. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

Is there any additional setup I need to do in IIS or the Load Balancer to handle these requests?

configuration files:

<binding name="wsHttpTransport">
 <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647"
  maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
 <security mode="Transport">
  <transport clientCredentialType="Certificate" />

<service behaviorConfiguration="ChannelServiceBehavior" name="TestService">
<endpoint address=""
     contract="TestService" />
<endpoint address="mex"

<behavior name="ChannelServiceBehavior">
 <serviceMetadata httpsGetEnabled="true"/>
 <serviceDebug includeExceptionDetailInFaults="false"/>
  <serviceCertificate findValue="x509-Dev" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
   <authentication certificateValidationMode="PeerTrust" />


Am consuming a webservice (it is developed in java). In my case both me (Client) and the webservice provider must encrypt the request or response using certificates.

Web service provider has shared the certificate with public key - We have to encrypt the request using that certificate and public key, Web service provider will decrypt the request using their private key.

I (Client) have provided them a certificate with public key - Host will encrypt the response using the public key and we have to decrypt that using our private key.

How can I implement this using WCF with Visual Studio 2008? What is the best way to implement this functionality in my application?


Hello, like Title says I have two separate certificates for Transport and Message security in WCF.

How should I configure this into my WCF 3.51 C# client? I have tried everything I know but nothing seems to work. After using Google I found this article http://blogesh.wordpress.com/2009/10/08/separate-certificates-for-transport-and-message-security-in-wcf/

Is it really so that if you have to use two separate certificates you have create your own ClientCredentials and SecurityTokenManager class?

Has anyone found how to do this using WCF's own features?

Br Michael


Hi All

I have a certificate issue when I am trying to access a Java service from another WCF service. The exact error message is "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel." "The remote certificate is invalid according to the validation procedure."

Earlier, when I was trying to access the Java service locally on my laptop, I was also getting the same issue. Then I installed the CA certificate on my laptop, and it started working fine. Then I deployed my service on a server, which also has the same CA certificate installed.

Now if I try to access my WCF service from my laptop, it again starts throwing the same error.

I have no idea why this is happening. Please help, it's urgent.

Thanks in advance,



I created a WCF service that has a method which makes a call to a SOAP web service over the internet.

In order to make a call to the SOAP web service, it requires that an X.509 certificate be sent with the HttpWebRequest.

The X.509 certificates are loaded in the Personal and Trusted Certificate store of the account which the service is running under.

When the service account is logged into the server, everything works just fine.

However, when the service account is not physically logged onto the server, it has problems loading up the X.509 certificate and fails authentication when trying to make the HttpWebRequest.

I am new to WCF services so I don't even know where to start looking.

Can anyone please help? Thanks in advance.


Hi. I have set up a WCF send port to call a web service hosted by a trading partner. The trading partner has sent us a certificate to secure the service.

I followed the steps here http://msdn.microsoft.com/en-us/library/cc296827(BTS.10).aspx for installing the certificate on our BizTalk dev machine: putting the certificate in the trusted root, other people, and the BizTalk service account personal certificate stores.

However, when calling the web service, we get the following error:

"Could not establish trust relationship for the SSL/TLS secure channel with authority XXXXX"

"The remote certificate is invalid according to the validation procedure"

How can I determine what the problem is here? It could be a problem with the way the WCF send port has been set up, the way the certificates were installed, or a problem with the supplier hosting the service.

Would a tool like Fiddler help to determine the underlying problem?
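
For the "remote certificate is invalid according to the validation procedure" errors in this post and in the F5 and Java-service posts above, one way to see the actual reason from code you control is to log what the platform's validation reported. This is an added example, not code from any of the posts; it assumes a .NET Framework client whose HTTPS calls go through ServicePointManager, the class name is hypothetical, and the callback never overrides the verdict.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic helper (hypothetical name, not a WCF or BizTalk type).
static class TlsTrustDiagnostics
{
    // Call once at start-up, before the first HTTPS call. The callback is process-wide.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = LogAndKeepVerdict;
    }

    // Logs why validation failed and returns the platform's own verdict unchanged:
    // a certificate that failed validation still fails.
    public static bool LogAndKeepVerdict(object sender, X509Certificate certificate,
                                         X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        HttpWebRequest request = sender as HttpWebRequest;
        Console.Error.WriteLine("TLS validation failed for {0}: {1}",
            request != null ? request.RequestUri.ToString() : "(unknown endpoint)", errors);

        if (certificate == null)
        {
            Console.Error.WriteLine("  the server presented no certificate");
            return false;
        }

        X509Certificate2 leaf = new X509Certificate2(certificate);
        Console.Error.WriteLine("  subject={0}", leaf.Subject);
        Console.Error.WriteLine("  issuer={0}", leaf.Issuer);
        Console.Error.WriteLine("  thumbprint={0} valid {1:u} to {2:u}",
            leaf.Thumbprint, leaf.NotBefore, leaf.NotAfter);

        // Typical behind a load balancer: the client addresses one host name,
        // the certificate presented was issued for another.
        if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            Console.Error.WriteLine("  name mismatch: the endpoint host name is not a name this certificate was issued for");

        // Untrusted root, missing intermediate, expiry and revocation problems show up here,
        // reported per element of the chain the platform tried to build.
        if ((errors & SslPolicyErrors.RemoteCertificateChainErrors) != 0 && chain != null)
        {
            foreach (X509ChainElement element in chain.ChainElements)
            {
                Console.Error.WriteLine("  chain element: {0}", element.Certificate.Subject);
                foreach (X509ChainStatus status in element.ChainElementStatus)
                    Console.Error.WriteLine("    {0}: {1}",
                        status.Status, (status.StatusInformation ?? "").Trim());
            }
        }
        return false;
    }
}
```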





Hi Gurus,


We have a WCF Service with *wsHttpBinding* and consumed by our windows application. This application consumes other services (asmx) too.


In Production we deployed this WCF Service on 3 machines. Service is working perfectly when under software NLB for load balancing.


Recently, our production environment has changed the load balancing technique with *Citrix NetScaler* for VMs.


Here the problem occurs: when we consume the WCF Service from a NetScaler environment, we are getting the below exception


“Secure channel cannot be opened because security negotiation with the remote endpoint has failed. This may be due to absent or incorrectly specified EndpointIdentity in the EndpointAddress used to create the channel. Please verify the EndpointIdentity specified or implied by the EndpointAddress correctly identifies the remote endpoint. “


Here is the binding information





        <binding name="PTBinding" maxReceivedMessageSize="2147483647" />

        logMessagesAtServiceLevel="false" logMessagesAtTransportLevel="false" />

            <dns value="localhost" />

        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />

            <add baseAddress="http://localhost/PermissionToolWCFService" />

          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="false" />
          <serviceTimeouts />
          <serviceThrottling maxConcurrentCalls="10" maxConcurrentInstances="50" />







Any kind of information is much appreciated.





I have developed a WCF REST application and I have prepared a web client in which I am using simple JavaScript embedded in HTML pages. Now I want to implement some security for my pages. How can I do so? Can anyone explain it to me? I am not using ASP.NET as the client.

I am trying to implement some security to secure my data but I am not able to find the way to do it.


Hi All,

I am facing a validation issue when the client sends the request to the server.

Signing without primary signature requires timestamp.

This issue is because of a missing timestamp. But I am sending the timestamp, but after the signature.

But I am sending the timestamp in my SOAP request. Please find my SOAP request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-D43334D6ACEBA3E32012719535506481"></wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-2">


<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>

<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>

<ds:Reference URI="#id-3">


<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>


<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>









<ds:KeyInfo Id="KeyId-D43334D6ACEBA3E32012719535506582">

<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-D43334D6ACEBA3E32012719535506683"><wsse:Reference URI="#CertId-D43334D6ACEBA3E32012719535506481" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"></wsse:Reference></wsse:SecurityTokenReference>



<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1"><wsu:Created>2010-04-22T16:25:50.638Z</wsu:Created><wsu:Expires>2010-04-22T16:30:50.638Z</wsu:Expires></wsu:Timestamp></wsse:Security></soapenv:Header><soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-3"><mRequest xmlns="http://XXX.Sxxxes.com"><Input>003420837</Input></mRequest></soapenv:Body></soapenv:Envelope>

In the above, the timestamp is there in my request. Why am I getting the same error?

The above request is coming from a Java client. In a similar way my .NET client is also sending the request, and here it is working fine. The only difference is that the timestamp is at the top, above the binary signature token. (Through soapUI I also tested: if the signature is after the binary token I am getting the error, otherwise this is working fine.)

.NET request (working fine):

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">


 <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">

 <u:Timestamp u:Id="_0">




 <o:BinarySecurityToken u:Id="uuid-9e52ac15-201e-4b40-aab2-f237f42fdf56-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIDyzCCAzSgAXXXXXKVakH6AABAAAP3TANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzETMBEGA1UEChMKQWV0bmEgSW5jLjEkMCIGA1UEAxMbQWV0bmEgSW5jLiBTZWN1cmUgU2VydmVyIENBMB4XDTEwMDMxMTE2MTQwMloXDTEyMDMxMDE2MTQwKBggrBgEFBQcDATAnBgNVHREEIDAeghxkYXRhZW5jcnlwdGlvbi5tZW1iZXJpYmEuY29tMA0GCSqGSIb3DQEBBQUAA4GBAHDleQnai+UC7yYiRg60fIqFREW/SwlpxK5/zGcykvpzboCguSHQhwusfgjdi5ySr5uSHlyRKBOomb9h/gr+5qkesXqOJ/dAR9fiSFF6z+/egMFUqsvUUw/4ZkS3345Y26YTqlxHeZ3ot1C7WC9XwA4Og8IbuNbvJBf0JiHPItif</o:BinarySecurityToken> 

 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">


 <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 

 <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> 

 <Reference URI="#_0">


 <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 


 <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 







 <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-9e52ac15-201e-4b40-aab2-f237f42fdf56-1" /> 







 <mRequest xmlns="http://XXX.Sxxxes.com">





So is it possible to handle this?
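
On the lines visible in the two requests above, the Java request's ds:Reference points at #id-3 (the Body's wsu:Id) and the .NET request's points at #_0 (the Timestamp's u:Id). The following added example, which is not part of the original post, reports for any envelope the order of the wsse:Security children and which wsu:Id elements the signature references, so two requests can be compared on both points; the class name and both sample envelopes are constructed for illustration, and nothing is verified cryptographically.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

// Added inspection helper (hypothetical name). Reports structure only;
// it does not verify any signature or digest.
static class WsSecurityHeaderInspector
{
    static readonly XNamespace Wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static readonly XNamespace Wsu = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static readonly XNamespace Ds = "http://www.w3.org/2000/09/xmldsig#";

    public static string Describe(string envelopeXml)
    {
        XDocument doc = XDocument.Parse(envelopeXml);
        XElement security = doc.Descendants(Wsse + "Security").FirstOrDefault();
        if (security == null)
            return "no wsse:Security header";

        // Order of the header's direct children, as the receiver reads them.
        string order = string.Join(" -> ",
            security.Elements().Select(e => e.Name.LocalName).ToArray());

        // Fragment ids named by ds:Reference. wsse:Reference (the pointer to the
        // token) lives in another namespace and is deliberately not matched.
        HashSet<string> signedIds = new HashSet<string>(
            security.Descendants(Ds + "Reference")
                    .Select(r => (string)r.Attribute("URI"))
                    .Where(u => u != null && u.Length > 1 && u[0] == '#')
                    .Select(u => u.Substring(1)));

        // Resolve each signed id to the element that carries it as wsu:Id.
        List<string> signedParts = doc.Descendants()
            .Where(e => signedIds.Contains((string)e.Attribute(Wsu + "Id") ?? ""))
            .Select(e => e.Name.LocalName)
            .ToList();

        XElement timestamp = security.Element(Wsu + "Timestamp");
        string timestampState =
            timestamp == null ? "absent"
            : signedIds.Contains((string)timestamp.Attribute(Wsu + "Id") ?? "") ? "present, signed"
            : "present, not signed";

        return string.Format("order: {0}; signed parts: {1}; timestamp: {2}",
            order,
            signedParts.Count == 0 ? "(none)" : string.Join(", ", signedParts.ToArray()),
            timestampState);
    }

    const string Ns =
        "xmlns:s='http://schemas.xmlsoap.org/soap/envelope/' " +
        "xmlns:o='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' " +
        "xmlns:u='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' " +
        "xmlns:ds='http://www.w3.org/2000/09/xmldsig#'";

    // Constructed sample: token, signature over the Body only, Timestamp last.
    static readonly string TimestampLast =
        "<s:Envelope " + Ns + "><s:Header><o:Security>" +
        "<o:BinarySecurityToken u:Id='cert'/>" +
        "<ds:Signature><ds:SignedInfo><ds:Reference URI='#body'/></ds:SignedInfo></ds:Signature>" +
        "<u:Timestamp u:Id='ts'/>" +
        "</o:Security></s:Header><s:Body u:Id='body'/></s:Envelope>";

    // Constructed sample: Timestamp first, signature over the Timestamp.
    static readonly string TimestampFirst =
        "<s:Envelope " + Ns + "><s:Header><o:Security>" +
        "<u:Timestamp u:Id='ts'/>" +
        "<o:BinarySecurityToken u:Id='cert'/>" +
        "<ds:Signature><ds:SignedInfo><ds:Reference URI='#ts'/></ds:SignedInfo></ds:Signature>" +
        "</o:Security></s:Header><s:Body u:Id='body'/></s:Envelope>";

    static void Main()
    {
        Console.WriteLine("timestamp last : " + Describe(TimestampLast));
        Console.WriteLine("timestamp first: " + Describe(TimestampFirst));
    }
}
```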











I get a problem authenticating people in the SharePoint 2010 LDAP provider.

Right now, I can successfully configure the central admin for the LDAP provider (I can search people that are in the LDAP server and assign LDAP people without problem). Also I can search LDAP people in my site. Then I tried to log in using an LDAP username and password, and it shows "An exception occurred when trying to issue security token: The security token username and password could not be validated.."

First, I thought maybe there was some typo in my site web.config, so I enabled the Windows login and logged into my site using my Windows account; there, I can search LDAP users in my site with no problem. So I believe that my site web.config is alright. The only thing left is the STS. But I am not sure what could be wrong, because the membership and role parts are simply copied and pasted from my site web.config.

Here is the web.config for STS. Please help. Thank you.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <!-- Behavior List: -->
    <behaviors>
      <serviceBehaviors>
        <behavior name="SecurityTokenServiceBehavior">
          <!-- The serviceMetadata behavior allows one to enable metadata (endpoints, bindings, services) publishing.
               This configuration enables publishing of such data over HTTP GET.
               This does not include metadata about the STS itself such as Claim Types, Keys and other elements to establish a trust.
          -->
          <serviceMetadata httpGetEnabled="true"/>
          <!-- Default WCF throttling limits are too low -->
          <serviceThrottling maxConcurrentCalls="65536" maxConcurrentSessions="65536" maxConcurrentInstances="65536"/>
          <serviceDebug includeExceptionDetailInFaults="True" httpHelpPageEnabled="True"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <!-- Service List: -->
    <services>
      <service name="Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract" behaviorConfiguration="SecurityTokenServiceBehavior">
        <!-- This is the HTTP endpoint that supports clients requesting tokens. This endpoint uses the default
             standard ws2007HttpBinding which requires that clients authenticate using their Windows credentials. -->
				 contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract" />

        <!-- This is the HTTP endpoint that supports clients requesting service tokens. -->
        <endpoint name="ActAs" address="actas" binding="customBinding" bindingConfiguration="spStsActAsBinding" contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract"/>
        <!-- This is the HTTP endpoint that supports IMetadataExchange. -->
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
      </service>
      <service name="Microsoft.SharePoint.Administration.Claims.SPWindowsTokenCacheService">
        <endpoint address=""
                  contract="Microsoft.SharePoint.Administration.Claims.ISPWindowsTokenCacheServiceContract" />
      </service>
    </services>
    <!-- Binding List: -->
    <bindings>
      <customBinding>
        <binding name="spStsBinding">
          <binaryMessageEncoding>
            <readerQuotas maxStringContentLength="1048576" maxArrayLength="2097152"/>
          </binaryMessageEncoding>
          <httpTransport maxReceivedMessageSize="2162688" authenticationScheme="Negotiate" useDefaultWebProxy="false"/>
        </binding>
        <binding name="spStsActAsBinding">
          <security authenticationMode="SspiNegotiatedOverTransport" allowInsecureTransport="true" defaultAlgorithmSuite="Basic256Sha256" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12"/>
          <binaryMessageEncoding>
            <readerQuotas maxStringContentLength="1048576" maxArrayLength="2097152"/>
          </binaryMessageEncoding>
          <httpTransport maxReceivedMessageSize="2162688" authenticationScheme="Negotiate" useDefaultWebProxy="false"/>
        </binding>
        <binding name="SPWindowsTokenCacheServiceHttpsBinding">
          <security authenticationMode="IssuedTokenOverTransport"/>
          <textMessageEncoding>
            <readerQuotas maxStringContentLength="1048576" maxArrayLength="2097152"/>
          </textMessageEncoding>
          <httpsTransport maxReceivedMessageSize="2162688" authenticationScheme="Anonymous" useDefaultWebProxy="false"/>
        </binding>
      </customBinding>
    </bindings>
  </system.serviceModel>
  <system.web>
    <roleManager enabled="true">
      <providers>
        <add name="ldapRole"
             type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
             server="ldapservername" port="10389" useSSL="false"
             connectionUsername="uid=xxx,l=americas,ou=internal,ou=people,dc=global,dc=com" connectionPassword="xxx"
             userContainer="dc=global,dc=com" groupNameAttribute="cn" groupMemberAttribute="uniqueMember"
             userNameAttribute="uid" dnAttribute="entryDN" groupFilter="(ObjectClass=groupofuniquenames)" scope="Subtree"/>
      </providers>
    </roleManager>
    <membership>
      <providers>
        <add name="ldapMembership"
             type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
             server="ldapserver" port="10389" useSSL="false" userDNAttribute="false" userNameAttribute="uid"
             connectionUsername="uid=xxx,l=americas,ou=internal,ou=people,dc=global,dc=com" connectionPassword="xxx"
             userContainer="dc=global,dc=com" userObjectClass="Inetorgperson" userFilter="(ObjectClass=Inetorgperson)"
             scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn"/>
      </providers>
    </membership>
  </system.web>
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true"/>
        <windowsAuthentication enabled="true">
          <providers>
            <clear/>
            <add value="Negotiate"/>
            <add value="NTLM"/>
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
    <modules>
      <add name="WindowsAuthenticationModule"/>
    </modules>
  </system.webServer>
  <system.net>
    <connectionManagement>
      <add address="*" maxconnection="10000"/>
    </connectionManagement>
  </system.net>
</configuration>




Hi, I am trying to authenticate against a Debian OpenLDAP, but I am getting this error: An exception occurred when trying to issue security token: The security token username and password could not be validated..

Here is the ldif of the user myuser:

dn: uid=myuser, ou=People, dc=debuntu,dc=local
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
shadowMax: 99999
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
uid: myuser
gecos: myuser,,,
cn: marian
homeDirectory: /home/myuser
shadowWarning: 7

<add name="LdapMembership" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="" port="389" useSSL="false" userDNAttribute="dn" userNameAttribute="uid" userContainer="ou=People,dc=debuntu,dc=local" userObjectClass="account" userFilter="(ObjectClass=account)" scope="Subtree" connectionUsername="cn=admin,dc=debuntu,dc=local" connectionPassword="a" otherRequiredUserAttributes="gidNumber,cn"/>

I am able to list users from LDAP in SharePoint. Can someone help me?



If I have a WCF service which does some operation or returns some data, or if I have a WCF data service which shows some data, and I want to secure it in a way that only the app that I make can use it, or only the apps to which I give permissions use it, is that possible?

I understand I can write query interceptors and that way filter the information that someone is retrieving, but was wondering if there is a way to make it more tight.





I am running through an interesting problem.

I have a WCF service and I am using certificate authentication. I have deployed it on Azure. Currently it can accept the request of any client. I want to make my service more secure so that only a specific client can access it. I have done some web.config settings; they are

              <authentication certificateValidationMode="ChainTrust"/>
              <certificate x509FindType="FindBySubjectName" findValue="XXXX" storeLocation="CurrentUser" storeName="My"/>

I thought these settings would allow this specific client only. But after deploying this service on Azure I am getting an error "Certificate is not found at specified location...".

Can we have any best alternative to do this?

Help will be appreciated.

Thanks in advance.

Vishal Hirve.
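
certificateValidationMode="ChainTrust" accepts any client certificate that chains to a trusted root, so it does not by itself restrict the service to one client. One way to add that restriction in WCF is a custom X509CertificateValidator with a thumbprint allow list, sketched here as an added example that is not the poster's code: the class name and Apply helper are hypothetical, the thumbprints are supplied by the caller, and it assumes a configuration in which WCF itself validates the client certificate.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Text;

// Added example (hypothetical name): accepts a client certificate only if it
// chains to a trusted root AND its thumbprint is on an explicit allow list.
public sealed class AllowListedClientCertificateValidator : X509CertificateValidator
{
    private readonly HashSet<string> allowedThumbprints = new HashSet<string>(StringComparer.Ordinal);

    public AllowListedClientCertificateValidator(IEnumerable<string> thumbprints)
    {
        if (thumbprints == null) throw new ArgumentNullException("thumbprints");
        foreach (string thumbprint in thumbprints)
            allowedThumbprints.Add(Normalize(thumbprint));
    }

    // Keeps hex digits only and upper-cases them: a thumbprint copied from the
    // certificate dialog can carry spaces or invisible characters.
    private static string Normalize(string thumbprint)
    {
        StringBuilder hex = new StringBuilder();
        foreach (char c in thumbprint ?? "")
            if (Uri.IsHexDigit(c)) hex.Append(char.ToUpperInvariant(c));
        return hex.ToString();
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null) throw new ArgumentNullException("certificate");

        // Custom mode replaces the built-in ChainTrust check, so trust, expiry
        // and revocation are re-checked here before the allow list is consulted.
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        if (!chain.Build(certificate))
            throw new SecurityTokenValidationException(
                "Client certificate chain is not trusted: " + certificate.Subject);

        // Certificate.Thumbprint is upper-case hex without separators.
        if (!allowedThumbprints.Contains(certificate.Thumbprint))
            throw new SecurityTokenValidationException(
                "Client certificate is not on the allow list: " + certificate.Thumbprint);
    }

    // Wires the validator into a service host before it is opened.
    public static void Apply(ServiceHostBase host, IEnumerable<string> thumbprints)
    {
        X509ClientCertificateAuthentication auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new AllowListedClientCertificateValidator(thumbprints);
    }
}
```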





We are in the midst of migrating to Windows 7 (and therefore IE 8). But I have a problem with one of my suppliers :-( They have a website, which they have signed with an internal certificate. In IE7 you could make exceptions, but in IE8 this is no longer an option.

The problem is that IE8 tells you that it is an untrusted certificate, and therefore halts loading the page. You can then press the yellow line in the top and say continue anyway, but the website is still not functioning as certain functions are being blocked.

Does anybody know what my options are? I've been talking to my supplier, and he is not open-minded about not signing his website with his certificate.

I hope somebody can help me.

Best regards
Jimmy Dan Mortensen


Hello everyone,


I got a problem with my current XBAP application. Everyone had no problem running my application until one person had the following error:

* An exception occurred while determining trust. Following failure messages were detected:

                        + User has refused to grant required permissions to the application.


Then I researched and found out I needed to set up a certificate and have them put it in IE.

However, now the people that once had no problem need to install the certificate.


I was wondering how to revert the project so EVERYONE can run my application without a certificate.


*This application requires full trust.


Can anyone please help me?


I am trying to use the Sharepoint List Web Service and VS 2008 to read data from an Access database, create an XML document/element from the information in that database, and then use the XML to update a SP List.  However, our Development server has an invalid security certificate (to save money).  It appears that I can connect successfully to the Web Service (because I can add the Web reference to the project) but I get a connection error when I actually try to update the list.  (This article describes what needs to be done to fix my problem http://support.microsoft.com/kb/915599 but getting a valid security cert just isn't in the cards for this environment.)  The procedure worked correctly on a SP server that was hosted outside our company with a different validation method, i.e. not Active Directory.  We are using SP MOSS 2007.  Thanks for any ideas you can give me. 

I'm getting the following error when I access my webservice localhost/MyService/MyService.svc

The SSL settings for the service 'SslRequireCert' does not match those of the IIS 'Ssl, SslNegotiateCert'.

I've followed the web.config examples as specified in http://msdn.microsoft.com/en-us/library/ms731074.aspx

Here is my wcf server web.config:

<?xml version="1.0" encoding="UTF-8"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
 <appSettings />
  <identity impersonate="false" />
  <roleManager enabled="true" />
  <authentication mode="Windows" />
  <customErrors mode="Off" />
    <add name="HttpGet" />
    <add name="HttpPost" />
  <directoryBrowse enabled="true" />
  <validation validateIntegratedModeConfiguration="false" />
    <remove users="*" roles="" verbs="" />
    <add accessType="Allow" users="*" roles="" />
   <service name="AspNetSqlProviderService" behaviorConfiguration="MyServiceBehavior">
    <endpoint binding="wsHttpBinding" contract="Interface1" bindingConfiguration="CertificateWithTransportWSHttpBinding" />
    <endpoint binding="wsHttpBinding" contract="Interface2" bindingConfiguration="CertificateWithTransportWSHttpBinding" />
    <endpoint address="mex" binding="wsHttpBinding" bindingConfiguration="CertificateWithTransportWSHttpBinding" name="Metadata_Exchange" contract="IMetadataExchange" />
    <behavior name="MyServiceBehavior">
     <serviceDebug includeExceptionDetailInFaults="True" />
     <serviceMetadata />
       <authentication trustedStoreLocation="LocalMachine"
    <binding name="CertificateWithTransportWSHttpBinding">
     <security mode="Transport">
      <transport clientCredentialType="Certificate" />

I've configured IIS as follows:

https binding added using self signed certificate
Under SSL settings, require SSL and accept client certificates is checked
The self signed certificate has been added to the Local Computer Trusted Root CA.

I can browse and execute the .asmx service definition, but the .svc gives me the error described above.

