WCF: "An error occurred when verifying security for the message." and Service Security Audit
I’ve been struggling with an obscure WCF FaultException
that kept popping up from time to time when we worked with my services.
Basically I’d get a MessageSecurityException that says:
"An unsecured or incorrectly secured fault was received from the other party. See
the inner FaultException for the fault code and detail." And the inner FaultException would say:
"An error occurred when verifying security for the message."
It turns out that this is a “garbage” exception that
can hide any exception that occurred when WCF tried to
enforce security on the server side. The
exception itself is useless when trying to figure out what went wrong.
Luckily, I was able to find out what actually went wrong
behind the scenes by enabling a WCF feature called Service Security Audit. This
is done by adding (and configuring) a line like this to the WCF behavior
configuration on the server side:
<serviceSecurityAudit auditLogLocation="Application" serviceAuthorizationAuditLevel="Failure" messageAuthenticationAuditLevel="Failure" suppressAuditFailure="true" />
The full details of the real exception are written to the
server’s Application event log. In my case, I had a mismatch in the version
of a signed DLL.
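The audit element in its surrounding configuration, as an added example that is not from the original post; the service, contract and behavior names are hypothetical and the wsHttpBinding endpoint is an assumption:

```xml
<!-- Added example: server-side web.config / app.config fragment.
     "MyCompany.MyService", "MyCompany.IMyService" and "AuditedBehavior"
     are hypothetical names. -->
<configuration>
  <system.serviceModel>
    <services>
      <!-- The service opts in to auditing by naming the behavior defined below. -->
      <service name="MyCompany.MyService" behaviorConfiguration="AuditedBehavior">
        <endpoint address="" binding="wsHttpBinding" contract="MyCompany.IMyService" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="AuditedBehavior">
          <!-- auditLogLocation: Default | Application | Security
               audit levels:     None | Success | Failure | SuccessOrFailure
               "Failure" records only rejected messages and denied calls, which
               is what is needed to find the cause behind the generic fault.
               suppressAuditFailure="true": a failure to write the audit record
               does not itself fail the request. -->
          <serviceSecurityAudit auditLogLocation="Application"
                                serviceAuthorizationAuditLevel="Failure"
                                messageAuthenticationAuditLevel="Failure"
                                suppressAuditFailure="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```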
Here is a much more detailed explanation of how to use this
feature: http://intrepiddeveloper.wordpress.com/2008/08/07/security-event-logging-auditing/ . Many thanks go to Gaurav Pandey for his useful write-up there.
Remember to disable the feature when you’re done
auditing, because it has a negative impact on performance.