WCF: "An error occurred when verifying security for the message." and Service Security Audit

I’ve been struggling with an obscure WCF FaultException that kept popping up from time to time when we worked with my services.

Basically I’d get a MessageSecurityException that says:  "An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail." And the inner FaultException would say:  "An error occurred when verifying security for the message."

It turns out that this is a “garbage” exception that potentially hides behind it any exception that might have possibly occurred when WCF tried to enforce security on the server side.  The exception itself is useless when trying to figure out what went wrong.

Luckily, I was able to find out what actually went wrong behind the scenes by enabling a WCF feature called Service Security Audit. This is done by adding (and configuring) a line like this to the WCF behavior configuration on the server side:

<serviceSecurityAudit auditLogLocation="Application" serviceAuthorizationAuditLevel="Failure" messageAuthenticationAuditLevel="Failure" suppressAuditFailure="true" />

The full details of the real exception are written to the server’s Application event log. In my case, I had a mismatch in the version of a signed DLL.

Here is a much more detailed explanation of how to use this feature: http://intrepiddeveloper.wordpress.com/2008/08/07/security-event-logging-auditing/ . Many thanks go to Gaurav Pandey for his useful write-up there.

Remember to disable the feature when you’re done auditing, because it has a negative impact on performance.