WCF: "An error occurred when verifying security for the message." and Service Security Audit

January 23, 2011


I’ve been struggling with an obscure WCF FaultException
that kept popping up from time to time when we worked with my services.

Basically I’d get a MessageSecurityException that says:
“An unsecured or incorrectly secured fault was received from the other party. See
the inner FaultException for the fault code and detail.”
And the inner FaultException would say: “An error occurred when verifying security for the message.”

It turns out that this is a “garbage” exception that can
hide any exception that occurred when WCF tried to enforce
security on the server side. The exception itself is useless
when trying to figure out what went wrong.

Luckily, I was able to find out what actually went wrong
behind the scenes by enabling a WCF feature called Service Security Audit. This
is done by adding (and configuring) a line like this to the WCF behavior
configuration on the server side:

<serviceSecurityAudit auditLogLocation="Application" serviceAuthorizationAuditLevel="Failure" messageAuthenticationAuditLevel="Failure" suppressAuditFailure="true" />

The full details of the real exception are written to the
server’s Application event log. In my case, I had a mismatch in the version
of a signed DLL.
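
Where that element sits in the server's app.config or web.config, shown as an added example that is not taken from the original post. The service name, contract name, binding and the behavior name "auditBehavior" are placeholders chosen for illustration.

```xml
<!-- Added example: server-side configuration fragment.
     MyCompany.MyService, MyCompany.IMyService, wsHttpBinding and
     "auditBehavior" are placeholders; use your own service's values. -->
<configuration>
  <system.serviceModel>
    <services>
      <!-- The service picks up the audit settings through
           behaviorConfiguration, which must match the behavior name below. -->
      <service name="MyCompany.MyService"
               behaviorConfiguration="auditBehavior">
        <endpoint address=""
                  binding="wsHttpBinding"
                  contract="MyCompany.IMyService" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="auditBehavior">
          <!-- auditLogLocation: which Windows event log receives the entries
                 (Default, Application or Security).
               messageAuthenticationAuditLevel: audits message-level
                 authentication; Failure records only failed attempts.
               serviceAuthorizationAuditLevel: audits authorization decisions;
                 Failure records only denied calls.
               suppressAuditFailure: true means a failure to write the audit
                 entry is ignored instead of failing the request. -->
          <serviceSecurityAudit
              auditLogLocation="Application"
              serviceAuthorizationAuditLevel="Failure"
              messageAuthenticationAuditLevel="Failure"
              suppressAuditFailure="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

Both audit levels also accept None, Success and SuccessOrFailure; Failure keeps the log limited to the rejected messages you are trying to diagnose.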

Here is a much more detailed explanation of how to use this
feature: http://intrepiddeveloper.wordpress.com/2008/08/07/security-event-logging-auditing/ . Many thanks go to Gaurav Pandey for his useful write-up there.


Remember to disable the feature when you’re done
auditing, because it has a negative impact on performance.
