I have written a very simple WCF Service that sends and receives messages. I have tested the app through the VS 2008 default web server host and everything works fine. But when I deploy the WCF service to another computer's IIS I receive the following error:

"The request for security token could not be satisfied because authentication failed."

How can I set the authentication type to use my custom username and password in the config file? If it is not possible, please tell me how I can set its Windows credentials, because the 2 computers that I'm using don't share the same users.

+10  A: 

You need to turn off security for the binding. Otherwise, I believe that, by default, the wsHttpBinding will try to negotiate a Security Context Token (SCT).

So, modify the endpoint definition to point to a binding configuration section. Here's an example:

<endpoint address="" 
          binding="wsHttpBinding" 
          contract="HelloWorldService.IService1"
          bindingConfiguration="TheBindingConfig" />

And then add something like the following binding configuration right after the <services> section in the web.config's <system.serviceModel> section.

<bindings>
  <wsHttpBinding>
    <binding name="TheBindingConfig">
      <security mode="None" />
    </binding>
  </wsHttpBinding>
</bindings>

Setting security to "None" is the key.

Hope this helped!


The above helped me - but what is not immediately obvious is how to add to the service end (it's clear once you've done it what's needed, but not until you've done so). The reason it's not entirely obvious is because there isn't a bindings section by default whereas there is liable to be one in the client.

So, just to be very clear - at the service end, add the bindings section (as detailed above) and then to the appropriate endpoint add the bindingConfiguration="TheBindingConfig" attribute. Obvious once you've done it once...

Mark
+4  A: 

Be sure to set this bindingConfiguration (specifying security mode 'none') on both client and server or else you will get this message - which is quite a red herring as far as debugging the problem.

The message could not be processed. This is most likely because the action 'http://tempuri.org/IInterfaceName/OperationName' is incorrect or because the message contains an invalid or expired security context token or because there is a mismatch between bindings. The security context token would be invalid if the service aborted the channel due to inactivity. To prevent the service from aborting idle sessions prematurely increase the Receive timeout on the service endpoint's binding.

Simon_Weaver
A: 

You don't actually need to turn off security and in some cases you shouldn't. Within a bindingConfiguration, you can specify message level security that does not establish a security context as follows:

<security mode="Message">
  <transport clientCredentialType="Windows" proxyCredentialType="None"
             realm="" />
  <message clientCredentialType="Windows" negotiateServiceCredential="true"
           algorithmSuite="Default" establishSecurityContext="false" />
</security>

Note the establishSecurityContext attribute. Both the client and service should have a security configuration with establishSecurityContext set to the same value. A value of true also works fine but false is recommended in an environment where the servers are load balanced.

Frank Sampson
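
An added example, not part of any answer above: a small checker that compares the wsHttpBinding security settings of a service config and a client config, since the answers trace both errors to the two ends disagreeing on security mode or establishSecurityContext. The sample configs, the service name, the server.example address and the function names are constructed for illustration; it assumes the wsHttpBinding defaults (mode Message, establishSecurityContext true) when a setting is absent.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs: the service keeps message security (last answer),
# the client was switched to security mode "None" (first answer), so they disagree.
SERVICE_CONFIG = """<configuration><system.serviceModel>
  <services><service name="HelloWorldService.Service1">
    <endpoint address="" binding="wsHttpBinding" bindingConfiguration="TheBindingConfig"
              contract="HelloWorldService.IService1" /></service></services>
  <bindings><wsHttpBinding><binding name="TheBindingConfig"><security mode="Message">
    <message clientCredentialType="Windows" establishSecurityContext="false" />
  </security></binding></wsHttpBinding></bindings>
</system.serviceModel></configuration>"""
CLIENT_CONFIG = """<configuration><system.serviceModel>
  <client><endpoint address="http://server.example/Service1.svc" binding="wsHttpBinding"
    bindingConfiguration="TheBindingConfig" contract="HelloWorldService.IService1" /></client>
  <bindings><wsHttpBinding><binding name="TheBindingConfig">
    <security mode="None" /></binding></wsHttpBinding></bindings>
</system.serviceModel></configuration>"""

def endpoint_security(config_xml, contract):
    """Return (mode, establishSecurityContext) for a contract's wsHttpBinding endpoint."""
    model = ET.fromstring(config_xml).find("system.serviceModel")
    for ep in model.iter("endpoint"):
        if ep.get("contract") != contract or ep.get("binding") != "wsHttpBinding":
            continue
        mode, esc = "Message", "true"  # wsHttpBinding defaults when nothing is configured
        for b in model.findall("bindings/wsHttpBinding/binding"):
            if b.get("name") == ep.get("bindingConfiguration") and b.find("security") is not None:
                sec = b.find("security")
                mode = sec.get("mode", mode)
                msg = sec.find("message")
                esc = (msg.get("establishSecurityContext", esc) if msg is not None else esc).lower()
        return mode, (esc if mode in ("Message", "TransportWithMessageCredential") else None)
    return None

def compare(service_xml, client_xml, contract):
    """List the differences that lead to the errors quoted in the thread."""
    svc, cli = endpoint_security(service_xml, contract), endpoint_security(client_xml, contract)
    findings = []
    if svc is None or cli is None:
        return ["endpoint for contract not found on one side"]
    if svc[0] != cli[0]:
        findings.append(f"security mode differs: service={svc[0]} client={cli[0]}")
    elif svc[1] != cli[1]:
        findings.append(f"establishSecurityContext differs: service={svc[1]} client={cli[1]}")
    if "None" in (svc[0], cli[0]):
        findings.append("security mode None: messages are neither authenticated nor encrypted")
    return findings
```

Calling `compare(SERVICE_CONFIG, CLIENT_CONFIG, "HelloWorldService.IService1")` reports the mode mismatch and flags the side that runs with security turned off.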