WCF fails to deserialize correct(?) response message security headers (Security header is empty)

Question

I'm communicating with an OC4J webservice, using a WCF client. The client is configured as follows:

        <basicHttpBinding>
<binding name="MyBinding">
 <security mode="TransportWithMessageCredential">
  <transport clientCredentialType="None" proxyCredentialType="None" realm=""/>
  <message clientCredentialType="UserName" algorithmSuite="Default"/>
 </security>
</binding>

My clientcode looks as follows:

    ServicePointManager.CertificatePolicy = new AcceptAllCertificatePolicy();

    string username = ConfigurationManager.AppSettings["user"];
    string password = ConfigurationManager.AppSettings["pass"];

    // client instance maken
    WebserviceClient client = new WebserviceClient();

    client.Endpoint.Binding = new BasicHttpBinding("MyBinding");

    // credentials toevoegen
    client.ClientCredentials.UserName.UserName = username;
    client.ClientCredentials.UserName.Password = password;

    //uitvoeren request
    var response = client.Ping();

I've altered the CertificatePolicy to accept all certificates, because I need to insert Charles (ssl proxy) in between client and server to intercept the actual Xml that is sent across te wire.

My request looks as follows:

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"&gt;
<s:Header>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"&gt;
 <u:Timestamp u:Id="_0">
  <u:Created>2010-04-01T09:47:01.161Z</u:Created>
  <u:Expires>2010-04-01T09:52:01.161Z</u:Expires>
 </u:Timestamp>
 <o:UsernameToken u:Id="uuid-9b39760f-d504-4e53-908d-6125a1827aea-21">
  <o:Username>user</o:Username>
  <o:Password o:Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username- token-profile-1.0#PasswordText">pass</o:Password>
 </o:UsernameToken>
</o:Security>
</s:Header>
<s:Body>
<getPrdStatus xmlns="http://mynamespace.org/wsdl"&gt;
 <request xmlns="" xmlns:a="http://mynamespace.org/wsdl"  xmlns:i="http://www.w3.org/2001/XMLSchema-instance"&gt;
  <a:IsgrStsRequestTypeUser>
   <a:prdCode>LEPTO</a:prdCode>
   <a:sequenceNumber i:nil="true" />
   <a:productionType i:nil="true" />
   <a:statusDate>2010-04-01T11:47:01.1617641+02:00</a:statusDate>
   <a:ubn>123456</a:ubn>
   <a:animalSpeciesCode>RU</a:animalSpeciesCode>
  </a:IsgrStsRequestTypeUser>
 </request>
 </getPrdStatus>
 </s:Body>
</s:Envelope>

In return, I receive the following response:

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns0="http://mynamespace.org/wsdl"&gt;
<env:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" env:mustUnderstand="1" />
</env:Header>
<env:Body>
<ns0:getPrdStatusResponse>
<result>
  <ns0:IsgrStsResponseTypeUser>
  <ns0:prdCode>LEPTO</ns0:prdCode>
  <ns0:color>green</ns0:color>
  <ns0:stsCode>LEP1</ns0:stsCode>
  <ns0:sequenceNumber xsi:nil="1" />
  <ns0:productionType xsi:nil="1" />
  <ns0:IAndRCode>00</ns0:IAndRCode>
  <ns0:statusDate>2010-04-01T00:00:00.000+02:00</ns0:statusDate>
  <ns0:description>Gecertificeerd vrij</ns0:description>
  <ns0:ubn>123456</ns0:ubn>
  <ns0:animalSpeciesCode>RU</ns0:animalSpeciesCode>
  <ns0:name>gecertificeerd vrij</ns0:name>
  <ns0:ranking>17</ns0:ranking>
  </ns0:IsgrStsResponseTypeUser>
 </result>
</ns0:getPrdStatusResponse>
</env:Body>
</env:Envelope>

Why can't WCF deserialize this response header? I'm getting a "Security header is empty" exception:

Server stack trace: 
at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout)
at     System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessageCore(Message& message, TimeSpan timeout)
at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout)
at System.ServiceModel.Security.SecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Who knows what is going on here? I've already tried Rick Strahl's suggestion and removed the timestamp from the request header. Any help greatly appreciated!

Answer 1

No idea if your specific problem is covered as well, but there are quite some options discussed in this thread.

Answer 2

It seems my problem is addressed in the following kb article: http://support.microsoft.com/kb/971493/

Haven't been able to download the fix yet, because no download link seems to be available... Will keep this thread updated.