Intermittent System.ServiceModel.Security.MessageSecurityException

I have a webservice hosted in Azure which is throwing intermittent message security exceptions. We do have retries but the retries have never succeeded even though the proxy is regenerated on every retry. Does anyone know about this or any pointers on how to get the real exception out?

Exception: "exceptionMessage": "An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.", "exceptionType": "System.ServiceModel.Security.MessageSecurityException", "innerExceptionTree": "{\"InnerExceptions\":[{\"InnerExceptions\":null,\"Message\":\"The message could not be processed. This is most likely because the action 'http:\/\/schemas.xmlsoap.org\/ws\/2005\/02\/trust\/RST\/SCT\/Cancel' is incorrect or because the message contains an invalid or expired security context token or because there is a mismatch between bindings. The security context token would be invalid if the service aborted the channel due to inactivity. To prevent the service from aborting idle sessions prematurely increase the Receive timeout on the service endpoint's binding.\",\"StackTrace\":null,\"Type\":\"System.ServiceModel.FaultException\"}],\"Message\":\"An unsecured or incorrectly secured fault was received from the other party. 
See the inner FaultException for the fault code and detail.\",\"StackTrace\":\"\u000d\u000aServer stack trace: \u000d\u000a   at System.ServiceModel.Security.SecuritySessionClientSettings"1.ClientSecuritySessionChannel.ProcessRequestContext(RequestContext requestContext, TimeSpan timeout, SecurityProtocolCorrelationState correlationState)\u000d\u000a   at System.ServiceModel.Security.SecuritySessionClientSettings"1.ClientSecuritySessionChannel.ReceiveInternal(TimeSpan timeout, SecurityProtocolCorrelationState correlationState)\u000d\u000a   at System.ServiceModel.Security.SecuritySessionClientSettings"1.SecurityRequestSessionChannel.CloseOutputSession(TimeSpan timeout)\u000d\u000a   at System.ServiceModel.Security.SecuritySessionClientSettings"1.ClientSecuritySessionChannel.CloseSession(TimeSpan timeout, Boolean& wasAborted)\u000d\u000a   at System.ServiceModel.Security.SecuritySessionClientSettings"1.ClientSecuritySessionChannel.OnClose(TimeSpan timeout)\u000d\u000a   at System.ServiceModel.Channels.CommunicationObject.Close(TimeSpan timeout)\u000d\u000a   at System.ServiceModel.Channels.ServiceChannel.OnClose(TimeSpan timeout)\u000d\u000a   at System.ServiceModel.Channels.CommunicationObject.Close(TimeSpan timeout)\u000d\u000a\u000d\u000aException rethrown at [0]: \u000d\u000a   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)\u000d\u000a   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)\u000d\u000a   at System.ServiceModel.ICommunicationObject.Close(TimeSpan timeout)\u000d\u000a   at System.ServiceModel.ClientBase"1.System.ServiceModel.ICommunicationObject.Close(TimeSpan timeout)\u000d\u000a   at System.ServiceModel.ClientBase"1.Close()\u000d\u000a   at System.ServiceModel.ClientBase"1.System.IDisposable.Dispose()\u000d\u000a

Server's web.config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.diagnostics>
    <trace>
      <listeners>
        <add type="Microsoft.WindowsAzure.Diagnostics.DiagnosticMonitorTraceListener, Microsoft.WindowsAzure.Diagnostics, Version=2.4.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" name="AzureDiagnostics">
          <filter type="" />
        </add>
      </listeners>
    </trace>
  </system.diagnostics>
  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <authentication mode="Windows" />
  </system.web>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="binding" maxReceivedMessageSize="5000000" openTimeout="00:20:00" closeTimeout="00:20:00" sendTimeout="00:20:00" receiveTimeout="01:00:00">
          <readerQuotas maxStringContentLength="5000000" maxArrayLength="5000000" />
          <security mode="TransportWithMessageCredential">
            <message clientCredentialType="Certificate" negotiateServiceCredential="true"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <services>
      <service behaviorConfiguration="behavior" name="name">
        <endpoint address="" binding="wsHttpBinding" bindingConfiguration="binding"
          contract="contract" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="behavior">
          <serviceCredentials>
            <serviceCertificate findValue="15E957FE4732D15B8A88FE524B4CBF0B2F01B18E" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint"/>
            <clientCertificate>
              <authentication certificateValidationMode="Custom" customCertificateValidatorType="customCertificateValidatorType, Eventing.Core"/>
            </clientCertificate>
          </serviceCredentials>
          <serviceMetadata httpsGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceThrottling maxConcurrentCalls="500" maxConcurrentInstances ="500" maxConcurrentSessions ="500"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
    <!--
        To browse web app root directory during debugging, set the value below to true.
        Set to false before deployment to avoid disclosing web app folder information.
    -->
    <directoryBrowse enabled="false" />
  </system.webServer>
</configuration>

Client app.config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
  </startup>
  <system.net>
    <connectionManagement>
      <add maxconnection = "500" address ="*" />
    </connectionManagement>
  </system.net>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="WSHttpBinding_IFoo" 
                 closeTimeout="00:20:00"
                 openTimeout="00:20:00"
                 receiveTimeout="00:20:00"
                 sendTimeout="00:20:00"
                 maxBufferPoolSize="5000000" 
                 maxReceivedMessageSize="5000000">
          <readerQuotas maxDepth="32"
                        maxStringContentLength="5000000"
                        maxArrayLength="5000000"
                        maxBytesPerRead="5000000"
                        maxNameTableCharCount="5000000" />
          <security mode="TransportWithMessageCredential">
            <transport clientCredentialType="None" />
            <message clientCredentialType="Certificate" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <client>
       <endpoint address="https://foo.cloudapp.net/bar.svc"
          behaviorConfiguration="serviceBehavior" binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IFoo"
          contract="XYZ.IAbc" name="WSHttpBinding_IFoo" />
    </client>
    <behaviors>
      <endpointBehaviors>
        <behavior name="serviceBehavior">
          <clientCredentials>
            <clientCertificate storeName="My" storeLocation="LocalMachine" x509FindType="FindByThumbprint" findValue="e1aa390214b6c7c0ec2b71624cafb0b5ffdccefd" />
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>

I have replaced some confidential information with Foo/Bar.

May 29th, 2015 5:53pm
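
The stack trace in the question shows the exception surfacing from ClientBase.Dispose() calling Close(), that is, while the client is closing its security session rather than during the service call itself. The following is an added example, not the poster's code: it closes the proxy with the Close/Abort pattern instead of a using block and logs the inner FaultException's code and reason. The names SecureCall, Invoke, CloseOrAbort and LogFault are hypothetical.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Security;

static class SecureCall
{
    // Runs one operation on a fresh proxy. A fault raised while closing the
    // security session is logged and the channel aborted, so it cannot mask
    // the result of a call that already succeeded.
    public static TResult Invoke<TClient, TResult>(
        Func<TClient> createProxy, Func<TClient, TResult> operation)
        where TClient : ICommunicationObject
    {
        TClient proxy = createProxy();
        TResult result;
        try
        {
            result = operation(proxy);
        }
        catch (Exception ex)
        {
            LogFault(ex);   // failure in the call itself: report, abort, rethrow
            proxy.Abort();
            throw;
        }
        CloseOrAbort(proxy);
        return result;
    }

    static void CloseOrAbort(ICommunicationObject channel)
    {
        try { channel.Close(); }
        // MessageSecurityException derives from CommunicationException.
        catch (CommunicationException ex) { LogFault(ex); channel.Abort(); }
        catch (TimeoutException) { channel.Abort(); }
    }

    // The fault code and reason sit on the inner FaultException.
    static void LogFault(Exception ex)
    {
        var fault = ex.InnerException as FaultException;
        if (ex is MessageSecurityException && fault != null)
        {
            string code = fault.Code != null ? fault.Code.Name : "(none)";
            Console.Error.WriteLine("Security fault: code={0}, reason={1}", code, fault.Reason);
        }
    }
}
```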

Hi,

  This is almost always because of a server time skew. The remote server and the client's system time must be within (typically) 10 minutes of each other. If they are not, security validation will fail.
  Refer: http://stackoverflow.com/questions/1484601/wcfan-unsecured-or-incorrectly-fault-error
  Also : http://stackoverflow.com/questions/912580/invalid-or-expired-security-context-token-in-wcf-web-service
 
Regards,
Nithin Rathnakar

May 30th, 2015 6:14am

Thanks Nithin. We thought the same but could not find a solution for it. Any suggestions on how to fix it?
June 1st, 2015 1:27pm

Hi,
   
 It's difficult to pinpoint an exact solution for this issue; some workarounds are given in the StackOverflow threads I mentioned in the earlier reply.
 If that does not work, we would need to perform some hands-on troubleshooting which would require access to your Instances and Subscription details.
 It is not recommended to provide those details in the Public forum.
 I would suggest, if possible, you have a support ticket created for this issue and have a support professional look into this issue.
 
Regards,
Nithin Rathnakar
June 2nd, 2015 6:33am


Thanks!
June 3rd, 2015 1:41pm

This topic is archived. No further replies will be accepted.
