I've been working in the DeKlarit's WCF addin for a long time now, and lately I've been trying to implement the security features. Security in WCF is "pretty easy", first of all cause by default, everything is secured. The problem comes when you want to move things around.
DeKlarit uses ASP.Net Membership Provider to implement security in its addin's generated applications. So I needed to bind WCF Security with our Membership Provider implementation in order to secure the communication between applications (client and services). Once I'd set everything up I got an error on the client side saying: "An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail." and the inner exception had the message: "At least one security token in the message could not be validated." :(
I googled around about these issues with no luck. I also opened many threads at the Indigo forum about it but nobody seemed to know what was it about. And I can't blame them, cause the problem was that I was missing the applicationName attribute in the membership provider configuration. It had nothing to do with WCF but the message I got was not clear enough. According to some people at the Indigo forum that was done on purpose, so an attacker wouldn't get much information about what's going on at the server side. The problem comes when the attacker is the developer trying to get in :)
So there!, if you come to those messages check everything in your config files cause it could be anything.