Sunday, December 09, 2007

WCF Security with DeKlarit's Membership Provider

I've been working on DeKlarit's WCF addin for a long time now, and lately I've been trying to implement the security features. Security in WCF is "pretty easy", first of all because by default everything is secured. The problem comes when you want to move things around.

DeKlarit uses the ASP.NET Membership Provider to implement security in its addin's generated applications. So I needed to bind WCF Security with our Membership Provider implementation in order to secure the communication between applications (client and services). Once I'd set everything up, I got an error on the client side saying: "An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail." The inner exception had the message: "At least one security token in the message could not be validated." :(

I googled around about these issues with no luck. I also opened many threads at the Indigo forum about it, but nobody seemed to know what it was about. And I can't blame them, because the problem was that I was missing the applicationName attribute in the membership provider configuration. It had nothing to do with WCF, but the message I got was not clear enough. According to some people at the Indigo forum, that was done on purpose, so an attacker wouldn't get much information about what's going on at the server side. The problem comes when the attacker is the developer trying to get in :)

So there! If you come across those messages, check everything in your config files, because it could be anything.
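One way to automate the config check described above, as an added example that is not part of the original post or of DeKlarit's code: a small Python linter that flags membership providers without an `applicationName` and WCF `userNameAuthentication` entries pointing at a provider the file does not define. The sample web.config, the provider name `SampleMembershipProvider`, its type, and the function name `check_membership_binding` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the post); provider name and type
# are placeholders. The provider entry lacks applicationName.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <membership defaultProvider="SampleMembershipProvider">
      <providers>
        <add name="SampleMembershipProvider"
             type="Sample.Security.MembershipProvider, Sample" />
      </providers>
    </membership>
  </system.web>
  <system.serviceModel>
    <behaviors><serviceBehaviors><behavior name="Secured">
      <serviceCredentials>
        <userNameAuthentication
            userNamePasswordValidationMode="MembershipProvider"
            membershipProviderName="SampleMembershipProvider" />
      </serviceCredentials>
    </behavior></serviceBehaviors></behaviors>
  </system.serviceModel>
</configuration>"""


def check_membership_binding(config_xml):
    """Return findings about how WCF is wired to the membership provider."""
    root = ET.fromstring(config_xml)
    providers = {}
    for membership in root.iter("membership"):
        for entry in membership.findall("providers/add"):
            providers[entry.get("name")] = entry
    findings = []
    for name, entry in providers.items():
        if not (entry.get("applicationName") or "").strip():
            findings.append(f"provider '{name}': applicationName is missing or empty")
    for auth in root.iter("userNameAuthentication"):
        if auth.get("userNamePasswordValidationMode") != "MembershipProvider":
            continue
        ref = auth.get("membershipProviderName")
        # Providers inherited from machine.config are not visible here.
        if ref is not None and ref not in providers:
            findings.append(f"WCF references provider '{ref}' not defined in this file")
    return findings


if __name__ == "__main__":
    for finding in check_membership_binding(SAMPLE_CONFIG):
        print(finding)
```

Running a check like this against the service's config before deployment surfaces the problem on the server side, where the generic client fault deliberately gives no detail.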

4 comments:

Anonymous said...

Good one chana. Good one.

Anonymous said...

Infinite thanks. Saved me all kinds of time. I had the applicationName set to "/" when it should have been "\". I never would have caught that.

basquang said...

Could you tell me how to fix the problem in detail?

Sebastián Gómez said...

Take a look at this post