If you are using the default bindings that are installed with the MSE, those are configured with no security so the endpoints you host are anonymous. It sounds like the error you are getting may be comming from the MSE trying to invoke your service
implementation. Are your service implementations setup for TransportWithMessageCredential? If so, the MSE won't be able to call your service without some policy assertions applied to indicate what credentials should be passed along to the
Have you looked at the security guide? It covers what policy assertions are needed for different security scenarios. you can then look into each assertion to understand how to configure it.
For example, if you have a virtual service that takes in username tokens and then calls a service that is TransportWithMessageCredentials, you'll need to configure several things:
MSE Endpoint Binding: create a wshttpbinding that uses message security and username client credentials, apply the binding to the endpoint.
MSE Endpoint Policy: you'll need to create an endpoint policy that includes a few assertions:
ServiceCredentials - a)to specify what service certificate will be used to secure the messages, and b) to indicate flowing of UserName token (with no authentication to keep it simpler for now)
MessageProtection - ensures MSE can process messages coming in at a message secured endpoint
MSE Resource Policy: here you'll need a policy on the resource to take the credentials received at the endpoint and flow them to the service implementation. The assertions are:
IdentityAwareChannel - configured to flow UserName tokens
ServiceIdentity - may be needed if your service doesn't publish an identity or an unexpected identity (check out the security guide for more)
CertificateValidation - may be needed if your service's certificate isn't from a trusted issuer.
hope that helps.