TransportWithClientCredentials error

Topics: Technical Questions, Usage Scenarios
Feb 10, 2010 at 3:52 PM

I've gone through the basic setups and samples and everything there seems to work OK. When I try to hook up the services I use that use the TransportWithClientCredentials security setting, I am unable to get a valid test working on the virtualized service. I am able to create the endpoint OK and have tried using both BasicHttp(Soap11) and BasicHttp(Soap12). Neither works. I also tried the WsHttp bindings, but neither seems to be configured to work with ClientCredentials. The error that I receive when I try to test is a SOAP fault: The username is not provided.  Specify username in ClientCredentials.

My test configuration is:

* Use Credentials (checked)
* UserId: populated
* Password: Populated
* Impersonation Level: Identification

Any ideas on how to get this working?



Feb 11, 2010 at 3:02 PM

If you are using the default bindings that are installed with the MSE, those are configured with no security, so the endpoints you host are anonymous. It sounds like the error you are getting may be coming from the MSE trying to invoke your service implementation. Are your service implementations set up for TransportWithMessageCredential? If so, the MSE won't be able to call your service without some policy assertions applied to indicate what credentials should be passed along to the service implementation.

Have you looked at the security guide? It covers what policy assertions are needed for different security scenarios. You can then look into each assertion to understand how to configure it.

For example, if you have a virtual service that takes in username tokens and then calls a service that is TransportWithMessageCredentials, you'll need to configure several things:

MSE Endpoint Binding: create a wshttpbinding that uses message security and username client credentials, apply the binding to the endpoint.

MSE Endpoint Policy: you'll need to create an endpoint policy that includes a few assertions:

ServiceCredentials - a) to specify what service certificate will be used to secure the messages, and b) to indicate flowing of UserName token (with no authentication to keep it simpler for now)

MessageProtection - ensures MSE can process messages coming in at a message secured endpoint

MSE Resource Policy:  here you'll need a policy on the resource to take the credentials received at the endpoint and flow them to the service implementation.  The assertions are:

IdentityAwareChannel - configured to flow UserName tokens

ServiceIdentity - may be needed if your service doesn't publish an identity or an unexpected identity (check out the security guide for more)

CertificateValidation - may be needed if your service's certificate isn't from a trusted issuer.


Hope that helps.
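
The two bindings described in the reply above, written as standard WCF configuration. This is an added example, not part of the original thread or of the MSE's own documentation; the binding names are hypothetical, the use of basicHttpBinding for the service implementation is an assumption based on the question, and how a binding is registered in the MSE is not shown.

```xml
<bindings>
  <!-- Inbound side: the binding applied to the MSE endpoint.
       Message security with a UserName client credential, as the reply
       describes. This mode needs a service certificate to protect the
       message, which is why the endpoint policy carries a
       ServiceCredentials assertion. -->
  <wsHttpBinding>
    <binding name="MseEndpointUserName"> <!-- hypothetical name -->
      <security mode="Message">
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </wsHttpBinding>

  <!-- Outbound side: what a service implementation secured with
       TransportWithMessageCredential expects from its caller.
       HTTPS protects the transport and the UserName token travels in the
       SOAP security header. A caller that uses this binding without
       supplying a username fails with "The username is not provided.
       Specify username in ClientCredentials." -->
  <basicHttpBinding>
    <binding name="BackendUserNameOverHttps"> <!-- hypothetical name -->
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
```

With the default unsecured bindings on the endpoint, no UserName token arrives for the MSE to pass on, so the outbound call to a service using the second binding has no username to present.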