This is a follow-up to this question here. It might not be directly related to that.
I am trying to call a web service secured with a token (federated security, WS-Trust 1.3) which I obtain from a Secure Token Service. I have the SecurityToken (generic XML) and I create a ChannelFactory<T> on which I then call CreateChannelWithIssuedToken.
The actual error appears when I attempt to invoke a service method. The message is very short and I actually have no idea where to look next: a MessageSecurityException with the message "Unable to create token reference". Well, that can mean anything.
The relevant code:
var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
binding.Security.Message.EstablishSecurityContext = false;
var factory = new ChannelFactory<IService>(
    binding,
    new EndpointAddress("..."));
factory.Credentials.SupportInteractive = false;
var token = STSClient.Issue();
_channel = factory.CreateChannelWithIssuedToken(token);
And calling the service is:
var svcParams = ...;
// MessageSecurityException is thrown here
var svcResponse = _channel.SomeServiceMethod(svcParams);
What I would like to know is where I can look next. What could cause this error?
Additional details:
Actually, the issue was insufficient configuration of the federation binding. Because I already have the token and it is already signed, I should have set the IssuedKeyType on the message security to SecurityKeyType.BearerKey.
By playing further with this, it turns out that "Unable to create token reference" is thrown every time there are, well, not enough details to embed the token in the request (typically it's missing configuration on the binding or on the binding's TransportSecurityBindingElement).
This does not completely solve the entire "calling the service with a token" issue, but it does solve this particular error:
var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
binding.Security.Message.EstablishSecurityContext = false;
// The token is a bearer token: it carries no proof key, so WCF must not try to derive or sign with a token key.
binding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;
// No runtime negotiation of the service credential; the HTTPS transport protects the exchange.
binding.Security.Message.NegotiateServiceCredential = false;
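An end-to-end version of the working configuration, added here as an example and not code from the original post: it requests a bearer token from a WS-Trust 1.3 STS with WSTrustChannelFactory (System.IdentityModel.Protocols.WSTrust, .NET 4.5 or later), builds the federation binding with IssuedKeyType = BearerKey, and calls the service through CreateChannelWithIssuedToken. The STS and service addresses, the IService contract, the username credential and the SAML 2.0 token type are assumptions; substitute your own.

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;   // WSTrustChannelFactory, RequestSecurityToken (.NET 4.5+)
using System.IdentityModel.Tokens;              // SecurityToken, SecurityKeyType
using System.ServiceModel;
using System.ServiceModel.Security;             // TrustVersion

// Hypothetical contract standing in for the IService of the original post.
[ServiceContract]
public interface IService
{
    [OperationContract]
    string SomeServiceMethod(string svcParams);
}

public static class FederatedClient
{
    // Assumed endpoints; replace with the real STS and service addresses.
    const string StsAddress = "https://sts.example.com/adfs/services/trust/13/usernamemixed";
    const string ServiceAddress = "https://service.example.com/Service.svc";

    // Step 1: ask the STS (WS-Trust 1.3) for a bearer token scoped to the service.
    public static SecurityToken IssueBearerToken(string user, string password)
    {
        var stsBinding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        stsBinding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        stsBinding.Security.Message.EstablishSecurityContext = false;

        var trustFactory = new WSTrustChannelFactory(stsBinding, new EndpointAddress(StsAddress))
        {
            TrustVersion = TrustVersion.WSTrust13
        };
        trustFactory.Credentials.UserName.UserName = user;
        trustFactory.Credentials.UserName.Password = password;

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            KeyType = KeyTypes.Bearer,   // no proof key: this must match BearerKey on the service binding
            AppliesTo = new EndpointReference(ServiceAddress)
        };

        try
        {
            IWSTrustChannelContract trustChannel = trustFactory.CreateChannel();
            return trustChannel.Issue(rst);
        }
        finally
        {
            if (trustFactory.State == CommunicationState.Faulted) trustFactory.Abort();
            else trustFactory.Close();
        }
    }

    // Step 2: the federation binding that can actually embed an already-issued bearer token.
    public static WS2007FederationHttpBinding CreateFederationBinding()
    {
        var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.EstablishSecurityContext = false;   // one token per call, no SCT handshake
        binding.Security.Message.NegotiateServiceCredential = false; // HTTPS protects the channel
        binding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey; // the setting that fixes "Unable to create token reference"
        // Assumed: the STS issues SAML 2.0 assertions. Change or omit this if your STS issues a different token type.
        binding.Security.Message.IssuedTokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
        return binding;
    }

    // Step 3: attach the issued token to a channel and invoke the service.
    public static string CallService(SecurityToken token, string svcParams)
    {
        var factory = new ChannelFactory<IService>(CreateFederationBinding(), new EndpointAddress(ServiceAddress));
        factory.Credentials.SupportInteractive = false;

        IService channel = factory.CreateChannelWithIssuedToken(token);
        try
        {
            return channel.SomeServiceMethod(svcParams);
        }
        catch (MessageSecurityException)
        {
            // "Unable to create token reference" surfaces here when the binding lacks what it needs
            // to serialise the token into the request: re-check IssuedKeyType and IssuedTokenType first.
            throw;
        }
        finally
        {
            var comm = (ICommunicationObject)channel;
            if (comm.State == CommunicationState.Faulted) comm.Abort(); else comm.Close();
            if (factory.State == CommunicationState.Faulted) factory.Abort(); else factory.Close();
        }
    }

    public static void Main()
    {
        // Constructed placeholders; real credentials belong in a secret store, not in source.
        SecurityToken token = IssueBearerToken("user@example.com", "password");
        Console.WriteLine(CallService(token, "ping"));
    }
}
```

The KeyType requested from the STS (KeyTypes.Bearer) and the IssuedKeyType on the service binding (SecurityKeyType.BearerKey) have to agree: a bearer token carries no proof key, so WCF relies on the HTTPS transport for integrity and confidentiality and only needs enough binding configuration to reference the token in the security header.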