How to generate UsernameToken for WS-Security?

I have some web service (wrote in Java) and I need create client for it in .NET. The WebService has WS-Security and need PasswordDigest. First of all, I've tested it in SoapUI and it's works for:

Accept-Encoding: gzip,deflate
Content-Type: application/soap+xml;charset=UTF-8;action="someMethod"
Content-Length: 971
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

<soap:Envelope xmlns:not="" xmlns:soap="">
    <wsse:Security xmlns:wsse="" xmlns:wsu="">
        <wsse:UsernameToken wsu:Id="UsernameToken-2C1E2DE2B61EBB94E115572099598331">
            <wsse:Password Type="">rcSb6Hd8btcI9g6JvO7dGdiTBTI=</wsse:Password>
            <wsse:Nonce EncodingType="">PCoVwJm9oEXtusx6gkMb7w==</wsse:Nonce>

In the next step I've prepared simple client in .NET and check with Wireshark what it sends:

POST /services/ws/SomeService HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/soap+xml;charset=UTF-8;action="someMethod"
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Content-Length: 1124
Expect: 100-continue
Connection: Keep-Alive

<soap:Envelope xmlns:not="" xmlns:soap="">
    <wsse:Security xmlns:wsse="" xmlns:wsu="">
      <wsse:UsernameToken xmlns:wsu="" wsu:Id="SecurityToken-85707168-b5c6-47dc-93e9-45afa466fa2a" xmlns:wsse="">
        <wsse:Password Type="">g112a9eHPR1hXD4UH+Lh3o8JV/o=</wsse:Password>
    <not:someMethod />

Unfortunatelly I allways got 500 status code and response:

<soap:Envelope xmlns:soap="">
                    <soap:Value xmlns:ns1="">ns1:SecurityError</soap:Value>
                <soap:Text xml:lang="en">A security error was encountered when verifying the message</soap:Text>

I'm pretty sure it's appear because of authorization problem (I had same message in SoapUI if provided wrong credentials).

The section in my client is created with:

UsernameToken t = new UsernameToken("SOME_LOGIN", "SOME_PASSWORD", PasswordOption.SendHashed);
string usernameTokenSection = t.GetXml(new XmlDocument()).OuterXml.ToString();

There is a few articels how to create PasswordDigits (Base64( SHA1(password + nonce + created) )), Nonce (Base64(RandomString)) or Created date but I can't find what is wsu:Id="UsernameToken-2C1E2DE2B61EBB94E115572099598331" and how to create it. Above code where I get xml from UsernameToken returns complete section so I decided to use it, but I noticed that it append wsu:Id="SecurityToken-85707168-b5c6-47dc-93e9-45afa466fa2a" (instead of wsu:Id="UsernameToken-2C1E2DE2B61EBB94E115572099598331"). I can change the name and remove - characters but it's nothing changed and I still get 500 Internal Server Error with message "A security error was encountered when verifying the message".

So, my question is how to generate UsernameToken section with proper wsu:Id="UsernameToken-XXXXXXXXXXXXXXX"data? What is it - just random string or some hash created based on username and password?


  • Got it! I noticed that SOAP sent from .NET client doesn't have attribute EncodingType in Nonce node. After little modification in code:

    UsernameToken t = new UsernameToken("SOME_LOGIN", "SOME_PASSWORD", PasswordOption.SendHashed);
    string usernameTokenSection = t.GetXml(new XmlDocument()).OuterXml.ToString().Replace("<wsse:Nonce", "<wsse:Nonce EncodingType=\"\"");

    Everything works!

    Whole code for .NET client:

    public static void Execute()
            UsernameToken usernameTokenSection = new UsernameToken("SOME_LOGIN", "SOME_PASSWORD", PasswordOption.SendHashed);
            HttpWebRequest request = CreateWebRequest();
            XmlDocument soapEnvelopeXml = new XmlDocument();
            soapEnvelopeXml.LoadXml(@"<soap:Envelope xmlns:not="""" xmlns:soap="""">" +
                  "<soap:Header>" +
                    @"<wsse:Security xmlns:wsse="""" xmlns:wsu="""">"+
                        usernameTokenSection.GetXml(new XmlDocument()).OuterXml.ToString().Replace("<wsse:Nonce", "<wsse:Nonce EncodingType=\"\"") +
                    "</wsse:Security>" +
            using (Stream stream = request.GetRequestStream())
            using (WebResponse response = request.GetResponse())
                using (StreamReader rd = new StreamReader(response.GetResponseStream()))
                    string soapResult = rd.ReadToEnd();
    public static HttpWebRequest CreateWebRequest()
            HttpWebRequest webRequest = (HttpWebRequest)WebRequest.Create(@"");
            webRequest.Method = "POST";
            webRequest.ContentType = "application/soap+xml;charset=UTF-8;action=\"someMethod\"";
            //NOTE: below it's not necessary
            //webRequest.Host = "";
            //webRequest.KeepAlive = true;
            //webRequest.UserAgent = "Apache-HttpClient/4.1.1 (java 1.5)";
            return webRequest;
    static void Main(string[] args)
            catch (Exception ex)

    PS. For using UsernameToken class you have to using Microsoft.Web.Services2 reference, you can add it by Nuget from here: Microsoft.Web.Services2

    PPS. I know that there is simpler way by Add Service Reference... but it require additional classes and modifications for creating Security node in Header, so I decided to send raw xml and manipulate it directly.