
WCF client to ASMX service - UserNameToken requires nonce


Jo-Anne V

Nov 4, 2009, 12:09:01 AM
I have a WCF client application, built in Visual Studio 2008, that is not
able to converse with an external ASMX service. The web service uses
transport security via HTTPS and requires a WSE-style UsernameToken section
in the SOAP header. The UsernameToken section must include a Nonce and
Created timestamp since the server uses them to prevent replay attacks. I've
tried numerous tweaks of my WCF configuration, but I can't get the Nonce to
appear.

I have a WSE 3.0 client app in Visual Studio 2005 that DOES work with this
web service. Here is the WORKING SOAP request:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soap:Header>
    <wsa:Action>https://www.vis-dhs.com/EmployerWebService/EmpGetCitizenshipStatusCodes</wsa:Action>
    <wsa:MessageID>urn:uuid:32355d4f-f5f8-42f8-aede-8b625c28de19</wsa:MessageID>
    <wsa:ReplyTo>
      <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
    </wsa:ReplyTo>
    <wsa:To>https://stage.e-verify.uscis.gov/WebService/EmployerWebServiceV19.asmx</wsa:To>
    <wsse:Security soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="Timestamp-6cf8ea3f-6800-43d3-ba31-d886ca8d3aed">
        <wsu:Created>2009-11-04T01:37:06Z</wsu:Created>
        <wsu:Expires>2009-11-04T01:42:06Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:UsernameToken
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          wsu:Id="SecurityToken-dc1cc4ef-4f7f-4585-891f-c427d397f636">
        <wsse:Username>==removed==</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">==removed==</wsse:Password>
        <wsse:Nonce>o5I3WVd1Rmcap7Q5JIEw9w==</wsse:Nonce>
        <wsu:Created>2009-11-04T01:37:06Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <EmpGetCitizenshipStatusCodes xmlns="https://www.vis-dhs.com/EmployerWebService/" />
  </soap:Body>
</soap:Envelope>

I need to get this working in WCF and Visual Studio 2008. For my WCF client
I am using a custom binding as follows:

<customBinding>
  <binding name="CustomSoap11">
    <security authenticationMode="UserNameOverTransport"
        requireDerivedKeys="true"
        securityHeaderLayout="Strict" includeTimestamp="true"
        keyEntropyMode="ClientEntropy"
        messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
        requireSignatureConfirmation="false" >
      <localClientSettings detectReplays="true"/>
      <localServiceSettings detectReplays="true"/>
    </security>
    <textMessageEncoding messageVersion="Soap11WSAddressing10" />
    <httpsTransport />
  </binding>
</customBinding>

This configuration generates the following XML:

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:a="http://www.w3.org/2005/08/addressing"
    xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1">https://www.vis-dhs.com/EmployerWebService/EmpGetCitizenshipStatusCodes</a:Action>
    <a:MessageID>urn:uuid:3bb7cca8-9eea-4efe-b03f-2fc6e60c8718</a:MessageID>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1">https://stage.e-verify.uscis.gov/WebService/EmployerWebServiceV19.asmx</a:To>
    <o:Security s:mustUnderstand="1"
        xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0">
        <u:Created>2009-11-04T03:42:57.879Z</u:Created>
        <u:Expires>2009-11-04T03:47:57.879Z</u:Expires>
      </u:Timestamp>
      <o:UsernameToken u:Id="uuid-20e6ef2e-be67-4fb7-9ae9-f9ac19a3b0c5-1">
        <o:Username>==removed==</o:Username>
        <o:Password o:Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">==removed==</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <EmpGetCitizenshipStatusCodes
        xmlns="https://www.vis-dhs.com/EmployerWebService/"
        xmlns:b="http://schemas.datacontract.org/2004/07/WCFTest.EvServiceRef"
        xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/>
  </s:Body>
</s:Envelope>

This XML is fine except for the missing Nonce and Created lines. The web
service returns the error "WSE567: The incoming Username token must contain
both a nonce and a creation time for the replay detection feature."

Can someone clue me in on how to generate a SOAP header in the required
format using WCF?

Thanks.
Jo-Anne V

sdclav

Jan 14, 2010, 1:26:01 PM
Hey Jo-Anne,

I am having the same issue. Were you ever able to get a resolution to this
issue?

Thanks,

Steve

Simkin@discussions.microsoft.com Marc Simkin

Apr 2, 2010, 4:09:01 PM
Hi Steve and Jo-Anne, were you guys ever able to resolve this issue? I need
to do the same thing, in order to talk to a Java Web Service.

thanks

marc

rourke11h...@discussions.microsoft.com

Jun 30, 2010, 4:16:30 PM
Did you get WCF to work with Everify? If so how?