At least one security token in the message could not be validated

Server config:

<?xml version="1.0"?>
            <behavior name="ServiceCredentialsBehavior">
                    <serviceCertificate findValue="cn=cool" storeName="TrustedPeople" storeLocation="CurrentUser" />
                <serviceMetadata httpGetEnabled="true" />
        <service behaviorConfiguration="ServiceCredentialsBehavior" name="Service">
            <endpoint address="" binding="wsHttpBinding" bindingConfiguration="MessageAndUserName" name="SecuredByTransportEndpoint" contract="IService"/>
            <binding name="MessageAndUserName">
                <security mode="Message">
                    <message clientCredentialType="UserName"/>
    <compilation debug="true"/>

My client config:

<?xml version="1.0" encoding="utf-8"?>
            <behavior name="LocalCertValidation">
                        <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="CurrentUser" />
            <binding name="WSHttpBinding_IService" >
                <security mode="Message">
                    <message clientCredentialType="UserName" />
        <endpoint address="http://localhost:48097/WCFServer/Service.svc"
                  name="WSHttpBinding_IService" behaviorConfiguration="LocalCertValidation">
                <dns value ="cool" />


public string TestAccess()
    return OperationContext.Current.ServiceSecurityContext.PrimaryIdentity.Name;


        ServiceClient client = new ServiceClient();
        client.ClientCredentials.UserName.UserName = "Admin";
        client.ClientCredentials.UserName.Password = "123";

Error: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. Inner exception: At least one security token in the message could not be validated.

How do I resolve this exception?


I think the problem is your user name and password. With default configuration user name and password is validated as windows account. If you want other validation you must either use membership provider or custom user name password validator.

Since the error message is rather obscure, thought I would put it out there as another possible solution.

My environment uses Single Sign On (or STS if you prefer) to authenticate a user through ASP.NET MVC site. MVC site in turn makes a service call to my service endpoint by passing bearer token which it requested from STS server with Bootstrap token previously. The error I got was when I made a service call from MVC site.

In my case, this is caused by my Service's configuration as stated below. Particularly audienceUris node, it must exactly match the service endpoint:

            <add value="https://localhost/IdpExample.YService/YService.svc" />


Need Your Help

best practice to generate random token for forgot password

php security random timestamp token

I want to generate identifier for forgot password . I read i can do it by using timestamp with mt_rand(), but some people are saying that time stamp might not be unique every time. So i am bit of

User GETDATE() to put current date into SQL variable

sql tsql

I'm trying to get the current date into a variable inside a SQL stored procedure using the following commands