The security token could not be authenticated or authorized (.net, soap1.2)

Question

I've been trying to get access to a thirdparty-webservice for the past two weeks and right now I'm hopelessly confused.

So the webservice is setup in the Intranet. I have the URL, user and Password to access it. They also sent me the .wsdl which i used to generate the proxy-class, but whenever I try to invoke functions/methods I get the error "The security token could not be authenticated or authorized.".

Granted, I'm not really good with webservices and such, but I'm pretty sure most of the settings are made by the proxy-class. I set the URL of the webservice there and parse the account Information through the credentials as well as the custombinding, but something is wrong ... The 3rd-party developer only told me that the authentication mode is NTML Kerberos which doesn't exactly help me here. I tried to set the authenticationMode in security to Kerberos, but only ended up with another error (principal not found).

proxy-call:

 var binding = new CustomBinding("CrmDienstWSBinding"); //in web.config
 var proxy = new CrmDienstWSClient(binding, new EndpointAddress("xxxx"));
 proxy.ClientCredentials.UserName.UserName = user;
 proxy.ClientCredentials.UserName.Password = pw;

 var erg = proxy.erstelleAufgabe("false", erstAufg);

proxy-constructors:

    public CrmDienstWSClient() {
    }

    public CrmDienstWSClient(string endpointConfigurationName) : 
            base(endpointConfigurationName) {
    }

    public CrmDienstWSClient(string endpointConfigurationName, string remoteAddress) : 
            base(endpointConfigurationName, remoteAddress) {
    }

    public CrmDienstWSClient(string endpointConfigurationName, System.ServiceModel.EndpointAddress remoteAddress) : 
            base(endpointConfigurationName, remoteAddress) {
    }

    public CrmDienstWSClient(System.ServiceModel.Channels.Binding binding, System.ServiceModel.EndpointAddress remoteAddress) : 
            base(binding, remoteAddress) {
    }

web.config:

<system.serviceModel>
    <bindings>
      <customBinding>
        <binding name="CrmDienstWSBinding">
          <textMessageEncoding messageVersion="Soap12"  />
          <httpTransport />
        </binding>
      </customBinding>
    </bindings>
  </system.serviceModel>

I know these few lines are not very much to go by, but I can't really post that much as the webservice is from a third Party. I'll try to get whatever Information is needed to get this problem solved .. so please help me ~.~

Thanks in advance.

[EDIT 17.07.15] So I finally got some more Information ..

<soap:Header>
<wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>testmann@15885</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">geheim</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>

So now I know how the Header is supposed to look like, but usually this stuff should be created with the .wsdl anyways so that I just have to set my username and Password, right? Do I have to change the code that was generated by the wsdl?

There is also another method to get Access by using soapUI. Never worked with it before, but I'll take a look at it just now.

In the .wsdl the Header is not complete .. example:

<operation name="erstelleAufgabe">
  <soap12:operation soapAction="" />
  <input>
    <soap12:body use="literal" parts="erstelleAufgabe" />
    <soap12:header message="tns:CrmDienstWS_erstelleAufgabe" part="IgnoreWarnings" use="literal" />
  </input>
  <output>
    <soap12:body use="literal" />
  </output>
  <fault name="ServiceFault">
    <soap12:fault use="literal" name="ServiceFault" namespace="" />
  </fault>
</operation>

Namespace: xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/wsdl11soap12-20060302.xsd"

The xsd doesn't even have these kind of XML-elements under the header. Now I'm really confused. I think the service-provider screwed up big time.

Answer 1

In the end our dear service Provider forgot to activate the password ...

Answer 2

Not sure if this will work, but you could give it a try.

 UsernameToken token = new UsernameToken(username, password, PasswordOption.SendHashed);
 proxy.RequestSoapContext.Security.Tokens.Add(token);

 var result = proxy.MethodCall();

You can get more info here:

MSDN - WS-Security Authentication

MSDN - UsernameToken class