Kirk Jackson's Page of Words - WCF: The security protocol cannot verify the incoming message

Thursday, October 02, 2008

WCF: The security protocol cannot verify the incoming message

If you're using certificates to authenticate, and you get the above error, then the root cause may be this:

System.ServiceModel.Security.MessageSecurityException
The security timestamp is invalid because its creation time ('2008-10-02T02:50:25.161Z') is in the future. Current time is '2008-10-02T02:44:44.909Z' and allowed clock skew is '00:05:00'.

Basically, if your client and server have clocks that are different by more than 5 minutes, the timestamp that they send to each other when they authenticate may be more than the tolerance allowed (default 5 minutes).... and it will fail.

The solution is to change one of the clocks :)

Kirk

posted on Thursday, October 02, 2008 3:30:58 PM (New Zealand Standard Time, UTC+12:00)

Comments [2]

Thursday, October 02, 2008 7:29:48 PM (New Zealand Standard Time, UTC+12:00)

Interesting... good thing you had logging on. Could have been a hard one to debug.

The server clocks aren't set to be synched automatically with the NTP timeservers?

Adam | adamAT NOSPAMflog dot co dot nz

Thursday, October 02, 2008 8:27:22 PM (New Zealand Standard Time, UTC+12:00)

Hi Adam,

Yeah, we had to use the very handy svctraceviewer to see that one. I'm not sure why our devt servers have the wrong time, something to do with the domain controller being out of synch -- it might not have access to the internet to get to a time server. I'll have to look into it :)

Kirk

Kirk Jackson | kirkAT NOSPAMpageofwords dot com

Comments are closed.