I have a load-balanced service that uses message protection:
<wsHttpBinding>
  <binding>
    <security mode="Message">
      <message clientCredentialType="Windows" establishSecurityContext="false" />
    </security>
  </binding>
</wsHttpBinding>
All my calls to this service open and close their own channel, so there is no point in establishing a security context.
I call the service using WSHttpBinding, which matches the service configuration:
ws.Security.Mode = SecurityMode.Message;
ws.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
ws.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
ws.Security.Message.EstablishSecurityContext = false;
This works sometimes, but sometimes I get errors like
The security context identifier has expired or is invalid. The message was not processed.
or
The security token request has invalid or malformed elements.
Finally, I found that setting EstablishSecurityContext to false does not actually prevent the use of security context tokens. Our load balancer does not currently use sticky sessions, and I try to avoid that route.
I found that I had to set NegotiateServiceCredential to false on the client in order to allow load balancing without sticky sessions. My service is already running under an AD account, and I see it in the WSDL:
<Upn>User@Domain</Upn>
However, when I try to add a service identity to my client
EndpointIdentity.CreateUpnIdentity("User@Domain")
I get the following error:
Authentication of a service running under a user account that requires multi-leg Kerberos is not supported.
How do I get past this so that I can call my service through a load balancer?
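For reference, here is the client-side setup described in the question assembled into one runnable piece: the WSHttpBinding with message security, Windows credentials, no security context token and no service-credential negotiation, the UPN identity attached to the EndpointAddress, and one channel opened and closed per call. This is an added example, not the asker's code; the service URL, the contract IMyService and the UPN value are assumptions, and it only reproduces the configuration the asker reports, it does not change the outcome they describe.

```csharp
using System;
using System.ServiceModel;

// Added example (not the asker's code). Contract name, URL and UPN are assumptions.
[ServiceContract]
public interface IMyService
{
    [OperationContract]
    string Ping(string input);
}

public static class LoadBalancedClient
{
    // Message security with Windows credentials. EstablishSecurityContext = false
    // avoids a per-session security context token that only one node would know;
    // NegotiateServiceCredential = false removes the multi-message negotiation that
    // would otherwise have to land on the same node every time.
    public static WSHttpBinding CreateBinding()
    {
        var ws = new WSHttpBinding();
        ws.Security.Mode = SecurityMode.Message;
        ws.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
        ws.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        ws.Security.Message.EstablishSecurityContext = false;
        ws.Security.Message.NegotiateServiceCredential = false;
        return ws;
    }

    // With NegotiateServiceCredential = false the client must know the service
    // identity up front; it is supplied through the EndpointAddress.
    public static EndpointAddress CreateAddress(string url, string upn)
    {
        return new EndpointAddress(new Uri(url), EndpointIdentity.CreateUpnIdentity(upn));
    }

    // One channel per call, as the question describes; the factory and channel are
    // closed on success and aborted on failure so no state is left behind.
    public static string CallOnce(string url, string upn, string input)
    {
        var factory = new ChannelFactory<IMyService>(CreateBinding(), CreateAddress(url, upn));
        try
        {
            IMyService proxy = factory.CreateChannel();
            try
            {
                string result = proxy.Ping(input);
                ((IClientChannel)proxy).Close();
                return result;
            }
            catch
            {
                ((IClientChannel)proxy).Abort();
                throw;
            }
            finally
            {
                factory.Close();
            }
        }
        catch
        {
            factory.Abort();
            throw;
        }
    }

    public static void Main()
    {
        // Assumed values for illustration only.
        Console.WriteLine(CallOnce("http://lb.example.local/MyService", "User@Domain", "hello"));
    }
}
```

The identity string must match what the service publishes in its WSDL (the Upn element quoted above); any mismatch surfaces as an authentication failure on the client before the call reaches the service.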