Home/ Questions/Q 3229156
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-17T16:46:41+00:00

This is my service configuration in web.config: <binding name=statefulSessionWithUsernameOverTransport> <security authenticationMode=SecureConversation requireSecurityContextCancellation=False allowInsecureTransport=True> <secureConversationBootstrap

  • 0

This is my service configuration in web.config:

<binding name="statefulSessionWithUsernameOverTransport">
  <security authenticationMode="SecureConversation"
    requireSecurityContextCancellation="False" allowInsecureTransport="True">
    <secureConversationBootstrap authenticationMode="UserNameOverTransport"/>
  </security>
  <binaryMessageEncoding />
  <httpTransport />
</binding>

<service name="com.example.FooService"
  behaviorConfiguration="usernamePasswordAuthBehavior">
  <endpoint contract="com.example.FooService.IFooService"
    address="custom" binding="customBinding"
    bindingConfiguration="statefulSessionWithUsernameOverTransport" />
</service>

I am setting allowInsecureTransport=True because in Production the Service will be running behind an SSL Terminating Load Balancer. Calling the Service from my .Net 4.0 Client works without any problems but trying to update the service reference in VS2010 always results in an error:

System.ServiceModel.Channels.TransportSecurityBindingElement
Error: Security Policy Export failed. The Binding contains a TransportSecurityBindingElement but no transport security binding element that implements ITransportTokenAssertionProvider. Policy export for such a policy export is not supported.*

I understand what it is trying to tell me – which is basically that I’ve disabled transport security on a binding that requires it to avoid compromising the credentials travelling over the wire. But – that is the whole point of allowInsecureTransport. Could it be that the proxy generator is simply not aware of this attribute?

Update:

It looks like the wsdl generator is indeed unable to deal with the attribute. I had to go back to Message Level Security and a Self-Signed Certificate for development. Using Message Security had the advantage of being able to stick to Cassini for Development instead of going full blown IIS.

<wsHttpBinding>
    <binding name="wshttpDevelopmentBinding">
      <security mode="Message">
        <message clientCredentialType="UserName" />
      </security>
    </binding>
</wsHttpBinding>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I ran into this same issue. The problem seems to be the http transport because it doesn’t implement the ITransportTokenAssertionProvider interface, but https does. I was able to get around this two ways: switch my custom binding to use https transport, which implements the interface, and add enableUnsecuredResponse=”true” to the security element in the config, or write a custom binding deriving from HttpTransportBindingElement but implementing the necessary interface.

    • 0