Security Exceptions

This topic lists all security exceptions.

Exception List

Resource Code

Resource String

AnonymousLogonsAreNotAllowed

The service does not allow you to log on anonymously.

AtLeastOneContractOperationRequestRequiresProtectionLevelNotSupportedByBinding

The request message must be protected. This is required by an operation of the specified contract. The protection must be provided by the specified binding.

AtLeastOneContractOperationResponseRequiresProtectionLevelNotSupportedByBinding

The response message must be protected. This is required by an operation of the specified contract. The protection must be provided by the specified binding.

AtMostOnePrimarySignatureInReceiveSecurityHeader

Only one primary signature is allowed in a security header.

BadContextTokenFaultReason

The security context token expired or is not valid. The message was not processed.

BadEncryptionState

The EncryptedData or EncryptedKey is in an invalid state for this operation.

BasicHttpMessageSecurityRequiresCertificate

BasicHttp binding requires that BasicHttpBinding.Security.Message.ClientCredentialType be equivalent to the BasicHttpMessageCredentialType.Certificate credential type for secure messages. Select Transport or TransportWithMessageCredential security for UserName credentials.

BasicTokenCannotBeWrittenWithoutEncryption

The basic token cannot be written without encryption.

BindingDoesNotSupportProtectionForRst

The specified binding for the specified contract is configured with SecureConversation, but the authentication mode is not able to provide the request/reply-based integrity and confidentiality required for the negotiation.

BindingDoesNotSupportWindowsIdenityForImpersonation

The specified contract operation requires Windows identity for automatic impersonation. A Windows identity that represents the caller is not provided by the specified binding for the specified contract.

CachedNegotiationStateQuotaReached

The service cannot cache the negotiation state as the specified capacity has been reached. Retry the request.

CacheQuotaReached

The item cannot be added. The maximum cache size is specified.

CannotDetermineSPNBasedOnAddress

Client cannot determine the Service Principal Name based on the identity in the specified target address for the purpose of SspiNegotiation/Kerberos. The target address identity must be a UPN identity (like acmedomain\alice) or SPN identity (like host/bobs-machine).

CannotFindCert

Cannot find the X.509 certificate using the specified search criteria: StoreName, StoreLocation, FindType, FindValue.

CannotFindCertForTarget

Cannot find the X.509 certificate using the specified search criteria: StoreName, StoreLocation, FindType, FindValue for the specified target.

CannotFindCorrelationStateForApplyingSecurity

Cannot find the correlation state for applying security to reply at the responder.

CannotFindNegotiationState

Cannot find the negotiation state for the specified context.

CannotFindSecuritySession

Cannot find the security session with the specified ID.

CannotImportProtectionLevelForContract

The policy import process cannot import a binding for the specified contract. The protection requirements for the binding are not compatible with a binding already imported for the contract. You must reconfigure the binding.

CannotImportSupportingTokensForOperationWithoutRequestAction

Security policy import failed. The security policy contains supporting token requirements at the operation scope. The contract description does not specify the action for the request message associated with this operation.

CannotIssueRstTokenType

Cannot issue the token of the specified type.

CannotObtainIssuedTokenKeySize

Cannot determine the key size of the issued token.

CannotPerformImpersonationOnUsernameToken

Impersonation using the client token is not possible. The specified binding for the specified contract uses the Username Security Token for client authentication with a Membership Provider registered. Use a different type of security token for the client.

CannotPerformS4UImpersonationOnPlatform

The specified binding for the specified contract supports impersonation only on Windows Server 2003 and newer versions of Windows. Use SspiNegotiated authentication and a binding with Secure Conversation with cancellation enabled.

CannotReadKeyIdentifier

Cannot read the KeyIdentifier from the specified element with the specified namespace.

CannotReadToken

Cannot read the token from the specified element with the specified namespace for BinarySecretSecurityToken, with a specified ValueType. If this element is expected to be valid, ensure that security is configured to consume tokens with the name, namespace and value type specified.

CertificateUnsupportedForHttpTransportCredentialOnly

Certificate-based client authentication is not supported in TransportCredentialOnly security mode. Select the Transport security mode.

ClaimTypeCannotBeEmpty

The claimType cannot be an empty string.

ClientCertificateNotProvided

The certificate for the client has not been provided. The certificate can be set on the ClientCredentials or ServiceCredentials.

ClientCredentialTypeMustBeSpecifiedForMixedMode

ClientCredentialType.None is not valid for the TransportWithMessageCredential security mode. Specify a credential type or use a different security mode.

ConfigurationSchemaInsuffientForSecurityBindingElementInstance

The configuration schema is insufficient to describe the non-standard configuration of the following security binding element:

DerivedKeyTokenGenerationAndLengthTooHigh

The derived key's specified generation and length result in a key derivation offset that is greater than the maximum offset allowed.

DnsIdentityCheckFailedForIncomingMessage

The identity check failed for the incoming message. The expected domain name system (DNS) identity of the remote endpoint was specified. The remote endpoint provided the specified domain name system (DNS) claim. If this is a legitimate remote endpoint, you can fix the problem by specifying the DNS identity as the Identity property of EndpointAddress when creating the channel proxy.

DnsIdentityCheckFailedForOutgoingMessage

The identity check failed for the outgoing message. The remote endpoint should have had the specified domain name system (DNS) identity. The remote endpoint provided the specified domain name system (DNS) claim. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying the DNS identity as the Identity property of EndpointAddress when creating the channel proxy.

DuplicateIdInMessageToBeVerified

The specified id occurred twice in the message that is supplied for verification.

EmptyBase64Attribute

An empty value was found for the required base-64 attribute name and namespace.

ExportOfBindingWithAsymmetricAndTransportSecurityNotSupported

Security policy export failed. The binding contains both an AsymmetricSecurityBindingElement and a secure transport binding element. Policy export for such a binding is not supported.

ExportOfBindingWithSymmetricAndTransportSecurityNotSupported

Security policy export failed. The binding contains both a SymmetricSecurityBindingElement and a secure transport binding element. Policy export for such a binding is not supported.

ExportOfBindingWithTransportSecurityBindingElementAndNoTransportSecurityNotSupported

Security policy export failed. The binding contains a TransportSecurityBindingElement but no transport binding element that implements ITransportTokenAssertionProvider. Policy export for such a binding is not supported. Make sure the transport binding element in the binding implements the ITransportTokenAssertionProvider interface.

FoundMultipleCerts

Found multiple X.509 certificates using the specified search criteria: StoreName, StoreLocation, FindType, FindValue. Provide a more specific find value.

FoundMultipleCertsForTarget

Found multiple X.509 certificates using the specified search criteria: StoreName, StoreLocation, FindType, FindValue for the specified target. Provide a more specific find value.

HeaderDecryptionNotSupportedInWsSecurityJan2004

SecurityVersion.WSSecurityJan2004 does not support header decryption. Use SecurityVersion.WsSecurityXXX2005 and above or use transport security to encrypt the full message.

IdentityCheckFailedForIncomingMessage

The identity check failed for the incoming message. The expected identity is specified for the target endpoint.

IdentityCheckFailedForOutgoingMessage

The identity check failed for the outgoing message. The expected identity is specified for the target endpoint.

IncorrectSpnOrUpnSpecified

Security Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with the specified identity. If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server.

InvalidAttributeInSignedHeader

The specified signed header contains the specified attribute. The expected attribute is specified.

InvalidCloseResponseAction

A security session close response was received with the specified invalid action.

InvalidQName

The QName is invalid.

InvalidRenewResponseAction

A security session renew response was received with the specified invalid action.

InvalidSspiNegotiation

The Security Support Provider Interface negotiation failed.

IssuerBindingNotPresentInTokenRequirement

The security token manager requires the bootstrap security binding element to be specified in the token requirement that describes secure conversation. The token requirement is specified as follows.

KeyLengthMustBeMultipleOfEight

The specified key length is not a multiple of 8 for symmetric keys.

LsaAuthorityNotContacted

Internal SSL error (refer to Win32 status code for details). Check the server certificate to determine if it is capable of key exchange.

MaximumPolicyRedirectionsExceeded

The recursive policy fetching limit has been reached. Check to determine if there is a loop in the federation service chain.

MessagePartSpecificationMustBeImmutable

Message part specification must be made constant before being set.

MissingCustomCertificateValidator

X509CertificateValidationMode.Custom requires CustomCertificateValidator. Specify the CustomCertificateValidator property.

MissingCustomUserNamePasswordValidator

UserNamePasswordValidationMode.Custom requires CustomUserNamePasswordValidator. Specify the CustomUserNamePasswordValidator property.

MissingMembershipProvider

UserNamePasswordValidationMode.MembershipProvider requires MembershipProvider. Specify the MembershipProvider property.

NoBinaryNegoToSend

No binary negotiation was sent to the other party.

NoEncryptionPartsSpecified

No encryption message parts were specified for messages with the specified action.

NoKeyInfoInEncryptedItemToFindDecryptingToken

The KeyInfo value was not found in the encrypted item to find the decrypting token.

NonceLengthTooShort

The specified nonce is too short. The minimum required nonce length is 4 bytes.

NoOutgoingEndpointAddressAvailableForDoingIdentityCheck

No outgoing EndpointAddress is available to check the identity on a message to be sent.

NoOutgoingEndpointAddressAvailableForDoingIdentityCheckOnReply

No outgoing EndpointAddress is available to check the identity on a received reply.

NoPartsOfMessageMatchedPartsToSign

No signature was created because no part of the message matched the supplied message part specification.

NoPrincipalSpecifiedInAuthorizationContext

No custom principal is specified in the authorization context.

NoSignatureAvailableInSecurityHeaderToDoReplayDetection

No signature is available in the security header to provide the nonce for replay detection.

NoSignaturePartsSpecified

No signature message parts were specified for messages with the specified action.

NoSigningTokenAvailableToDoIncomingIdentityCheck

No signing token is available to do an incoming identity check.

NoTimestampAvailableInSecurityHeaderToDoReplayDetection

No timestamp is available in the security header to do replay detection.

NoTransportTokenAssertionProvided

The security policy export failed. The provided transport token assertion of the specified type did not create a transport token assertion to include the sp:TransportBinding security policy assertion.

OnlyOneOfEncryptedKeyOrSymmetricBindingCanBeSelected

The symmetric security protocol can either be configured with a symmetric token provider and a symmetric token authenticator or an asymmetric token provider. It cannot be configured with both.

OperationCannotBeDoneOnReceiverSideSecurityHeaders

This operation cannot be done on the receiver security headers.

OperationDoesNotAllowImpersonation

The specified service operation that belongs to the contract with the specified name and the namespace does not allow impersonation.

PolicyRequiresConfidentialityWithoutIntegrity

Message security policy for the specified action requires confidentiality without integrity. Confidentiality without integrity is not supported.

PrimarySignatureIsRequiredToBeEncrypted

The primary signature must be encrypted.

PropertySettingErrorOnProtocolFactory

The required property on the specified security protocol factory is not set or has an invalid value.

ProtocolFactoryCouldNotCreateProtocol

The protocol factory cannot create a protocol.

PublicKeyNotRSA

The public key is not an RSA key.

RequiredMessagePartNotEncrypted

The specified required message part was not encrypted.

RequiredMessagePartNotEncryptedNs

The specified required message part was not encrypted.

RequiredMessagePartNotSigned

The specified required message part was not signed.

RequiredMessagePartNotSignedNs

The specified required message part was not signed.

RequiredSecurityHeaderElementNotSigned

The specified security header element with the specified id must be signed.

RequiredSecurityTokenNotEncrypted

The specified security token with the specified attachment mode must be encrypted.

RequiredSecurityTokenNotSigned

The specified security token with the specified attachment mode must be signed.

RequiredSignatureMissing

The signature must be in the security header.

RequireNonCookieMode

The specified binding with the specified namespace is configured to issue cookie security context tokens. COM+ Integration services does not support cookie security context tokens.

RevertingPrivilegeFailed

The reverting operation failed with the specified exception.

RSTRAuthenticatorIncorrect

The RequestSecurityTokenResponse CombinedHash is incorrect.

SecureConversationCancelNotAllowedFaultReason

A secure conversation cancellation is not allowed by the binding.

SecureConversationDriverVersionDoesNotSupportSession

The configured SecureConversation version does not support sessions. Use WSSecureConversationFeb2005 or above.

SecureConversationRequiredByReliableSession

Cannot establish a reliable session without secure conversation. Enable secure conversation.

SecurityAuditFailToLoadDll

The specified dynamic link library (dll) failed to load.

SecurityAuditNotSupportedOnChannelFactory

SecurityAuditBehavior is not supported on the channel factory.

SecurityAuditPlatformNotSupported

Writing audit messages to the Security log is not supported by the current platform. You must write audit messages to the Application log.

SecurityBindingElementCannotBeExpressedInConfig

A security policy was imported for the endpoint. The security policy contains requirements that cannot be represented in a Windows Communication Foundation configuration. Look for a comment about the SecurityBindingElement parameters that are required in the configuration file that was generated. Create the correct binding element with code. The binding configuration that is in the configuration file is not secure.

SecurityBindingSupportsOneWayOnly

The SecurityBinding for the specified binding for the specified contract only supports the OneWay operation.

SecurityContextDoesNotAllowImpersonation

Cannot start impersonation because the SecurityContext for the UltimateReceiver role from the request message with the specified action is not mapped to a Windows identity.

SecurityListenerClosing

The listener is not accepting new secure conversations because it is closing.

SecurityListenerClosingFaultReason

The server is not accepting new secure conversations currently because it is closing. Please retry later.

SecurityProtocolFactoryShouldBeSetBeforeThisOperation

The security protocol factory must be set before this operation is performed.

SecuritySessionAbortedFaultReason

The security session was terminated. This may be because no messages were received on the session for too long.

SecuritySessionKeyIsStale

The session key must be renewed before it can secure application messages.

SecuritySessionLimitReached

Cannot create a security session. Retry later.

SecuritySessionNotPending

No security session with the specified id is pending.

SecurityTokenParametersHasIncompatibleInclusionMode

The specified binding is configured with a security token parameter that has the specified incompatible security token inclusion mode. Specify an alternate security token inclusion mode.

SecurityVersionDoesNotSupportEncryptedKeyBinding

The specified binding for the specified contract has been configured with an incompatible security version that does not support unattached references to EncryptedKeys. Use the specified value or higher as the security version for the binding.

SecurityVersionDoesNotSupportSignatureConfirmation

The specified SecurityVersion does not support signature confirmation. Use a later SecurityVersion.

SecurityVersionDoesNotSupportThumbprintX509KeyIdentifierClause

The specified binding for the specified contract is configured with a security version that does not support external references to X.509 tokens using the certificate's thumbprint value. Use the specified value or higher as the security version for the binding.

SenderSideSupportingTokensMustSpecifySecurityTokenParameters

Security token parameters must be specified with supporting tokens for each message.

ServerCertificateNotProvided

The recipient did not provide its certificate. This certificate is required by the TLS protocol. Both parties must have access to their certificates.

SignatureConfirmationNotSupported

The configured SecurityVersion does not support signature confirmation. Use WSSecurityXXX2005 or above.

SignatureConfirmationRequiresRequestReply

The protocol factory must support Request/Reply security in order to offer signature confirmation.

SignatureNotExpected

A signature is not expected for this message.

SigningTokenHasNoKeys

The specified signing token has no keys. The security token is used in a context that requires it to perform cryptographic operations, but the token contains no cryptographic keys. Either the token type does not support cryptographic operations, or the particular token instance does not contain cryptographic keys. Check your configuration to ensure that cryptographically disabled token types (for example, UserNameSecurityToken) are not specified in a context that requires cryptographic operations (for example, an endorsing supporting token).

SpnegoImpersonationLevelCannotBeSetToNone

The Security Support Provider Interface does not support Impersonation level 'None'. Specify Identification, Impersonation or Delegation level.

SslClientCertMustHavePrivateKey

The specified certificate must have a private key. The process must have access rights for the private key.

SslServerCertMustDoKeyExchange

The specified certificate must have a private key that is capable of key exchange. The process must have access rights for the private key.

StandardsManagerCannotWriteObject

The token serializer cannot serialize the specified object. If this is a custom type, you must supply a custom serializer.

TimeStampHasCreationAheadOfExpiry

The security timestamp is invalid because its creation time is greater than or equal to its expiration time.

TimeStampHasCreationTimeInFuture

The security timestamp is invalid because its creation time is in the future. Current time is specified and allowed clock skew is specified.

TimeStampHasExpiryTimeInPast

The security timestamp is stale because its expiration time is in the past. Current time is specified and allowed clock skew is specified.

TimeStampWasCreatedTooLongAgo

The security timestamp is stale because its creation time is too far back in the past. Current time, maximum timestamp lifetime, and allowed clock skew are specified.

TokenProviderCannotGetTokensForTarget

The token provider cannot get tokens for the specified target.

TooManyIssuedSecurityTokenParameters

A leg of the federated security chain contains multiple IssuedSecurityTokenParameters. The InfoCard system only supports one IssuedSecurityTokenParameters for each leg.

TransportDoesNotProtectMessage

The specified binding for the specified contract is configured with an authentication mode that requires transport-level integrity and confidentiality. However, the transport cannot provide integrity and confidentiality.

TrustApr2004DoesNotSupportCertainIssuedTokens

WSTrustApr2004 does not support issuing X.509 certificates or EncryptedKeys. Use WsTrustFeb2005 or above.

TrustDriverVersionDoesNotSupportSession

The configured Trust version does not support sessions. Use WSTrustFeb2005 or above.

UnableToCreateICryptoFromTokenForSignatureVerification

Cannot create an ICrypto interface from the specified token for signature verification.

UnableToCreateSymmetricAlgorithmFromToken

Cannot create the specified symmetric algorithm from the token.

UnableToDeriveKeyFromKeyInfoClause

The specified KeyInfo clause resolved to the specified token, which does not contain a symmetric key that can be used for derivation.

UnableToFindTokenAuthenticator

Cannot find a token authenticator for the specified token type. Tokens of that type cannot be accepted according to current security settings.

UnableToLoadCertificateIdentity

Cannot load the X.509 certificate identity specified in the configuration.

UnexpectedEmptyElementExpectingClaim

The specified element from the specified namespace is empty and does not specify a valid identity claim.

UnknownEncodingInBinarySecurityToken

Unrecognized encoding occurred while reading the binary security token.

UnsecuredMessageFaultReceived

An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.

UnsupportedPasswordType

The specified username token has an unsupported password type.

UnsupportedSecureConversationBootstrapProtectionRequirements

Cannot import the security policy. The protection requirements for the secure conversation bootstrap binding are not supported. Protection requirements for the secure conversation bootstrap must require both the request and the response to be signed and encrypted.

UnsupportedSecurityPolicyAssertion

An unsupported security policy assertion was detected during the specified security policy import.