Security Exceptions

 

This topic lists all security exceptions.

Resource CodeResource String
AnonymousLogonsAreNotAllowedThe service does not allow you to log on anonymously.
AtLeastOneContractOperationRequestRequiresProtectionLevelNotSupportedByBindingThe request message must be protected. This is required by an operation of the specified contract. The protection must be provided by the specified binding.
AtLeastOneContractOperationResponseRequiresProtectionLevelNotSupportedByBindingThe response message must be protected. This is required by an operation of the specified contract. The protection must be provided by the specified binding.
AtMostOnePrimarySignatureInReceiveSecurityHeaderOnly one primary signature is allowed in a security header.
BadContextTokenFaultReasonThe security context token expired or is not valid. The message was not processed.
BadEncryptionStateThe EncryptedData or EncryptedKey is in an invalid state for this operation.
BasicHttpMessageSecurityRequiresCertificateBasicHttp binding requires that BasicHttpBinding.Security.Message.ClientCredentialType be equivalent to the BasicHttpMessageCredentialType.Certificate credential type for secure messages. Select Transport or TransportWithMessageCredential security for UserName credentials.
BasicTokenCannotBeWrittenWithoutEncryptionThe basic token cannot be written without encryption.
BindingDoesNotSupportProtectionForRstThe specified binding for the specified contract is configured with SecureConversation, but the authentication mode is not able to provide the request/reply-based integrity and confidentiality required for the negotiation.
BindingDoesNotSupportWindowsIdenityForImpersonationThe specified contract operation requires Windows identity for automatic impersonation. A Windows identity that represents the caller is not provided by the specified binding for the specified contract.
CachedNegotiationStateQuotaReachedThe service cannot cache the negotiation state as the specified capacity has been reached. Retry the request.
CacheQuotaReachedThe item cannot be added. The maximum cache size is specified.
CannotDetermineSPNBasedOnAddressClient cannot determine the Service Principal Name based on the identity in the specified target address for the purpose of SspiNegotiation/Kerberos. The target address identity must be a UPN identity (like acmedomain\\alice) or SPN identity (like host/bobs-machine).
CannotFindCertCannot find the X.509 certificate using the specified search criteria: StoreName, StoreLocation, FindType, FindValue.
CannotFindCertForTargetCannot find The X.509 certificate using the specified search criteria: StoreName, StoreLocation, FindType, FindValue for the specified target.
CannotFindCorrelationStateForApplyingSecurityCannot find the correlation state for applying security to reply at the responder.
CannotFindNegotiationStateCannot find the negotiation state for the specified context.
CannotFindSecuritySessionCannot find the security session with the specified ID.
CannotImportProtectionLevelForContractThe policy to import a process cannot import a binding for the specified contract. The protection requirements for the binding are not compatible with a binding already imported for the contract. You must reconfigure the binding.
CannotImportSupportingTokensForOperationWithoutRequestActionSecurity policy import failed. The security policy contains supporting token requirements at the operation scope. The contract description does not specify the action for the request message associated with this operation.
CannotIssueRstTokenTypeCannot issue the token or specified type.
CannotObtainIssuedTokenKeySizeCannot determine the key size of the issued token.
CannotPerformImpersonationOnUsernameTokenImpersonation using the client token is not possible. The specified binding for the specified contract uses the Username Security Token for client authentication with a Membership Provider registered. Use a different type of security token for the client.
CannotPerformS4UImpersonationOnPlatformThe specified binding for the specified contract supports impersonation only on Windows Server 2003 and newer version of Windows. Use SspiNegotiated authentication and a binding with Secure Conversation with cancellation enabled.
CannotReadKeyIdentifierCannot read the KeyIdentifier from the specified element with the specified namespace.
CannotReadTokenCannot read the token from the specified element with the specified namespace for BinarySecretSecurityToken, with a specified ValueType. If this element is expected to be valid, ensure that security is configured to consume tokens with the name, namespace and value type specified.
CertificateUnsupportedForHttpTransportCredentialOnlyCertificate-based client authentication is not supported in TransportCredentialOnly security mode. Select the Transport security mode.
ClaimTypeCannotBeEmptyThe claimType cannot be an empty string.
ClientCertificateNotProvidedThe certificate for the client has not been provided. The certificate can be set on the ClientCredentials or ServiceCredentials.
ClientCredentialTypeMustBeSpecifiedForMixedModeClientCredentialType.None is not valid for the TransportWithMessageCredential security mode. Specify a credential type or use a different security mode.
ConfigurationSchemaInsuffientForSecurityBindingElementInstanceThe configuration schema is insufficient to describe the non-standard configuration of the following security binding element:
DerivedKeyTokenGenerationAndLengthTooHighThe derived key's specified generation and length result in a key derivation offset that is greater than the maximum offset allowed.
DnsIdentityCheckFailedForIncomingMessageThe identity check failed for the incoming message. The expected domain name system (DNS) identity of the remote endpoint was specified. The remote endpoint provided the specified domain name system (DNS) claim. If this is a legitimate remote endpoint, you can fix the problem by specifying domain name system identity as the identity property of EndpointAddress when creating channel proxy.
DnsIdentityCheckFailedForOutgoingMessageThe identity check failed for the message that was going out. The remote endpoint should have had the specified domain name system identity. The remote endpoint provided the domain name system (DNS) claim. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity as the Identity property of EndpointAddress when creating channel proxy.
DuplicateIdInMessageToBeVerifiedThe specified id occurred twice in the message that is supplied for verification.
EmptyBase64AttributeAn empty value was found for the required base-64 attribute name and namespace.
ExportOfBindingWithAsymmetricAndTransportSecurityNotSupportedSecurity policy export failed. The binding contains both an AsymmetricSecurityBindingElement and a secure transport binding element. Policy export for such a binding is not supported.
ExportOfBindingWithSymmetricAndTransportSecurityNotSupportedSecurity policy export failed. The binding contains both a SymmetricSecurityBindingElement and a secure transport binding element. Policy export for such a binding is not supported.
ExportOfBindingWithTransportSecurityBindingElementAndNoTransportSecurityNotSupportedSecurity policy export failed. The binding contains a TransportSecurityBindingElement but no transport binding element that implements ITransportTokenAssertionProvider. Policy export for such a binding is not supported. Make sure the transport binding element in the binding implements the ITransportTokenAssertionProvider interface.
FoundMultipleCertsFound multiple X.509 certificates using the specified search criteria: StoreName, StoreLocation, FindType, FindValue. Provide a more specific find value.
FoundMultipleCertsForTargetFound multiple X.509 certificates using the specified search criteria: StoreName, StoreLocation, FindType, FindValue for the specified target. Provide a more specific find value.
HeaderDecryptionNotSupportedInWsSecurityJan2004SecurityVersion.WSSecurityJan2004 does not support header decryption. Use SecurityVersion.WsSecurityXXX2005 and above or use transport security to encrypt the full message.
IdentityCheckFailedForIncomingMessageThe identity check failed for the incoming message. The expected identity is specified for the target endpoint.
IdentityCheckFailedForOutgoingMessageThe identity check failed for the outgoing message. The expected identity is specified for the target endpoint.
IncorrectSpnOrUpnSpecifiedSecurity Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with the specified identity. If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server.
InvalidAttributeInSignedHeaderThe specified signed header contains the specified attribute. The expected attribute is specified.
InvalidCloseResponseActionA security session close response was received with the specified invalid action.
InvalidQNameThe QName is invalid.
InvalidRenewResponseActionA security session renew response was received with the specified invalid action.
InvalidSspiNegotiationThe Security Support Provider Interface negotiation failed.
IssuerBindingNotPresentInTokenRequirementThe security token manager requires the bootstrap security binding element to be specified in the token requirement that describes secure conversation. The token requirement is specified as follows.
KeyLengthMustBeMultipleOfEightThe specified key length is not a multiple of 8 for symmetric keys.
LsaAuthorityNotContactedInternal SSL error (refer to Win32 status code for details). Check the server certificate to determine if it is capable of key exchange.
MaximumPolicyRedirectionsExceededThe recursive policy fetching limit has been reached. Check to determine if there is a loop in the federation service chain.
MessagePartSpecificationMustBeImmutableMessage part specification must be made constant before being set.
MissingCustomCertificateValidatorX509CertificateValidationMode.Custom requires CustomCertificateValidator. Specify the CustomCertificateValidator property.
MissingCustomUserNamePasswordValidatorUserNamePasswordValidationMode.Custom requires CustomUserNamePasswordValidator. Specify the CustomUserNamePasswordValidator property.
MissingMembershipProviderUserNamePasswordValidationMode.MembershipProvider requires MembershipProvider. Specify the MembershipProvider property.
NoBinaryNegoToSendNo binary negotiation was sent to the other party.
NoEncryptionPartsSpecifiedNo encryption message parts were specified for messages with the specified action.
NoKeyInfoInEncryptedItemToFindDecryptingTokenThe KeyInfo value was not found in the encrypted item to find the decrypting token.
NonceLengthTooShortThe specified nonce is too short. The minimum required nonce length is 4 bytes.
NoOutgoingEndpointAddressAvailableForDoingIdentityCheckNo outgoing EndpointAddress is available to check the identity on a message to be sent.
NoOutgoingEndpointAddressAvailableForDoingIdentityCheckOnReplyNo outgoing EndpointAddress is available to check the identity on a received reply.
NoPartsOfMessageMatchedPartsToSignNo signature was created because no part of the message matched the supplied message part specification.
NoPrincipalSpecifiedInAuthorizationContextNo custom principal is specified in the authorization context.
NoSignatureAvailableInSecurityHeaderToDoReplayDetectionNo signature is available in the security header to provide the nonce for replay detection.
NoSignaturePartsSpecifiedNo signature message parts were specified for messages with the specified action.
NoSigningTokenAvailableToDoIncomingIdentityCheckNo signing token is available to do an incoming identity check.
NoTimestampAvailableInSecurityHeaderToDoReplayDetectionNo timestamp is available in the security header to do replay detection.
NoTransportTokenAssertionProvidedThe security policy expert failed. The provided transport token assertion of the specified type did not create a transport token assertion to include the sp:TransportBinding security policy assertion.
OnlyOneOfEncryptedKeyOrSymmetricBindingCanBeSelectedThe symmetric security protocol can either be configured with a symmetric token provider and a symmetric token authenticator or an asymmetric token provider. It cannot be configured with both.
OperationCannotBeDoneOnReceiverSideSecurityHeadersThis operation cannot be done on the receiver security headers.
OperationDoesNotAllowImpersonationThe specified service operation that belongs to the contract with the specified name and the namespace does not allow impersonation.
PolicyRequiresConfidentialityWithoutIntegrityMessage security policy for the specified action requires confidentiality without integrity. Confidentiality without integrity is not supported.
PrimarySignatureIsRequiredToBeEncryptedThe primary signature must be encrypted.
PropertySettingErrorOnProtocolFactoryThe required property on the specified security protocol factory is not set or has an invalid value.
ProtocolFactoryCouldNotCreateProtocolThe protocol factory cannot create a protocol.
PublicKeyNotRSAThe public key is not an RSA key.
RequiredMessagePartNotEncryptedThe specified required message part was not encrypted.
RequiredMessagePartNotEncryptedNsThe specified required message part was not encrypted.
RequiredMessagePartNotSignedThe specified required message part was not signed.
RequiredMessagePartNotSignedNsThe specified required message part was not signed.
RequiredSecurityHeaderElementNotSignedThe specified security header element with the specified id must be signed.
RequiredSecurityTokenNotEncryptedThe specified ' security token with the specified attachment mode must be encrypted.
RequiredSecurityTokenNotSignedThe specified security token with the specified attachment mode must be signed.
RequiredSignatureMissingThe signature must be in the security header.
RequireNonCookieModeThe specified binding with the specified namespace is configured to issue cookie security context tokens. COM+ Integration services does not support cookie security context tokens.
RevertingPrivilegeFailedThe reverting operation failed with the specified exception.
RSTRAuthenticatorIncorrectThe RequestSecurityTokenResponse CombinedHash is incorrect.
SecureConversationCancelNotAllowedFaultReasonA secure conversation cancellation is not allowed by the binding.
SecureConversationDriverVersionDoesNotSupportSessionThe configured SecureConversation version does not support sessions. Use WSSecureConversationFeb2005 or above.
SecureConversationRequiredByReliableSessionCannot establish a reliable session without secure conversation. Enable secure conversation.
SecurityAuditFailToLoadDllThe specified dynamic link library (dll) failed to load.
SecurityAuditNotSupportedOnChannelFactorySecurityAuditBehavior is not supported on the channel factory.
SecurityAuditPlatformNotSupportedWriting audit messages to the Security log is not supported by the current platform. You must write audit messages to the Application log.
SecurityBindingElementCannotBeExpressedInConfigA security policy was imported for the endpoint. The security policy contains requirements that cannot be represented in a Windows Communication Foundation configuration. Look for a comment about the SecurityBindingElement parameters that are required in the configuration file that was generated. Create the correct binding element with code. The binding configuration that is in the configuration file is not secure.
SecurityBindingSupportsOneWayOnlyThe SecurityBinding for the specified binding for the specified contract only supports the OneWay operation.
SecurityContextDoesNotAllowImpersonationCannot start impersonation because the SecurityContext for the UltimateReceiver role from the request message with the specified action is not mapped to a Windows identity.
SecurityListenerClosingThe listener is not accepting new secure conversations because it is closing.
SecurityListenerClosingFaultReasonThe server is not accepting new secure conversations currently because it is closing. Please retry later.
SecurityProtocolFactoryShouldBeSetBeforeThisOperationThe security protocol factory must be set before this operation is performed.
SecuritySessionAbortedFaultReasonThe security session was terminated. This may be because no messages were received on the session for too long.
SecuritySessionKeyIsStaleThe session key must be renewed before it can secure application messages.
SecuritySessionLimitReachedCannot create a security session. Retry later.
SecuritySessionNotPendingNo security session with the specified id is pending.
SecurityTokenParametersHasIncompatibleInclusionModeThe specified binding is configured with a security token parameter that has the specified incompatible security token inclusion mode. Specify an alternate security token inclusion mode.
SecurityVersionDoesNotSupportEncryptedKeyBindingThe specified binding for the specified contract has been configured with an incompatible security version that does not support unattached references to EncryptedKeys. Use the specified value or higher as the security version for the binding.
SecurityVersionDoesNotSupportSignatureConfirmationThe specified SecurityVersion does not support signature confirmation. Use a later SecurityVersion.
SecurityVersionDoesNotSupportThumbprintX509KeyIdentifierClauseThe specified binding for the specified contract is configured with a security version that does not support external references to X.509 tokens using the certificate's thumbprint value. Use the specified value or higher as the security version for the binding.
SenderSideSupportingTokensMustSpecifySecurityTokenParametersSecurity token parameters must be specified with supporting tokens for each message.
ServerCertificateNotProvidedThe recipient did not provide its certificate. This certificate is required by the TLS protocol. Both parties must have access to their certificates.
SignatureConfirmationNotSupportedThe configured SecurityVersion does not support signature confirmation. Use WSSecurityXXX2005 or above.
SignatureConfirmationRequiresRequestReplyThe protocol factory must support Request/Reply security in order to offer signature confirmation.
SignatureNotExpectedA signature is not expected for this message.
SigningTokenHasNoKeysThe specified signing token has no keys. The security token is used in a context that requires it to perform cryptographic operations, but the token contains no cryptographic keys. Either the token type does not support cryptographic operations, or the particular token instance does not contain cryptographic keys. Check your configuration to ensure that cryptographically disabled token types (for example, UserNameSecurityToken) are not specified in a context that requires cryptographic operations (for example, an endorsing supporting token).
SpnegoImpersonationLevelCannotBeSetToNoneThe Security Support Provider Interface does not support Impersonation level 'None'. Specify Identification, Impersonation or Delegation level.
SslClientCertMustHavePrivateKeyThe specified certificate must have a private key. The process must have access rights for the private key.
SslServerCertMustDoKeyExchangeThe specified certificate must have a private key that is capable of key exchange. The process must have access rights for the private key.
StandardsManagerCannotWriteObjectThe token Serializer cannot serialize the specified object. If this is a custom type you must supply a custom serializer.
TimeStampHasCreationAheadOfExpiryThe security timestamp is invalid because its creation time is greater than or equal to its expiration time.
TimeStampHasCreationTimeInFutureThe security timestamp is invalid because its creation time is in the future. Current time is specified and allowed clock skew is specified.
TimeStampHasExpiryTimeInPastThe security timestamp is stale because its expiration time is in the past. Current time is specified and allowed clock skew is specified.
TimeStampWasCreatedTooLongAgoThe security timestamp is stale because its creation time is too far back in the past. Current time, maximum timestamp lifetime, and allowed clock skew are specified.
TokenProviderCannotGetTokensForTargetThe token provider cannot get tokens for the specified target.
TooManyIssuedSecurityTokenParametersA leg of the federated security chain contains multiple IssuedSecurityTokenParameters. The InfoCard system only supports one IssuedSecurityTokenParameters for each leg.
TransportDoesNotProtectMessageThe specified binding for the specified contract is configured with an authentication mode that requires transport level integrity and confidentiality. However the transport cannot provide integrity and confidentiality.
TrustApr2004DoesNotSupportCertainIssuedTokensWSTrustApr2004 does not support issuing X.509 certificates or EncryptedKeys. Use WsTrustFeb2005 or above.
TrustDriverVersionDoesNotSupportSessionThe configured Trust version does not support sessions. Use WSTrustFeb2005 or above.
UnableToCreateICryptoFromTokenForSignatureVerificationCannot create an ICrypto interface from the specified token for signature verification.
UnableToCreateSymmetricAlgorithmFromTokenCannot create the specified symmetric algorithm from the token.
UnableToDeriveKeyFromKeyInfoClauseThe specified KeyInfo clause resolved to the specified token, which does not contain a symmetric key that can be used for derivation.
UnableToFindTokenAuthenticatorCannot find a token authenticator for the specified token type. Tokens of that type cannot be accepted according to current security settings.
UnableToLoadCertificateIdentityCannot load the X.509 certificate identity specified in the configuration.
UnexpectedEmptyElementExpectingClaimThe specified element from the specified namespace is empty and does not specify a valid identity claim.
UnknownEncodingInBinarySecurityTokenUnrecognized encoding occurred while reading the binary security token.
UnsecuredMessageFaultReceivedAn unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.
UnsupportedPasswordTypeThe specified username token has an unsupported password type.
UnsupportedSecureConversationBootstrapProtectionRequirementsCannot import the security policy. The protection requirements for the secure conversation bootstrap binding are not supported. Protection requirements for the secure conversation bootstrap must require both the request and the response to be signed and encrypted.
UnsupportedSecurityPolicyAssertionAn unsupported security policy assertion was detected during the specified security policy import.
Show: