Hi,

There are two thing that you can use to avoid the timestamp problems:

1. Disable the replayDetection feature for the username tokens.

<microsoft.web.services3>
   <security>
     <securityTokenManager>
       <add
type="Microsoft.Web.Services3.Security.Tokens.UsernameTokenManager,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35"
namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
localName="UsernameToken" >
         <replayDetection enabled="false"/>
       </add>
     </securityTokenManager>
   </security>
</microsoft.web.services3>

2. Increase the timeToleranceInSeconds setting. The timeToleranceInSeconds
section defines a user supplied time buffer when WSE is comparing current
time against creation time for post dated and expiration time for past time.
It is usually  the time skew between client and server machine.  Default is
five minutes.

<microsoft.web.services3>
   <security>
         <timeToleranceInSeconds value="insert the time tolerance for
timestamp checking" />
   </security>
</microsoft.web.services3>

I hope one of these can help you with your problem.

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax

Hi All,

I have a webservice which is consumed by clients the world over.I
needed some authentication for creating user specific views of the data
being accessed.I decided to use wse 2.0 UserToken custom authentication
(using a SqlServer Database).On the dev environment this worked like a
charm.
The moment i deployed this to a staging server located at a different
timezone than the calling client it started throwing the following
exception :

Microsoft.Web.Services2.Security.SecurityFault: An error was discovered

processing the <Security> header ---> System.Exception: Creation time
in the
timestamp can not be in the future.
  --- End of inner exception stack trace ---
  at Microsoft.Web.Services2.Security.Utility.Timestamp.CheckValid()
  at
Microsoft.Web.Services2.Security.Utility.Timestamp.LoadXml(XmlElement
element)
  at
Microsoft.Web.Services2.Security.Utility.Timestamp..ctor(XmlElement
element)
  at Microsoft.Web.Services2.Security.Security.LoadXml(XmlElement
element)
  at
Microsoft.Web.Services2.Security.SecurityInputFilter.ProcessMessage(SoapEnv­elope
envelope)
  at Microsoft.Web.Services2.Pipeline.ProcessInputMessage(SoapEnvelope

envelope)
  at
Microsoft.Web.Services2.WebServicesExtension.BeforeDeserializeServer(SoapSe­rverMessage
message)

After searching a bit i realised that it's been caused because the WSE
extensions use the timestamp and a nonce to provide further protection
from token replication by an attacker.
And only solution is to syncronize the client and server clocks.
Syncing the client and server clocks is an impossibility in my case.
Is there any other solution to this ?
Is there any way of disabling the clock comparisons from happening ?
Can anyone point me to an alternate way of solving the aforementioned
case if WSE 2.0 cant help me?

Thanks

Regards,
Ajay.