Wednesday, February 29

SamlSecurityTokenRequirement enforceAudienceRestriction (AudienceUriMode) error when using BizTalk 2010 with a federated binding

When using a BizTalk 2010 WCF service in a federated environment, you may get the following non-descriptive error when you try to make a call into the BizTalk WCF service:

"An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail".

This error unfortunately has nothing useful in the inner exception more often than not. Various security issues can cause it (including certificate authentication failures). Turn on WCF tracing for the BizTalk receive location by adding the following section to the web.config file for the service.
You can add it between the <connectionStrings /> and <system.web /> nodes (the exact position is only a guide).

    <system.diagnostics>
      <!-- autoflush makes sure entries reach the .svclog file without waiting for the process to exit -->
      <trace autoflush="true" />
      <sources>
        <source name="System.ServiceModel" switchValue="Error, Warning, Verbose" propagateActivity="true">
          <listeners>
            <add name="traceListener"
                 type="System.Diagnostics.XmlWriterTraceListener"
                 initializeData="c:\log\BizTalktraces.svclog" />
          </listeners>
        </source>
      </sources>
    </system.diagnostics>

Make sure to create a "log" folder at the root of your c: drive as the configuration suggests. For the purpose of this troubleshooting, you can also grant full permissions to everyone on the folder to make sure it can be written to. Once you are done troubleshooting, remove the trace listener and the permissive folder permissions again: the .svclog file holds full message traces, which can include the issued security tokens.

When you try to run the service again and check the BizTalktraces.svclog file in a text editor, you might find the following lines in the stack trace:

<InnerException><ExceptionType>System.InvalidOperationException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>ID1032: At least one 'audienceUri' must be specified in the SamlSecurityTokenRequirement when the AudienceUriMode is set to 'Always' or 'BearerKeyOnly'. Either add the valid URI values to the AudienceUris property of SamlSecurityTokenRequirement,  or turn off checking by specifying an AudienceUriMode of 'Never' on the SamlSecurityTokenRequirement.</Message>

By default the federation binding will typically add a federationServiceHostConfiguration extension to the serviceBehaviors section.

Open the receive location 'Behavior' tab, and click on the 'IssuedTokenAuthentication' node. Set the audienceUriMode to 'Never'. Note that 'Never' turns audience checking off entirely, so the service will accept a token from a trusted issuer no matter which relying party it was issued for; the alternative the ID1032 message points to is to keep the mode at 'Always' and list the service's own URI in the allowed audience URIs.


Remove the federationServiceHostConfiguration extension from the configuration (it should be in the same tab, above 'serviceMetadata'; it had already been removed in the screenshot that accompanied the original post).

This should stop the errors.
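The following is an added example, not configuration from the original post or from BizTalk: it shows the two serviceBehaviors variants side by side in web.config form, the one the post ends up with (audience checking disabled) and the alternative the ID1032 message names (audience checking on, with the service's own URI listed). The behavior names and the service URI are placeholders.

```xml
<!-- Added example, not from the post. Behavior names and the URI are placeholders. -->
<system.serviceModel>
  <behaviors>
    <serviceBehaviors>

      <!-- Variant 1: what the post does. Audience checking is off, so any token
           from a trusted issuer is accepted regardless of which relying party
           it was issued for. -->
      <behavior name="FederatedNoAudienceCheck">
        <serviceCredentials>
          <issuedTokenAuthentication audienceUriMode="Never" />
        </serviceCredentials>
        <serviceMetadata httpGetEnabled="true" />
      </behavior>

      <!-- Variant 2: the alternative the ID1032 message describes. Audience
           checking stays on and only tokens whose audience restriction names
           this service are accepted. -->
      <behavior name="FederatedWithAudienceCheck">
        <serviceCredentials>
          <issuedTokenAuthentication audienceUriMode="Always">
            <allowedAudienceUris>
              <!-- placeholder: the URI the STS puts in the token's audience restriction -->
              <add allowedAudienceUri="https://biztalk.example.com/MyService.svc" />
            </allowedAudienceUris>
          </issuedTokenAuthentication>
        </serviceCredentials>
        <serviceMetadata httpGetEnabled="true" />
      </behavior>

    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

The URI in allowedAudienceUri must match the audience the security token service writes into the SAML token exactly, or the same ID1032-style rejection will come back as an audience mismatch; the receive location's 'Behavior' tab edits the same issuedTokenAuthentication node that this snippet shows.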
