How To Fix WSS039 - Wrong token type received. Endpoint expects &1 token.

SAP Error Message:

WSS039 Wrong token type received. Endpoint expects &1 token.

Cause:
This error occurs in the context of SAP Web Services Security (WS-Security) processing. It indicates that the security token received in the SOAP message does not match the type of token expected by the receiving endpoint.

The endpoint (SAP Web Service) expects a specific type of security token (e.g., UsernameToken, BinarySecurityToken, SAML token, X.509 certificate token, etc.).
However, the incoming SOAP message contains a different token type.
This mismatch can happen due to incorrect WS-Security configuration on the client or server side, or due to a misalignment in the security policy expectations.


Typical Scenarios:

The client sends a UsernameToken, but the server expects an X.509 certificate token.
The client sends a SAML token, but the server expects a UsernameToken.
The security policy on the server is configured to require a specific token type, but the client does not comply.
Misconfiguration in the WS-Security policy or in the SAP Web Service runtime settings.


Solution:


Check the WS-Security Policy Configuration:

Verify the security policy attached to the SAP Web Service endpoint.
Confirm which token type is expected (e.g., UsernameToken, X.509 certificate, SAML).
This can be checked in the SOAMANAGER transaction under the Web Service configuration.



Check the Client Configuration:

Ensure the client sends the correct token type as per the server's WS-Security policy.
If you are using SAP PI/PO, SOAP UI, or any other client, verify the WS-Security settings.
Adjust the client to send the expected token type.



Align Security Policies:

If possible, adjust the server's WS-Security policy to accept the token type sent by the client.
Or, update the client to comply with the server's expected token type.



Check the SOAP Message:

Analyze the SOAP message headers to see the actual token type sent.
Use tools like SOAP UI, Wireshark, or SAP's trace tools (e.g., ST22, SMICM trace) to inspect the message.



SAP Notes and Documentation:

Check SAP Notes related to WS-Security token issues.
For example, SAP Note 1689270 and others related to WS-Security token handling.




Related Information:

Transaction SOAMANAGER: Used to configure Web Service endpoints and their security policies.
WS-Security Token Types:  

UsernameToken  
X.509 Certificate Token (BinarySecurityToken)  
SAML Token  
Kerberos Token  


SAP Web Service Security: SAP supports WS-Security standards and requires correct token types as per policy.
SAP Help Portal: Documentation on WS-Security and Web Service configuration.
Common SAP Notes:  

1689270 - WS-Security: How to configure UsernameToken and X.509 certificates  
1789270 - Troubleshooting WS-Security issues in SAP Web Services




Summary:
The error WSS039 Wrong token type received. Endpoint expects &1 token. means the security token type in the incoming SOAP message does not match the expected token type configured on the SAP Web Service endpoint. To resolve, verify and align the WS-Security policies and client configurations to ensure the correct token type is sent and accepted.

If you provide details about your environment (e.g., client type, SAP system version, WS-Security policy), I can help with more specific guidance.