Debugging FaultException: matched scope not found (Access Control Service)

FaultException: matched scope not found: applies-to-address is ‘…’

This can occur when trying to use a client that uses a service that uses the Access Control Service. The following snippet shows the code around the exception:

ServiceClient proxy = new ServiceClient("CalculatorEndpoint");
proxy.ClientCredentials.UserName.UserName = "user";
proxy.ClientCredentials.UserName.Password = "pass";
proxy.DoSomething(); // exception occurs here

The issue is that the service that you’re writing still needs to be set up with the Access Control Service. The Access Control Service needs to know the “scope”, or address of the service for which the credentials apply.

For example, if a service is hosted at, then the scope is simply “”. The address can even be your local machine (e.g. your dev machine), if that’s where the service is deployed (for example, “http://localhost:58260/Service.svc/ws”).

Scopes can be set via the Access Control Service website at

(Scopes can be set programmatically – see the Management\AtomClient sample in the .NET Services SDK for an excellent example. On my machine it’s located at C:\Program Files\Microsoft .NET Services SDK (July 2009 CTP)\Samples\AccessControl\ExploringFeatures\Management\AtomClient\CS35 )

From the Access Control Service management page:


First add a new scope by going to the Scopes page in the Access Control Service and clicking “Add Scope”.


Add the scope name and save it. The scope URI is the same as the location of your service. (In this example, the address of the service is “http://localhost:58260/Service.svc/ws” so I enter that as the Scope URI).

Don’t forget to add the encryption certificate if needed, otherwise you’ll see an unhandled “FaultException: cert not found: applies-to-address is 'http://localhost:58260/Service.svc/ws” when trying to call a method on the proxy.


I’ve been using the certificate that comes with the .NET Services SDK

(on my machine it is located at C:\Program Files\Microsoft .NET Services SDK (July 2009 CTP)\Samples\AccessControl\GettingStarted\UserNamePasswordCalculatorService\CS35\Utils)

When done, the scopes for your solution will list the newly-added scope


Note that once the service has been deployed to the cloud and has a public address that a new scope will need to be added to match the new address of the deployment.

That’s it!

For reference, the exception is as follows:
System.ServiceModel.FaultException was unhandled
Message="matched scope not found: applies-to-address is 'http://localhost:58260/Service.svc/ws' (#e2d1d0ef-df30-6681-e1ca-d4cd48e3cb08)"
Server stack trace:
at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
at System.ServiceModel.Security.IssuanceTokenProviderBase`1.GetTokenCore(TimeSpan timeout)
at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)