wcfwifsts-securitytokenservice

WIF STS ID3242: The security token could not be authenticated or authorized


I'm getting the following error in my client application when it tries to authenticate to my service:

ID3242: The security token could not be authenticated or authorized

Here is the configuration of the client:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
  <ws2007HttpBinding>
    <binding name="stsBinding">
      <security mode="Message">
        <message clientCredentialType="UserName"
          establishSecurityContext="false"
          negotiateServiceCredential="true"/>
      </security>
    </binding>
  </ws2007HttpBinding>
  <ws2007FederationHttpBinding>
    <binding name="echoClaimsBinding">
      <security mode="Message">
        <message>
          <claimTypeRequirements>
            <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="false"/>
          </claimTypeRequirements>
          <issuer address="http://localhost:17240/STS.svc"
                  bindingConfiguration="stsBinding"
                  binding="ws2007HttpBinding">
            <identity>
              <dns value="WCFSTS"/>
            </identity>
          </issuer>
          <issuerMetadata address="http://localhost:17240/STS.svc/Mex"></issuerMetadata>
        </message>
      </security>
    </binding>
  </ws2007FederationHttpBinding>
</bindings>
<behaviors>
  <endpointBehaviors>
    <behavior name="echoClaimsBehavior">
      <clientCredentials>
        <serviceCertificate>
          <defaultCertificate
            findValue="CN=WCFSTS"
            storeLocation="LocalMachine"
            storeName="My"
            x509FindType="FindBySubjectDistinguishedName"/>
          <authentication
            revocationMode="NoCheck"
            certificateValidationMode="None"/>
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
<client>
  <endpoint address="http://localhost:1438/EchoClaims.svc/EchoClaims"
            binding="ws2007FederationHttpBinding"
            bindingConfiguration="echoClaimsBinding"
            contract="TestService.IEchoClaims"
            name="WS2007FederationHttpBinding_IEchoClaims"
            behaviorConfiguration="echoClaimsBehavior">
    <identity>
      <dns value="WCFServer"/>
    </identity>
  </endpoint>
</client>
</system.serviceModel>
</configuration>

Here is the configuration of the service

<?xml version="1.0"?>
<configuration>
<configSections>
<section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</configSections>

<system.web>
<compilation debug="true" targetFramework="4.0">
  <assemblies>
    <add assembly="Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
  </assemblies>
</compilation>
</system.web>

<system.serviceModel>
<services>
  <service name="WcfService1.EchoClaims"
           behaviorConfiguration="echoClaimsBehavior">

    <endpoint address=""
              contract="WcfService1.IEchoClaims"
              binding="ws2007FederationHttpBinding"
              bindingConfiguration="echoClaimsBinding"></endpoint>
    <endpoint address="mex"
           binding="mexHttpBinding"
           contract="IMetadataExchange" />
  </service>
</services>
<behaviors>
  <serviceBehaviors>
    <behavior name="echoClaimsBehavior">

      <serviceMetadata httpGetEnabled="true" />
      <serviceCredentials>           
        <serviceCertificate 
          findValue="CN=WCFServer" 
          storeLocation="LocalMachine" 
          storeName="My" 
          x509FindType="FindBySubjectDistinguishedName" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />

<bindings>
  <ws2007FederationHttpBinding>
    <binding name="echoClaimsBinding">
      <security mode="Message">
        <message negotiateServiceCredential="true">
          <!--<issuerMetadata address="http://localhost:17240/STS.svc/mex" />-->
          <claimTypeRequirements>
            <!--Following are the claims offered by STS 'http://localhost:17240/STS.svc'. Add or uncomment claims that you require by your application and then update the federation metadata of this application.-->
            <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="false" />               
          </claimTypeRequirements>
        </message>
      </security>
    </binding>
  </ws2007FederationHttpBinding>
</bindings>
<diagnostics>
  <messageLogging logEntireMessage="true"
                  logMessagesAtServiceLevel="true"
                  logMessagesAtTransportLevel="true"></messageLogging>
</diagnostics>
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
<microsoft.identityModel>
<service>
  <audienceUris mode="Never"/>        
  <issuerNameRegistry type="WcfService1.CustomIssuerNameRegistry, WcfService1"/>        
</service>
</microsoft.identityModel>
<system.diagnostics>
<sources>
  <source name="System.ServiceModel" switchValue="Warning, Error, ActivityTracing"
       propagateActivity="true">
    <listeners>
      <add name="ServiceModelTraceListener"/>
    </listeners>
  </source>
</sources>
<sharedListeners>
  <add initializeData="ecb_tracelog.svclog"
                type="System.Diagnostics.XmlWriterTraceListener, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                name="ServiceModelTraceListener" traceOutputOptions="Timestamp">
    <filter type="" />
  </add>
</sharedListeners>
<trace autoflush="true" />
</system.diagnostics>
</configuration>

Please let me know if anyone has an idea of how to determine why authentication is failing. I have Geneva STS tracing on verbose, but it's not giving me any messages about why the certificate isn't being authenticated.


Solution

  • In a similar situation, this forum post by Dominick Baier suggests that the web service rejects the token, so tracing at the STS would not show any problem.

    He suggests to check this web service's <microsoft.identityModel><service><securityTokenHandlers><securityTokenHandlerConfiguration><audienceUris> section in its web.config, and to switch on the Microsoft.IdentityModel trace source in that same file.