I’m getting the following error in my client application when it tries to authenticate to my service:
ID3242: The security token could not be authenticated or authorized
Here is the configuration of the client:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<ws2007HttpBinding>
<binding name="stsBinding">
<security mode="Message">
<message clientCredentialType="UserName"
establishSecurityContext="false"
negotiateServiceCredential="true"/>
</security>
</binding>
</ws2007HttpBinding>
<ws2007FederationHttpBinding>
<binding name="echoClaimsBinding">
<security mode="Message">
<message>
<claimTypeRequirements>
<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="false"/>
</claimTypeRequirements>
<issuer address="http://localhost:17240/STS.svc"
bindingConfiguration="stsBinding"
binding="ws2007HttpBinding">
<identity>
<dns value="WCFSTS"/>
</identity>
</issuer>
<issuerMetadata address="http://localhost:17240/STS.svc/Mex"></issuerMetadata>
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="echoClaimsBehavior">
<clientCredentials>
<serviceCertificate>
<defaultCertificate
findValue="CN=WCFSTS"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindBySubjectDistinguishedName"/>
<authentication
revocationMode="NoCheck"
certificateValidationMode="None"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<client>
<endpoint address="http://localhost:1438/EchoClaims.svc/EchoClaims"
binding="ws2007FederationHttpBinding"
bindingConfiguration="echoClaimsBinding"
contract="TestService.IEchoClaims"
name="WS2007FederationHttpBinding_IEchoClaims"
behaviorConfiguration="echoClaimsBehavior">
<identity>
<dns value="WCFServer"/>
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>
Here is the configuration of the service
<?xml version="1.0"?>
<configuration>
<configSections>
<section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</configSections>
<system.web>
<compilation debug="true" targetFramework="4.0">
<assemblies>
<add assembly="Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
</assemblies>
</compilation>
</system.web>
<system.serviceModel>
<services>
<service name="WcfService1.EchoClaims"
behaviorConfiguration="echoClaimsBehavior">
<endpoint address=""
contract="WcfService1.IEchoClaims"
binding="ws2007FederationHttpBinding"
bindingConfiguration="echoClaimsBinding"></endpoint>
<endpoint address="mex"
binding="mexHttpBinding"
contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="echoClaimsBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceCredentials>
<serviceCertificate
findValue="CN=WCFServer"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindBySubjectDistinguishedName" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
<bindings>
<ws2007FederationHttpBinding>
<binding name="echoClaimsBinding">
<security mode="Message">
<message negotiateServiceCredential="true">
<!--<issuerMetadata address="http://localhost:17240/STS.svc/mex" />-->
<claimTypeRequirements>
<!--Following are the claims offered by STS 'http://localhost:17240/STS.svc'. Add or uncomment claims that you require by your application and then update the federation metadata of this application.-->
<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="false" />
</claimTypeRequirements>
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
</bindings>
<diagnostics>
<messageLogging logEntireMessage="true"
logMessagesAtServiceLevel="true"
logMessagesAtTransportLevel="true"></messageLogging>
</diagnostics>
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
<microsoft.identityModel>
<service>
<audienceUris mode="Never"/>
<issuerNameRegistry type="WcfService1.CustomIssuerNameRegistry, WcfService1"/>
</service>
</microsoft.identityModel>
<system.diagnostics>
<sources>
<source name="System.ServiceModel" switchValue="Warning, Error, ActivityTracing"
propagateActivity="true">
<listeners>
<add name="ServiceModelTraceListener"/>
</listeners>
</source>
</sources>
<sharedListeners>
<add initializeData="ecb_tracelog.svclog"
type="System.Diagnostics.XmlWriterTraceListener, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
name="ServiceModelTraceListener" traceOutputOptions="Timestamp">
<filter type="" />
</add>
</sharedListeners>
<trace autoflush="true" />
</system.diagnostics>
</configuration>
Please let me know if anyone has an idea of how to determine why authentication is failing. I have Geneva STS tracing on verbose, but it’s not giving me any messages about why the certificate isn’t being authenticated.
In a similar situation, this forum post by Dominick Baier suggests that the web service rejects the token, so tracing at the STS would not show any problem.
He suggests to check this web service’s
<microsoft.identityModel><service><securityTokenHandlers><securityTokenHandlerConfiguration><audienceUris>section in itsweb.config, and to switch on the Microsoft.IdentityModel trace source in that same file.