WSTrustClient from Silverlight returns Not Found
-
Monday, September 19, 2011 4:56 PM
I have a SL client and a WCF service that is working with StarterSTS for username/password authentication using WSTrustClient. I ran FedUtil, generated the federationmetadata.xml file and added the WCF service as a RP to ADFSv2. I had to merge the WIF configuration code and currently have two separate <service> entries in the config file - maybe it should be 1? Or maybe it doesn't matter.
In my SL client I click on one of two buttons, username or Windows auth. When I click on Windows Auth I create an instance of WSTrustClient as follows:
    private WSTrustClient GetWindowsWSTrustClient()
    {
        var client = new WSTrustClient(
            new WSTrustBindingWindows(),
            new EndpointAddress(("https://sp2010server.sp2010.local/adfs/services/trust/13/windowstransport")),
            new WindowsCredentials());
        return client;
    }
Then I create the RST request -- how is the EndpointAddress used in ADFSv2?
    var rst = new RequestSecurityToken(WSTrust13Constants.KeyTypes.Symmetric)
    {
        AppliesTo = new EndpointAddress("https://sp2010server.sp2010.local/HelloWorldService/Service1.svc/Win")
    };
My bindings, generated by FedUtil (except I tried turning off EstablishSecurityContext), are as follows:
    <system.serviceModel>
      <services>
        <service name="HelloWorldService.Service1" behaviorConfiguration="starterRP_behavior">
          <endpoint address="Win"
                    binding="ws2007FederationHttpBinding"
                    contract="HelloWorldService.IService1"
                    bindingConfiguration="HelloWorldService.IService1_ws2007FederationHttpBinding" />
          <endpoint binding="ws2007FederationHttpBinding"
                    bindingConfiguration="mixedNoSession"
                    bindingName="MixedSecurityBindingNoSession"
                    contract="HelloWorldService.IService1" />
        </service>
      </services>
      <bindings>
        <ws2007FederationHttpBinding>
          <binding name="mixedNoSession">
            <security mode="TransportWithMessageCredential">
              <message establishSecurityContext="false">
                <issuerMetadata address="https://sp2010server.sp2010.local/StarterSTS/users/issue.svc/mex" />
              </message>
            </security>
          </binding>
          <binding name="HelloWorldService.IService1_ws2007FederationHttpBinding">
            <security mode="Message">
              <message establishSecurityContext="false">
                <issuerMetadata address="https://sp2010server.sp2010.local/adfs/services/trust/mex" />
                <claimTypeRequirements>
                  <!--Following are the claims offered by STS 'http://SP2010Server.SP2010.local/adfs/services/trust'. Add or uncomment claims that you require by your application and then update the federation metadata of this application.-->
                  <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="true" />
                  <add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" isOptional="true" />
                  .............
When the issue token is executed I get "Not Found" from the remote server. Full exception:
    System.ServiceModel.CommunicationException was unhandled by user code
      Message=The remote server returned an error: NotFound.
      StackTrace:
        at System.ServiceModel.AsyncResult.End[TAsyncResult](IAsyncResult result)
        at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result)
        at System.ServiceModel.ClientBase`1.ChannelBase`1.EndInvoke(String methodName, Object[] args, IAsyncResult result)
        at SL.IdentityModel.Protocols.WSTrust.WSTrustClient.WSTrustClientChannel.EndIssue(IAsyncResult result)
        at SL.IdentityModel.Protocols.WSTrust.WSTrustClient.EndIssue(IAsyncResult asyncResult)
        at SL.IdentityModel.Protocols.WSTrust.WSTrustClient.OnEndIssue(IAsyncResult result)
        at System.ServiceModel.ClientBase`1.OnAsyncCallCompleted(IAsyncResult result)
      InnerException: System.Net.WebException
        Message=The remote server returned an error: NotFound.
        StackTrace:
          at System.Net.Browser.AsyncHelper.BeginOnUI(SendOrPostCallback beginMethod, Object state)
          at System.Net.Browser.BrowserHttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
          at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelAsyncRequest.CompleteGetResponse(IAsyncResult result)
        InnerException: System.Net.WebException
          Message=The remote server returned an error: NotFound.
          StackTrace:
            at System.Net.Browser.BrowserHttpWebRequest.InternalEndGetResponse(IAsyncResult asyncResult)
            at System.Net.Browser.BrowserHttpWebRequest.<>c__DisplayClass5.b__4(Object sendState)
            at System.Net.Browser.AsyncHelper.<>c__DisplayClass4.b__1(Object sendState)
          InnerException:
Why is ADFS returning not found?? Appreciate the help,
- Edited by Timhenn Monday, September 19, 2011 5:01 PM
All Replies
-
Monday, September 19, 2011 6:04 PM
SL shows SOAP faults by default as "not found". This can be typically fixed by switching to the SL client HTTP stack.
Dominick Baier | thinktecture | http://www.leastprivilege.com
- Proposed As Answer by Ben Cline1MVP Tuesday, September 20, 2011 9:48 PM
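The switch described in the reply above, as an added example that is not part of the original posts: it registers Silverlight's client HTTP stack for both schemes and then pulls the SOAP fault (or the real HTTP status) out of the exception chain instead of the generic NotFound. The class and method names `StsDiagnostics`, `UseClientHttpStack` and `Describe` are hypothetical.

```csharp
using System;
using System.Net;
using System.Net.Browser;
using System.ServiceModel;

// Hypothetical helper; not part of SL.IdentityModel or of the code posted in this thread.
public static class StsDiagnostics
{
    // Route HTTP and HTTPS through the Silverlight client HTTP stack.
    // With the default browser stack the body of a non-200 response never
    // reaches Silverlight, so a SOAP fault from the STS surfaces as "NotFound".
    // Call once at application startup, before the first request is made.
    public static bool UseClientHttpStack()
    {
        bool https = WebRequest.RegisterPrefix("https://", WebRequestCreator.ClientHttp);
        bool http = WebRequest.RegisterPrefix("http://", WebRequestCreator.ClientHttp);
        return https && http; // false if a prefix was already registered
    }

    // Walk the exception chain and return the most specific description found:
    // a SOAP fault first, then an HTTP status, then the outer message.
    public static string Describe(Exception error)
    {
        WebException firstWeb = null;
        for (Exception e = error; e != null; e = e.InnerException)
        {
            var fault = e as FaultException;
            if (fault != null)
            {
                // The innermost subcode carries the specific fault name.
                FaultCode code = fault.Code;
                while (code != null && code.SubCode != null) code = code.SubCode;
                string name = code != null ? code.Name : "(no fault code)";
                return "SOAP fault " + name + ": " + fault.Message;
            }
            if (firstWeb == null) firstWeb = e as WebException;
        }

        if (firstWeb != null)
        {
            var response = firstWeb.Response as HttpWebResponse;
            if (response != null)
                return "HTTP " + (int)response.StatusCode + " " + response.StatusDescription;
            return "Transport error: " + firstWeb.Message;
        }
        return error != null ? error.Message : "(no exception)";
    }
}
```

Pass `Describe` the exception caught where the token request completes; with the client stack registered it reports the fault the STS actually sent.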
-
Tuesday, September 20, 2011 7:23 PM
Indeed, changing to the SL client HTTP stack gave me a better clue. The error I got back was Scope invalid, so, I checked the identifiers on my relying party in ADFS and it matched the URI below:
    AppliesTo = new EndpointAddress("https://sp2010server.sp2010.local/HelloWorldService/Service1.svc/Win")
So, I added another identifier which was more global in ADFS and changed the AppliesTo accordingly:
    AppliesTo = new EndpointAddress("https://sp2010server.sp2010.local/HelloWorldService/")
This worked. I don't know why, but it did. I hit other issues I'm still looking into but the token is successfully issued now, thanks.
Tim

