Adfs: Authentication fails after logon credentials are provided
-
Monday, July 30, 2012 11:11 PM
I am developing an SP (relying party). I managed to make it work with ADFS without a signature in the AuthnRequest.
But when sending the following request with a signature, ADFS prompts for credentials, accepts the correct credentials, and then fails to respond with the user and groups. I will attach the request, the response and the exception logged.
Relying Party Auth Request:
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://adfs-sj1.sjlab.local/adfs/ls/" ID="_422d0bb72b1120db737695464793dedf4ea8ddd2" IssueInstant="2012-07-30T21:52:47.501Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">spid</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_422d0bb72b1120db737695464793dedf4ea8ddd2">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>S5b7PCF8WscoOX++EcpyjQNW4q0=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>g1PXYERi48Q/vGXNBPwZlteyihQmt3eo9+MIQlBdC8MqTsm8GdvE1Nq4osszEyprAK5Q6Uv5QV/UgctUWGV2hUxLc5bpXVwpaYaoywH0XPXArROR1EyGVz2g5YAjgGxpU0YbxJIk+2A1DblE0alYSK/88oHHcmpwp6dmgwmvfXcRA83DnVCeIZoKSPuNTqSLb6UKk+QxUABieuAb1ecsQmJsEjUXcrPq+RPL1+goNhC4/vbPatuK90ZyZe5CljwAtWXmqoBzWexxgWdzs4E9zIc/aQi/HFioGz0EnPiipgBjHRlV+Gv0iFV1dS++a24+F7H2NG6aZSGipcyj2kJMDg==</ds:SignatureValue>
  </ds:Signature>
</saml2p:AuthnRequest>
Response from ADFS:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_f66aaa60-a0de-47c4-a3e8-2a046e75989c" Version="2.0" IssueInstant="2012-07-30T21:53:54.327Z" Destination="https://sp/auth/saml/response-endpoint.do" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_422d0bb72b1120db737695464793dedf4ea8ddd2">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://ADFS-SJ1.sjlab.local/adfs/services/trust</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_f66aaa60-a0de-47c4-a3e8-2a046e75989c">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>MVyIqmJTc8+dFv1C1X+LNz4m2VyoSiOVkiEOu9xLGcM=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Soxs08yX91iN/W3RT8iVqQUaqAmZPT7K3ct0ugD+PdVTDAHRiEqsJZPZ3A6dhaugw4IL1nZ9gFQpEjr1kn8mUiKW+joc6wS849BPEVFzRBtibFwMCT0PvHV9+NZkBcbWdrNdq9X1KzgF2I/8T/uG4j5E3QixHtiGH9eKTqAsWA3OdJi/yxQVQ/xCZxojmkCyyWbzJOzXLYd4OdmmgAhUjJj3oHwRRcx93G5jXeC4sMgvu/iLujAKcfkpuUvtAptDpkLSqudX0cex0JpabojST0+71HH3fScz77Tc4ncRQGDOACnhPntl23DlrVQrWDpXXa4NbpzQ7FbC8vP2WzzJAQ==</ds:SignatureValue>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data>
        <ds:X509Certificate>...</ds:X509Certificate>
      </ds:X509Data>
    </KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
  </samlp:Status>
</samlp:Response>
Exception found in ADFS 2.0 logs:
Encountered error during federation passive request.
Additional Data
Exception details:
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.InvalidOperationException: This message cannot support the operation because it has been written.
Server stack trace:
   at System.ServiceModel.Channels.Message.WriteMessage(XmlDictionaryWriter writer)
   at System.ServiceModel.Channels.BufferedMessageWriter.WriteMessage(Message message, BufferManager bufferManager, Int32 initialOffset, Int32 maxSizeQuota)
   at System.ServiceModel.Channels.BinaryMessageEncoderFactory.BinaryMessageEncoder.WriteMessage(Message message, Int32 maxMessageSize, BufferManager bufferManager, Int32 messageOffset)
   at System.ServiceModel.Channels.FramingDuplexSessionChannel.EncodeMessage(Message message)
   at System.ServiceModel.Channels.FramingDuplexSessionChannel.OnSend(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.OutputChannel.Send(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.DuplexChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustContract.Issue(Message message)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(Message message)
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.IssueWorker(Message request, Boolean firstTry, WCFResponseData responseData)
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.IssueWorker(Message request, Boolean firstTry, WCFResponseData responseData)
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, WSFederationMessage incomingMessage)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)

System.InvalidOperationException: This message cannot support the operation because it has been written.
Server stack trace:
   at System.ServiceModel.Channels.Message.WriteMessage(XmlDictionaryWriter writer)
   at System.ServiceModel.Channels.BufferedMessageWriter.WriteMessage(Message message, BufferManager bufferManager, Int32 initialOffset, Int32 maxSizeQuota)
   at System.ServiceModel.Channels.BinaryMessageEncoderFactory.BinaryMessageEncoder.WriteMessage(Message message, Int32 maxMessageSize, BufferManager bufferManager, Int32 messageOffset)
   at System.ServiceModel.Channels.FramingDuplexSessionChannel.EncodeMessage(Message message)
   at System.ServiceModel.Channels.FramingDuplexSessionChannel.OnSend(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.OutputChannel.Send(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.DuplexChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustContract.Issue(Message message)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(Message message)
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.IssueWorker(Message request, Boolean firstTry, WCFResponseData responseData)
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.IssueWorker(Message request, Boolean firstTry, WCFResponseData responseData)
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
Could you please point me in the right direction to fix the issue? Please ask if you need more details. Thanks.
All Replies
-
Friday, August 24, 2012 2:03 PM
I am having exactly the same issue. Did you manage to resolve it?
-
Monday, September 03, 2012 5:38 PM
The signature algorithm used by the relying party in the XML is SHA-1, but ADFS is configured to use SHA-256. On the Advanced tab in the UI, try changing the Secure Hash Algorithm to SHA-1.
Regards
Mylo
- Proposed As Answer by Mylo Friday, September 28, 2012 9:22 AM
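The mismatch Mylo describes can be confirmed from the captured XML before touching the ADFS configuration. The following check is an added example, not code from the thread or from ADFS: it parses an AuthnRequest like the one above, reads the SignatureMethod and DigestMethod URIs from its enveloped signature, and compares them with the hash algorithm set on the relying party trust. The sample request is constructed with the thread's element layout and algorithm URIs but placeholder digest and signature values.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Algorithm URIs seen in the thread: the RP's request uses the SHA-1 pair,
# the ADFS response uses the SHA-256 pair.
HASH_OF_URI = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SHA1",
    "http://www.w3.org/2000/09/xmldsig#sha1": "SHA1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "SHA256",
    "http://www.w3.org/2001/04/xmlenc#sha256": "SHA256",
}

def signature_algorithms(xml_text):
    """Return (signature_hash, digest_hash) from the message's enveloped ds:Signature, or None if unsigned."""
    root = ET.fromstring(xml_text)
    sig = root.find(f"{DS}Signature")
    if sig is None:
        return None
    sig_uri = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod").get("Algorithm")
    dig_uri = sig.find(f"{DS}SignedInfo/{DS}Reference/{DS}DigestMethod").get("Algorithm")
    return HASH_OF_URI.get(sig_uri, sig_uri), HASH_OF_URI.get(dig_uri, dig_uri)

def check_against_trust(xml_text, trust_hash):
    """Compare the request's algorithms with the 'Secure hash algorithm' configured on the RP trust.
    trust_hash is 'SHA1' or 'SHA256', the two values the ADFS Advanced tab offers."""
    algs = signature_algorithms(xml_text)
    if algs is None:
        return "unsigned request: signature setting on the trust is not exercised"
    mismatched = [h for h in algs if h != trust_hash]
    if not mismatched:
        return "OK"
    return f"MISMATCH: request uses {algs[0]}/{algs[1]}, trust expects {trust_hash}"

# Constructed sample with the same element layout and algorithm URIs as the
# thread's AuthnRequest; digest and signature values are placeholders.
SAMPLE_REQUEST = """<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_req1" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">spid</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_req1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PLACEHOLDER=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER=</ds:SignatureValue>
  </ds:Signature>
</saml2p:AuthnRequest>"""
```

Running `check_against_trust(SAMPLE_REQUEST, "SHA256")` reproduces the thread's situation (a mismatch), while `"SHA1"` returns "OK", which is the state after the trust's hash algorithm is changed as Mylo suggests.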