Errors attempting ActAs Delegation
- When I attempt to invoke a WCF service that I've requested a delegated RST for, I see one of two errors:
ID3266: The FederatedSecurityTokenProvider cannot support the FederatedClientCredentialsParameters. The FederatedClientCredentialsParameters has already provided the ActAs parameter.
or
The token provider cannot get tokens for target <my STS url>
I don't understand where I'm issuing a second set of credentials. Here's my client code:

    const string endpointName = "IssuedTokenEndpoint";
    var principal = Thread.CurrentPrincipal as IClaimsPrincipal;
    ReadOnlyCollection<SecurityToken> callerTokens = principal.GetBootstrapTokens();
    var factory = new ChannelFactory<IShoppingCartService>(endpointName);
    factory.ConfigureChannelFactory();
    var proxy = factory.CreateChannelActingAs(callerTokens[0]);
    try
    {
        lblProductDescription.Text = proxy.GetProductDescription("Weather Station");
    }
    catch (Exception ex)
    {
        lblProductDescription.Text = ex.ToString();
    }
    try
    {
        lblOrderTotal.Text = "$" + proxy.GetOrderTotal("1234").ToString("N2");
    }
    catch (Exception ex)
    {
        lblOrderTotal.Text = ex.ToString();
    }
Any help would be GREATLY appreciated. I didn't find anything useful when googling the error message.
Thanks.
All Replies
- The problem with "The token provider cannot get tokens for target" was because the endpoint is secured with Username, and as you can see from the above snippet, I wasn't supplying the username credential.
Now however, I'm getting this exception
System.ServiceModel.FaultException: An error occurred when verifying security for the message
This usually happens when the issuer system clock is off from the client system clock. But in my case, all the RPs and the STS are on the same machine. What else would generate this message? I think the above is a red herring. Buried in the error stack is this message again (see red text):
System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. ---> System.ServiceModel.FaultException: An error occurred when verifying security for the message.
--- End of inner exception stack trace ---
Server stack trace:
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Request(Message message, TimeSpan timeout)
Exception rethrown at [0]:
at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
at System.ServiceModel.Security.IssuanceTokenProviderBase`1.GetTokenCore(TimeSpan timeout)
at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
at System.ServiceModel.Security.Tokens.IssuedSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
at Microsoft.IdentityModel.Protocols.WSTrust.FederatedSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
at System.ServiceModel.Security.SecurityProtocol.GetToken(SecurityTokenProvider provider, EndpointAddress target, TimeSpan timeout)
at System.ServiceModel.Security.MessageSecurityProtocol.GetTokenAndEnsureOutgoingIdentity(SecurityTokenProvider provider, Boolean isEncryptionOn, TimeSpan timeout, SecurityTokenAuthenticator authenticator)
at System.ServiceModel.Security.SymmetricSecurityProtocol.TryGetTokenSynchronouslyForOutgoingSecurity(Message message, SecurityProtocolCorrelationState correlationState, Boolean isBlockingCall, TimeSpan timeout, SecurityToken& token, SecurityTokenParameters& tokenParameters, SecurityToken& prerequisiteWrappingToken, IList`1& supportingTokens, SecurityProtocolCorrelationState& newCorrelationState)
at System.ServiceModel.Security.SymmetricSecurityProtocol.SecureOutgoingMessageCore(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState correlationState)
at System.ServiceModel.Security.MessageSecurityProtocol.SecureOutgoingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState correlationState)
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [1]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at ShoppingServices.IShoppingCartService.GetProductDescription(String productID)
at ASP.default_aspx.DelegateBtn_Click(Object sender, EventArgs e) in c:\cSharpApps\Projects\Temp\MySTS\Websites\ClearTextPassiveRP\Default.aspx:line 58

System.InvalidOperationException: ID3266: The FederatedSecurityTokenProvider cannot support the FederatedClientCredentialsParameters. The FederatedClientCredentialsParameters has already provided the ActAs parameter.
Server stack trace:
at Microsoft.IdentityModel.Protocols.WSTrust.FederatedSecurityTokenProvider.SetupParameters()
at Microsoft.IdentityModel.Protocols.WSTrust.FederatedSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
at System.ServiceModel.Security.SecurityProtocol.GetToken(SecurityTokenProvider provider, EndpointAddress target, TimeSpan timeout)
at System.ServiceModel.Security.MessageSecurityProtocol.GetTokenAndEnsureOutgoingIdentity(SecurityTokenProvider provider, Boolean isEncryptionOn, TimeSpan timeout, SecurityTokenAuthenticator authenticator)
at System.ServiceModel.Security.SymmetricSecurityProtocol.TryGetTokenSynchronouslyForOutgoingSecurity(Message message, SecurityProtocolCorrelationState correlationState, Boolean isBlockingCall, TimeSpan timeout, SecurityToken& token, SecurityTokenParameters& tokenParameters, SecurityToken& prerequisiteWrappingToken, IList`1& supportingTokens, SecurityProtocolCorrelationState& newCorrelationState)
at System.ServiceModel.Security.SymmetricSecurityProtocol.SecureOutgoingMessageCore(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState correlationState)
at System.ServiceModel.Security.MessageSecurityProtocol.SecureOutgoingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState correlationState)
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at ShoppingServices.IShoppingCartService.GetOrderTotal(String orderID)
at ASP.default_aspx.DelegateBtn_Click(Object sender, EventArgs e) in c:\cSharpApps\Projects\Temp\MySTS\Websites\ClearTextPassiveRP\Default.aspx:line 66

- The plot thickens....
I am able to open a delegated channel to my active RP endpoint from my passive RP and generate an ActAs service proxy for my activeRP service. The activeRP is secured by an issued token from my STS service.
The sts service issues the token, and it looks correct.
Here's the interesting part, using this proxy, I can call a method on my service proxy, ONE TIME. If I attempt to make a second call on my proxy I get the exception: System.InvalidOperationException: ID3266: The FederatedSecurityTokenProvider cannot support the FederatedClientCredentialsParameters. The FederatedClientCredentialsParameters has already provided the ActAs parameter
In digging through the FederatedSecurityTokenProvider source (via Reflector), it appears that this error is thrown when GetTokenCore is called on a delegated RSTR. I do not understand why this code (GetTokenCore()) is being invoked on the 2nd call of an already open channel. All the examples of delegation I see show only a single method call on the delegated service. What's going on here?
Here's my proxy client code:

    const string endpointName = "IssuedTokenEndpoint";
    var principal = Thread.CurrentPrincipal as IClaimsPrincipal;
    ReadOnlyCollection<SecurityToken> callerTokens = principal.GetBootstrapTokens();
    var factory = new ChannelFactory<IShoppingCartService>(endpointName);
    factory.Credentials.ClientCertificate.Certificate = CertificateHelper.GetCertificateFromStore(
        "76 42 47 aa c6 be b5 4f 4d cf 18 8c 40 43 5c b5 0b 4e c3 72",
        X509FindType.FindByThumbprint, StoreName.My, StoreLocation.LocalMachine);
    factory.ConfigureChannelFactory();
    var proxy = factory.CreateChannelActingAs(callerTokens[0]);
    try
    {
        lblProductDescription.Text = proxy.GetProductDescription("Weather Station");
    }
    catch (Exception ex)
    {
        lblProductDescription.Text = ex.ToString();
    }
    try
    {
        lblOrderTotal.Text = proxy.GetProductDescription("Weather Station2");
    }
    catch (Exception ex)
    {
        lblOrderTotal.Text = ex.ToString();
    }

and the error info:
ID3266: The FederatedSecurityTokenProvider cannot support the FederatedClientCredentialsParameters. The FederatedClientCredentialsParameters has already provided the ActAs parameter.
Server stack trace:
at Microsoft.IdentityModel.Protocols.WSTrust.FederatedSecurityTokenProvider.SetupParameters()
at Microsoft.IdentityModel.Protocols.WSTrust.FederatedSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
at System.ServiceModel.Security.SecurityProtocol.GetToken(SecurityTokenProvider provider, EndpointAddress target, TimeSpan timeout)
at System.ServiceModel.Security.MessageSecurityProtocol.GetTokenAndEnsureOutgoingIdentity(SecurityTokenProvider provider, Boolean isEncryptionOn, TimeSpan timeout, SecurityTokenAuthenticator authenticator)
at System.ServiceModel.Security.SymmetricSecurityProtocol.TryGetTokenSynchronouslyForOutgoingSecurity(Message message, SecurityProtocolCorrelationState correlationState, Boolean isBlockingCall, TimeSpan timeout, SecurityToken& token, SecurityTokenParameters& tokenParameters, SecurityToken& prerequisiteWrappingToken, IList`1& supportingTokens, SecurityProtocolCorrelationState& newCorrelationState)
at System.ServiceModel.Security.SymmetricSecurityProtocol.SecureOutgoingMessageCore(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState correlationState)
at System.ServiceModel.Security.MessageSecurityProtocol.SecureOutgoingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState correlationState)
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at ShoppingServices.IShoppingCartService.GetProductDescription(String productID)
at ASP.default_aspx.DelegateBtn_Click(Object sender, EventArgs e) in c:\cSharpApps\Projects\Temp\MySTS\Websites\ClearTextPassiveRP\Default.aspx:line 68

- See new thread http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/293025b3-7add-4cde-b3ae-3165f530f54b
Regards Wilko31
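The following is an added example, not Wilko31's code and not part of the WIF SDK samples. It puts together the ActAs pattern from the posts above (bootstrap token from the passive RP's principal, ConfigureChannelFactory, CreateChannelActingAs) with three things the thread points at but does not show: the username credential for the STS that the second post says was missing, a channel that is created per call and closed or aborted explicitly (the thread reports the first call on an ActAs channel succeeding and the second failing with ID3266, so a short-lived channel sidesteps that re-entry; this is a workaround, not a root-cause fix), and an error boundary that logs the exception server-side instead of writing ex.ToString(), with its local file paths and stack frames, into a page label. It assumes WIF 3.5 (Microsoft.IdentityModel), the endpoint name and IShoppingCartService contract from the thread, a ShoppingServices namespace for that contract, and the IClaimsIdentity.BootstrapToken property (the equivalent of the thread's GetBootstrapTokens()[0]); the stsUser/stsPassword parameters are placeholders for a credential loaded from protected configuration.

```csharp
// Added example (not the poster's code): ActAs delegation from a passive RP to an
// issued-token WCF endpoint. Assumes WIF 3.5 and the thread's IssuedTokenEndpoint /
// IShoppingCartService; the ShoppingServices namespace is assumed.
using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using ShoppingServices;

public static class DelegatedShoppingClient
{
    private const string EndpointName = "IssuedTokenEndpoint";

    // The interactive user's bootstrap token, kept by the passive RP so it can be sent
    // as the ActAs element. Requires saveBootstrapTokens="true" in the RP's WIF config.
    private static SecurityToken CallerToken()
    {
        var identity = Thread.CurrentPrincipal.Identity as IClaimsIdentity;
        if (identity == null)
            throw new InvalidOperationException("Caller is not a WIF claims identity.");
        if (identity.BootstrapToken == null)
            throw new InvalidOperationException("No bootstrap token saved; ActAs delegation is not possible.");
        return identity.BootstrapToken;
    }

    // One channel per operation. The thread observes that the first call on an ActAs
    // channel works and the second hits ID3266 when the federated token provider is
    // re-entered; a short-lived channel avoids that (workaround, not a root-cause fix).
    public static TResult Call<TResult>(string stsUser, string stsPassword,
                                        Func<IShoppingCartService, TResult> operation)
    {
        var factory = new ChannelFactory<IShoppingCartService>(EndpointName);

        // The STS endpoint in the thread is secured with UserName. Set credentials
        // before ConfigureChannelFactory, as the poster did with the client certificate,
        // so they are carried over into the FederatedClientCredentials it installs.
        factory.Credentials.UserName.UserName = stsUser;
        factory.Credentials.UserName.Password = stsPassword;
        factory.ConfigureChannelFactory(); // WIF extension method (ChannelFactoryOperations)

        IShoppingCartService proxy = factory.CreateChannelActingAs(CallerToken());
        var channel = (ICommunicationObject)proxy;
        try
        {
            TResult result = operation(proxy);
            channel.Close();
            return result;
        }
        catch (CommunicationException) { channel.Abort(); throw; }
        catch (TimeoutException) { channel.Abort(); throw; }
        finally
        {
            // A faulted factory cannot be closed gracefully; abort it instead of throwing.
            if (factory.State == CommunicationState.Faulted) factory.Abort();
            else factory.Close();
        }
    }

    // UI error boundary: log the full exception server-side, show the user a generic
    // message. The thread's labels displayed ex.ToString(), which leaks internal paths
    // (e.g. c:\cSharpApps\...\Default.aspx) and stack frames to the browser.
    public static string SafeCall(Func<string> operation, Action<Exception> log)
    {
        try
        {
            return operation();
        }
        catch (Exception ex)
        {
            log(ex);
            return "The shopping service is currently unavailable.";
        }
    }
}

// Usage from the page's click handler (stsUser/stsPassword are placeholders for a
// credential read from protected configuration, never hard-coded):
//
//   lblProductDescription.Text = DelegatedShoppingClient.SafeCall(
//       () => DelegatedShoppingClient.Call(stsUser, stsPassword,
//                 svc => svc.GetProductDescription("Weather Station")),
//       ex => Logger.Error(ex));
//   lblOrderTotal.Text = DelegatedShoppingClient.SafeCall(
//       () => "$" + DelegatedShoppingClient.Call(stsUser, stsPassword,
//                 svc => svc.GetOrderTotal("1234")).ToString("N2"),
//       ex => Logger.Error(ex));
```

Each Call() performs a fresh RST/RSTR exchange with the STS, so it costs one extra round trip per operation compared with reusing a channel; if the root cause of the second-call ID3266 is found (the linked follow-up thread), the per-call factory can be replaced by a cached one without changing the error boundary or the credential handling. Logger.Error is a placeholder for whatever server-side logging the RP already uses.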


