WSTrustClient fails to get tokens from STS
- Hi,
I have an STS running with wsFederationHttpBinding with Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract.
I use the WSTrustClient to send the RST message to the STS:

```csharp
// Build the client against the STS endpoint (binding comes from a helper, GetSecurityTokenServiceBinding)
WSTrustClient trustClient = new WSTrustClient(GetSecurityTokenServiceBinding(),
    new EndpointAddress(STSAddress));
// Ask the STS for a new token (WS-Trust 1.3 Issue request type)
RequestSecurityToken rst = new RequestSecurityToken(WSTrust13Constants.RequestTypes.Issue);
rst.AppliesTo = new EndpointAddress(ServiceAddress); // scope the token to the relying party
return trustClient.Issue(rst);
```
I got an error:
WebException: The remote server returned an error: (405) Method Not Allowed.]
System.Net.HttpWebRequest.GetResponse() +5313085
System.ServiceModel.Channels.HttpChannelRequest.WaitForReply(TimeSpan timeout) +54[ProtocolException: The remote server returned an unexpected response: (405) Method Not Allowed.]
System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) +7594687
System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) +275
Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustContract.Issue(Message message) +0
Microsoft.IdentityModel.Protocols.WSTrust.WSTrustClient.Issue(Message message) +24
Microsoft.IdentityModel.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) +43
Microsoft.IdentityModel.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst) +25
STSChaining.Portal.STSClient._Default.GetIssuedToken() in c:\SueFiles\STSChaining_Portal\STSClient\App_Code\Default.aspx.cs:108
STSChaining.Portal.STSClient._Default.Page_Load(Object sender, EventArgs e) in c:\SueFiles\STSChaining_Portal\STSClient\App_Code\Default.aspx.cs:45
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +14
System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +35
System.Web.UI.Control.OnLoad(EventArgs e) +99
System.Web.UI.Control.LoadRecursive() +50
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +627
Any suggestion on what might be wrong?
thanks,
Sue
Answers
Hi,
an STS is just a "normal" WCF service - you send a special (authenticated) message to that service, a so called RST - and the service returns the token for the caller in the response message. You can use any binding that supports the authentication method you want to implement between client and STS (e.g. Windows auth, client certs, username etc...). A typical choice would be ws2007HttpBinding.
The client then uses the returned token to authenticate with the relying party - this credential type is called "Issued Token" and is supported OOB by the ws2007FederationBinding. I recommend you read the whitepaper found here first:
https://connect.microsoft.com/Downloads/DownloadDetails.aspx?SiteID=642&DownloadID=14671
Dominick Baier, thinktecture - http://www.leastprivilege.com
Marked As Answer by sue275 Wednesday, January 14, 2009 8:02 PM
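As an added illustration of the answer above (not code from this thread or from the STS project discussed; it uses the WIF 1.0 RTM WSTrustChannelFactory and ChannelFactoryOperations API rather than the beta-era WSTrustClient in the question, and the endpoint addresses and the IRelyingParty contract are placeholders), this shows the two-binding split: ws2007HttpBinding carrying the caller's own client certificate towards the STS, and ws2007FederationHttpBinding carrying the issued token towards the relying party.

```csharp
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Protocols.WSTrust;

// Placeholder contract for the relying party service (assumption, not from the thread).
[ServiceContract]
public interface IRelyingParty
{
    [OperationContract]
    string WhoAmI();
}

public static class IssuedTokenExample
{
    const string StsAddress = "https://sts.example.invalid/trust/13/certificate"; // placeholder
    const string RpAddress  = "https://rp.example.invalid/service";               // placeholder

    // Step 1: the STS is an ordinary WCF service. ws2007HttpBinding carries the caller's
    // own credential (here a client certificate); no issued token is involved yet.
    public static SecurityToken GetTokenFromSts(X509Certificate2 clientCert)
    {
        var stsBinding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        stsBinding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        stsBinding.Security.Message.EstablishSecurityContext = false;

        var factory = new WSTrustChannelFactory(stsBinding, new EndpointAddress(StsAddress));
        factory.TrustVersion = TrustVersion.WSTrust13;
        factory.Credentials.ClientCertificate.Certificate = clientCert;

        var rst = new RequestSecurityToken(RequestTypes.Issue)
        {
            AppliesTo = new EndpointAddress(RpAddress), // scopes the token to this RP only
            KeyType = KeyTypes.Symmetric
        };
        return factory.CreateChannel().Issue(rst);
    }

    // Step 2: the federation binding is for presenting the issued token to the relying party.
    public static string CallRelyingParty(SecurityToken issuedToken)
    {
        var rpBinding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
        rpBinding.Security.Message.EstablishSecurityContext = false;

        var rpFactory = new ChannelFactory<IRelyingParty>(rpBinding, new EndpointAddress(RpAddress));
        rpFactory.ConfigureChannelFactory();      // WIF extension: enables issued-token handling
        var channel = rpFactory.CreateChannelWithIssuedToken(issuedToken);
        return channel.WhoAmI();
    }
}
```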
All Replies
- Are you sure you want to use the federation binding? Are you using an issued token to authenticate with the STS?
Dominick Baier, thinktecture - http://www.leastprivilege.com
- Dominick,
I will have an ASP.NET web app, and the user logs in using a certificate. Then the web app will call the STS to get more tokens.
Why can't I use FederationBinding? Is it because I am not using the issued token to authenticate with the STS, so I can't use FederationBinding? Do you think the FederationBinding causes the problem?
Should I try WS2007HttpBinding?
thanks,
Sue
- Federation binding is for issued tokens - try ws2007HttpBinding instead. How do you authenticate with the STS?
Dominick Baier, thinktecture - http://www.leastprivilege.com
- "Federation Binding is for issued tokens" -- Do you mean after the STS issues the token, then use the Federation binding for the relying party?
I tried ws2007HttpBinding also. Now the difference for me is that it complains the Relying Party Address is not valid with Federation Binding, but ws2007HttpBinding doesn't have that problem.
I am not sure when to use FederationBinding and when not to use it. Can you explain more?
Now I don't authenticate with the STS. I guess I can get user information from the cert and pass the public cert to the STS. Then the STS checks the attribute store for that user to issue tokens.
Does that sound right?
thanks,
Sue
- Dominick, is there an updated link for the White Paper you mentioned? When I click on that link, I get a Page Not Found...
Thanks.