Claims based access platform (CBA), code-named Geneva Forum

Unable to establish trust using Microsoft Online Services Federation Utility

Tue, 25 Aug 2009 17:36:39 Z

I have a "Geneva" Server on windows 2008 machine. I have done nothing with the "Geneva" server. When i start it, it says Required: Add a trusted relying party. But i have not completed those steps yet, because im not sure how to proceed.

Also, the default website on the same server has Thawte Web Server SSL installed.

After installing Microsoft Online Services Federation Utility, this is what happens:

A green light is there on Local STS, and i select the SSL certificate configured on default website in the dropdown.
A green light is also there on Windows Live. Here i hit connect.

After clicking Federation Trust, and Establish Trust button, I see two lines while progress bar moves.:
Creating policy in local STS
Registering with Windows live

after 2-3 seconds, it stops and nothing happens. no error message. and no light on Federation Trust. I tried various selections in Windows Live: Production, Internal, PPE...no effect

What am I missing?

Thanks in advance!

Calling Active STS endpoint from Passive STS

Mon, 23 Nov 2009 15:59:59 Z

Hi,

I am working on Claims aware website implementation. I have Passive STS in place. Also I have another Active STS in place with UserName and Windows modes. I want to call Active STS from within Passive STS.
When client tries to access my RP, it should be redirected to Passive STS and Passive STS in turn should forward the request to Active STS. Token issued by Active STS (RSTR) will be passed back to Passive STS and from Passive STS back to RP.

How can I implement this scenario?

Thanks in advance!

Cannot login Liveid with Federation Trust

Tue, 17 Nov 2009 13:02:14 Z

I've followed the manual of How to Configure "Geneva" Server to Provide SSO Access to Microsoft Online Services.

I've a federation trust but i can't login.
I'm using the url: http://spaces.live-int.com and when i'm using my active directory login i get the error the login doesn't exist.
Also i didn't see the possiblity to slect a partner id.

I hope someone can help

Multi-Company Federation Scenario ... ADFS v2 or just WIF or Azure ACS or ... ?

Tue, 24 Nov 2009 21:18:02 Z

I'm sure this is a ridiculously typical example but I'll run it by you anyway to make sure that I'm thinking about it the right way.

We've got CorpA, CorpB, and CorpC. Each of these people are partners with HomeCorp. HomeCorp has a truckload of line of business applications and we've been doing a good job internally making sure they're all authenticating in a claims-based fashion using WIF - we've got our own custom STS that is giving us tokens containing an Active Directory identity and a bunch of roles that come from a custom ability database.

Now we want users from CorpA, CorpB, and CorpC to be able to access web apps that we've got hosted in the cloud (on Azure). These users will come up to our apps with identity tokens that their own internal enterprises will have produced (either through custom STS or through ADFS v2).

What does the process look like (using both Azure and on-premise STS) for on-boarding these companies to federation and what aspects of WIF and/or Azure ACS would we be using in the cloud? Administrators from CorpA, CorpB, and CorpC should be able to come to our site in the cloud and set up permissions for users to allow fine-grained control over who can do what.

I've read this particular scenario before, but only in bits and pieces and some of it in Azure documents and some of it in WIF documents. If I'm asking a completely ridiculous question, I'd appreciate an appropriate link to the relevant documentation bits that contain the solution to my problem :)

Thanks,
Kevin

The .NET Addict - http://dotnetaddict.dotnetdevelopersjournal.com

CryptographicException - Object identifier (OID) is unknown

Fri, 25 Sep 2009 23:38:22 Z

I am having a problem with my certificates and creating a RSTR as string. The line of code is failing is,

string responseAsString = federationSerializer.GetResponseAsString(response, new WSTrustSerializationContext());

and the exception that is being thrown is (mapping the OID in the certificate to algorithm),

Object identifier (OID) is unknown.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Security.Cryptography.CryptographicException: Object identifier (OID) is unknown.

[CryptographicException: Object identifier (OID) is unknown.]
   System.Security.Cryptography.X509Certificates.X509Utils._GetAlgIdFromOid(String oid) +0
   System.Security.Cryptography.X509Certificates.X509Utils.OidToAlgId(String oid) +37
   System.Security.Cryptography.RSACryptoServiceProvider.SignHash(Byte[] rgbHash, String str) +61
   System.Security.Cryptography.RSAPKCS1SignatureFormatter.CreateSignature(Byte[] rgbHash) +105
   System.Security.Cryptography.AsymmetricSignatureFormatter.CreateSignature(HashAlgorithm hash) +48
   Microsoft.IdentityModel.Protocols.XmlSignature.SignedXml.ComputeSignature(HashAlgorithm hash, AsymmetricSignatureFormatter formatter) +44
   Microsoft.IdentityModel.Protocols.XmlSignature.SignedXml.ComputeSignature(SecurityKey signingKey) +362
   Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureWriter.ComputeSignature() +135
   Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureWriter.OnEndRootElement() +150
   Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureWriter.WriteEndElement() +33
   Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.WriteAssertion(XmlWriter writer, SamlAssertion assertion) +577
   Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.WriteToken(XmlWriter writer, SecurityToken token) +44
   Microsoft.IdentityModel.Tokens.EncryptedSecurityTokenHandler.WriteToken(XmlWriter writer, SecurityToken token) +225
   Microsoft.IdentityModel.Tokens.SecurityTokenSerializerAdapter.WriteTokenCore(XmlWriter writer, SecurityToken token) +200
   System.IdentityModel.Selectors.SecurityTokenSerializer.WriteToken(XmlWriter writer, SecurityToken token) +33
   Microsoft.IdentityModel.Protocols.WSTrust.WSTrustSerializationHelper.WriteRSTRXml(XmlWriter writer, String elementName, Object elementValue, WSTrustSerializationContext context, WSTrustConstantsAdapter trustConstants) +714
   Microsoft.IdentityModel.Protocols.WSTrust.WSTrustFeb2005ResponseSerializer.WriteXmlElement(XmlWriter writer, String elementName, Object elementValue, RequestSecurityTokenResponse rstr, WSTrustSerializationContext context) +71
   Microsoft.IdentityModel.Protocols.WSTrust.WSTrustSerializationHelper.WriteKnownResponseElement(RequestSecurityTokenResponse rstr, XmlWriter writer, WSTrustSerializationContext context, WSTrustResponseSerializer responseSerializer, WSTrustConstantsAdapter trustConstants) +278
   Microsoft.IdentityModel.Protocols.WSTrust.WSTrustFeb2005ResponseSerializer.WriteKnownResponseElement(RequestSecurityTokenResponse rstr, XmlWriter writer, WSTrustSerializationContext context) +42
   Microsoft.IdentityModel.Protocols.WSTrust.WSTrustSerializationHelper.WriteResponse(RequestSecurityTokenResponse response, XmlWriter writer, WSTrustSerializationContext context, WSTrustResponseSerializer responseSerializer, WSTrustConstantsAdapter trustConstants) +195
   Microsoft.IdentityModel.Protocols.WSTrust.WSTrustFeb2005ResponseSerializer.WriteXml(RequestSecurityTokenResponse response, XmlWriter writer, WSTrustSerializationContext context) +42
   Microsoft.IdentityModel.Protocols.WSFederation.WSFederationSerializer.GetResponseAsString(RequestSecurityTokenResponse response, WSTrustSerializationContext context) +181
   FederationPassiveSecureTokenService._Default.ProcessSignInRequest(SignInRequestMessage requestMessage) in Default.aspx.cs:109
   FederationPassiveSecureTokenService._Default.Page_PreRender(Object sender, EventArgs e) in Default.aspx.cs:42
   System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +14
   System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +35
   System.Web.UI.Control.OnPreRender(EventArgs e) +8682870
   System.Web.UI.Control.PreRenderRecursiveInternal() +80
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +842

I assume it is the way I have used makecert.exe for my signing certificate. I am using makecert.exe. I have created my own root CA certificate which is the issue of my signing certificate. The command line I used to create my certificate is shown below (parameters are split onto new lines for ease of reading)

makecert.exe
-pe
-n "CN=RP STS"
-b 01/01/2009 -e 01/01/2036
-ss My
-sr localMachine
-sky exchange
-eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.3
-iv CA-root.pvk
-ic CA-root.cer

I have granted the service account (Network Service) read access to the private key. I have also configured geneva as follows

    <microsoft.identityModel>
        <service>
            <serviceCertificate>
                <certificateReference x509FindType="FindBySubjectName"
                                      findValue="RP STS"
                                      storeLocation="LocalMachine"
                                      storeName="My" />
            </serviceCertificate>

I assume the options I used to create the certificate are incorrect. I had tried to use the

-sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

options, but same result. If someone could give me some suggestions, it would be much appreciated.

Phil Bolduc
Vancouver, BC

How i can pass the SAML token from an original caller to a WCF service through asp.net app?

Wed, 21 Oct 2009 09:23:33 Z

Dear community, please, clarify what happened when we invoke the following code:

// I'm trying to invoke some WCF service from webapp,
// 'callerToken' is a token than had been issued by an external STS(Geneva Server)
ISomeService channel = factory.CreateChannelWithIssuedToken(callerToken);
channel.GetSomeData();

I have the following exception:
PolicyValidationException: The incoming policy could not be validated. For more information, please see the event log

And in the event log have the following message:
Incoming policy failed validation. No valid claim elements were found in the policy XML. Additional Information: at System.Environment.GetStackTrace(Exception e, Boolean needFileInfo) at System.Environment.get_StackTrace() at Microsoft.InfoCards.Diagnostics.InfoCardTrace.BuildMessage(InfoCardBaseException ie) at Microsoft.InfoCards.Diagnostics.InfoCardTrace.TraceAndLogException(Exception e) at Microsoft.InfoCards.Diagnostics.InfoCardTrace.ThrowHelperError(Exception e) at Microsoft.InfoCards.InfoCardPolicy.Validate() at Microsoft.InfoCards.GetTokenRequest.OnMarshalInArgs() at Microsoft.InfoCards.Request.PreProcessRequest() at Microsoft.InfoCards.ClientUIRequest.PreProcessRequest() at Microsoft.InfoCards.Request.DoProcessRequest(String& extendedMessage) at Microsoft.InfoCards.RequestFactory.ProcessNewRequest(Int32 parentRequestHandle, IntPtr rpcHandle, IntPtr inArgs, IntPtr& outArgs)

I've really confused about the last message cause i don't use CardSpace at all.
And I dont undrrstand what the policy could not be validated. Can somebody explain me?
Thank at all?
PS Let me know if i provided not enough information.

any reason not supporting WIF on WinXP

Fri, 13 Nov 2009 18:20:57 Z

Hello,

is there any reason not supporting WIF an WinXP?
The assemblies from WIF RC currently work also on WinXP to build a STS for WinForm-Clients.

thanks
Harald K.

Adding a custom token handler

Mon, 23 Nov 2009 04:40:16 Z

I have read many of the examples and threads with regards to adding a custom handler.

But I have trouble with my configuration with this in my web.config:

<microsoft.identityModel>

<remove type="Microsoft.IdentityModel.Tokens.UserNameSecurityTokenHandler,

Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />

</securityTokenHandlers>

</service>

</microsoft.identityModel>

With this in my configuration, I am getting this error:

Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: ID1024: The configuration property value is not valid.
Property name: ''
Error: 'An item with the same key has already been added.'

Source Error:


Line 93:   </system.serviceModel>
Line 94:   <microsoft.identityModel>
Line 95:     <service>
Line 96:       <securityTokenHandlers>
Line 97:         <remove type="Microsoft.IdentityModel.Tokens.UserNameSecurityTokenHandler,

I have tried removing the <add type... /> section but I am using my own custom user name token handler.

Cheers,

Windows XP Support

Thu, 04 Dec 2008 03:10:38 Z

Will the final version of Geneva support Windows XP?

Thanks!

WIF appears to be installed, but Training Kit says not?

Sun, 22 Nov 2009 02:59:54 Z

I downloaded WIF RTW for Win7 x64, and it installed without error. In the Control Panel, I see "Windows Identity Foundation (KB974405)" installed. I have rebooted for good measure, but the Identity Developer Training Kit (Nov '09) still says WIF isn't installed when I run Labs\WebSitesAndIdentity\Source\Setup\SetupLab.cmd. Any ideas?

Under Microsoft Windows Identify Foundation SDK in SetupLab.cmd, it says "Identity Developer Training Kit requires Windows Identity Foundation SDK". I'm then shown a Download link to the URL I linked to above for WIF RTW. Running the installer again says "Update for Windows (KB974405) is already installed on this computer."

Change Microsoft.IdentityModel configuration

Tue, 24 Nov 2009 13:32:21 Z

Hello,
I want to add the configuration of Microsoft.IdentityModel which is located in the web.conf file programmatically and delete it from the web.conf file because it's not static.
What class must I implement to do that?
Thanks.

Visual Studio 2010 - Add STS Reference - FedUtil - "Access is denied"

Mon, 23 Nov 2009 07:22:42 Z

I am using Visual Studio 2010 Beta on Windows 7 and have installed WIF SDK.

I have tried to run the Add STS Reference wizard (FedUtil) but I get an error message (Access is denied) during the creation of a new STS Web Site.

I can browse the new STS Web Site and get a login page, but pressing submit gets the following error back: The action '<EMPTY>' (Request.QueryString['wa']) is unexpected. Expected actions are: 'wsignin1.0' or 'wsignout1.0'.

Any ideas?
Cheers Harry

Where is ADFS V2?

Fri, 20 Nov 2009 10:22:49 Z

Hello,
I have downloaded and installed WIF RC, now i want to federate authentication from my entereprise using ADFS V2.

Where do I get ADFS V2? Any link to follow ADFS V2 related activities?

Please mark if reply answers your query.

MSI and Win 7

Mon, 23 Nov 2009 21:59:28 Z

I've seen a bunch of other sites that troubleshoot his, bu I am still having trouble. I am helping a friend who is trying to install your VZAccess modem software on his computer through his Blackberry Storm. He is running 64-bit Windows 7 and an error keeps appearing "error 2738. Could not access VBScript run time for custom action" I have checked the registry and made sure VBscript wasn't registered in the wrong place and ran the regsvr32 on the vbscript.dll as described in the article http://www.jakeludington.com/windows_7/20091115_error_2738_could_not_access_vbscript_run_time_for_custom_action.html The file given to him by the Verizon store is named VZAM_7.0.14_2397a_RIM_8530_Curve2 given when the CD software didn't work. It says its supposed to work with 64 bit Win 7, but its not. Is there something further we can try. Maybe an older version of the software? How can I fix this?

Error when using session tokens with windows authentication

Wed, 03 Jun 2009 17:07:48 Z

Edited: replaced "authorization" by "authentication".

I've the following scenario:
1) ASP.NET app with Windows Authentication enabled
2) The following Geneva modules are registered: ClaimsAuthorizationModule , ClaimsPrincipalHttpModule and SessionAuthenticationModule
3) I have a AuthorizationManager that creates a session token and writes it to a cookie [see http://www.leastprivilege.com/UseGenevaSessionManagementForYourOwnNeeds.aspx]

The behavior is the following:
1) The first request works correctly, namely the authentication manager is called and some derived claims are added to the claims principal.
2) The second request also works correctly. In this case, the authentication manager is NOT called. The claims principal contains the claims added in the first request.
3) The third request throws a "safe handle has been closed" exception with the following trace, while validating the session token

Thanks
Pedro

[ObjectDisposedException: Safe handle has been closed]
System.StubHelpers.StubHelpers.SafeHandleC2NHelper(Object pThis, IntPtr pCleanupWorkList) +0
Microsoft.Win32.Win32Native.GetTokenInformation(SafeTokenHandle TokenHandle, UInt32 TokenInformationClass, SafeLocalAllocHandle TokenInformation, UInt32 TokenInformationLength, UInt32& ReturnLength) +0
System.Security.Principal.WindowsIdentity.GetTokenInformation(SafeTokenHandle tokenHandle, TokenInformationClass tokenInformationClass, UInt32& dwLength) +118 System.Security.Principal.WindowsIdentity.get_User() +110
System.Security.Principal.WindowsIdentity.GetName() +124
System.Security.Principal.WindowsIdentity.get_Name() +42
System.Web.Hosting.IIS7WorkerRequest.SetPrincipal(IPrincipal user, IntPtr pManagedPrincipal) +139
System.Web.HttpContext.SetPrincipalNoDemand(IPrincipal principal, Boolean needToSetNativePrincipal) +11136171
System.Web.HttpContext.set_User(IPrincipal value) +52
Microsoft.IdentityModel.Web.SessionAuthenticationModule.SetPrincipalFromSessionToken (SessionSecurityToken sessionSecurityToken) +35 Microsoft.IdentityModel.Web.SessionAuthenticationModule.AuthenticateSessionSecurityToken (SessionSecurityToken sessionToken, Boolean writeCookie) +43 Microsoft.IdentityModel.Web.SessionAuthenticationModule.OnAuthenticateRequest (Object sender, EventArgs eventArgs) +262 System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171

http://pfelix.wordpress.com

Installing WIF RC on Win. Server 2008 R2

Sun, 08 Nov 2009 22:37:51 Z

I have tried to install WIF RC update on clean install of Windows Server 2008 R2, but it failed with error "The update is not applicable to your computer". Package I used was named "Windows6.1-KB974405-x64.msu".

Is this a known issue, or is some dependency missing?

initial config wizard + Microsoft.IdentityServer.ConfigWizard Warning Error retrieving SQL Instances:

Mon, 23 Nov 2009 17:26:37 Z

Hi,

I have a Win2k8 box (x64) in a domain where i want to have ADFS v2 on.. All updates are installed, when running the initial config i get an error.. running the config wizard with the -logfile option i see in the logs:

Fix the error and re-run the "Geneva" Server Initial Configuration wizard.

Microsoft.IdentityServer.ConfigWizard Information: 936 : 1 [ 35423023107 ]: DebugLog initialized

Microsoft.IdentityServer.ConfigWizard Warning: 936 : 1 [ 35429325357 ]: Error retrieving SQL Instances: System.Management.ManagementException: Invalid namespace

at System.Management.ManagementScope.Initialize()

at System.Management.ManagementObjectSearcher.Initialize()

at System.Management.ManagementObjectSearcher.Get()

at Microsoft.IdentityServer.Mmc.Administration.Providers.SqlConfigProvider.RetrieveInstances(String hostName, String wmiNamespace)

Microsoft.IdentityServer.ConfigWizard Error: 936 : 5 [ 38020726943 ]: SqlReinstallTask execution gave exception.

Microsoft.IdentityServer.ConfigWizard Error: 936 : 5 [ 38021349187 ]: RunTask encountered an exception.

Fix the error and re-run the "Geneva" Server Initial Configuration wizard.

any hints?

WORK FOR AVANADE!

Providing federated identity with Geneva Server and CardSpace

Mon, 31 Aug 2009 14:23:37 Z

“INTRODUCING “GENEVA” whitepaper describes situation when user in enterprise X accesses web application in enterprise Y with identity that matches this application’s requirements.

Here clearly said that Geneva CardSpace would traverse this kind of federation relationship:

0. Application determines which IP-STS it trusts.

1. CardSpace learns application token requirements,

2. Contacts STS in enterprise Y to learn his token requirements.

3. Asks user’s home realm STS to issue token to STS in enterprise Y

4. And finally, STS in enterprise Y, after verifying received token, issues token that allows this user to access the application.

The question is:

1) How to configure my web application so that it notice cardspace which IP-STS he trusts.

2) Does Geneva Server beta 2 support these interactions (according to “” we establish trust-relationship between Geneva Servers in two security realms, but in property window of added IP we have seen no active endpoint, which could receive tokens)?

3) Can Windows CardSpace traverse this kind of federation relationship?

Need guidance on multitenant strategy

Sun, 22 Nov 2009 02:04:37 Z

Imagine a multitenant blog engine written on ASP.NET MVC and hosted on Azure. It uses Windows Live ID for authentication, and doesn't use the ASP.NET Membership or Role providers. The LiveID UUID is mapped to a GUID which is used as a UserID throughout the site. For example, individual blog posts have a field which contains this GUID to identify a poster. Each blog has its own hostname, as in http://myblog.example.com.

It works fine, but how could one plan now for eventually supporting customers who want to authenticate with their own ADFS2 servers or something else? I know this is where WIF comes in. I have quite a bit to learn, but what I'd like to know now is if I need to change my database schema to support this down the road. Is it fine to launch now using a GUID as a UserID? Any advice on this would be welcomed.

My real app isn't a blog engine, but it's a close enough example and one that's readily understood.

Any tips?

deploy geneva server proxy. error when i try to get a new token from geneva server proxy.

Sat, 21 Nov 2009 15:57:26 Z

Im trying to deploy geneva proxy server. I've passed through "Checklist: Setting Up a "Geneva" Server Proxy" and met all of requirements.
But anyway when i'm trying to request a new security token i have the folloing exception in my passive STS:

Microsoft.IdentityServer.Shared.WSFederation.RequestFailedException: MSIS7012: The request failed. Contact your administrator for details. ---> System.InvalidOperationException: Client certificate doesn't provide. Please specify client certificate in ClientCredentials. Server stack trace: в System.ServiceModel.ClientCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement, Boolean disableInfoCard) в System.ServiceModel.ClientCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement) в System.ServiceModel.Channels.TransportSecurityHelpers.GetCertificateTokenProvider(SecurityTokenManager tokenManager, EndpointAddress target, Uri via, String transportScheme, ChannelParameterCollection channelParameters) в System.ServiceModel.Channels.HttpsChannelFactory.CreateAndOpenCertificateTokenProvider(EndpointAddress target, Uri via, ChannelParameterCollection channelParameters, TimeSpan timeout) в System.ServiceModel.Channels.HttpsChannelFactory.HttpsRequestChannel.CreateAndOpenTokenProvider(TimeSpan timeout) в System.ServiceModel.Channels.HttpsChannelFactory.HttpsRequestChannel.OnOpen(TimeSpan timeout) в System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) в System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout) в System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) в System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout) в System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade) в System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout) в System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) в System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs) в System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) в System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) Exception rethrown at [0]: at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) at Microsoft.IdentityServer.Shared.Protocols.WSTrust.IWSTrustFeb2005ContractAsync.IssueAsync(Message request) at Microsoft.IdentityServer.Shared.Protocols.WSTrust.WSTrustFeb2005ContractAsyncClientManager.IssueAsyncWorker(Message request, Boolean firstTry) at Microsoft.IdentityServer.Shared.Protocols.WSTrust.WSTrustFeb2005ContractAsyncClientManager.IssueAsyncWorker(Message request, Boolean firstTry) at Microsoft.IdentityServer.Shared.Protocols.WSTrust.WSTrustFeb2005ContractAsyncClientManager.IssueAsync(Message request) at Microsoft.IdentityServer.Shared.Protocols.WSTrust.WSTrustFeb2005Client.Issue(RequestSecurityToken rst) at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request) --- End of inner exception stack trace --- at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request) at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo) at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveAuthentication.BuildSignInResponseCoreWithOnBehalfOf(SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, Boolean isIssuedToken, WSFederationMessage incomingMessage) at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, Boolean isIssuedToken, WSFederationMessage incomingMessage) at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(WSFederationPassiveContext federationPassiveContext, SecurityToken securityToken, Boolean isIssuedToken) at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveAuthentication.BuildSignInResponse(WSFederationPassiveContext federationPassiveContext, SecurityToken securityToken, Boolean isIssuedToken) at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveAuthentication.SignIn(HttpContext context, WSFederationPassiveContext federationPassiveContext, SecurityToken securityToken, Boolean isIssuedToken) at FaultHandlingWSFederationPassiveAuthentication.SignIn(SecurityToken token, Boolean isIssuedToken)

I've checked the proxy certifiacte many times, and i think it's OK.
But anyway i dont know what to do. Please clarify and comment this exception.
Thanks a lot, guys!

Getting a Cryptograghic error on IdentityModel.Web.SessionAuthenticationModule.OnAuthenticateRequest

Fri, 20 Nov 2009 16:56:46 Z

We have a claims aware ASP.Net MVC site in a web farm environment and on switches between servers we get these errors.

We don't use session within the application.

1) is it possible to switch away from the session altogether?

2) is there a quick way to get around the crypto issue as we work on #1?

Here is the stack:

[CryptographicException: Key not valid for use in specified state.

]

System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope) +425

Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[] encoded) +23

Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +107

Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.Deserialize(Byte[] encodedByteArray) +43

Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader) +366

Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token) +46

Microsoft.IdentityModel.Web.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie) +84

Microsoft.IdentityModel.Web.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +58

Microsoft.IdentityModel.Web.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +49

System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +68

System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75

Will there be Geneva templates for Web Application projects?

Thu, 04 Jun 2009 14:35:51 Z

I couldn't find the "Modify STS reference" menu item and then I realised that I was using a web application project not a website. I don't use the website feature in ASP.NET (it's horrible). So I was wondering if there will be templates for web applications at some point.

WIF Install problem - RC to RTM

Thu, 19 Nov 2009 00:29:59 Z

Hi,

I'm trying to upgrade from the WIF RC to the WIF RTM release on Windows 7. I downloaded and ran the install - Windows6.1-KB974405-x86.msu but I get the error "The update is not applicable for your computer"

What am I missing? I presume there is a change between the RC and RTM releases.

Regards Wilko31

The certificate's private key could not be accessed

Fri, 13 Nov 2009 15:41:03 Z

Hi,

I am working with the Geneva Framework and Windows Cardspace. In my STS config file I am using the following sentence:

</serviceCertificate>

When I try to access my STS from the browser it throw this error exception:

Parser Error Message: ID1024: The configuration property value is not valid.
PropertyName: serviceCertificate
Error: ID1039: The certificate's private key could not be accessed. Ensure the access control list (ACL) on the certificate's private key grants access to the application pool user.

I already tried to solve the problem with the solutions that I found on Internet but it is still not working:

§ From the MMC tool I right clicked in the certificate that I am using, All Tasks -> Manage Private Keys and gave access to IIS user, Network Service and finally to Everyone.

§ Also ran winhttpcertcfg tool and did the same, gave access to IIS user, Network Service and finally to Everyone.

I am working on Vista with IIS7.

Does anyone have any idea of what could be the problem?

Thanks!

Exception when interworking between Shibboleth IDP and Geneva Beta 2

Thu, 27 Aug 2009 17:17:37 Z

I've got a simple ASP.Net app working with a Geneva server. I'm now trying to get things working with a Shibboleth IDP.
I can choose the IDP from the list 'Select Sign In Options' and get redirected to the IDPs username and password page. Assuming I get the username and password correct I get redirected to the /FederationPassive/ page on the Geneva server which has an MSIS7012 error.

In the event log I get:

The Federation Service encountered a serious error while processing the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

Additional Data
Exception details:
System.IdentityModel.Tokens.SecurityTokenException: ID4153: A Saml2SecurityToken cannot be created from the Saml2Assertion because it contains a SubjectConfirmationData which specifies an Address value. Enforcement of this value is not supported by default. To customize SubjectConfirmationData processing, extend Saml2SecurityTokenHandler and override ValidateConfirmationData.
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateConfirmationData(Saml2SubjectConfirmationData confirmationData)
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ResolveSecurityKeys(Saml2Assertion assertion, SecurityTokenResolver resolver)
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadToken(XmlReader reader)
   at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenElement.get_SecurityToken()
   at Microsoft.IdentityServer.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfContext(RequestSecurityToken request, IClaimsPrincipal callerPrincipal, IClaimsPrincipal& principal, AuthenticationContext& authenticationContext)
   at Microsoft.IdentityServer.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
   at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.WSTrustServiceContractAsyncResult.BeginRST(IClaimsPrincipal authContext, RequestSecurityToken request)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginCore(Message requestMessage, AsyncCallback callback, Object state, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String trustNamespace)

Can I reconfigure things to just ignore the SubjectConfirmationData or do I need to find a way to turn it off on the Shibboleth end?

Any ideas?

MSIS7012: The request failed

Wed, 11 Nov 2009 12:18:16 Z

Hi,

I'm establishing federation using Geneva with IBM Tivoli and using Geneva as a Service Provider and IBM Tivoli as an Identity Provider. For federation I'm using WS-Federation protocol.

After authentication on IBM side I'm getting "MSIS7012: The request failed" error in the browser and in the Geneva log getting:

ID3094: Cannot create Federation message from the given Uri 'https://con1-w2k8r264gnv.contoso1.com/adfs/ls/default.aspx'

ID3007: The element renewing with namespace http://schemas.xmlsoap.org/ws/2005/02/trust is unrecognized error.

Please provide any link if you know on this.

Thanks in advance.

Vaibhav

Geneva log:

<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"><System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system"><EventID>8</EventID><Type>3</Type><SubType Name="Error">0</SubType><Level>2</Level><TimeCreated SystemTime="2009-11-11T13:14:31.6532461Z" /><Source Name="Microsoft.IdentityModel" /><Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" /><Execution ProcessName="w3wp" ProcessID="2648" ThreadID="6" /><Channel/><Computer>CON1-W2K8R264GN</Computer></System><ApplicationData><TraceData><DataItem><TraceRecord xmlns="http://schemas.microsoft.com/2009/10/IdentityModel/TraceRecord" Severity="Error"><Description>Handled exception.</Description><AppDomain>/LM/W3SVC/1/ROOT/adfs/ls-1-129024188713222126</AppDomain><Exception><ExceptionType>Microsoft.IdentityModel.Protocols.WSFederation.WSFederationMessageException, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35</ExceptionType><Message>ID3094: Cannot create Federation message from the given Uri 'https://con1-w2k8r264gnv.contoso1.com/adfs/ls/default.aspx'.</Message><StackTrace>   at Microsoft.IdentityModel.Protocols.WSFederation.WSFederationMessage.CreateFromUri(Uri requestUri)
   at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveContext.EnsureCurrent(HttpContext context)
   at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveAuthenticationModule.OnEnter(Object sender, EventArgs e)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp; completedSynchronously)
   at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)
   at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)
   at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr managedHttpContext, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr managedHttpContext, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
</StackTrace><ExceptionString>Microsoft.IdentityModel.Protocols.WSFederation.WSFederationMessageException: ID3094: Cannot create Federation message from the given Uri 'https://con1-w2k8r264gnv.contoso1.com/adfs/ls/default.aspx'.</ExceptionString></Exception></TraceRecord></DataItem></TraceData></ApplicationData></E2ETraceEvent><E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"><System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system"><EventID>1</EventID><Type>3</Type><SubType Name="Information">0</SubType><Level>8</Level><TimeCreated SystemTime="2009-11-11T13:14:31.8690526Z" /><Source Name="Microsoft.IdentityModel" /><Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" /><Execution ProcessName="w3wp" ProcessID="2648" ThreadID="6" /><Channel/><Computer>CON1-W2K8R264GN</Computer></System><ApplicationData><TraceData><DataItem><TraceRecord xmlns="http://schemas.microsoft.com/2009/10/IdentityModel/TraceRecord" Severity="Information"><Description>Microsoft.IdentityModel Diagnostic Trace</Description><AppDomain>/LM/W3SVC/1/ROOT/adfs/ls-1-129024188713222126</AppDomain><ChunkedCookieHandlerTraceRecord xmlns="http://schemas.microsoft.com/2009/06/IdentityModel/DeflateCookieTraceRecord" Action="Reading Cookie"><Name>MSISContextd9d66e82-2c6d-4dc1-b089-e4f330d0b7fe</Name></ChunkedCookieHandlerTraceRecord></TraceRecord></DataItem></TraceData></ApplicationData></E2ETraceEvent><E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"><System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system"><EventID>1</EventID><Type>3</Type><SubType Name="Information">0</SubType><Level>8</Level><TimeCreated SystemTime="2009-11-11T13:14:31.8690526Z" /><Source Name="Microsoft.IdentityModel" /><Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" /><Execution ProcessName="w3wp" ProcessID="2648" ThreadID="6" /><Channel/><Computer>CON1-W2K8R264GN</Computer></System><ApplicationData><TraceData><DataItem><TraceRecord xmlns="http://schemas.microsoft.com/2009/10/IdentityModel/TraceRecord" Severity="Information"><Description>Microsoft.IdentityModel Diagnostic Trace</Description><AppDomain>/LM/W3SVC/1/ROOT/adfs/ls-1-129024188713222126</AppDomain><ChunkedCookieHandlerTraceRecord xmlns="http://schemas.microsoft.com/2009/06/IdentityModel/DeflateCookieTraceRecord" Action="Deleting Cookie"><Name>MSISContextd9d66e82-2c6d-4dc1-b089-e4f330d0b7fe</Name><Path>/adfs/ls</Path></ChunkedCookieHandlerTraceRecord></TraceRecord></DataItem></TraceData></ApplicationData></E2ETraceEvent><E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"><System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system"><EventID>8</EventID><Type>3</Type><SubType Name="Error">0</SubType><Level>2</Level><TimeCreated SystemTime="2009-11-11T13:14:31.8924886Z" /><Source Name="Microsoft.IdentityModel" /><Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" /><Execution ProcessName="w3wp" ProcessID="2648" ThreadID="6" /><Channel/><Computer>CON1-W2K8R264GN</Computer></System><ApplicationData><TraceData><DataItem><TraceRecord xmlns="http://schemas.microsoft.com/2009/10/IdentityModel/TraceRecord" Severity="Error"><Description>Handled exception.</Description><AppDomain>/LM/W3SVC/1/ROOT/adfs/ls-1-129024188713222126</AppDomain><Exception><ExceptionType>Microsoft.IdentityModel.Protocols.WSTrust.WSTrustSerializationException, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35</ExceptionType><Message>ID3007: The element Renewing with namespace http://schemas.xmlsoap.org/ws/2005/02/trust is unrecognized.</Message><StackTrace>   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustSerializationHelper.ReadRSTRXml(XmlReader reader, RequestSecurityTokenResponse rstr, WSTrustSerializationContext context, WSTrustConstantsAdapter trustConstants)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustSerializationHelper.CreateResponse(XmlReader reader, WSTrustSerializationContext context, WSTrustResponseSerializer responseSerializer, WSTrustConstantsAdapter trustConstants)
   at Microsoft.IdentityModel.Protocols.WSFederation.WSFederationSerializer.CreateResponse(WSFederationMessage message, WSTrustSerializationContext context)
   at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveAuthentication.GetRstrFromSignInResponseMessage(MSISSignInResponseMessage incomingResponse)
   at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveAuthentication.BuildSignInResponseForProtocolResponse(WSFederationPassiveContext federationPassiveContext, Boolean isIssuedToken)
   at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken, Boolean isIssuedToken)
   at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveAuthentication.SignIn(SecurityToken securityToken, Boolean isIssuedToken)
   at FaultHandlingWSFederationPassiveAuthentication.SignIn(SecurityToken token, Boolean isIssuedToken)
   at _Default.Page_Load(Object sender, EventArgs e)
   at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
   at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
   at System.Web.UI.Control.OnLoad(EventArgs e)
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at ASP.default_aspx.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp; completedSynchronously)
   at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)
   at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)
   at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr managedHttpContext, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr managedHttpContext, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr managedHttpContext, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr managedHttpContext, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
</StackTrace><ExceptionString>Microsoft.IdentityModel.Protocols.WSTrust.WSTrustSerializationException: ID3007: The element Renewing with namespace http://schemas.xmlsoap.org/ws/2005/02/trust is unrecognized.</ExceptionString></Exception></TraceRecord></DataItem></TraceData></ApplicationData></E2ETraceEvent><E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"><System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system"><EventID>1</EventID><Type>3</Type><SubType Name="Information">0</SubType><Level>8</Level><TimeCreated SystemTime="2009-11-11T13:14:31.9051831Z" /><Source Name="Microsoft.IdentityModel" /><Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" /><Execution ProcessName="w3wp" ProcessID="2648" ThreadID="6" /><Channel/><Computer>CON1-W2K8R264GN</Computer></System><ApplicationData><TraceData><DataItem><TraceRecord xmlns="http://schemas.microsoft.com/2009/10/IdentityModel/TraceRecord" Severity="Information"><Description>Microsoft.IdentityModel Diagnostic Trace</Description><AppDomain>/LM/W3SVC/1/ROOT/adfs/ls-1-129024188713222126</AppDomain><ChunkedCookieHandlerTraceRecord xmlns="http://schemas.microsoft.com/2009/06/IdentityModel/DeflateCookieTraceRecord" Action="Reading Cookie"><Name>MSISContextd9d66e82-2c6d-4dc1-b089-e4f330d0b7fe</Name></ChunkedCookieHandlerTraceRecord></TraceRecord></DataItem></TraceData></ApplicationData></E2ETraceEvent><E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"><System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system"><EventID>1</EventID><Type>3</Type><SubType Name="Information">0</SubType><Level>8</Level><TimeCreated SystemTime="2009-11-11T13:14:31.9051831Z" /><Source Name="Microsoft.IdentityModel" /><Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" /><Execution ProcessName="w3wp" ProcessID="2648" ThreadID="6" /><Channel/><Computer>CON1-W2K8R264GN</Computer></System><ApplicationData><TraceData><DataItem><TraceRecord xmlns="http://schemas.microsoft.com/2009/10/IdentityModel/TraceRecord" Severity="Information"><Description>Microsoft.IdentityModel Diagnostic Trace</Description><AppDomain>/LM/W3SVC/1/ROOT/adfs/ls-1-129024188713222126</AppDomain><ChunkedCookieHandlerTraceRecord xmlns="http://schemas.microsoft.com/2009/06/IdentityModel/DeflateCookieTraceRecord" Action="Deleting Cookie"><Name>MSISContextd9d66e82-2c6d-4dc1-b089-e4f330d0b7fe</Name><Path>/adfs/ls</Path></ChunkedCookieHandlerTraceRecord></TraceRecord></DataItem></TraceData></ApplicationData></E2ETraceEvent>

How to report a Fault to RP

Thu, 19 Nov 2009 07:46:17 Z

Hi

Now when RP send the SignIn Message to the STS, we allow it add some parameters. If there is any error at the parameters we want to report fault to the applications.
How to report a fault to RP (like FaultException at WCF)

WIF RC on W2k3

Fri, 13 Nov 2009 15:19:45 Z

Any reason for not supporting that OS in the current release ?. The release note states that this operation system is not supported yet.
One of my customers is planning to implement a web sso solution using WIF, but the only option they have at the moment is to support it on top of W2k3.

Thanks
Pablo.

Pablo Cibraro - http://weblogs.asp.net/cibrax

session security token in cookie security

Wed, 18 Nov 2009 09:15:13 Z

Could someone confirm/deny whether the cookie issued by the SessionAuthenticationModule is encrypted or not?

I was looking to put some additional claims into the cookie (which are in effect keys to perform additional operatons against remote services), but if the cookie isn't encrypted then it wouldn't be that difficult to extract this information.

Thanks in advance

Jamie

WIF and SSRS 2008

Wed, 18 Nov 2009 16:34:51 Z

As a Microsoft Gold partner , I am encouraged to exploit the latest Microsoft Offerings.
Currently am looking at using WIF to provide SSO capabilities , SQL2008 and SSRS 2008 for data Storage and reporting.
Multiple UI formats, including Winforms Fat client, Silverlight.

Unfortuantely thare is a lot of effort involved in "Gluing" these technologies together. Roadmaps for the various technology streams very rarely offer hope that it will all come together in the end.

Todays headache is SSO for SQL2008 reporting services.
I note a similar thread from the past ...
http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/25bd0bad-bad5-475c-818b-8006b3cef53d/

I have Successfully implemented Forms Authenication in SSRS 2008. Any advice on where to go from here !
Does anyone on the WIF team know if the SSRS team will be supporting WIF ? or could anyone provide a sample ?

I hear Sharepoint 2010 will has WIF as a prereq, And SSRS has a sharepoint mode ..... SQL2008 R2 SSRS boasts improved SSO with SAP ! .....

ADMIN0017: An exception occurred while connecting to the policy store service. The policy administration URL 'net.pipe://localhost/policy' may be incorrect or the "Geneva" service is not running.

Mon, 02 Nov 2009 19:56:19 Z

Hi, I had successfully deployed 4 Geneva Beta 2 Labs on my organization and partners. This error happened after a couple of weeks of normal operations and ONLY on x64 systems.

Symptom: If you try to open the Geneva Server MMC, you get the message "ADMIN0017: An exception occurred while connecting to the policy store service. The policy administration URL 'net.pipe://localhost/policy' may be incorrect or the "Geneva" service is not running."

Env:

No information is logged to the event log.
The Geneva Server is running and can be restarted normally.
The Initial Configuration Wizard can be run many times that it will finish successfully.
On a Geneva Farm comprised of two nodes, a Win2k8 x86 SP2 and Win2k8 x64 SP2, only the x64 Geneva failed.
Geneva Farm db is SQL Server 2008 (without SP2)

Now I am uninstalling/reinstalling IIS7, Geneva Server and Geneva Fx. I would love some help on understanding the underlying problem or troubleshooting steps because I am blinded now,

Thanks,

Beto

IP address/subnet as claim information

Wed, 18 Nov 2009 07:34:34 Z

Hi All,

I need to provide the information of the client's ip address or subnet to the backend application as a claim value. How could this information be put into a claim with ADFS 2.0. Is there any description of such a scenario?

Regards,
Christian

IAM Consultant

Sharepoint MOSS2007 with Geneva

Fri, 13 Mar 2009 11:26:21 Z

When trying to log into a MOSS site, I get the following error:

The system cannot find the file specified.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Security.Cryptography.CryptographicException: The system cannot find the file specified.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[CryptographicException: The system cannot find the file specified. ] 
System.Security.Cryptography.ProtectedData.Protect(Byte[] userData, Byte[] optionalEntropy, DataProtectionScope scope) +453 
Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Encode(Byte[] value) +23 
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +44 
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.Serialize(SessionSecurityToken sessionToken) +542 
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(XmlWriter writer, SecurityToken token) +171 
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(SessionSecurityToken sessionToken) +53 
Microsoft.IdentityModel.Web.FederatedAuthenticationModuleBase.SetPrincipalAndWriteSessionToken(SessionSecurityToken sessionToken, Boolean isSession) +163 
Microsoft.IdentityModel.Web.FederatedAuthenticationModuleBase.AuthenticationCore() +541 Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.AuthenticationCore() +5 
Microsoft.IdentityModel.Web.FederatedAuthenticationModuleBase.OnAuthenticateRequest(Object sender, EventArgs args) +43 
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +68 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75

I get the same error for both the FederatedPassiveSignIn and the InfoCard controls.
When a standard ASP.NET website uses the same STS and controls on the same machine, all works fine.
Must be a SP issue it seems; I already added the user under which the SP ApplicationPool runs to the MachineKeys folder's users with full control.

I hope you can help me out!
Thanks in advance!

Cardspace Geneva not showing any cards

Wed, 18 Nov 2009 00:01:34 Z

Hi,

I am trying to use Geneva Cardsapce with a wcf client to authenticate to a wcf service (hosted in IIS7) using the stock standard Geneva Server as the RP-STS.

An earlier test using a passively federated ASP.NET web site is working quite alright using the same Geneva Server RP-STS. I used the card provisioning site (installed with the Geneva Server) to acquire a managed card. This all works well with the browser based application.

I am not getting any success with the wcf client configured to source the token from the RP-STS using Geneva Cardspace. The Cardspace application starts up, and informs that the application has requested a managed card, but when I click "yes" to supply a card, I get no cards displayed. I would have thought that the card I had already acquired, and used ok with the asp.net web application, would have appeared for selection.

Is any body able to shed light on what settings I should be trying to concentrate on for solving this?

Thanks.

Single Sign Out from Geneva Server

Mon, 21 Sep 2009 11:08:22 Z

Hi all,
Our application needs to clean up Geneva Server cookies during sign out and returns back to web application page.
In our case Geneva Server is acting as an identity provider, web aplication is trusted RP.
Currently the only way to clean up the cookies is to send sign out message to Geneva Server.
Unfortunatly sending such message leads to "Sign Out Result" page and we are not redirected to our application page.
It looks like Geneva Server doesn't understand wsignoutcleanup message.
The question is very simple how can we sign out from Geneva Server and return to page
sent in wreply parameter (or to the registered RP endpoint)?

Regards, Igor

Live ID problem in site

Mon, 16 Nov 2009 22:25:06 Z

Hi,
I dont know if this is the place to ask. But are you having problems to manage the site created in https://msm.live-int.com?
When I go to "Manage your site" I get

System Error

A system error has occurred. Any unsaved data has been lost and will have to be re-entered. Please try again later.

This is a huge problem because I am developing the Live ID integration and I cant change the site properties. So I am stucked :(
Do you have the same problem?

Regards,
Juan Andrés

Error creating a ASP.NET Security Token Service Web Site

Sat, 23 May 2009 15:04:22 Z

Hi there,

When I try to create a new ASP.NET Security Token Service Web Site, I'm getting a message box with the following:

Value cannot be null
Parameter name: certificate

Can anyone tell me the posible source of this error? How can I trace the project creation process so I can get more detail of what is going on?

Thanks,

JC

Saml2SecurityToken' does not support 'SamlAssertionKeyIdentifierClause' creation fixed in RC?

Fri, 13 Nov 2009 18:34:21 Z

I just wanted to check that the bug in the Beta 2 release of Geneva that raised the following exception:
Saml2SecurityToken' does not support 'SamlAssertionKeyIdentifierClause' creation

when creating a WS-Security SecurityTokenReference using a SAML 2.0 token, had been fixed.

Does anyone know if it has been? I haven't had a chance to look at the RC yet.

Thanks.

YoY

Warning ID8024 Element name='KeyInfo' with Windows Identity Framework RC

Tue, 10 Nov 2009 17:51:19 Z

I'm very glad to see the better diagnostics of the Windows Identity Framework RC
But, if I turn on the diagnostics at relaying party side there are two warnings:

<TraceRecord xmlns="http://schemas.microsoft.com/2009/10/IdentityModel/TraceRecord" Severity="Warning">
<Description>ID8024: Element: name='KeyInfo' namespace='http://www.w3.org/2000/09/xmldsig#' was encountered in an <EncryptionMethod> element: '<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:e="http://www.w3.org/2001/04/xmlenc#"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"></DigestMethod></e:EncryptionMethod>' and was not processed. </Description>
<AppDomain>ClaimsAwareWebService.exe</AppDomain>

and
<TraceRecord xmlns="http://schemas.microsoft.com/2009/10/IdentityModel/TraceRecord" Severity="Warning">
<Description>ID8024: Element: name='KeyInfo' namespace='http://www.w3.org/2000/09/xmldsig#' was encountered in an <EncryptionMethod> element: '<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:e="http://www.w3.org/2001/04/xmlenc#"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#" /></e:EncryptionMethod>' and was not processed. </Description>
<AppDomain>ClaimsAwareWebService.exe</AppDomain>

The application works, but could someone explain me these warnings?

I have tested with
\Samples\Quick Start\Web Service\ClaimsAwareWebService

that is the app.config

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.serviceModel>
...
   <diagnostics >
      <messageLogging logMalformedMessages="true"
                      logMessagesAtTransportLevel="true"
                      logEntireMessage="true"
                      logMessagesAtServiceLevel="true"/>
    </diagnostics>
  </system.serviceModel>
  <system.diagnostics>
    <sources>
      <source name="System.ServiceModel.MessageLogging" switchValue="Warning, ActivityTracing">
        <listeners>
          <add type="System.Diagnostics.DefaultTraceListener" name="Default">
            <filter type="" />
          </add>
          <add name="ServiceModelMessageLoggingListener">
            <filter type="" />
          </add>
        </listeners>
      </source>
      <source name="Microsoft.IdentityModel" switchValue="Verbose">
        <listeners>
          <add name="ServiceModelMessageLoggingListener" />
        </listeners>
      </source>
    </sources>
    <sharedListeners>
      <add initializeData="Service_Messages.e2e"
           type="System.Diagnostics.XmlWriterTraceListener, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
           name="ServiceModelMessageLoggingListener"
           traceOutputOptions="Timestamp">
        <filter type="" />
      </add>
    </sharedListeners>

    <trace autoflush="true" />
  </system.diagnostics>

</configuration>

Configuring Active RP's in code

Fri, 13 Nov 2009 18:37:37 Z

I am trying to write a custom servicehost for my active RP's.

There's many examples of setting up the service behaviors and bindings via config, but I haven't found any for configuring the service via custom service hosts.

Can someone either post a code example or share a link to a code-based example of setting up a RP via code.

Thanks.