Question: Multiple Authentication Endpoints on STS

  • 12 July 2012 14:59

      Has code

    I'm trying to set up an STS with multiple endpoints for authentication (one for Windows and another for Username) but when I enable the second endpoint the STS goes unresponsive -- nothing in the trace log for the STS and a CommunicationsError on the client ("Security negotiation failed because the remote party did not send back a reply in a timely manner. This may be because the underlying transport connection was aborted."). Simply disabling the second endpoint (by commenting out the endpoint definition for Username) in the STS's config re-enables successful authentication.

    This is for an active client implementation if that helps.

    The client is currently set up for using the Windows auth endpoint and works just fine as long as the STS is configured with just the Windows auth endpoint. Here's how I have the endpoints and bindings defined in the STS:

    		<services>
    			<service name="Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract" behaviorConfiguration="ServiceBehavior">
    				<clear />
    				<endpoint address="Windows/IWSTrust13"
    									binding="ws2007HttpBinding" 
    									bindingConfiguration="ws2007HttpBindingWindowsConfiguration"
    									contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract"  
    									/>
    				<endpoint address="User/IWSTrust13"
    									binding="ws2007HttpBinding" 
    									bindingConfiguration="ws2007HttpBindingUserConfiguration"
    									contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract"  
    									/>
    				<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    				<host>
    					<baseAddresses>
    						<add baseAddress="http://localhost/My.Security.AuthService_STS/Service.svc" />
    					</baseAddresses>
    				</host>
    			</service>
    		</services>
    		<bindings>
    			<ws2007HttpBinding>
    				<!-- Auth for integrated security -->
    				<binding name="ws2007HttpBindingWindowsConfiguration">
    					<security mode="Message">
    						<message establishSecurityContext="false" clientCredentialType="Windows" />
    					</security>
    				</binding>
    				<!-- Auth for username/password -->
    				<binding name="ws2007HttpBindingUserConfiguration">
    					<security mode="Message">
    						<message establishSecurityContext="false" clientCredentialType="UserName" />
    					</security>
    				</binding>
    			</ws2007HttpBinding>
    		</bindings>

    My implementation comes from this post.

    It's also my understanding that with a passive client implementation such a multi-endpoint configuration would be unsupported. In that case should I just go ahead and implement two services each with their own endpoint as illustrated in this post?

    Thanks for the help.

All messages

  • 12 July 2012 15:53


    This should definitely work in a single service. Try removing the /IWSTrust.

    I have a sample STS here that has multiple endpoints, but I use a factory.

    https://github.com/thinktecture/Thinktecture.IdentityServer


    Dominick Baier | thinktecture | http://www.leastprivilege.com

  • 12 July 2012 16:30

    Thanks Dominick. I tried removing /IWSTrust on both the STS and client and got the same results. I've been studying your identity server for a few days now so I guess I'll take another look at your implementation. Quite impressive I must say.
  • 12 July 2012 16:39

  • 12 July 2012 18:33

      Has code

    Well it looks like it's just the Username endpoint that's the problem. If it alone is enabled I get the same error. Looking at your factory the only difference I see (and yes I'm blind) is that you're using TransportWithMessageCredential for the security mode and I'm just using Message. I'd rather not go to the trouble of setting up SSL for the transport if I can help it at this stage of development (assuming that it's the problem).

    My client bindings and endpoint look like this:

    		<bindings>
    			<ws2007FederationHttpBinding>
    				<binding name="WS2007FederationHttpBinding_IMyAuthService"
    				 closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00"
    				 sendTimeout="00:01:00" bypassProxyOnLocal="false" transactionFlow="false"
    				 hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288"
    				 maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8"
    				 useDefaultWebProxy="true">
    					<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
    					 maxBytesPerRead="4096" maxNameTableCharCount="16384" />
    					<reliableSession ordered="true" inactivityTimeout="00:10:00"
    					 enabled="false" />
    					<security mode="Message">
    						<message algorithmSuite="Default" issuedKeyType="SymmetricKey"
    						 negotiateServiceCredential="true" establishSecurityContext="false">
    							<issuer address="http://localhost:33831/My.Security.AuthService_STS/Service.svc/User/IWSTrust13"
    							 binding="ws2007HttpBinding" bindingConfiguration="STS_UserAuth">
    								<identity>
    									<userPrincipalName value="me@my.com" />
    								</identity>
    							</issuer>
    							<issuerMetadata address="http://localhost:33831/My.Security.AuthService_STS/Service.svc/mex" />
    							<tokenRequestParameters>
    								<trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
    									<trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
    									<trust:KeySize xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</trust:KeySize>
    									<trust:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"
    									 xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
    										<wsid:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
    										 Optional="true" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
    										<wsid:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
    										 Optional="true" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
    									</trust:Claims>
    									<trust:KeyWrapAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
    									<trust:EncryptWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
    									<trust:SignWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
    									<trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
    									<trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
    								</trust:SecondaryParameters>
    							</tokenRequestParameters>
    						</message>
    					</security>
    				</binding>
    			</ws2007FederationHttpBinding>
    			<ws2007HttpBinding>
    				<clear />
    				<binding name="STS_UserAuth"
    				 closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00"
    				 sendTimeout="00:01:00" bypassProxyOnLocal="false" transactionFlow="false"
    				 hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288"
    				 maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8"
    				 useDefaultWebProxy="true" allowCookies="false">
    					<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
    					 maxBytesPerRead="4096" maxNameTableCharCount="16384" />
    					<reliableSession ordered="true" inactivityTimeout="00:10:00"
    					 enabled="false" />
    					<security mode="Message">
    						<message establishSecurityContext="false" clientCredentialType="UserName" />
    					</security>
    				</binding>
    			</ws2007HttpBinding>
    		</bindings>
    		<client>
    			<endpoint address="http://localhost:8732/My.Security.AuthService/MyAuthService/"
    			 binding="ws2007FederationHttpBinding" bindingConfiguration="WS2007FederationHttpBinding_IMyAuthService"
    			 contract="MyAuthService.IMyAuthService" name="WS2007FederationHttpBinding_IMyAuthService">
    				<identity>
    					<certificate encodedValue="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" />
    				</identity>
    			</endpoint>
    		</client>
    

    Are there any specific requirements for implementing UserName authentication that I'm missing here? I am setting the username in code before I open the channel:

    _appService = new AppServiceClient();
    if (_appService.ClientCredentials != null)
    {
    	// The federated client forwards these ClientCredentials to the issuer (STS) channel,
    	// so they are what the UserName-authenticated STS_UserAuth binding sends.
    	_appService.ClientCredentials.UserName.UserName = "domain\\user";
    	_appService.ClientCredentials.UserName.Password = "password";
    }
    var claims = _appService.GetClaims();
    

    Thanks again for all of your help.
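
Added example (not from the thread, the poster, or Thinktecture.IdentityServer): an STS-side web.config fragment that hosts both endpoints in one service and supplies what a Message-mode UserName endpoint needs and the question's fragment does not show, namely a service certificate and a password validator under `<serviceCredentials>`. With clientCredentialType="Windows", SSPI negotiation derives the message-protection keys, so the Windows endpoint opens without a certificate; with clientCredentialType="UserName" the client encrypts the password to the STS certificate, and WCF will not open that endpoint if no serviceCertificate is configured. The certificate subject `CN=localhost`, the store location and the validator type `My.Security.AuthService_STS.PasswordValidator` are placeholders. The thread never shows the existing `ServiceBehavior` element, so merge this with whatever it already contains (for example the WIF service host configuration) rather than replacing it.

```xml
<!-- Added example config, not the poster's or Thinktecture's. Placeholder names:
     the certificate CN=localhost in LocalMachine\My and the validator type below. -->
<system.serviceModel>
  <services>
    <service name="Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract"
             behaviorConfiguration="ServiceBehavior">
      <!-- Two WS-Trust 1.3 endpoints on one service, distinguished only by binding. -->
      <endpoint address="Windows" binding="ws2007HttpBinding"
                bindingConfiguration="WindowsMessage"
                contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract" />
      <endpoint address="User" binding="ws2007HttpBinding"
                bindingConfiguration="UserNameMessage"
                contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract" />
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <bindings>
    <ws2007HttpBinding>
      <!-- Windows: Kerberos/NTLM (SSPI) negotiation supplies the message keys,
           so this endpoint works with no service certificate. -->
      <binding name="WindowsMessage">
        <security mode="Message">
          <message clientCredentialType="Windows" establishSecurityContext="false" />
        </security>
      </binding>
      <!-- UserName: the client encrypts the password to the STS certificate inside
           the SOAP envelope. This endpoint only opens when <serviceCertificate>
           below is present. negotiateServiceCredential="true" (the default) lets the
           client fetch that certificate at runtime instead of pinning it in config. -->
      <binding name="UserNameMessage">
        <security mode="Message">
          <message clientCredentialType="UserName" establishSecurityContext="false"
                   negotiateServiceCredential="true" />
        </security>
      </binding>
      <!-- Alternative used by the Thinktecture factory: TLS protects the password on
           the wire, UserName still travels in the SOAP header. Needs an https base
           address and an IIS-bound certificate instead of <serviceCertificate>. -->
      <binding name="UserNameOverTls">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" establishSecurityContext="false" />
        </security>
      </binding>
    </ws2007HttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="ServiceBehavior">
        <serviceMetadata httpGetEnabled="true" />
        <serviceCredentials>
          <!-- Placeholder certificate; the app pool identity needs read access to its
               private key. -->
          <serviceCertificate findValue="CN=localhost"
                              storeLocation="LocalMachine" storeName="My"
                              x509FindType="FindBySubjectDistinguishedName" />
          <!-- Placeholder validator: a System.IdentityModel.Selectors.UserNamePasswordValidator
               subclass. It should compare against a salted hash and never log the password. -->
          <userNameAuthentication userNamePasswordValidationMode="Custom"
              customUserNamePasswordValidatorType="My.Security.AuthService_STS.PasswordValidator, My.Security.AuthService_STS" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

Under mode="Message" the password is encrypted with the certificate's public key inside the SOAP body, so plain http is acceptable while developing; the TransportWithMessageCredential variant moves that protection to TLS, which is why the Thinktecture factory can run without a `<serviceCertificate>` but needs https. On the client side, the `<userPrincipalName>` identity under `<issuer>` in the posted config was generated for the Windows endpoint; once the STS has a certificate, regenerating the client config from the mex endpoint picks up the identity that matches the certificate-backed User endpoint.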