Failed to retrieve token from the identity provider. ( 0xc005080a ) Error

    Question

  • Hi,

    I have ADFS v2.0 RC installed and am using a simple card website with card object set to:

    <object type='application/x-informationCard' id='icardObj'>
          <param name='issuer' value='http://pt-geneva.geneva.com/adfs/services/trust' />
          <param name='tokenType' value='urn:oasis:names:tc:SAML:1.0:assertion' />
          <param name='requiredClaims' value='http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' />
          <param name='optionalClaims' value='http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' />
        </object>

    As soon as I click the object, Windows CardSpace pops up and shows the proper managed information card. But when I click the card it says the card cannot be used. The following error is shown in the event viewer:

    CardSpace failed with the following error:

    An error was encountered when creating a token.

    Details:
        Failed to retrieve token from the identity provider. ( 0xc005080a ) at c:\ida\cardspace_v2_m7\private\src\cssvc\idmgr\csidentitymanager.cpp (608).



    My Managed Information Card has the following settings:
    Federation Service Name:     PT-Geneva.geneva.com

    Issuer:         http://pt-geneva.geneva.com/adfs/services/trust

    Contact:

    WS-MetadataExchange URL:     https://pt-geneva.geneva.com/adfs/services/trust/mex

    Endpoints:     WS-Trust 1.3, Kerberos. Mixed Security Mode
                          WS-Trust 2005, Kerberos. Mixed Security Mode
                          WS-Trust 1.3, Certificate. Mixed Security Mode
                          WS-Trust 2005, Certificate. Mixed Security Mode
                          WS-Trust 1.3, Password. Mixed Security Mode
                          WS-Trust 2005, Password. Mixed Security Mode

    I have tried using the following URLs in the issuer parameter of the object tag but no luck :(

    https://pt-geneva.geneva.com/adfs/services/trust/2005/certificatemixed
    https://pt-geneva.geneva.com/adfs/services/trust/2005/usernamemixed
    https:/pt-geneva.geneva.com/adfs/services/trust/2005/kerberosmixed
    https://pt-geneva.geneva.com/adfs/services/trust/13/kerberosmixed
    https://pt-geneva.geneva.com/adfs/services/trust/13/certificatemixed
    https://pt-geneva.geneva.com/adfs/services/trust/13/usernamemixed


    I have added the relying party manually and kept the website URL as the relying party identifier. Am I missing some settings or something? Please help.

    Regards,
    Piyush

    Thursday, February 04, 2010 10:50 AM

Answers

  • Hi Rakesh,

    I figured it out. In the App_Code\TrustedIssuerNameRegistry.cs the SSL certificate name was checked. It was checking for "CN=localhost" whereas it should be "CN=mywebsite.mydomain.com" or the same name as in the Issuer property of the SSL certificate. After changing this the exception is gone.

    Since I have used a sample WIF application, the TrustedIssuerNameRegistry.cs class in it gives a very basic implementation of validating the issuer's SSL certificate. I'll check for what the best methods to do this are.

    Anyway Rakesh, thanks for your time and response, much appreciated. I'm marking this question as answered.

    Regards,
    Piyush
    • Marked as answer by Piyush Thacker Saturday, February 06, 2010 6:28 AM
    Saturday, February 06, 2010 6:28 AM

All replies

  • Can you use the latest beta of cardspace?
    You can also check the logs on the ADFS server to see if the server rejected the request for some reason
    Thursday, February 04, 2010 8:04 PM
    Moderator
  • Hi Rakesh,

    Thanks for the response. Somehow I got it working :) I had kept "http" instead of "https" in the relying party identifier.

    Now I'm able to get the security token but I always keep on getting an "Untrusted Issuer" exception while validating it.

    In my relying party website I'm using the following code to get claims from the security token:

    // Requires (WIF 3.5 / .NET 3.5):
    //   using System;
    //   using System.IdentityModel.Tokens;
    //   using Microsoft.IdentityModel.Claims;
    //   using Microsoft.IdentityModel.Configuration;
    //   using Microsoft.IdentityModel.Web;
    // The WIF service configuration loaded from the <microsoft.identityModel> section of web.config.
    ServiceConfiguration _serviceConfiguration = FederatedAuthentication.ServiceConfiguration;

    // Validates the incoming token with the configured token handlers (this is where the
    // IssuerNameRegistry is consulted) and returns the principal for this RP, or null on failure.
    IClaimsPrincipal AuthenticateSecurityToken(string endpoint, SecurityToken token)
    {
        try
        {
            ClaimsIdentityCollection claims = _serviceConfiguration.SecurityTokenHandlers.ValidateToken(token);
            IClaimsPrincipal principal = ClaimsPrincipal.CreateFromIdentities(claims);

            //
            // the ClaimsAuthenticationManager may be provided to adjust the claims received specifically for this RP
            //
            return _serviceConfiguration.ClaimsAuthenticationManager.Authenticate(endpoint, principal);
        }
        catch (Exception exception)
        {
            // LoginError is a Label control on the page; this is where the exception below is displayed.
            LoginError.Text = exception.ToString();
            return null;
        }
    }

    Exception Details:

    System.IdentityModel.Tokens.SecurityTokenException occurred
      Message="Untrusted issuer."
      Source="App_Code.xz-zfjsb"
      StackTrace:
           at TrustedIssuerNameRegistry.GetIssuerName(SecurityToken securityToken) in c:\Program Files (x86)\Windows Identity Foundation SDK\v3.5\Samples\Quick Start\CardSpace\CustomUserNameCardStsHostFactoryWebSite\App_Code\TrustedIssuerNameRegistry.cs:line 50
      InnerException:


    Card Object I used in RP Website:

     <object type='application/x-informationCard' id='icardObj'>
          <param name='issuer' value='http://pt-geneva.geneva.com/adfs/services/trust' />
          <param name='tokenType' value='urn:oasis:names:tc:SAML:1.0:assertion' />
          <param name='requiredClaims' value='http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' />
          <param name='optionalClaims' value='http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' />
        </object>

    • Marked as answer by Piyush Thacker Saturday, February 06, 2010 5:11 AM
    • Unmarked as answer by Piyush Thacker Saturday, February 06, 2010 6:28 AM
    Friday, February 05, 2010 4:31 AM
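The "Untrusted issuer" trace above comes from the WIF SDK sample's TrustedIssuerNameRegistry, which, as the accepted answer notes, only compares the subject name of the certificate that signed the token against a hard-coded "CN=localhost". The object WIF hands to GetIssuerName is the token-signing certificate from the issuer (for AD FS 2.0, its token-signing certificate), and a subject-name match is a weak trust decision: any certificate with that CN would pass. The following is an added example, not the SDK sample's code and not the poster's, of an IssuerNameRegistry that accepts only pinned certificate thumbprints. The class name, the placeholder thumbprint, and the web.config wiring shown in the comments are assumptions; the issuer URI is the one from this thread.

```csharp
// Added example (not from the WIF SDK sample or the original post): an
// IssuerNameRegistry that trusts a token-signing certificate only if its
// thumbprint is pinned, instead of matching the subject name.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;

public class PinnedThumbprintIssuerNameRegistry : IssuerNameRegistry
{
    // Assumed values: replace the placeholder with the SHA-1 thumbprint of the
    // AD FS 2.0 token-signing certificate (AD FS console > Service > Certificates).
    // Value is the issuer name that will appear on the resulting claims.
    private static readonly IDictionary<string, string> TrustedIssuers =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "0000000000000000000000000000000000000000",
              "http://pt-geneva.geneva.com/adfs/services/trust" }
        };

    public override string GetIssuerName(SecurityToken securityToken)
    {
        if (securityToken == null)
            throw new ArgumentNullException("securityToken");

        // The signing key of a SAML token arrives as an X509SecurityToken.
        X509SecurityToken x509Token = securityToken as X509SecurityToken;
        if (x509Token == null)
            throw new SecurityTokenException("Untrusted issuer: signing key is not an X.509 certificate.");

        X509Certificate2 cert = x509Token.Certificate;
        string thumbprint = cert.Thumbprint ?? string.Empty;

        // Pin on the thumbprint, not on the subject name.
        string issuerName;
        if (!TrustedIssuers.TryGetValue(thumbprint, out issuerName))
            throw new SecurityTokenException("Untrusted issuer: thumbprint " + thumbprint + " is not pinned.");

        // Also refuse a pinned certificate that is outside its validity period.
        DateTime now = DateTime.UtcNow;
        if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
            throw new SecurityTokenException("Untrusted issuer: signing certificate is not currently valid.");

        return issuerName;
    }
}

// Assumed web.config wiring for an App_Code class (replaces the sample's
// TrustedIssuerNameRegistry entry):
//
//   <microsoft.identityModel>
//     <service>
//       <issuerNameRegistry type="PinnedThumbprintIssuerNameRegistry" />
//     </service>
//   </microsoft.identityModel>
```

WIF also ships Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, which does the same thumbprint lookup from a `<trustedIssuers><add thumbprint="..." name="..." /></trustedIssuers>` element under `<issuerNameRegistry>`; the custom class above is useful when you need the validity check or a lookup against something other than web.config. Whichever is used, rotate the pinned thumbprint when the AD FS token-signing certificate rolls over, or token validation will start failing with the same "Untrusted issuer" error.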
  • Thanks for the answer. I have got it working.
    Saturday, July 24, 2010 3:21 AM