none
Active Federation problems with WCF/ADFS/WIF over SSL

    Question

  • I'm having a terrible time with this configuration. I had everything working without SSL but switching it over to SSL has given me some issues and I'm pulling my hair out. Where is my mismatch? These config files are so convoluted with so many things going on in there that I'm not really sure where to start.

    The error(s) I'm seeing:

    1. The client gets an exception: System.ServiceModel.Security.SecurityNegotiationException: Secure channel cannot be opened because security negotiation with the remote endpoint has failed. This may be due to absent or incorrectly specified EndpointIdentity in the EndpointAddress used to create the channel. Please verify the EndpointIdentity specified or implied by the EndpointAddress correctly identifies the remote endpoint. ---> System.ServiceModel.FaultException: An error occurred when verifying security for the message.
    2. So I turn on logging on the server. The server log then shows: System.ServiceModel.Security.MessageSecurityException: Security processor was unable to find a security header in the message. This might be because the message is an unsecured fault or because there is a binding mismatch between the communicating parties. This can occur if the service is configured for security and the client is not using security.

    WIF/WCF Client .config:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <system.serviceModel>
        <client>
          <endpoint address="https://mydevbox.dev1.mydomain.com/AdfsWcfHelloWorld/SayHelloService.svc"
                    binding="customBinding"
                    bindingConfiguration="WS2007FederationHttpBinding_ISayHelloService"
                    contract="ActiveFederationHelpers.Tests.ISayHelloService"
                    name="WS2007FederationHttpBinding_ISayHelloService">
            <identity>
              <certificateReference findValue="22909537C6356E15C20C93A5F652FB0C6AA8A282"
                                    storeLocation="LocalMachine"
                                    storeName="My"
                                    x509FindType="FindByThumbprint" />
            </identity>
          </endpoint>
        </client>
        <bindings>
          <customBinding>
            <binding name="WS2007FederationHttpBinding_ISayHelloService">
              <security defaultAlgorithmSuite="Default"
                        authenticationMode="SecureConversation"
                        requireDerivedKeys="true"
                        securityHeaderLayout="Strict"
                        includeTimestamp="true"
                        keyEntropyMode="CombinedEntropy"
                        messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
                        messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
                        requireSecurityContextCancellation="true"
                        requireSignatureConfirmation="false">
                <localClientSettings cacheCookies="true"
                                     detectReplays="true"
                                     replayCacheSize="900000"
                                     maxClockSkew="00:05:00"
                                     maxCookieCachingTime="Infinite"
                                     replayWindow="00:05:00"
                                     sessionKeyRenewalInterval="10:00:00"
                                     sessionKeyRolloverInterval="00:05:00"
                                     reconnectTransportOnFailure="true"
                                     timestampValidityDuration="00:05:00"
                                     cookieRenewalThresholdPercentage="60" />
                <localServiceSettings detectReplays="true"
                                      issuedCookieLifetime="10:00:00"
                                      maxStatefulNegotiations="128"
                                      replayCacheSize="900000"
                                      maxClockSkew="00:05:00"
                                      negotiationTimeout="00:01:00"
                                      replayWindow="00:05:00"
                                      inactivityTimeout="00:02:00"
                                      sessionKeyRenewalInterval="15:00:00"
                                      sessionKeyRolloverInterval="00:05:00"
                                      reconnectTransportOnFailure="true"
                                      maxPendingSessions="128"
                                      maxCachedCookies="1000"
                                      timestampValidityDuration="00:05:00" />
                <secureConversationBootstrap defaultAlgorithmSuite="Default"
                                             authenticationMode="IssuedTokenForSslNegotiated"
                                             requireDerivedKeys="true"
                                             securityHeaderLayout="Strict"
                                             includeTimestamp="true"
                                             keyEntropyMode="CombinedEntropy"
                                             messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
                                             messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
                                             requireSecurityContextCancellation="true"
                                             requireSignatureConfirmation="true">
                  <issuedTokenParameters keySize="256"
                                         keyType="SymmetricKey"
                                         tokenType="">
                    <additionalRequestParameters>
                      <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                        <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
                        <trust:KeySize xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</trust:KeySize>
                        <trust:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"
                                      xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                          <wsid:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
                                          Optional="true"
                                          xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
                          <wsid:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
                                          Optional="true"
                                          xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
                          <wsid:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
                                          Optional="true"
                                          xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
                          <wsid:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
                                          Optional="true"
                                          xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
                        </trust:Claims>
                        <trust:KeyWrapAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
                        <trust:EncryptWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
                        <trust:SignWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
                        <trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
                        <trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
                      </trust:SecondaryParameters>
                    </additionalRequestParameters>
                    <issuer address="https://dev1dc2.dev1.mydomain.com/adfs/services/trust/13/usernamemixed"
                            bindingConfiguration="https://dev1dc2.dev1.mydomain.com/adfs/services/trust/13/usernamemixed"
                            binding="ws2007HttpBinding" />
                    <issuerMetadata address="https://dev1dc2.dev1.mydomain.com/adfs/services/trust/mex" />
                  </issuedTokenParameters>
                  <localClientSettings cacheCookies="true"
                                       detectReplays="true"
                                       replayCacheSize="900000"
                                       maxClockSkew="00:05:00"
                                       maxCookieCachingTime="Infinite"
                                       replayWindow="00:05:00"
                                       sessionKeyRenewalInterval="10:00:00"
                                       sessionKeyRolloverInterval="00:05:00"
                                       reconnectTransportOnFailure="true"
                                       timestampValidityDuration="00:05:00"
                                       cookieRenewalThresholdPercentage="60" />
                  <localServiceSettings detectReplays="true"
                                        issuedCookieLifetime="10:00:00"
                                        maxStatefulNegotiations="128"
                                        replayCacheSize="900000"
                                        maxClockSkew="00:05:00"
                                        negotiationTimeout="00:01:00"
                                        replayWindow="00:05:00"
                                        inactivityTimeout="00:02:00"
                                        sessionKeyRenewalInterval="15:00:00"
                                        sessionKeyRolloverInterval="00:05:00"
                                        reconnectTransportOnFailure="true"
                                        maxPendingSessions="128"
                                        maxCachedCookies="1000"
                                        timestampValidityDuration="00:05:00" />
                </secureConversationBootstrap>
              </security>
              <textMessageEncoding maxReadPoolSize="64"
                                   maxWritePoolSize="16"
                                   messageVersion="Default"
                                   writeEncoding="utf-8">
                <readerQuotas maxDepth="32"
                              maxStringContentLength="8192"
                              maxArrayLength="16384"
                              maxBytesPerRead="4096"
                              maxNameTableCharCount="16384" />
              </textMessageEncoding>
              <httpsTransport manualAddressing="false"
                              maxBufferPoolSize="524288"
                              maxReceivedMessageSize="65536"
                              allowCookies="false"
                              authenticationScheme="Negotiate"
                              bypassProxyOnLocal="false"
                              decompressionEnabled="true"
                              hostNameComparisonMode="StrongWildcard"
                              keepAliveEnabled="true"
                              maxBufferSize="65536"
                              proxyAuthenticationScheme="Anonymous"
                              realm=""
                              transferMode="Buffered"
                              unsafeConnectionNtlmAuthentication="false"
                              useDefaultWebProxy="true" />
            </binding>
          </customBinding>
          <ws2007HttpBinding>
            <binding name="https://dev1dc2.dev1.mydomain.com/adfs/services/trust/13/usernamemixed"
                     closeTimeout="00:01:00"
                     openTimeout="00:01:00"
                     receiveTimeout="00:10:00"
                     sendTimeout="00:01:00"
                     bypassProxyOnLocal="false"
                     transactionFlow="false"
                     hostNameComparisonMode="StrongWildcard"
                     maxBufferPoolSize="524288"
                     maxReceivedMessageSize="65536"
                     messageEncoding="Text"
                     textEncoding="utf-8"
                     useDefaultWebProxy="true"
                     allowCookies="false">
              <readerQuotas maxDepth="32"
                            maxStringContentLength="8192"
                            maxArrayLength="16384"
                            maxBytesPerRead="4096"
                            maxNameTableCharCount="16384" />
              <reliableSession ordered="true"
                               inactivityTimeout="00:10:00"
                               enabled="false" />
              <security mode="TransportWithMessageCredential">
                <transport clientCredentialType="None"
                           proxyCredentialType="None"
                           realm="" />
                <message clientCredentialType="UserName"
                         negotiateServiceCredential="true"
                         algorithmSuite="Default"
                         establishSecurityContext="false" />
              </security>
            </binding>
          </ws2007HttpBinding>
        </bindings>
      </system.serviceModel>
      <system.diagnostics>
        <sources>
          <source name="System.ServiceModel"
                  switchValue="Information, ActivityTracing"
                  propagateActivity="true">
            <listeners>
              <add name="xml" />
            </listeners>
          </source>
          <source name="System.ServiceModel.MessageLogging">
            <listeners>
              <add name="xml" />
            </listeners>
          </source>
          <source name="myUserTraceSource"
                  switchValue="Information, ActivityTracing">
            <listeners>
              <add name="xml" />
            </listeners>
          </source>
        </sources>
        <sharedListeners>
          <add name="xml"
               type="System.Diagnostics.XmlWriterTraceListener"
               initializeData="ClientErrors.svclog" />
        </sharedListeners>
      </system.diagnostics>
    </configuration>

    WCF Service .config:

    <?xml version="1.0"?>
    <configuration>
        <configSections>
            <section name="microsoft.identityModel"
                     type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        </configSections>
        <location path="FederationMetadata">
            <system.web>
                <authorization>
                    <allow users="*" />
                </authorization>
            </system.web>
        </location>
        <system.web>
            <compilation debug="true"
                         targetFramework="4.0">
                <assemblies>
                    <add assembly="Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
                </assemblies>
            </compilation>
        </system.web>
        <system.serviceModel>
            <services>
                <service name="AdfsWcfHelloWorldServices.SayHelloService">
                    <endpoint address="https://mydevbox.dev1.mydomain.com/AdfsWcfHelloWorld/SayHelloService.svc"
                              binding="ws2007FederationHttpBinding"
                              contract="AdfsWcfHelloWorldServices.ISayHelloService" />
                </service>
            </services>
            <behaviors>
                <serviceBehaviors>
                    <behavior>
                        <serviceMetadata httpsGetEnabled="true" />
                        <federatedServiceHostConfiguration />
                        <serviceDebug includeExceptionDetailInFaults="true" />
                    </behavior>
                </serviceBehaviors>
            </behaviors>
            <serviceHostingEnvironment multipleSiteBindingsEnabled="false" />
            <extensions>
                <behaviorExtensions>
                    <add name="federatedServiceHostConfiguration"
                         type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
                </behaviorExtensions>
            </extensions>
            <protocolMapping>
                <add scheme="http"
                     binding="ws2007FederationHttpBinding" />
            </protocolMapping>
            <bindings>
                <ws2007FederationHttpBinding>
                    <binding>
                        <security mode="TransportWithMessageCredential">
                            <message establishSecurityContext="false">
                                <issuerMetadata address="https://dev1dc2.dev1.mydomain.com/adfs/services/trust/mex" />
                                <claimTypeRequirements>
                                    <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
                                         isOptional="true" />
                                    <add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
                                         isOptional="true" />
                                    <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
                                         isOptional="true" />
                                    <add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
                                         isOptional="true" />
                                </claimTypeRequirements>
                            </message>
                        </security>
                    </binding>
                </ws2007FederationHttpBinding>
            </bindings>
        </system.serviceModel>
        <system.webServer>
            <modules runAllManagedModulesForAllRequests="true" />
        </system.webServer>
        <microsoft.identityModel>
            <service>
                <audienceUris>
                    <add value="https://mydevbox.dev1.mydomain.com/AdfsWcfHelloWorld" />
                </audienceUris>
                <serviceCertificate>
                    <certificateReference findValue="22909537C6356E15C20C93A5F652FB0C6AA8A282"
                                          storeLocation="LocalMachine"
                                          storeName="My"
                                          x509FindType="FindByThumbprint" />
                </serviceCertificate>
                <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
                    <trustedIssuers>
                        <add thumbprint="E9C32071573CB4D52005EA2E7825A310D6C26B73"
                             name="http://DEV1DC2.Dev1.mydomain.com/adfs/services/trust" />
                    </trustedIssuers>
                </issuerNameRegistry>
            </service>
        </microsoft.identityModel>
        <appSettings>
            <add key="FederationMetadataLocation"
                 value="https://dev1dc2.dev1.mydomain.com/FederationMetadata/2007-06/FederationMetadata.xml" />
        </appSettings>
      <system.diagnostics>
        <sources>
          <source name="System.ServiceModel"
                  switchValue="Information, ActivityTracing"
                  propagateActivity="true" >
            <listeners>
              <add name="xml"/>
            </listeners>
          </source>
          <source name="System.ServiceModel.MessageLogging">
            <listeners>
              <add name="xml"/>
            </listeners>
          </source>
          <source name="myUserTraceSource"
                  switchValue="Information, ActivityTracing">
            <listeners>
              <add name="xml"/>
            </listeners>
          </source>
        </sources>
        <sharedListeners>
          <add name="xml"
               type="System.Diagnostics.XmlWriterTraceListener"
               initializeData="ServerErrors.svclog" />
        </sharedListeners>
      </system.diagnostics>
    </configuration>

    More details:

    • The service and client are both running on the same box at the moment
    • All certs are created by a CA in our domain and fully trusted by all (1) machines
    • I'm successfully getting my security token from ADFS
    • I use ChannelFactory<T>(binding).CreateChannelWithIssuedToken(myToken)(pseudocode) to connect to the service
    • The error happens upon calling the first method on the service
    • Like I said, this all worked without HTTPS and the service was able to pull validated claims from the token just fine from (Thread.CurrentPrincipal.Identity as IClaimsIdentity).Claims but I can't get a proper connection configured on both sides with SSL for some asinine reason

    I would REALLY appreciate some help. :-)

    Tuesday, August 14, 2012 3:35 PM

Answers

  • Hi,

    The value of authenticationMode was set to "IssuedTokenForSslNegotiated" in the section "<secureConversationBootstrap />" of your custom binding. Could you please try "IssuedTokenOverTransport" to see if works?

                <secureConversationBootstrap defaultAlgorithmSuite="Default"
                                             authenticationMode="IssuedTokenOverTransport"
                                             requireDerivedKeys="true"
                                             securityHeaderLayout="Strict"
                                             includeTimestamp="true"
                                             keyEntropyMode="CombinedEntropy"
                                             messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
                                             messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
                                             requireSecurityContextCancellation="true"
                                             requireSignatureConfirmation="true">

    Thanks.


    Leo Tang [MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    • Edited by LeoTangModerator Thursday, August 16, 2012 6:00 AM
    • Marked as answer by Jaxidian Thursday, August 16, 2012 12:54 PM
    Thursday, August 16, 2012 5:05 AM

All replies

  • Hi,

    The value of authenticationMode was set to "IssuedTokenForSslNegotiated" in the section "<secureConversationBootstrap />" of your custom binding. Could you please try "IssuedTokenOverTransport" to see if works?

                <secureConversationBootstrap defaultAlgorithmSuite="Default"
                                             authenticationMode="IssuedTokenOverTransport"
                                             requireDerivedKeys="true"
                                             securityHeaderLayout="Strict"
                                             includeTimestamp="true"
                                             keyEntropyMode="CombinedEntropy"
                                             messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
                                             messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
                                             requireSecurityContextCancellation="true"
                                             requireSignatureConfirmation="true">

    Thanks.


    Leo Tang [MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    • Edited by LeoTangModerator Thursday, August 16, 2012 6:00 AM
    • Marked as answer by Jaxidian Thursday, August 16, 2012 12:54 PM
    Thursday, August 16, 2012 5:05 AM
  • Hi,

    The value of authenticationMode was set to "IssuedTokenForSslNegotiated" in the section "<secureConversationBootstrap />" of your custom binding. Could you please try "IssuedTokenOverTransport" to see if works?

    Thanks.


    Leo Tang [MSFT]

    Leo,

    That appears to have gotten me past that problem and onto the next error. Thanks!!

    A side note:
    Do you have or know of a good resource that I can use to help me begin to truly understand these WCF Configuration files? I'm mostly managing my way through this one by googling over and over as I hit error after error but I'd like to actually do this the right way at some point. I'd like to sit down and just take a week to train myself on these things at some point in the not-too-distant future. I have Juval Lowy's book and it's been a great resource, but there must be a better way to actually learn this.

    Thanks!

    Thursday, August 16, 2012 12:57 PM