ACS20001 generic error while logging in

Question

Hi,

I have the following configuration: one RP, one custom STS, both connected through Azure ACS. Both components shall one day be deployed to Azure but are currently only being hosted locally on the Compute Emulator.

I tried to build the components based on the (unfortunately rare) HowTo's, but IMO they either skip over important stuff or showed different scenarios.

Unfortunately I now hit a wall and, even after hours of experimenting, can't seem to pinpoint the source of the problem. When I run my app, I am being redirected to my STS to login (so far so good). But when I enter my credentials, I get the following error:

An error occurred while processing your request.

HTTP Error Code:	403
Message:	ACS20001: An error occurred while processing a WS-Federation sign-in response.
Trace ID:	f9cdc767-5c1e-41fc-93d6-1a6d76db39b3
Timestamp:	2012-04-05 19:31:49Z

My appSettings on the STS

  <appSettings>
    <add key="IssuerName" value="localhost" />
    <add key="SigningCertificateName" value="CN=localhost" />
    <add key="EncryptingCertificateName" value="CN=mynamespace.accesscontrol.windows.net" />
  </appSettings>

The certificate for mynamespace.accesscontrol.windows.net is uploaded to the ACS Management Portal and imported into the local computer certificate store, the certificate for localhost is only in the local computer certificate store.

Both certificates are in the "Trusted Root Certification Authorities" and in the "Personal" category of the certificate store.

For the STS Reference generation I used the WS-Federation Metadata url from the ACS Management Portal. One of the HowTo's described how to directly use the FederationMetadata.xml, but that would create a direct binding between the RP and the STS and that just doesn't seem right.

Most of the google results for the mentioned error message seem to point to a problem with the Issuer Name, but I can't find anything wrong with them. Doesn't make it any easier that the error message is that generic.

I hope I included all necessary infos :)

Regards,
Pharao2k

PS: I had to comment out one of the mentions of the ClaimsPrincipalHttpModule in the web.config, otherwise the Azure Compute Emulator wouldn't let me start the role. Could that be related to my problem? I'd hoped that the redundant mentioning was for compatibility reasons for an older IIS version which isn't necessary in Azure projects.

    <!--<httpModules>
      <add name="ClaimsPrincipalHttpModule" type="Microsoft.IdentityModel.Web.ClaimsPrincipalHttpModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </httpModules>-->
  </system.web>
  <system.webServer>
    <modules>
      <add name="ClaimsPrincipalHttpModule" type="Microsoft.IdentityModel.Web.ClaimsPrincipalHttpModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
    </modules>
  </system.webServer>

Answer 1

It sounds like there is a configuration problem with ACS. How did you configure ACS to accept tokens from your local STS?

---

Developer Security MVP | www.syfuhs.net

Answer 2

In the ACS Management Portal..

under Identity providers: http://localhost:6225 as Type "WS-Federation" and another one of type "Windows Live ID" (which I can't seem to be able to delete, but it's not being used for any RP so it shouldn't matter).

My Identity Provider "http://localhost:6225" has the same address as its Realm and under "Used By" has my RP checked.

The RP has "https://localhost:444/" as Realm + Return URL, SAML 2.0 as Token format, Token encryption policy = None and 14400sec as Token lifetime.
Token Signing Certificates has the one for mynamespace.accesscontrol.windows.net as primary certificate and no Token Encryption Certificates.

Do I need a certificate under "Token Decryption" under "Certificates and keys" ? If yes, which one? The one for http://localhost:6225 (STS address / certificate) or for mynamespace.accesscontrol.windows.net (ACS) ? I just tried both (didn't occur to me inserting these until I wrote this paragraph), which didn't make it work but changed the error message to:

An error occurred while processing your request.

HTTP Error Code:	401
Message:	ACS20001: An error occurred while processing a WS-Federation sign-in response.
Inner Message:	ACS50008: SAML token is invalid.
Trace ID:	881c8f01-79ee-4a7f-95e3-89aeb39d028d
Timestamp:	2012-04-05 22:56:38Z

But I don't know if that's better or worse. Having an inner message is good but it doesn't really help me ^^

Answer 3

Your earlier error was a decryption error. Your identity provider is encrypting tokens to ACS, which means that ACS needs a key to decrypt.

Now that you've fixed that issue, your second problem is that your identity provider isn't returning the expected value. Your token is signed by a provider called "localhost". This needs to be an exact match to the configured name of the identity provider in ACS. If you used fed metadata to import your provider, this value came from your fed metadata EntityID.

Answer 4

Under "Token Decryption" under "Certificates and keys", do I need the certificate for http://localhost:6225 (STS address / certificate) or for mynamespace.accesscontrol.windows.net (ACS)? (Don't want to have to switch constantly to test ^^) I would've said localhost. Or should I clear the EncryptingCertificateName field in the web.config for the time being?

I'm not really sure which of the values are wrong or rather which of them I would need to change

The FederationMetadata has "http://localhost:6225" as entityID and as passive requestor endpoint.

The (localhost-)certificate has "CN=localhost" as Subject and "localhost" as Issuer.

The web.config values can be seen in my first post (except the third variable which value depends on the first question in this reply)

The ACS Management Portal shows "http://localhost:6225" as Display name and Realm.

Does the custom port cause these problems?

Answer 5

Hi,

From my experience, if the certificate is issued to localhost, it may not work for localhost:6225. Please try to host the STS under the default port 443, so you can remove the port number. Once you move to production, you’re unlikely to use a custom port anyway.

Best Regards,

Ming Xu.

---

Please mark the replies as answers if they help or unmark if not.
If you have any feedback about my replies, please contact msdnmg@microsoft.com.
Microsoft One Code Framework

Answer 6

I changed it so that the STS has the default port 443 (including updating the Metadata file etc.), but the problem is still the same so that was not the cause.

Answer 7

Can you post the latest Trace ID and timestamp? I will check it

Leo Lin

Answer 8

An error occurred while processing your request.

HTTP Error Code:	401
Message:	ACS20001: An error occurred while processing a WS-Federation sign-in response.
Inner Message:	ACS50008: SAML token is invalid.
Trace ID:	42c73e6e-a8fc-4a81-8888-cf707fecba9b
Timestamp:	2012-04-12 08:37:06Z

Answer 9

Sorry I forget to ask the ACS namespace? Can you give the namespace fo your ACS and I will help check the details error for you.

Leo Lin

Answer 10

You also can use http watch tools to check the detail http stream.

http://www.httpwatch.com/

Do you use the self trusted certiifcate? We need import it into trust root and ensure the certificate is valid.

Leo Lin