Security protocol cannot verify the incoming message RRS feed

  • Question

  • Hi,

    I am using X.509 certificates on the client side as well as the service side, e.g. wcfserver, wcfclient.

    It worked with WsHttpBinding. Since I need a SAML 2.0 bearer token for authentication, on the service side I used the wsFederation binding. If I run the WSDL,

    I am able to see the SAML 2.0 token. But on the client side, if I consume this service by adding a service reference and run it just creating proxy channels like obj.getmessage, I get the error "Windows CardSpace is not available".

    So I added the code below on the client side:

    using System.Collections.Generic;
    using System.IdentityModel.Claims;
    using System.Security.Cryptography.X509Certificates;
    using System.ServiceModel.Description;
    // SamlClientCredentials and its helper classes come from the Microsoft WCF samples, not from the framework itself.

    ServiceReference1.Service1Client client = new ServiceReference1.Service1Client();
    // Create new credentials class
    SamlClientCredentials samlCC = new SamlClientCredentials();
    // Set the client certificate. This is the cert that will be used to sign the SAML token in the symmetric proof key case
    samlCC.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "wcfclient");
    // Set the service certificate. This is the cert that will be used to encrypt the proof key in the symmetric proof key case
    samlCC.ServiceCertificate.SetDefaultCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "wcfserver");
    // Create some claims to put in the SAML assertion
    IList<Claim> claims = new List<Claim>();
    claims.Add(Claim.CreateNameClaim(samlCC.ClientCertificate.Certificate.Subject));
    ClaimSet claimset = new DefaultClaimSet(claims);
    samlCC.Claims = claimset;
    // Replace the default ClientCredentials behavior with the SAML-issuing one
    client.ChannelFactory.Endpoint.Behaviors.Remove(typeof(ClientCredentials));
    client.ChannelFactory.Endpoint.Behaviors.Add(samlCC);

    string str_result1 = client.GetData(19);
    Response.Write(str_result1);

    [MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.]
    System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) +10733331
    System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) +336
    Client_HelloWorld.ServiceReference1.IService1.GetData(Int32 value) +0
    Client_HelloWorld.ServiceReference1.Service1Client.GetData(Int32 value) in c:\Users\Pshankar\Documents\Visual Studio 2012\Projects\Client-HelloWorld\Client-HelloWorld\Service References\ServiceReference1\Reference.cs:122
    Client_HelloWorld.Form_Input_Service.Button1_Click(Object sender, EventArgs e) in c:\Users\Pshankar\Documents\Visual Studio 2012\Projects\Client-HelloWorld\Client-HelloWorld\Form_Input_Service.aspx.cs:52
    System.Web.UI.WebControls.Button.OnClick(EventArgs e) +9752490
    System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +196
    System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +10
    System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +13
    System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +35
    System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1724.

    Actually I tried changing the identity value with DNS, but it did not work.
    <identity>
      <certificate encodedValue="AwAA" />
    </identity>
    WcfTraceViewer warning says "Security protocol cannot verify the incoming message".

    Part of the received message data:
    <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_998763f7-ff67-4a1d-ab25-5fc1f2bdd6f3" Issuer="Self" IssueInstant="2014-09-15T18:04:32.452Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml:Conditions NotBefore="2014-09-15T18:04:32.452Z" NotOnOrAfter="2014-09-16T04:04:32.452Z">
    <saml:AudienceRestrictionCondition>
    <saml:Audience>http://localhost:8000/servicemodelsamples/service/calc/symm</saml:Audience>
    <saml:Audience>http://localhost:8000/servicemodelsamples/service/calc/asymm</saml:Audience>
    </saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <saml:Advice></saml:Advice>
    <saml:AttributeStatement>
    <saml:Subject>
    <saml:NameIdentifier>
    <!-- Removed-->
    </saml:NameIdentifier>
    <saml:SubjectConfirmation>
    <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <KeyValue>
    <RSAKeyValue>
    <Modulus>q6cxYKKPqpRRF6EPL9vSbAwxc954UKi4N0g6i8NDEWQh2kmeh+DGoqv51aAANQ5L258TmwijAe7bDVS4K9D+epH8FKWR1QsKj6YdauKoPxpHx9FsRHcSKpDaA1C6TAFvbIoF0RPA25Bkbl0tLNS1eXFTGT6bkBfxgjS2obgRY5c=</Modulus>
    <Exponent>AQAB</Exponent>
    </RSAKeyValue>
    </KeyValue>
    </KeyInfo>
    </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
    <saml:AttributeValue>
    <!-- Removed-->
    </saml:AttributeValue>
    </saml:Attribute>
    </saml:AttributeStatement>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
    <Reference URI="#_998763f7-ff67-4a1d-ab25-5fc1f2bdd6f3">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
    <DigestValue>fzV5Dyl1ouYQOOIZqQ+Kg9ocSf8=</DigestValue>
    </Reference>
    </SignedInfo>
    <SignatureValue>LUdU27+CYcC4Lp/DrOquRNxb80D+ycwENkam6twkIdIgmU1b+OQVINAePfa6NL5mqjxwXu96rjVhmrdiq1yvdUxGChw6IFPiRbPCqM44elQjXxyfMZk6If2yddM3LTcFZkmJNIj4BO0Zy+/lUc9ZEWYewTFbh4vjQ2QoGBi3Ku8=</SignatureValue>
    <KeyInfo>
    <KeyValue>
    <RSAKeyValue>
    <Modulus>q6cxYKKPqpRRF6EPL9vSbAwxc954UKi4N0g6i8NDEWQh2kmeh+DGoqv51aAANQ5L258TmwijAe7bDVS4K9D+epH8FKWR1QsKj6YdauKoPxpHx9FsRHcSKpDaA1C6TAFvbIoF0RPA25Bkbl0tLNS1eXFTGT6bkBfxgjS2obgRY5c=</Modulus>
    <Exponent>AQAB</Exponent>
    </RSAKeyValue>
    </KeyValue>
    </KeyInfo>
    </Signature>
    </saml:Assertion>

    Please, please suggest.
    Thanks,

    priyanka


    • Edited by Shankarbs Monday, September 15, 2014 7:00 PM
    Monday, September 15, 2014 6:59 PM

All replies

  • Hi,

    >>Windows cardspace is not available

    For the above error information, please make sure that you have set SupportInteractive to false to suppress Windows CardSpace.

    For more detailed information, please try to check the following article:
    #SAML Token:
    http://msdn.microsoft.com/en-us/library/aa355062(v=vs.110).aspx .


    Best Regards,
    Amy Peng


    Thursday, September 18, 2014 2:13 AM
    Moderator
  • Hi Amy,

    Thanks a lot for your reply.

    I was waiting for a reply from you. Thank you.

    As you know, you have guided me on X.509 certification.

    So far what I have done is installed the wcfserver and wcfclient certificates in the "trusted" folder and used WsHttpBinding. It worked fine. Thanks for the answer to my previous post.

    But now I am using "wsFederationHttpBinding".

    Currently I am developing a HelloWorld service and client (both). So I need a SAML 2.0 bearer token SOAP header for authentication.

    The previous error was solved using the code below. Since I set audienceUriMode to Never, it is working.

    1. What is audienceUriMode? Should I need to enable it in the future?

    <issuedTokenAuthentication allowUntrustedRsaIssuers="true" audienceUriMode="Never">
      <allowedAudienceUris>
        <add allowedAudienceUri="http://localhost:54852/Service_WsFederation.svc"/>
      </allowedAudienceUris>
    </issuedTokenAuthentication>

    2. I want to see the SAML 2.0 token SOAP header; here is my service config.

    3. In the service we need two certificates (WCFServer, WCFSAML). Am I right?

    4. Can we use the same WCFSERVER certificate for the SAML token also?

    5. Is the WCFSAML certificate used to create a token? The key type can be set to asymmetric, symmetric or bearer. What is the importance of a bearer token (SAML 2.0)?

    6. How do I check that my service and client follow this security model: in order to process a request, a message must contain a SAML 2.0 bearer token representing the credentials on behalf of which the request is made (Principal), must be digitally signed by a key representing the (web) application issuing the request (Requestor), and must be encrypted with the service certificate. Responses are in turn signed with the service key and encrypted with the Requestor certificate. Please help, Amy.

    (service.config)
    <system.serviceModel>
      <services>
        <service behaviorConfiguration="CalculatorServiceBehavior" name="WebService_Ws20007Federadtion.Service_WsFederation">
          <endpoint address="" binding="wsFederationHttpBinding" bindingConfiguration="Binding2"
            contract="WebService_Ws20007Federadtion.IService1" />
          <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
          <host>
            <baseAddresses>
              <add baseAddress="http://localhost:54852/Service_WsFederation" />
            </baseAddresses>
          </host>
        </service>
      </services>

      <bindings>
        <wsFederationHttpBinding>
          <!-- Binding that expects SAML tokens with symmetric proof keys -->
          <!--<binding name="Binding1">
            <security mode="Message">
              <message negotiateServiceCredential="false" issuedKeyType="SymmetricKey" issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"/>
            </security>
          </binding>-->
          <!-- Binding that expects SAML tokens with asymmetric proof keys -->
          <binding name="Binding2">
            <security mode="Message">
              <message establishSecurityContext="true" negotiateServiceCredential="false" issuedKeyType="AsymmetricKey" issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"/>
            </security>
          </binding>
        </wsFederationHttpBinding>
      </bindings>

      <client>
      </client>

      <behaviors>
        <serviceBehaviors>
          <behavior name="CalculatorServiceBehavior">
            <!--
            The serviceCredentials behavior allows one to define a service certificate.
            A service certificate is used by a client to authenticate the service and provide message protection.
            This configuration references the "localhost" certificate installed during the setup instructions.
            -->
            <serviceMetadata httpGetEnabled="true" />
            <serviceCredentials>
              <!-- Set allowUntrustedRsaIssuers to true to allow self-signed, asymmetric key based SAML tokens -->
              <issuedTokenAuthentication allowUntrustedRsaIssuers="true" audienceUriMode="Never">
                <allowedAudienceUris>
                  <add allowedAudienceUri="http://localhost:54852/Service_WsFederation.svc"/>
                </allowedAudienceUris>
                <!-- Add Alice to the list of certs trusted to issue SAML tokens -->
                <knownCertificates>
                  <add storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="WCFSAML"/>
                </knownCertificates>
              </issuedTokenAuthentication>
              <clientCertificate>
                <!-- <certificate />-->
                <authentication certificateValidationMode="PeerOrChainTrust" />
              </clientCertificate>
              <serviceCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="WcfServer"/>
            </serviceCredentials>
          </behavior>
        </serviceBehaviors>
      </behaviors>
      <protocolMapping>
        <add binding="wsFederationHttpBinding" scheme="http" />
      </protocolMapping>
      <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
    </system.serviceModel>

    3. On the client side, classes like SamlClientCredentials, SamlSecurityTokenManager, SamlSecurityTokenProvider and the SAML utility classes are downloaded from the Microsoft WCF samples.

    ServiceReference2.Service1Client client = new ServiceReference2.Service1Client();
    // Create new credentials class
    SamlClientCredentials samlCC = new SamlClientCredentials();
    // Set the client certificate. This is the cert that will be used to sign the SAML token in the symmetric proof key case
    samlCC.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "WCFclient");
    // Set the service certificate. This is the cert that will be used to encrypt the proof key in the symmetric proof key case
    samlCC.ServiceCertificate.SetDefaultCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "wcfserver");
    // Create some claims to put in the SAML assertion
    IList<Claim> claims = new List<Claim>();
    claims.Add(Claim.CreateNameClaim(samlCC.ClientCertificate.Certificate.Subject));
    ClaimSet claimset = new DefaultClaimSet(claims);
    samlCC.Claims = claimset;
    // Replace the default ClientCredentials behavior with the SAML-issuing one
    client.ChannelFactory.Endpoint.Behaviors.Remove(typeof(ClientCredentials));
    client.ChannelFactory.Endpoint.Behaviors.Add(samlCC);
    string str_result1 = client.GetData(19);
    Response.Write(str_result1);

    7. When I run my application (client) now, it runs fine since I have set audienceUriMode to Never. But, you know, if I run Fiddler I will not see the SOAP header or request. How to check this?

    Please, please answer. Thanks


    priyanka

    Thursday, September 18, 2014 2:07 PM
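Question 1 above asks what audienceUriMode does, and the thread already holds a concrete case: the assertion in the first post carries two port-8000 calculator addresses as its audiences, while the service configures http://localhost:54852/Service_WsFederation.svc in allowedAudienceUris. The Python below is an added example, not code from this thread or from the WCF samples; it models the decision the service makes for each of the three AudienceUriMode values (the real check runs inside WCF; exact string comparison and the handling of a missing condition are assumptions stated in the comments).

```python
import xml.etree.ElementTree as ET

SAML1 = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed excerpt of the assertion in the first post; signature, subject and
# key material are omitted because they play no part in the audience check.
ASSERTION_XML = """<saml:Assertion MajorVersion="1" MinorVersion="1" Issuer="Self"
    AssertionID="_998763f7-ff67-4a1d-ab25-5fc1f2bdd6f3"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore="2014-09-15T18:04:32.452Z" NotOnOrAfter="2014-09-16T04:04:32.452Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>http://localhost:8000/servicemodelsamples/service/calc/symm</saml:Audience>
      <saml:Audience>http://localhost:8000/servicemodelsamples/service/calc/asymm</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
</saml:Assertion>"""

# The value the service configures in <allowedAudienceUris>.
SERVICE_AUDIENCES = ["http://localhost:54852/Service_WsFederation.svc"]


def assertion_audiences(assertion_xml):
    """Return every <saml:Audience> value inside an AudienceRestrictionCondition."""
    root = ET.fromstring(assertion_xml)
    path = ".//saml:AudienceRestrictionCondition/saml:Audience"
    return [a.text.strip() for a in root.findall(path, SAML1) if a.text]


def audience_accepted(assertion_xml, allowed_audience_uris, mode, issued_key_type):
    """Model of the audienceUriMode decision: mode is "Never", "Always" or
    "BearerKeyOnly"; issued_key_type is the binding's issuedKeyType.
    Assumed simplifications: exact string comparison, and an assertion without
    an AudienceRestrictionCondition is rejected whenever a check is required."""
    if mode == "Never":
        return True  # no audience check at all; this is the posted configuration
    if mode == "BearerKeyOnly" and issued_key_type != "BearerKey":
        return True  # holder-of-key (proof key) tokens skip the check in this mode
    audiences = assertion_audiences(assertion_xml)
    return bool(audiences) and any(a in allowed_audience_uris for a in audiences)


def decisions(assertion_xml, allowed_audience_uris, issued_key_type):
    """Evaluate all three modes side by side for one assertion and service config."""
    return {m: audience_accepted(assertion_xml, allowed_audience_uris, m, issued_key_type)
            for m in ("Never", "BearerKeyOnly", "Always")}
```

With the posted values only Never accepts the token, because the sample client issues the assertion for the two port-8000 addresses rather than for the service's own address; keeping the default Always and having the client issue the assertion for http://localhost:54852/Service_WsFederation.svc restores the check instead of switching it off.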
  • Hi

    Can anyone reply to my questions?

    Thanks


    priyanka

    Monday, September 22, 2014 1:37 AM
  • You are using wsHttpBinding but you haven't specified the certificate it needs to use to secure your transport channel. Try to specify a certificate it needs to use, i.e. for SSL.

    Also try enabling tracing on your service. See here how to enable tracing.

    Monday, September 22, 2014 2:07 AM
  • Hi,

    I have used wsFederationHttpBinding, not wsfederationbinding.

    Please check the code properly and answer my questions.

    I know WCF tracing; I have enabled WCF tracing.


    priyanka

    Monday, September 22, 2014 12:48 PM