ID3242: The security token could not be authenticated or authorized

  • Question

  • I'm getting the following error in my web application when it tries to authenticate to my service which uses IssuedTokenForCertificate authentication:

    "ID3242: The security token could not be authenticated or authorized"


    Here's the service configuration which specifies my Geneva STS as the token issuer:

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
        <system.serviceModel>
          <services>
            <service name="MathService.MathService"
                     behaviorConfiguration="ServiceBehavior">
              <host>
                <baseAddresses>
                  <add baseAddress="net.tcp://localhost:50000"/>
                </baseAddresses>
              </host>
              <endpoint name="MathService"
                        address="MathService.svc"
                        binding="customBinding"
                        bindingConfiguration="FederationTcpIssuedTokenForCertificateBinding"
                        contract="MathService.IMathService"/>

              <endpoint address="net.tcp://localhost:50001/mex"
                 binding="mexTcpBinding"
                 contract="IMetadataExchange"/>
            </service>
          </services>
          <extensions>
            <behaviorExtensions>
              <add name="federatedServiceHostConfiguration" type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
            </behaviorExtensions>
          </extensions>
          <behaviors>
            <serviceBehaviors>
                <behavior name="ServiceBehavior">
                  <serviceCredentials>
                    <serviceCertificate findValue="CN={...}"
                                        storeLocation="LocalMachine"
                                        storeName="My"/>
                  </serviceCredentials>
                  <serviceMetadata/>
                  <serviceDebug includeExceptionDetailInFaults="True"/>
               </behavior>
            </serviceBehaviors>
          </behaviors>
          <bindings>
            <customBinding>
              <binding name="FederationTcpIssuedTokenForCertificateBinding">
                <security authenticationMode="SecureConversation"
                          requireSecurityContextCancellation="true">
                  <secureConversationBootstrap authenticationMode="IssuedTokenForCertificate"
                          messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
                  <issuedTokenParameters keyType="SymmetricKey"
                                         tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
                    <issuer address="http://{...}/Trust/13/Certificate"
                            binding="ws2007HttpBinding"
                            bindingConfiguration="STS">
                      <identity>
                        <certificateReference findValue="CN={...}"
                                        storeLocation="LocalMachine"
                                        storeName="My"/>
                      </identity>
                    </issuer>
                    <claimTypeRequirements>
                      <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="true" />
                      <add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" isOptional="true" />
                    </claimTypeRequirements>
                    <issuerMetadata address="{...}"/>
                  </issuedTokenParameters>
                  </secureConversationBootstrap>
                </security>
                <binaryMessageEncoding/>
                <tcpTransport />
              </binding>
            </customBinding>
          </bindings>
        </system.serviceModel>
    </configuration>

    Here's the web client config:

    <system.serviceModel>
      <bindings>
       <customBinding>
        <binding name="MathService">
         <security defaultAlgorithmSuite="Default" authenticationMode="SecureConversation"
          requireDerivedKeys="true" securityHeaderLayout="Strict" includeTimestamp="true"
          keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
          messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
          requireSecurityContextCancellation="true" requireSignatureConfirmation="false">
          <localClientSettings cacheCookies="true" detectReplays="true"
           replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite"
           replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
           sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
           timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
          <localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
           maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
           negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00"
           sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
           reconnectTransportOnFailure="true" maxPendingSessions="128" maxCachedCookies="1000"
           timestampValidityDuration="00:05:00" />
          <secureConversationBootstrap defaultAlgorithmSuite="Default"
           authenticationMode="IssuedTokenForCertificate" requireDerivedKeys="true"
           securityHeaderLayout="Strict" includeTimestamp="true" keyEntropyMode="CombinedEntropy"
           messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
           messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
           requireSignatureConfirmation="true">
           <issuedTokenParameters keyType="SymmetricKey" tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
            <additionalRequestParameters>
             <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
              <trust:TokenType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</trust:TokenType>
              <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
              <trust:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"
               xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
               <wsid:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
                Optional="true" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity">
               </wsid:ClaimType>
               <wsid:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
                Optional="true" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity">
               </wsid:ClaimType>
              </trust:Claims>
             </trust:SecondaryParameters>
            </additionalRequestParameters>
             <issuer address="http://{...}/Trust/13/Certificate"
                     binding="ws2007HttpBinding"
                     bindingConfiguration="STS">
               <identity>
                 <certificate encodedValue="{...}"/>
               </identity>
             </issuer>
            <issuerMetadata address="https://{...}/Trust/Mex" />
           </issuedTokenParameters>
           <localClientSettings cacheCookies="true" detectReplays="true"
            replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite"
            replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
            sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
            timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
           <localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
            maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
            negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00"
            sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
            reconnectTransportOnFailure="true" maxPendingSessions="128" maxCachedCookies="1000"
            timestampValidityDuration="00:05:00" />
          </secureConversationBootstrap>
         </security>
         <binaryMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
          maxSessionSize="2048">
          <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
           maxBytesPerRead="4096" maxNameTableCharCount="16384" />
         </binaryMessageEncoding>
         <tcpTransport manualAddressing="false" maxBufferPoolSize="524288"
          maxReceivedMessageSize="65536" connectionBufferSize="8192" hostNameComparisonMode="StrongWildcard"
          channelInitializationTimeout="00:00:05" maxBufferSize="65536"
          maxPendingConnections="10" maxOutputDelay="00:00:00.2000000"
          maxPendingAccepts="1" transferMode="Buffered" listenBacklog="10"
          portSharingEnabled="false" teredoEnabled="false">
          <connectionPoolSettings groupName="default" leaseTimeout="00:05:00"
           idleTimeout="00:02:00" maxOutboundConnectionsPerEndpoint="10" />
         </tcpTransport>
        </binding>
       </customBinding>
        <ws2007HttpBinding>
          <binding name="STS" closeTimeout="00:01:00"
               openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
               bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
               maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
               messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
               allowCookies="false">
            <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                maxBytesPerRead="4096" maxNameTableCharCount="16384" />
            <reliableSession ordered="true" inactivityTimeout="00:10:00"
                enabled="false" />
            <security mode="Message">
              <message clientCredentialType="Certificate"
                       negotiateServiceCredential="false"
                       algorithmSuite="Default"
                       establishSecurityContext="false"/>
            </security>
          </binding>
        </ws2007HttpBinding>
      </bindings>
      <client>
       <endpoint address="net.tcp://localhost:50000/MathService.svc"
                 binding="customBinding"
                 bindingConfiguration="MathService"
                 contract="MathService.IMathService"
                 name="MathService">
        <identity>
          <certificate encodedValue="{...}"/>
        </identity>
       </endpoint>
      </client>
     </system.serviceModel>

    Here's the web client code to setup the service proxy:

    serviceProxy.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint,
        "{...}");
    serviceProxy.ClientCredentials.ServiceCertificate.SetDefaultCertificate(
        "CN={...}", StoreLocation.LocalMachine, StoreName.My);
    serviceProxy.ClientCredentials.ServiceCertificate.SetScopedCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint,
        "{...}", new Uri("http://{...}/Trust/13/Certificate"));

    The web client is passing a certificate credential that has been mapped to a domain user in AD. 

    Please let me know if anyone has an idea of how to determine why authentication is failing.  I have Geneva STS tracing on verbose, but it's not giving me any messages about why the certificate isn't being authenticated.  Also, the AD PDC's windows security log doesn't show any audit failures.

    Thanks in advance.

    Wednesday, September 9, 2009 11:25 PM

All replies

  • Hello,
    Do you have a stack trace? Is the exception at the STS or the Service?

    Thanks,
    Govind


    http://blogs.msdn.com/govindr
    Tuesday, September 15, 2009 8:59 PM
  • The exception is in the web app which consumes the service.  Here's the stack trace:

    Thanks in advance!


    Server stack trace:
       at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
       at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.Request(Message message, TimeSpan timeout)

    Exception rethrown at [0]:
       at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
       at System.ServiceModel.Security.IssuanceTokenProviderBase`1.GetTokenCore(TimeSpan timeout)
       at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
       at System.ServiceModel.Security.Tokens.IssuedSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
       at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
       at System.ServiceModel.Security.SecurityProtocol.TryGetSupportingTokens(SecurityProtocolFactory factory, EndpointAddress target, Uri via, Message message, TimeSpan timeout, Boolean isBlockingCall, IList`1& supportingTokens)
       at System.ServiceModel.Security.SymmetricSecurityProtocol.TryGetTokenSynchronouslyForOutgoingSecurity(Message message, SecurityProtocolCorrelationState correlationState, Boolean isBlockingCall, TimeSpan timeout, SecurityToken& token, SecurityTokenParameters& tokenParameters, SecurityToken& prerequisiteWrappingToken, IList`1& supportingTokens, SecurityProtocolCorrelationState& newCorrelationState)
       at System.ServiceModel.Security.SymmetricSecurityProtocol.SecureOutgoingMessageCore(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState correlationState)
       at System.ServiceModel.Security.MessageSecurityProtocol.SecureOutgoingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState correlationState)
       at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
       at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
       at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
       at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
       at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

    Exception rethrown at [1]:
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at MathService.IMathService.Add(Int32 value1, Int32 value2)
       at MathService.MathServiceClient.Add(Int32 value1, Int32 value2) in c:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files\mathserviceconsumer\397c067c\e526c724\App_WebReferences.p2gi4nt9.0.cs:line 128
       at _Default.Add_Click(Object sender, EventArgs e) in d:\SandBox\MathService\MathServiceConsumer_Web\Default.aspx.cs:line 114

    Tuesday, September 15, 2009 11:27 PM
  • I'd rather say the exception happens in the service that your web app tries to consume.

    This could be due to missing allowed audience URIs in the service config - switch on tracing for the Microsoft.IdentityModel trace source - this should give you more information...


    Dominick Baier | thinktecture | http://www.leastprivilege.com
    Wednesday, September 16, 2009 6:12 AM
  • I added the following audience uri to the service config, but still get the error:

    <configSections>
      <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
    </configSections>
    <microsoft.identityModel>
      <service>
        <audienceUris>
          <add value="net.tcp://localhost:50000/MathService.svc"/>
        </audienceUris>
      </service>
    </microsoft.identityModel>


    It looks like the exception is thrown by the STS during authentication of the certificate token provided by the web application. Here's the exception captured in the trace log of the Geneva STS.  Any thoughts on how to determine why Geneva isn't authenticating the token?   Thanks!

    <E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
    <System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system">
    <EventID>131075</EventID>
    <Type>3</Type>
    <SubType Name="Error">0</SubType>
    <Level>2</Level>
    <TimeCreated SystemTime="2009-09-16T19:52:34.0210868Z" />
    <Source Name="System.ServiceModel" />
    <Correlation ActivityID="{00000000-0000-0000-0400-0080000000e2}" />
    <Execution ProcessName="Microsoft.IdentityServer.ServiceHost" ProcessID="4764" ThreadID="9" />
    <Channel />
    <Computer>{...}</Computer>
    </System>
    <ApplicationData>
    <TraceData>
    <DataItem>
    <TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Error">
    <TraceIdentifier>http://msdn.microsoft.com/en-US/library/System.ServiceModel.Diagnostics.ThrowingException.aspx</TraceIdentifier>
    <Description>Throwing an exception.</Description>
    <AppDomain>Microsoft.IdentityServer.ServiceHost.exe</AppDomain>
    <Exception>
    <ExceptionType>System.ServiceModel.Security.MessageSecurityException, System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
    <Message>Message security verification failed.</Message>
    <StackTrace>
    at System.ServiceModel.Security.MessageSecurityProtocol.VerifyIncomingMessage(Message&amp; message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
    at System.ServiceModel.Channels.SecurityChannelListener`1.ServerSecurityChannel`1.VerifyIncomingMessage(Message&amp; message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationState)
    at System.ServiceModel.Channels.SecurityChannelListener`1.SecurityReplyChannel.ProcessReceivedRequest(RequestContext requestContext, TimeSpan timeout)
    at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveRequestAndVerifySecurityAsyncResult.ProcessInnerItem(RequestContext innerItem, TimeSpan timeout)
    at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.OnInnerReceiveDone()
    at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.InnerTryReceiveCompletedCallback(IAsyncResult result)
    at System.ServiceModel.Diagnostics.Utility.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
    at System.ServiceModel.AsyncResult.Complete(Boolean completedSynchronously)
    at System.ServiceModel.Channels.InputQueue`1.AsyncQueueReader.Set(Item item)
    at System.ServiceModel.Channels.InputQueue`1.EnqueueAndDispatch(Item item, Boolean canDispatchOnThisThread)
    at System.ServiceModel.Channels.InputQueue`1.EnqueueAndDispatch(T item, ItemDequeuedCallback dequeuedCallback, Boolean canDispatchOnThisThread)
    at System.ServiceModel.Channels.InputQueueChannel`1.EnqueueAndDispatch(TDisposable item, ItemDequeuedCallback dequeuedCallback, Boolean canDispatchOnThisThread)
    at System.ServiceModel.Channels.SingletonChannelAcceptor`3.Enqueue(QueueItemType item, ItemDequeuedCallback dequeuedCallback, Boolean canDispatchOnThisThread)
    at System.ServiceModel.Channels.SingletonChannelAcceptor`3.Enqueue(QueueItemType item, ItemDequeuedCallback dequeuedCallback)
    at System.ServiceModel.Channels.HttpChannelListener.HttpContextReceived(HttpRequestContext context, ItemDequeuedCallback callback)
    at System.ServiceModel.Channels.SharedHttpTransportManager.OnGetContextCore(IAsyncResult result)
    at System.ServiceModel.Diagnostics.Utility.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
    at System.Net.LazyAsyncResult.Complete(IntPtr userToken)
    at System.Net.LazyAsyncResult.ProtectedInvokeCallback(Object result, IntPtr userToken)
    at System.Net.ListenerAsyncResult.WaitCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped)
    at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP)
    </StackTrace>
    <ExceptionString>System.ServiceModel.Security.MessageSecurityException: Message security verification failed. ---&gt; Microsoft.IdentityModel.Tokens.FailedAuthenticationFaultException: ID3242: The security token could not be authenticated or authorized.
    at Microsoft.IdentityModel.ExceptionMapper.HandleSecurityTokenProcessingException(Exception ex)
    at Microsoft.IdentityModel.Tokens.WrappedX509SecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token)
    at System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token)
    at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver, IList`1 allowedTokenAuthenticators, SecurityTokenAuthenticator&amp; usedTokenAuthenticator)
    at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlDictionaryReader reader, Int32 position, Byte[] decryptedBuffer, SecurityToken encryptionToken, String idInEncryptedForm, TimeSpan timeout)
    at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader reader)
    at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout)
    at System.ServiceModel.Security.MessageSecurityProtocol.ProcessSecurityHeader(ReceiveSecurityHeader securityHeader, Message&amp; message, SecurityToken requiredSigningToken, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
    at System.ServiceModel.Security.SymmetricSecurityProtocol.VerifyIncomingMessageCore(Message&amp; message, String actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
    at System.ServiceModel.Security.MessageSecurityProtocol.VerifyIncomingMessage(Message&amp; message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
    --- End of inner exception stack trace ---</ExceptionString>
    <InnerException>
    <ExceptionType>Microsoft.IdentityModel.Tokens.FailedAuthenticationFaultException, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35</ExceptionType>
    <Message>ID3242: The security token could not be authenticated or authorized.</Message>
    <StackTrace>
    at Microsoft.IdentityModel.ExceptionMapper.HandleSecurityTokenProcessingException(Exception ex)
    at Microsoft.IdentityModel.Tokens.WrappedX509SecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token)
    at System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token)
    at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver, IList`1 allowedTokenAuthenticators, SecurityTokenAuthenticator&amp; usedTokenAuthenticator)
    at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlDictionaryReader reader, Int32 position, Byte[] decryptedBuffer, SecurityToken encryptionToken, String idInEncryptedForm, TimeSpan timeout)
    at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader reader)
    at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout)
    at System.ServiceModel.Security.MessageSecurityProtocol.ProcessSecurityHeader(ReceiveSecurityHeader securityHeader, Message&amp; message, SecurityToken requiredSigningToken, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
    at System.ServiceModel.Security.SymmetricSecurityProtocol.VerifyIncomingMessageCore(Message&amp; message, String actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
    at System.ServiceModel.Security.MessageSecurityProtocol.VerifyIncomingMessage(Message&amp; message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
    </StackTrace>
    <ExceptionString>Microsoft.IdentityModel.Tokens.FailedAuthenticationFaultException: ID3242: The security token could not be authenticated or authorized.
    at Microsoft.IdentityModel.ExceptionMapper.HandleSecurityTokenProcessingException(Exception ex)
    at Microsoft.IdentityModel.Tokens.WrappedX509SecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token)
    at System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token)
    at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver, IList`1 allowedTokenAuthenticators, SecurityTokenAuthenticator&amp; usedTokenAuthenticator)
    at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlDictionaryReader reader, Int32 position, Byte[] decryptedBuffer, SecurityToken encryptionToken, String idInEncryptedForm, TimeSpan timeout)
    at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader reader)
    at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout)
    at System.ServiceModel.Security.MessageSecurityProtocol.ProcessSecurityHeader(ReceiveSecurityHeader securityHeader, Message&amp; message, SecurityToken requiredSigningToken, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
    at System.ServiceModel.Security.SymmetricSecurityProtocol.VerifyIncomingMessageCore(Message&amp; message, String actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
    at System.ServiceModel.Security.MessageSecurityProtocol.VerifyIncomingMessage(Message&amp; message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)</ExceptionString>
    </InnerException>
    </Exception>
    </TraceRecord>
    </DataItem>
    </TraceData>
    <System.Diagnostics xmlns="http://schemas.microsoft.com/2004/08/System.Diagnostics">
    <LogicalOperationStack></LogicalOperationStack>
    <Timestamp>166499188233</Timestamp>
    <Callstack>
    at System.Environment.get_StackTrace()
    at System.Diagnostics.TraceEventCache.get_Callstack()
    at System.Diagnostics.XmlWriterTraceListener.WriteFooter(TraceEventCache eventCache)
    at System.Diagnostics.TraceSource.TraceData(TraceEventType eventType, Int32 id, Object data)
    at System.ServiceModel.Diagnostics.DiagnosticTrace.TraceEvent(TraceEventType type, TraceCode code, String description, TraceRecord trace, Exception exception, Object source)
    at System.ServiceModel.Diagnostics.ExceptionUtility.ThrowHelper(Exception exception, TraceEventType eventType, TraceRecord extendedData)
    at System.ServiceModel.Diagnostics.ExceptionUtility.ThrowHelperError(Exception exception)
    at System.ServiceModel.Security.MessageSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
    at System.ServiceModel.Channels.SecurityChannelListener`1.ServerSecurityChannel`1.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationState)
    at System.ServiceModel.Channels.SecurityChannelListener`1.SecurityReplyChannel.ProcessReceivedRequest(RequestContext requestContext, TimeSpan timeout)
    at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveRequestAndVerifySecurityAsyncResult.ProcessInnerItem(RequestContext innerItem, TimeSpan timeout)
    at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.OnInnerReceiveDone()
    at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.InnerTryReceiveCompletedCallback(IAsyncResult result)
    at System.ServiceModel.Diagnostics.Utility.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
    at System.ServiceModel.AsyncResult.Complete(Boolean completedSynchronously)
    at System.ServiceModel.Channels.InputQueue`1.AsyncQueueReader.Set(Item item)
    at System.ServiceModel.Channels.InputQueue`1.EnqueueAndDispatch(Item item, Boolean canDispatchOnThisThread)
    at System.ServiceModel.Channels.InputQueue`1.EnqueueAndDispatch(T item, ItemDequeuedCallback dequeuedCallback, Boolean canDispatchOnThisThread)
    at System.ServiceModel.Channels.InputQueueChannel`1.EnqueueAndDispatch(TDisposable item, ItemDequeuedCallback dequeuedCallback, Boolean canDispatchOnThisThread)
    at System.ServiceModel.Channels.SingletonChannelAcceptor`3.Enqueue(QueueItemType item, ItemDequeuedCallback dequeuedCallback, Boolean canDispatchOnThisThread)
    at System.ServiceModel.Channels.SingletonChannelAcceptor`3.Enqueue(QueueItemType item, ItemDequeuedCallback dequeuedCallback)
    at System.ServiceModel.Channels.HttpChannelListener.HttpContextReceived(HttpRequestContext context, ItemDequeuedCallback callback)
    at System.ServiceModel.Channels.SharedHttpTransportManager.OnGetContextCore(IAsyncResult result)
    at System.ServiceModel.Diagnostics.Utility.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
    at System.Net.LazyAsyncResult.Complete(IntPtr userToken)
    at System.Net.LazyAsyncResult.ProtectedInvokeCallback(Object result, IntPtr userToken)
    at System.Net.ListenerAsyncResult.WaitCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped)
    at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP)
    </Callstack>
    </System.Diagnostics>
    </ApplicationData>
    </E2ETraceEvent>

    Wednesday, September 16, 2009 8:34 PM
  • On the STS binding what are the rules for validating the Client Cert?  By default 'chain building' is applied.  I suspect the client cert is failing validation at the STS.  The error being reported is wrapped around the WCF call.  It may be helpful to turn on WCF tracing.


    Here is a link that shows how to control the validation of the client's certificate.

    http://msdn.microsoft.com/en-us/library/aa347699(VS.85).aspx
    Monday, January 4, 2010 5:49 PM
  • I'd rather say the exception happens in the service that your web app tries to consume.

    This could be due to missing allowed audience URIs in the service config - switch on tracing for the Microsoft.IdentityModel trace source - this should give you more information...


    Dominick Baier | thinktecture | http://www.leastprivilege.com


    I was experiencing this error and this fixed it for me.  I had the wrong audience URIs in my service config.

    Thanks Dominick! 


    Regards, David Totzke
    Tuesday, September 28, 2010 8:24 PM
  • I spent a week on this error so I'd like to participate:

    I was calling a WCF service authenticating via a StarterSTS server hosted on Azure. I was receiving the laconic errors you might know...

    "The security protocol cannot verify the incoming message"

    I turned on tracing without success...

    and finally put the audience URIs in Never mode, and that did the trick:

    <audienceUris mode="Never">

    I wonder now why the

    <add value="http://localhost/ " />

    didn't work?

    This is tough, and I thank you Dominick for the great StarterSTS!


    Monday, April 4, 2011 2:07 PM
  • @Kamouch

    Thanks for the audienceUris mode="Never" tip; this seems to work for me on a demo I am trying, but did you ever work out why putting the actual URI doesn't work, as I'm in the same situation as you were (banging my head against a brick wall)?

    Thanks

    Wednesday, June 22, 2011 7:57 AM
  • audienceUris mode="Never" we use for development only, as it disables the feature.

    Try adding these lines to your configuration to view the missing audienceUris:

    <system.diagnostics>
      <sharedListeners>
        <!-- Writes trace events to the Windows event log; the source named in
             initializeData must already be registered on the machine. -->
        <add name="EventLogListener"
             type="System.Diagnostics.EventLogTraceListener"
             initializeData="Your Eventlog Source Name Here">
          <!-- Only Warning and above are passed on to the event log. -->
          <filter type="System.Diagnostics.EventTypeFilter"
                  initializeData="Warning"/>
        </add>
      </sharedListeners>
      <sources>
        <!-- The WIF trace source; switchValue sets how much it emits
             (Error, Warning, Information, Verbose). -->
        <source name="Microsoft.IdentityModel"
                switchValue="Error">
          <listeners>
            <add name="EventLogListener"/>
          </listeners>
        </source>
      </sources>
    </system.diagnostics>


    • Proposed as answer by Maulik Patel Tuesday, August 23, 2011 12:47 PM
    Friday, July 22, 2011 8:51 AM
  • Hi,

    I don't know if this is still an issue for you, but I had the exact same problem. As it turns out, the problem was, as the exception is trying to tell you, that the intended audience is wrong. I turned on diagnostics on the web service site and opened the trace file in Service Trace Viewer.

    The first exception said: "ID1038: The AudienceRestrictionCondition was not valid because the specified Audience is not present in AudienceUris.

    Audience: 'http://localhost/earkivwebservice'"

    The endpoint I had registered in my web.config file was http://localhost/earkivwebservice/integration.svc.

    That left me with two options:

    1) Ask the STS manager to change my endpoint to http://localhost/earkivwebservice/integration.svc

    2) Change my audienceURIs to http://localhost/earkivwebservice

    I took the easy way out and changed my local URI and everything worked fine.

    Cheers


    Tuesday, August 23, 2011 10:26 AM
  • I had this problem.

    It was caused by the Encryption Certificate not being in Trusted People (personal).  Problem solved for me, at least.

    Monday, February 18, 2013 12:18 PM
  • Try to update your service account from Central Admin, at the location below:

    This setting applies to all Search service applications in the farm. You can change this account at any time by clicking Configure service accounts in the Security section on the Central Administration home page.

    Central Admin --> Security --> General Security --> Configure service accounts --> in my case I selected 'Search service' and selected the account that I had used in the search administration page.

    That's it. Hope that helps.

    Cheers!!


    Vaibhav Jain SharePoint Solution Architect

    Wednesday, April 10, 2013 9:58 PM
  • Sometimes a normal expired Windows token will cause this error message. Please read what follows, from http://www.solutionscore.com/q/7790c1e4-07b2-4d6a-bd6b-6e91a7d56c2e .

    Here is the WCF stack trace of a WCF message that has an expired token:

    <ExceptionType>Microsoft.IdentityModel.Tokens.FailedAuthenticationFaultException, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35</ExceptionType>

    <Message>ID3242: The security token could not be authenticated or authorized.</Message>

    <StackTrace>

    at Microsoft.IdentityModel.ExceptionMapper.HandleSecurityTokenProcessingException(Exception ex)

    at Microsoft.IdentityModel.Tokens.WrappedSaml11SecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token)

    The thing I don't understand is that I see this error in the UAT environment but not the DEV environment. I wonder whether there is any configuration that affects this.


    • Edited by GuYuming Friday, August 7, 2015 4:12 AM
    Thursday, August 6, 2015 9:33 AM
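
    The two checks the replies above keep returning to, the audience restriction (ID1038 and the audienceUris mode="Never" workaround) and the token lifetime from the last reply, modelled as an added stand-alone example. This is not WIF's code and not any poster's: it parses a constructed SAML 1.1 assertion and applies the configured mode the way the thread describes. AudienceUriMode, check_conditions, extract_audiences and the sample assertion are this example's own, and the URI comparison is an assumption modelled on System.Uri equality (scheme and host case-insensitive, path as written), not WIF's exact rule.

```python
"""Model of the checks applied to a SAML 1.1 token's Conditions element.

Added example for this thread, not code from WIF or from any poster. It parses a
constructed SAML 1.1 assertion and applies the audienceUris mode and the token
lifetime window. AudienceUriMode, check_conditions and extract_audiences are
this example's own names; the thread quotes WIF's own message (ID1038) for the
audience failure, this code returns its own plain reason strings.
"""
from datetime import datetime, timezone
from enum import Enum
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"


class AudienceUriMode(Enum):
    # The three values accepted by <audienceUris mode="...">
    ALWAYS = "Always"                  # token must name one of the allowed audiences
    NEVER = "Never"                    # check disabled (the development-only setting above)
    BEARER_KEY_ONLY = "BearerKeyOnly"  # checked only for bearer tokens


# Constructed sample: an assertion issued for the audience quoted in the thread.
SAMPLE_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-sample"
    Issuer="http://sts.example.test/" IssueInstant="2011-08-23T10:00:00Z">
  <saml:Conditions NotBefore="2011-08-23T10:00:00Z" NotOnOrAfter="2011-08-23T11:00:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>http://localhost/earkivwebservice</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
</saml:Assertion>
"""


def _canonical(uri: str) -> tuple:
    """Assumption: compare like System.Uri, i.e. scheme/host case-insensitive, path as written."""
    parts = urlsplit(uri)
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path, parts.query)


def _parse_time(value: str) -> datetime:
    """Parse the UTC timestamps SAML uses in NotBefore/NotOnOrAfter."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_audiences(assertion_xml: str) -> list:
    """Return every <saml:Audience> URI inside the assertion's Conditions."""
    root = ET.fromstring(assertion_xml.strip())
    path = (f"{{{SAML1_NS}}}Conditions/{{{SAML1_NS}}}AudienceRestrictionCondition/"
            f"{{{SAML1_NS}}}Audience")
    return [(el.text or "").strip() for el in root.findall(path)]


def check_conditions(assertion_xml, allowed_audiences, mode, now, is_bearer=True):
    """Validate lifetime and audience; return (ok, reason) rather than raising."""
    root = ET.fromstring(assertion_xml.strip())
    cond = root.find(f"{{{SAML1_NS}}}Conditions")
    if cond is None:
        return False, "assertion has no Conditions element"

    # 1. Lifetime window: an expired token fails before the audience is even looked at.
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now < _parse_time(not_before):
        return False, f"token not yet valid (NotBefore={not_before})"
    if not_on_or_after and now >= _parse_time(not_on_or_after):
        return False, f"token expired (NotOnOrAfter={not_on_or_after})"

    # 2. Audience restriction, governed by the configured mode.
    if mode is AudienceUriMode.NEVER or (mode is AudienceUriMode.BEARER_KEY_ONLY and not is_bearer):
        return True, "audience check skipped by mode"
    audiences = extract_audiences(assertion_xml)
    if not audiences:
        return False, "token carries no AudienceRestrictionCondition"
    allowed = {_canonical(a) for a in allowed_audiences}
    for aud in audiences:
        if _canonical(aud) in allowed:
            return True, f"audience {aud!r} accepted"
    # The path must match as written, so 'http://localhost/earkivwebservice' does not
    # satisfy a config that only lists '.../earkivwebservice/integration.svc'.
    return False, f"audience {audiences!r} not in allowed audienceUris {sorted(allowed_audiences)!r}"


if __name__ == "__main__":
    now = _parse_time("2011-08-23T10:26:00Z")
    for cfg in (["http://localhost/earkivwebservice/integration.svc"],
                ["http://localhost/earkivwebservice"]):
        print(cfg, check_conditions(SAMPLE_ASSERTION, cfg, AudienceUriMode.ALWAYS, now))
    print("mode=Never", check_conditions(SAMPLE_ASSERTION, ["http://other/"], AudienceUriMode.NEVER, now))
    print("expired", check_conditions(SAMPLE_ASSERTION, ["http://localhost/earkivwebservice"],
                                      AudienceUriMode.ALWAYS, _parse_time("2011-08-23T12:00:00Z")))
```

    Running it reproduces the situation from the ID1038 reply: a service config listing only http://localhost/earkivwebservice/integration.svc rejects a token issued for http://localhost/earkivwebservice, while the shorter URI is accepted. It also shows what mode="Never" actually does: the same token is accepted against any configured list, so a token minted for one relying party would be accepted by another, which is why that setting belongs in development only.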