WCF + AD FS Active Federation Question

  • Question

  • Hi, I'm having some trouble trying to configure active federation on a WCF service. I will explain my environment configuration:

    WINSERVER2012 (VM) Windows Server 2012 + AD + AD FS 2.0

    WIN-DEV1 (VM) (WCF Host + WCF Consumer)

    WIN-DEV1 has joined the domain hosted by WINSERVER2012 called FMTemporary.fm.

    Following, I describe my requirements:

    Since the WCF service is hosted by a machine which is in the FMTemporary.fm domain, all clients that belong to the same domain should be allowed to call the service without the need of a username and password (SSO).

    I've configured AD FS and everything is working fine using the endpoint /services/trust/13/usernamemixed in conjunction with username + password, but I cannot get the endpoint /services/trust/13/windowsmixed with Windows authentication working.

    The error I get on the client is the following:

    Security Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with identity 'host/winserver2012'. If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server.

    Using Event Viewer on the client I get the following error:

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server Administrator. The target name used was host/winserver2012. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (FMTEMPORARY.FM) is different from the client domain (FMTEMPORARY.FM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

    WCF Host config:

    <system.serviceModel>   
        <services>
          <service name="WebApplication.Service">
            <endpoint binding="ws2007FederationHttpBinding" contract="WebApplication.IService" address="" />
          </service>
        </services>
        
        <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true">
          <serviceActivations>
            <add service="WebApplication.Service" relativeAddress="~/Service.svc" />
          </serviceActivations>
        </serviceHostingEnvironment>
        
        <behaviors>
          <serviceBehaviors>
            <behavior name="">
              <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
              <serviceDebug includeExceptionDetailInFaults="true" />
              <serviceAuthorization principalPermissionMode="Always" />
              <serviceCredentials useIdentityConfiguration="true">
                <!--Certificate added by Identity and Access Tool for Visual Studio.-->
                <serviceCertificate findValue="ServicesCert" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
                <clientCertificate>
                    <authentication revocationMode="NoCheck" certificateValidationMode="None"/>
                </clientCertificate>
              </serviceCredentials>
            </behavior>
          </serviceBehaviors>
        </behaviors>
    	
        <protocolMapping>
          <add scheme="http" binding="ws2007FederationHttpBinding" />
        </protocolMapping>
        
        <bindings>
          <ws2007FederationHttpBinding>
            <binding name="">
              <security>
                <message>
                  <issuer address="https://winserver2012/adfs/services/trust/13/windowsmixed"
                          binding="ws2007HttpBinding" 
                          bindingConfiguration="ADFSConfiguration" />
                </message>
              </security>
            </binding>
          </ws2007FederationHttpBinding>
          
          <ws2007HttpBinding>
            <binding name="ADFSConfiguration">
              <security mode="TransportWithMessageCredential">
                <message clientCredentialType="Windows" 
                         establishSecurityContext="false" />
              </security>
            </binding>
          </ws2007HttpBinding>
        </bindings>
      </system.serviceModel>
      
      <system.identityModel>
        <identityConfiguration>
          <audienceUris>
            <add value="http://localhost:33169/Service1.svc" />
          </audienceUris>
          <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
            <authority name="http://WINSERVER2012.FMTemporary.fm/adfs/services/trust">
              <keys>
                <add thumbprint="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" />
              </keys>
              <validIssuers>
                <add name="http://WINSERVER2012.FMTemporary.fm/adfs/services/trust" />
              </validIssuers>
            </authority>
          </issuerNameRegistry>
          <certificateValidation certificateValidationMode="None" revocationMode="NoCheck" />
          <!--certificationValidationMode set to "None" by the the Identity and Access Tool for Visual Studio. For development purposes.-->
        </identityConfiguration>
      </system.identityModel>

    WCF Consumer config:

    <system.serviceModel>
      <bindings>
        <ws2007FederationHttpBinding>
          <binding name="ServiceConfiguration">
            <security>
              <message>
                <issuer binding="ws2007HttpBinding"
                        bindingConfiguration="ADFSConfiguration"
                        address="https://winserver2012/adfs/services/trust/13/windowsmixed" />
              </message>
            </security>
          </binding>
        </ws2007FederationHttpBinding>

        <ws2007HttpBinding>
          <binding name="ADFSConfiguration">
            <security mode="TransportWithMessageCredential">
              <message establishSecurityContext="false"
                       clientCredentialType="Windows" />
            </security>
          </binding>
        </ws2007HttpBinding>
      </bindings>
      <client>
        <endpoint address="http://localhost:33169/Service.svc" binding="ws2007FederationHttpBinding"
                  bindingConfiguration="ServiceConfiguration"
                  contract="ServiceReference1.IService" name="WS2007FederationHttpBinding_IService">
          <identity>
            <certificateReference storeLocation="LocalMachine"
                                  storeName="My"
                                  x509FindType="FindBySubjectName"
                                  findValue="ServicesCert" />
          </identity>
        </endpoint>
      </client>
    </system.serviceModel>

    P.S. The AD FS endpoint (/services/trust/13/windowsmixed) is enabled and I've added the Relying Party to AD FS. I'm pretty sure AD FS is configured fine because switching to the /services/trust/13/usernamemixed endpoint gives no error.

    Any help is greatly appreciated.

    Massimiliano.


    Tuesday, April 16, 2013 3:44 PM
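The KRB_AP_ERR_MODIFIED event quoted in the question names the condition to check: the SPN the client used (host/winserver2012) must be registered on exactly one account, and that account must be the one the AD FS service runs as. The script below is an added diagnostic example, not code from the original post or from the AD FS product; it queries the directory for the SPN holder, reads the service account of the AD FS Windows service, and reports whether they match. It assumes (none of this is stated on the page) that it runs on the AD FS host as a domain administrator with the ActiveDirectory PowerShell module installed, and that the AD FS 2.0 service is named adfssrv; verify the name with Get-Service before relying on it.

```powershell
# Added diagnostic script (not from the original post). Checks the relationship the
# KRB_AP_ERR_MODIFIED event describes: the SPN the client used must be registered on
# exactly the account the AD FS service runs as.
# Assumptions (not stated on the page): run on the AD FS host as a domain admin with the
# ActiveDirectory module (RSAT) installed; the AD FS 2.0 service name is 'adfssrv'.
function Test-AdfsSpnOwner {
    param(
        [string]$Spn = 'host/winserver2012',   # target name from the client's Kerberos event
        [string]$ServiceName = 'adfssrv'       # AD FS 2.0 Windows service (check with Get-Service)
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # 1. Which directory object(s) carry the SPN? Kerberos needs exactly one.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName, servicePrincipalName)
    $holderNames = @($holders | ForEach-Object { $_.sAMAccountName })

    # 2. Which account does the AD FS service actually run as?
    $svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found; verify the AD FS service name with Get-Service." }
    $runAs = $svc.StartName   # e.g. 'FMTEMPORARY\adfssvc' or 'NT AUTHORITY\NetworkService'

    # Network Service / Local System present the computer account to Kerberos, whose
    # sAMAccountName is the host name with a trailing '$'. Domain accounts appear as
    # DOMAIN\user or user@domain; reduce both to the sAMAccountName-style short name.
    if ($runAs -match 'NetworkService|LocalSystem') {
        $expected = "$($env:COMPUTERNAME)`$"      # computer account, e.g. WINSERVER2012$
    } elseif ($runAs -match '\\') {
        $expected = ($runAs -split '\\')[-1]      # DOMAIN\user
    } elseif ($runAs -match '@') {
        $expected = ($runAs -split '@')[0]        # user@domain (UPN)
    } else {
        $expected = $runAs
    }

    Write-Host "SPN '$Spn' is registered on: $($holderNames -join ', ')"
    Write-Host "Service '$ServiceName' runs as '$runAs' (expected SPN holder: '$expected')"

    switch ($holders.Count) {
        0 { Write-Warning "No account holds '$Spn'; register it on the service account: setspn -S $Spn $expected" }
        1 {
            if ($holderNames[0] -ieq $expected) {
                Write-Host "OK: the SPN holder matches the service account."
            } else {
                Write-Warning "Mismatch: '$Spn' is on '$($holderNames[0])' but the service runs as '$expected'. This is the condition the KRB_AP_ERR_MODIFIED event describes."
            }
        }
        default { Write-Warning "Duplicate SPN: '$Spn' is on $($holders.Count) accounts; remove it from all but the service account with setspn -D." }
    }

    # Return an object so the result can be used in further scripting.
    [pscustomobject]@{ Spn = $Spn; Holders = $holderNames; RunsAs = $runAs; Expected = $expected }
}

Test-AdfsSpnOwner
```

If the script reports a mismatch, the SSPI error text quoted in the question already states the client-side consequence: the WCF client must name the service's real identity (its ServicePrincipalName for a service account, its UserPrincipalName for a user account) in the EndpointAddress of the issuer, rather than the default host/hostname derived from the URL. Which identity that is depends on the account AD FS actually runs as, which is why the script prints both sides instead of assuming an answer.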

All replies

  • No one? Let me know if more info is needed.

    Thanks, Massimiliano

    Wednesday, April 17, 2013 1:22 PM