IIS 8.5 vs 7.5 FederationHttpBinding tokenRequestParameters Namespace Error

  • Question

  • User-226860733 posted

    Hello and sorry for the cryptic subject,

    The issue is quickly explained:

      1. The tokenRequestParameters (see: https://docs.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/wcf/tokenrequestparameters) allow the definition of XML elements that are used in the token request.
      2. In our company we have old servers with IIS 8.5 and 7.5
      3. We deployed the same software to these servers, and in the Web.Config of one of the deployed portals we set the tokenrequestparameters to something along the lines of (highlighting the issue in bold):
          <tokenRequestParameters>
            <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
              <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
              <trust:CanonicalizationAlgorithm>http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
              <trust:EncryptionAlgorithm>http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
            </trust:SecondaryParameters>
          </tokenRequestParameters>
      4. In IIS 7.5 it works and, for example, the authentication setting "Anonymous" can be toggled in the IIS Manager
      5. In IIS 8.5 it does not work and on trying to toggle the Anonymous Authentication in the IIS Manager we receive the error:


        This problem is entirely resolved when we change the namespacing to:
          <tokenRequestParameters>
            <SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
              <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
              <trust:CanonicalizationAlgorithm>http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
              <trust:EncryptionAlgorithm>http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
            </SecondaryParameters>
          </tokenRequestParameters>

    A similar issue is documented here:
    https://zzz.buzz/2018/02/09/c00cef03-assemblybinding-and-iis-8-or-10/

    When one checks W3C it claims using the namespace in the same tag that declares the namespace is fine.
    <h:table xmlns:h="http://www.w3.org/TR/html4/">
      <h:tr>
        <h:td>Apples</h:td>
        <h:td>Bananas</h:td>
      </h:tr>
    </h:table>
     (source: https://www.w3schools.com/xml/xml_namespaces.asp)
    but it does not work in IIS 8.5 web.configs

    Now my questions:

    1. Is it intentional that this behaviour changed between IIS 7.5 and IIS 8.5?
    2. Will there be an update showing a better error message when such an XML schema validation error prevents writing of the Web.Config? (This issue cost a lot of time, finding that this legal namespace declaration was causing a cryptic error in one version of IIS and not another.)
    Monday, January 4, 2021 7:03 PM
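
An added example, not part of the original post and not Microsoft code: a namespace-aware parse of the two fragments from the question. It shows that both forms are well-formed, and that the unprefixed form moves SecondaryParameters out of the WS-Trust namespace while its children stay in it. The function names are hypothetical, and the fragments are constructed from the post and shortened to two child elements.

```python
import xml.etree.ElementTree as ET

WS_TRUST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"

# Constructed from the question's first fragment (prefix used on the declaring element).
PREFIXED = f"""<tokenRequestParameters>
  <trust:SecondaryParameters xmlns:trust="{WS_TRUST}">
    <trust:KeyType>{WS_TRUST}/Bearer</trust:KeyType>
    <trust:EncryptionAlgorithm>http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
  </trust:SecondaryParameters>
</tokenRequestParameters>"""

# Constructed from the question's second fragment (wrapper element left unprefixed).
# Assumption: no default xmlns is in scope, as in the fragments shown in the post.
UNPREFIXED = f"""<tokenRequestParameters>
  <SecondaryParameters xmlns:trust="{WS_TRUST}">
    <trust:KeyType>{WS_TRUST}/Bearer</trust:KeyType>
    <trust:EncryptionAlgorithm>http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
  </SecondaryParameters>
</tokenRequestParameters>"""


def split_qname(tag):
    """ElementTree stores names in Clark notation '{uri}local'; split it."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return "", tag


def expanded_names(fragment):
    """Return (namespace URI, local name) for every element, in document order."""
    return [split_qname(el.tag) for el in ET.fromstring(fragment).iter()]


def namespace_changes(before, after):
    """List (local name, old namespace, new namespace) for elements whose namespace differs."""
    pairs = zip(expanded_names(before), expanded_names(after))
    return [(name_a, ns_a, ns_b)
            for (ns_a, name_a), (ns_b, name_b) in pairs
            if name_a == name_b and ns_a != ns_b]


if __name__ == "__main__":
    for name, old, new in namespace_changes(PREFIXED, UNPREFIXED):
        print(f"{name}: {old or '(no namespace)'} -> {new or '(no namespace)'}")
```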

All replies

  • User690216013 posted

    Is it intentional that this behaviour changed between IIS 7.5 and IIS 8.5?

    IIS Manager source code is almost the same, except that IIS Manager on IIS 7.5 uses .NET Framework 3.5 while on IIS 8.5 it uses .NET Framework 4.x. So I assume the XML validation difference comes from .NET Framework itself.

    Will there be an update

    Not likely. Windows Server 2012 R2 is out of mainstream support (since 2018), so only security-related issues will be fixed.

    Monday, January 4, 2021 10:16 PM
  • User1771714573 posted

    Hi Stefan Bruhn,

    All versions after IIS 7 have the same architecture and no major changes. I am not sure what caused your problem, but I have reported this problem.

    Currently, the latest version of IIS is 10. There may be no more updates for 8.5. It is recommended that you use IIS 10. If this problem persists, Microsoft will fix it in IIS 10.

    Best regards,

    Brucz

    Tuesday, January 5, 2021 8:35 AM