WCF: security token could not be satisfied because authentication failed.

  • Question

  • Hi,

    I am a newbie to WCF.... Please bear with me. I have a WCF service and client on the same machine with certificates (trusted root authority). Please find the client and server config below.

    The exception below resulted when the client tried to call the service.

    NOTE: This exception resulted when revocationMode="Online". It works fine when revocationMode="NoCheck".

    <authentication certificateValidationMode="ChainTrust" revocationMode="Online"/>

    But this should work in Online revocation mode for me.

     

    Server Error in '/WCFClient' Application.
    --------------------------------------------------------------------------------

    The request for security token could not be satisfied because authentication failed.
    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.

    Source Error:

    Line 58:     }
    Line 59:
    Line 60:     public string Ping(string inParam) { return base.Channel.Ping(inParam); }
    Line 61: }

     

    Source File: c:\Documents and Settings\localuser\Desktop\WCF\WCFClient\App_Code\Proxy.cs    Line: 60

    Stack Trace:

    [FaultException: The request for security token could not be satisfied because authentication failed.]
       System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target) +845
       System.ServiceModel.Security.IssuanceTokenProviderBase`1.ThrowIfFault(Message message, EndpointAddress target) +37
       System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState) +201

    [SecurityNegotiationException: The caller was not authenticated by the service.]
       System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout) +2203
       System.ServiceModel.Security.IssuanceTokenProviderBase`1.GetTokenCore(TimeSpan timeout) +275
       System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout) +55
       System.ServiceModel.Security.SecurityProtocol.GetToken(SecurityTokenProvider provider, EndpointAddress target, TimeSpan timeout) +282

    [SecurityNegotiationException: The token provider cannot get tokens for target 'http://localhost:1144/WCFService/ICCService.svc'.]
       System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) +7594687
       System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) +275
       IICCService.Ping(String inParam) +0
       ICCServiceClient.Ping(String inParam) in c:\Documents and Settings\localuser\Desktop\WCF\WCFClient\App_Code\Proxy.cs:60
       _Default.btnSubmit_Click(Object sender, EventArgs e) in c:\Documents and Settings\localuser\Desktop\WCF\WCFClient\Default.aspx.cs:17
       System.Web.UI.WebControls.Button.OnClick(EventArgs e) +126
       System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +135
       System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +39
       System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +37
       System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +87
       System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +4178

     


    Client config file:


    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <system.serviceModel>
        <bindings>
          <wsHttpBinding>
            <binding name="WSHttpBinding_ICCService" maxReceivedMessageSize="9965536">
              <security mode="Message">
                <message establishSecurityContext="false" clientCredentialType="Certificate" negotiateServiceCredential="true"/>
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
        <client>
          <endpoint address="http://localhost/WCFService/ICCService.svc" binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_ICCService"
                    contract="IICCService" name="WSHttpBinding_ICCService" behaviorConfiguration="ICCServiceBehavior">
            <identity>
              <certificate encodedValue="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" />
            </identity>
          </endpoint>
        </client>
        <behaviors>
          <endpointBehaviors>
            <behavior name="ICCServiceBehavior">
              <clientCredentials>
                <clientCertificate findValue="MyCert" storeLocation="LocalMachine" x509FindType="FindBySubjectName" storeName="My"/>
                <serviceCertificate>
                  <authentication certificateValidationMode="ChainTrust" revocationMode="Online"/>
                </serviceCertificate>
              </clientCredentials>
            </behavior>
          </endpointBehaviors>
        </behaviors>
      </system.serviceModel>
      <system.web>
        <compilation debug="true"/>
      </system.web>
    </configuration>

     

    Server config file:

    <?xml version="1.0"?>
    <configuration>
      <startup>
        <supportedRuntime version="v2.0.50727"/>
      </startup>
      <system.serviceModel>
        <services>
          <service behaviorConfiguration="ICCServiceBehavior" name="WCFService.ICCService">
            <endpoint address="http://localhost/WCFService/ICCService.svc" binding="wsHttpBinding" contract="WCFService.IICCService" bindingConfiguration="ICCBinding"/>
          </service>
        </services>
        <bindings>
          <wsHttpBinding>
            <binding name="ICCBinding">
              <security mode="Message">
                <message establishSecurityContext="false" clientCredentialType="Certificate" />
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
        <behaviors>
          <serviceBehaviors>
            <behavior name="ICCServiceBehavior">
              <serviceMetadata httpGetEnabled="True"/>
              <serviceDebug includeExceptionDetailInFaults="false"/>
              <serviceCredentials>
                <serviceCertificate findValue="MyCert" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
                <clientCertificate>
                  <authentication certificateValidationMode="ChainTrust" revocationMode="Online"/>
                </clientCertificate>
              </serviceCredentials>
            </behavior>
          </serviceBehaviors>
        </behaviors>
      </system.serviceModel>
      <system.web>
        <customErrors mode="Off"/>
        <compilation debug="true">
        </compilation>
      </system.web>
    </configuration>


    Any help would be appreciated!!

    Thanks
    Suja

     

    Monday, March 15, 2010 4:11 PM

Answers

All replies

  • Just for testing, try to change ChainTrust to None on both client and server to see if this is the only issue.
    Also turn on WCF trace on client and server as it may contain additional info.

    http://webservices20.blogspot.com/
    WCF Security, Performance And Testing Blog
    Monday, March 15, 2010 10:30 PM
  • It works fine on both client and server for any of the modes below

    <authentication certificateValidationMode="None" revocationMode="Online"/>

    <authentication certificateValidationMode="PeerTrust" revocationMode="Online"/>

    <authentication certificateValidationMode="PeerOrChainTrust" revocationMode="Online"/>


    But FAILING for

    <authentication certificateValidationMode="ChainTrust" revocationMode="Online"/>

    Please see the traced details below

    System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target)
    System.ServiceModel.Security.IssuanceTokenProviderBase`1.ThrowIfFault(Message message, EndpointAddress target)
    System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
    System.ServiceModel.Security.IssuanceTokenProviderBase`1.GetNextOutgoingMessage(Message incomingMessage, T negotiationState)
    System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
    System.ServiceModel.Security.IssuanceTokenProviderBase`1.GetTokenCore(TimeSpan timeout)
    System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
    System.ServiceModel.Security.SecurityProtocol.GetToken(SecurityTokenProvider provider, EndpointAddress target, TimeSpan timeout)
    System.ServiceModel.Security.MessageSecurityProtocol.GetTokenAndEnsureOutgoingIdentity(SecurityTokenProvider provider, Boolean isEncryptionOn, TimeSpan timeout, SecurityTokenAuthenticator authenticator)
    System.ServiceModel.Security.SymmetricSecurityProtocol.TryGetTokenSynchronouslyForOutgoingSecurity(Message message, SecurityProtocolCorrelationState correlationState, Boolean isBlockingCall, TimeSpan timeout, SecurityToken& token, SecurityTokenParameters& tokenParameters, SecurityToken& prerequisiteWrappingToken, IList`1& supportingTokens, SecurityProtocolCorrelationState& newCorrelationState)
    System.ServiceModel.Security.SymmetricSecurityProtocol.SecureOutgoingMessageCore(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState correlationState)
    System.ServiceModel.Security.MessageSecurityProtocol.SecureOutgoingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState correlationState)
    System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
    System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
    System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
    System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
    System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
    System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
    System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
    IICCService.Ping(String inParam)
    ICCServiceClient.Ping(String inParam)
    _Default.btnSubmit_Click(Object sender, EventArgs e)
    System.Web.UI.WebControls.Button.OnClick(EventArgs e)
    System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
    System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument)
    System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
    System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData)
    System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    System.Web.UI.Page.ProcessRequest()
    System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
    System.Web.UI.Page.ProcessRequest(HttpContext context)
    ASP.default_aspx.ProcessRequest(HttpContext context)
    System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
    System.Web.HttpApplication.ApplicationStepManager.ResumeSteps(Exception error)
    System.Web.HttpApplication.ResumeSteps(Exception error)
    System.Web.HttpApplication.System.Web.IHttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData)
    System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr)
    System.Web.HttpRuntime.ProcessRequestNow(HttpWorkerRequest wr)
    System.Web.HttpRuntime.ProcessRequestNoDemand(HttpWorkerRequest wr)
    System.Web.HttpRuntime.ProcessRequest(HttpWorkerRequest wr)
    Microsoft.VisualStudio.WebHost.Request.Process()
    Microsoft.VisualStudio.WebHost.Host.ProcessRequest(Connection conn)

    Tuesday, March 16, 2010 6:53 PM
  • OK, this means the issuer of the certificate is not trusted on the server machine.
    http://webservices20.blogspot.com/
    WCF Security, Performance And Testing Blog
    • Marked as answer by Bin-ze Zhao Thursday, March 18, 2010 6:25 AM
    Tuesday, March 16, 2010 8:54 PM
  • Ok this means the issuer of the certificate is not trusted on the server machine
    http://webservices20.blogspot.com/
    WCF Security, Performance And Testing Blog

    Could you give a more detailed description? Thanks very much!
    Saturday, October 16, 2010 4:10 AM
  • Sure.

    When the client has a private certificate and sends it to the server, the server checks in its local Windows certificate store whether the client certificate is trusted. There are various ways in which the server can check this, and each one may give a different result. This is configurable.

    One way requires the client certificate itself to exist in the server's store. Another way requires the certificate of the client's issuer (the authority which created the client certificate for the client) to exist on the server.

    Such an error is received when one of these conditions is not met.


    http://webservices20.blogspot.com/
    WCF Security, Interoperability And Performance Blog
    Saturday, October 16, 2010 7:58 AM
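
The thread never shows which chain condition actually fails. The diagnostic below is an added example, not code from the original thread or from the blog linked above: it loads the certificate named in the posted configs (subject "MyCert" in LocalMachine\My, the only values taken from the page) and rebuilds its chain twice with System.Security.Cryptography.X509Certificates.X509Chain, once with revocationMode NoCheck and once with Online, which are the two settings the poster compared. Run it on the server for the client certificate (the fault "The caller was not authenticated by the service" comes from the server's clientCertificate/authentication element) and on the client for the service certificate, since the client config validates the service certificate with the same ChainTrust/Online settings. The printed X509ChainStatus flags separate the two explanations: UntrustedRoot or PartialChain means the issuer is not in Trusted Root Certification Authorities, as the reply above says, while RevocationStatusUnknown together with OfflineRevocation means the chain itself is trusted but no CRL could be retrieved for it, which is exactly the case that NoCheck hides and Online exposes. Timeout value and output format are my choices.

```csharp
// Added diagnostic (not from the original thread): rebuild a certificate's chain with
// the settings WCF's ChainTrust validator uses and print every chain status flag.
// Assumptions: subject "MyCert" and the LocalMachine\My store come from the posted
// configs; the 15 second URL retrieval timeout is an arbitrary choice.
using System;
using System.Security.Cryptography.X509Certificates;

static class ChainTrustDiagnostic
{
    static void Main()
    {
        X509Certificate2 cert = FindCertificate("MyCert", StoreName.My, StoreLocation.LocalMachine);
        if (cert == null)
        {
            Console.WriteLine("No certificate with subject 'MyCert' in LocalMachine\\My");
            return;
        }
        Console.WriteLine("Subject: {0}", cert.Subject);
        Console.WriteLine("Issuer:  {0}", cert.Issuer);

        // The poster's working case (NoCheck) and failing case (Online), same certificate.
        X509RevocationMode[] modes = new X509RevocationMode[] { X509RevocationMode.NoCheck, X509RevocationMode.Online };
        foreach (X509RevocationMode mode in modes)
        {
            Console.WriteLine();
            Console.WriteLine("revocationMode={0}", mode);
            PrintChainStatus(cert, mode);
        }
    }

    static X509Certificate2 FindCertificate(string subjectName, StoreName name, StoreLocation location)
    {
        X509Store store = new X509Store(name, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // validOnly=false so an untrusted or expired test certificate is still returned.
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, false);
            return found.Count > 0 ? found[0] : null;
        }
        finally
        {
            store.Close();
        }
    }

    static void PrintChainStatus(X509Certificate2 cert, X509RevocationMode mode)
    {
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = mode;
        // ChainTrust accepts no shortcuts: the chain has to end in a root present in
        // Trusted Root Certification Authorities, with no verification flags relaxed.
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15);

        bool ok = chain.Build(cert);
        Console.WriteLine("  chain.Build => {0}", ok);
        foreach (X509ChainElement element in chain.ChainElements)
            Console.WriteLine("  element: {0}", element.Certificate.Subject);
        foreach (X509ChainStatus status in chain.ChainStatus)
            Console.WriteLine("  status: {0} ({1})", status.Status, status.StatusInformation.Trim());

        // 2.5.29.31 is the CRL Distribution Points extension. Without it an Online
        // revocation check has nowhere to fetch a CRL from and can never succeed.
        X509Extension cdp = cert.Extensions["2.5.29.31"];
        if (cdp == null)
            Console.WriteLine("  no CRL Distribution Points extension: Online revocation checking cannot succeed");
        else
            Console.WriteLine("  CDP: {0}", cdp.Format(false));
    }
}
```

Compile against .NET 2.0 or later (the posted config targets v2.0.50727) and run it elevated, since reading LocalMachine\My needs administrative rights. If the Online run prints RevocationStatusUnknown and OfflineRevocation while NoCheck builds cleanly, the fix is on the certificate side (issue it with a reachable CRL distribution point, or use revocationMode="NoCheck" deliberately for self-issued test certificates); if both runs print UntrustedRoot or PartialChain, the issuing CA certificate has to be imported into Trusted Root Certification Authorities on the machine doing the validation, which is what the reply above describes.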