WCF-Custom Token Authentication Issue

  • Question

  • Ok, so we have a WCF-Custom adapter consuming a web service exposed by IBM Datapower. We've got the send working and we receive a response, but it errors out in the WCF channel stack with:

    An error occurred while processing the message, refer to the details section for more information 
    Message ID: {65B1B53F-B251-4049-8365-FAA9C0BDBA7E}
    Instance ID: {760E3F89-CF86-491C-AE5F-FC595B99F085}
    Error Description: System.ServiceModel.Security.MessageSecurityException: Cannot find a token authenticator for the 'System.IdentityModel.Tokens.X509SecurityToken' token type. Tokens of that type cannot be accepted according to current security settings.
    
    Server stack trace: 
       at System.Runtime.AsyncResult.End[TAsyncResult](IAsyncResult result)
       at System.ServiceModel.Channels.ServiceChannel.SendAsyncResult.End(SendAsyncResult result)
       at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result)
       at System.ServiceModel.Channels.ServiceChannel.EndRequest(IAsyncResult result)
    
    Exception rethrown at [0]: 
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at System.ServiceModel.Channels.IRequestChannel.EndRequest(IAsyncResult result)
       at Microsoft.BizTalk.Adapter.Wcf.Runtime.WcfClient`2.RequestCallback(IAsyncResult result)
    

    Which seems to indicate that WCF is unable to process the response. I don't see any obvious problems when viewing the request and response on the WCF trace.

    Here's our WCF bindings:


    <?xml version="1.0"?>
    <configuration>
      <system.serviceModel>
        <client>
          <endpoint address="https://Xxxxxxxxxxxxx" behaviorConfiguration="EndpointBehavior" binding="customBinding" bindingConfiguration="68f78aef-cd86-4f58-a6e3-6507fa8bd8fc" contract="BizTalk" name="SendMsg" />
        </client>
        <behaviors>
          <endpointBehaviors>
            <behavior name="EndpointBehavior">
              <clientCredentials>
                <clientCertificate findValue="Xxxxxxxxxxxxxxxxx" x509FindType="FindByThumbprint" />
                <serviceCertificate>
                  <defaultCertificate findValue="Xxxxxxxxxxxxxxxxxx" storeLocation="LocalMachine" storeName="AddressBook" x509FindType="FindByThumbprint" />
                </serviceCertificate>
              </clientCredentials>
            </behavior>
          </endpointBehaviors>
          <serviceBehaviors>
            <behavior name="ServiceBehavior" />
          </serviceBehaviors>
        </behaviors>
        <bindings>
          <customBinding>
            <clear />
            <binding name="68f78aef-cd86-4f58-a6e3-6507fa8bd8fc">
              <textMessageEncoding messageVersion="Soap11WSAddressingAugust2004" />
              <security allowSerializedSigningTokenOnReply="true" authenticationMode="CertificateOverTransport" >
                <secureConversationBootstrap/>
              </security>
              <httpsTransport requireClientCertificate="true" />
            </binding>
          </customBinding>
        </bindings>
      </system.serviceModel>
    </configuration>


    Doing some internet research led to this blog post by Yaron Neveh on the exact same error we're seeing. The blog post says that the issue lies with the token reference to the signing certificate being serialized in the message versus a direct reference. Unfortunately, our response already has a direct reference, so setting allowSerializedSigningTokenOnReply to true hasn't had any effect.

    Anybody else run into something similar?

    Thanks for your time.


    Wednesday, October 12, 2011 11:27 PM

Answers

All replies

  • How exactly did you set this value - was it as part of the receive port configuration settings? I am wondering if the workaround Yaron is suggesting is not taking effect. If you reproduce the call outside of BizTalk are you successful on the response?

    If you are successful with Yaron's workaround outside of BizTalk I would call MS Support because it sounds like the BizTalk config value for the allowSerializedSigningTokenOnReply is not taking place. Another fix would be to move the service client code out to a separate WCF service that can then interact with BizTalk too.

    Thanks,


    If this answers your question, please use the "Answer" button to say so | Ben Cline

    Saturday, October 15, 2011 4:02 PM
    Moderator
  • Well, we set this value using the WCF-Custom configuration dialog in the port settings. And the allowSerializedSigningTokenOnReply value does show in the Send port configuration. I'm away from my work computer right now so I can't post the BizTalk bindings, but I'm sure the allowSerializedSigningTokenOnReply value does show up in them.

    We've actually tried moving the WCF call outside of BizTalk, but encounter the same error. I don't think the allowSerializedSigningTokenOnReply Boolean fix is working because we don't get a serialized token in the response, we get a direct reference, but Yaron's fix is for the other case, a serialized token in the response while WCF is expecting a direct reference. The error text we get is still the same though, just that WCF can't find a token authenticator for an X509 security token due to the current security settings.

    We actually have opened a ticket with MS support, but as the client is getting antsy any help from here is still appreciated.

    Thanks for your response.

    Sunday, October 16, 2011 3:58 PM
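The two posts above disagree about whether the reply carries a serialized token or a direct reference. The following script is an added example, not code from the thread or from WCF: it takes the wsse:Security element copied out of a WCF trace and reports the bare facts (is a BinarySecurityToken present, does the signature's SecurityTokenReference use a local `#id` Reference, a KeyIdentifier or an X509IssuerSerial, and does the Reference resolve to a token in the same header), so that the two cases can be told apart before touching allowSerializedSigningTokenOnReply. The sample headers are constructed with dummy token and signature values.

```python
"""Classify how a wsse:Security header references its signing X.509 token.

Added example, not from the thread or from WCF: paste the wsse:Security element
copied out of a WCF trace into classify_signing_token() to see whether the signing
certificate is carried in the reply (BinarySecurityToken referenced by a local #id)
or referenced indirectly (KeyIdentifier or X509IssuerSerial).
"""
import xml.etree.ElementTree as ET

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def classify_signing_token(security_xml):
    """Return the reference forms used under ds:KeyInfo and whether a Reference
    URI resolves to a BinarySecurityToken present in the same header."""
    sec = ET.fromstring(security_xml)
    token_ids = {bst.get("{%s}Id" % NS["wsu"]) for bst in sec.findall("wsse:BinarySecurityToken", NS)}
    result = {"serialized_tokens": sorted(t for t in token_ids if t),
              "reference_forms": [], "resolves_locally": False}
    for str_el in sec.findall(".//ds:KeyInfo/wsse:SecurityTokenReference", NS):
        ref = str_el.find("wsse:Reference", NS)
        if ref is not None:
            result["reference_forms"].append("Reference")
            uri = ref.get("URI", "")
            if uri.startswith("#") and uri[1:] in token_ids:
                result["resolves_locally"] = True
        if str_el.find("wsse:KeyIdentifier", NS) is not None:
            result["reference_forms"].append("KeyIdentifier")
        if str_el.find("ds:X509Data/ds:X509IssuerSerial", NS) is not None:
            result["reference_forms"].append("X509IssuerSerial")
    return result


# Constructed samples (dummy token and signature values), one per case.
_HDR = '<wsse:Security xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">' % NS
_SIG = ('<ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2ln</ds:SignatureValue>'
        '<ds:KeyInfo><wsse:SecurityTokenReference>%s</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>')
SAMPLE_SERIALIZED = _HDR + ('<wsse:BinarySecurityToken wsu:Id="X509-1">MIIB...dummy</wsse:BinarySecurityToken>'
                            + _SIG % '<wsse:Reference URI="#X509-1"/>' + '</wsse:Security>')
SAMPLE_KEYID = _HDR + _SIG % '<wsse:KeyIdentifier>c2tp</wsse:KeyIdentifier>' + '</wsse:Security>'

if __name__ == "__main__":
    for name, xml in (("serialized", SAMPLE_SERIALIZED), ("keyidentifier", SAMPLE_KEYID)):
        print(name, classify_signing_token(xml))
```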
  • Sorry for the late reply. I would look into the IBM documentation to see if they provide any tips. Sometimes they do give you some interop help. This one looks promising: http://www.redbooks.ibm.com/abstracts/redp4365.html?Open. You can search the IBM Redbooks at http://www.redbooks.ibm.com/.

    Thanks,


    If this answers your question, please use the "Answer" button to say so | Ben Cline
    Friday, October 21, 2011 1:36 PM
    Moderator
  • Forgot about this thread...

    What we ended up doing was working with MS support to build a custom WCF message inspector that edited the headers on the inbound messages to allow WCF to process it.

    • Marked as answer by Nick Helms Tuesday, December 13, 2011 8:53 PM
    Tuesday, December 13, 2011 8:53 PM
  • Nick,

    Thanks for replying back about how you accomplished this.

    Thanks,


    If this answers your question, please use the "Answer" button to say so | Ben Cline
    Tuesday, December 13, 2011 10:52 PM
    Moderator