ADFS 2.0 and the MSIS7004 Exception

    Question

  • Hi guys! I am trying to get a federated server working, but I end up with the following error and cannot find a solution out there.

    I think it is related to WCF, but I don't really know where the config file for WCF is in ADFS 2.0.

    I appreciate some help on this.

    Best Regards,

    Javier.

     

    Encountered error during federation passive request.

    Additional Data

    Exception details:
    Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> Microsoft.IdentityServer.Protocols.WSTrust.StsConnectionException: MSIS7004: An exception occurred while connecting to the federation service. The service endpoint URL 'net.tcp://localhost:1501/adfs/services/trusttcp/windows' may be incorrect or the service is not running. ---> System.ServiceModel.CommunicationException: Could not connect to net.tcp://localhost:1501/adfs/services/trusttcp/windows. The connection attempt lasted for a time span of 00:00:00. TCP error code 10013: An attempt was made to access a socket in a way forbidden by its access permissions 127.0.0.1:1501.  ---> System.Net.Sockets.SocketException: An attempt was made to access a socket in a way forbidden by its access permissions 127.0.0.1:1501
       at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
       at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
       at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
       --- End of inner exception stack trace ---

    Server stack trace:
       at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
       at System.ServiceModel.Channels.BufferedConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
       at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
       at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
       at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

    Exception rethrown at [0]:
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustContract.Issue(Message message)
       at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(Message message)
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.IssueWorker(Message request, Boolean firstTry, WCFResponseData responseData)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.IssueWorker(Message request, Boolean firstTry, WCFResponseData responseData)
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.IssueWorker(Message request, Boolean firstTry, WCFResponseData responseData)
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, WSFederationMessage incomingMessage)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)


    And previously I had this one:

     

    Exception details:
    Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> Microsoft.IdentityServer.Protocols.WSTrust.StsConnectionException: MSIS7004: An exception occurred while connecting to the federation service. The service endpoint URL 'net.tcp://localhost:1501/adfs/services/trusttcp/windows' may be incorrect or the service is not running. ---> System.ServiceModel.EndpointNotFoundException: No DNS entries exist for host localhost.

     

    Thursday, April 14, 2011 12:22 PM

All replies

  • Is the trusttcp endpoint enabled in ADFS?

    This is not the error I usually get when an endpoint is not enabled but I am wondering if maybe this error is different because most of the ADFS endpoints are over http rather than tcp. For http I usually get a message that the server endpoint is busy.

    Thanks,


    If this answers your question, please use the "Answer" button to say so | Ben Cline
    Thursday, April 14, 2011 1:39 PM
  • Hi, thanks for the response.

    What do you mean by enabling the trusttcp?

    Is it this, or am I missing something?

      <microsoft.identityServer.web>
        <localAuthenticationTypes>
          <add name="Integrated" page="auth/integrated/" />
          <add name="Forms" page="FormsSignIn.aspx" />
          <add name="TlsClient" page="auth/sslclient/" />
          <add name="Basic" page="auth/basic/" />
        </localAuthenticationTypes>
        <commonDomainCookie writer="" reader="" />
        <context hidden="true" />
        <error page="Error.aspx" />
        <acceptedFederationProtocols saml="true" wsFederation="true" />
        <homeRealmDiscovery page="HomeRealmDiscovery.aspx" />
        <persistIdentityProviderInformation enabled="true" lifetimeInDays="30" />
        <securityTokenService samlProtocolEndpoint="net.tcp://localhost/samlprotocol"
          wsTrustEndpoint="net.tcp://localhost/adfs/services/trusttcp/windows" />
        <singleSignOn enabled="true" />
      </microsoft.identityServer.web>

    Thursday, April 14, 2011 7:54 PM
  • In the ADFS 2.0 MMC is the endpoint you are trying to hit enabled? On my ADFS VM the endpoint is enabled by default.

    Maybe this is a Windows Firewall issue and it is blocking your port 1501. Do you have Windows Firewall enabled?

    Thanks,


    If this answers your question, please use the "Answer" button to say so | Ben Cline
    Thursday, April 14, 2011 7:57 PM
  • Yes, I can see that the endpoint is enabled in the ADFS MMC.

    I also disabled the firewall to isolate this issue. Regarding this, I also tried changing the port to 1601 and I am still in the same place.

    Still looking for a solution.

    Can I provide some extra information to you?

    Thanks a lot!

     

    Friday, April 15, 2011 4:34 PM
  • Yes, if you want to send an email, joeymaloney2 [at] gmail

    I have not tried before to call ADFS over a net.tcp endpoint, only http at this point.

    Thanks,


    If this answers your question, please use the "Answer" button to say so | Ben Cline
    Friday, April 15, 2011 4:35 PM
  • Well, I partially found a solution.

    First, I forgot to add the ADFS account to the Local Administrators group.

    Then, I had to install the WCF feature from .NET 3.0 on my Windows 2008 Server box. These are the HTTP Activation and Non-HTTP Activation features. (Both features can be found under Server Manager -> Add Features -> .NET 3.0 Framework.)

    Finally, I added the "net.tcp" protocol to "Enabled Protocols" in my IIS console for the adfs and ls application nodes. (Right-click, then Advanced Settings, then Enabled Protocols.)

    But I still have errors. I have this new one, and maybe it is about something wrongly configured in the Rules. Or simply ADFS is not working, even though the service is up and running and the certificates are working fine.

    Encountered error during federation passive request.

    Additional Data

    Exception details:
    Microsoft.IdentityServer.Protocols.WSTrust.StsConnectionException: MSIS7004: An exception occurred while connecting to the federation service. The service endpoint URL 'net.tcp://localhost/samlprotocol' may be incorrect or the service is not running. ---> System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at net.tcp://localhost/samlprotocol that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.

    Server stack trace:
       at System.ServiceModel.Channels.ConnectionUpgradeHelper.DecodeFramingFault(ClientFramingDecoder decoder, IConnection connection, Uri via, String contentType, TimeoutHelper& timeoutHelper)

     

    Hope someone can help. Thanks a lot!

    Tuesday, April 19, 2011 12:18 PM
  • You fixed my problem - thank you!!!

    Same errors as you. This was coming from my secondary ADFS server in a farm.

    Added the service account to local admins and no more errors or connection issues!

    Have you tried disabling "require SSL" under SSL settings of default website, adfs and ls node?

    EDIT: Also, assuming you are using the Windows Internal Database - make sure it's being run by the same account as the ADFS service account.

    The above settings for me got rid of all those errors!

    Piley


    IT Engineer currently working on implementing ADFS 2.0 in a corporate environment.
    Saturday, May 7, 2011 4:32 PM
  • Piley,

    We are still stuck, even with the help of Microsoft Support in Latin America.

    The service account of ADFS is already a member of the local admin group of the box. Also, we are using a SQL farm in our ADFS architecture.

    I think the problem may come from ADFS not being able to resolve net.tcp://localhost. The ADFS is myadfs.dtts.com; perhaps if I change this it will work. But I don't know where :(

    Friday, May 27, 2011 12:58 PM
  • Hi Javier,

    Just ensure that the certificate you are using for ADFS has permissions granted to the Network Service account.

     

    You can check this from the Certificate Management MMC. Right-click on your ADFS certificate, All Tasks - Manage Private Keys.

     

    Cheers,
    Ravi


    Ravi
    Sunday, July 31, 2011 1:19 AM
  • Hi Javier,

    Thank you. I had to add net.tcp to the "Enabled Protocols" in the IIS settings of ADFS and LS application node! I set the value to "http,net.tcp" and now it works!

    Great job!

    David


    --- http://blog.sharepoint.ch

    Thursday, February 16, 2012 10:50 PM
  • This worked for me too - thanks so much, you guys. The directions I followed are below.

    You need to add net.tcp to the enabled protocols of your site. Go to IIS Manager, right-click on your website, go to 'Manage Web Site' or 'Manage Application', then to 'Advanced Settings...'. There you see 'Enabled Protocols'. It probably says http. Change it to http,net.tcp.

    Wednesday, October 31, 2012 10:56 PM
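The checks the thread converges on (WCF Non-HTTP Activation installed, the net.tcp services running, net.tcp in Enabled Protocols on the adfs and adfs/ls nodes, the service account in local Administrators, and the trusttcp port actually listening) gathered into one diagnostic script. This is an added example, not code from the thread or from Microsoft; it assumes AD FS 2.0 under "Default Web Site" on Windows Server 2008 R2, the service account name is a placeholder, and the feature and service names (NET-HTTP-Activation, NET-Non-HTTP-Activ, NetTcpPortSharing, NetTcpActivator, adfssrv) should be verified against your own box.

```powershell
# Added diagnostic script (not from the thread). Run in an elevated PowerShell
# session on the federation server. $SiteName, $ServiceAccount and $Port are
# assumptions: adjust them to your environment.
Import-Module WebAdministration
Import-Module ServerManager

$SiteName       = 'Default Web Site'
$ServiceAccount = 'DOMAIN\svc_adfs'   # placeholder: your AD FS 2.0 service account
$Port           = 1501                # port from the MSIS7004 message in the thread

function Test-Check([string]$Name, [bool]$Ok, [string]$Hint) {
    $state = if ($Ok) { 'OK  ' } else { 'FAIL' }
    Write-Host ("[{0}] {1}" -f $state, $Name)
    if (-not $Ok) { Write-Host ("       fix: {0}" -f $Hint) }
}

# 1. WCF activation features (thread: HTTP Activation and Non-HTTP Activation)
foreach ($f in 'NET-HTTP-Activation', 'NET-Non-HTTP-Activ') {
    $feat = Get-WindowsFeature $f
    Test-Check "Feature $f installed" ($feat -ne $null -and $feat.Installed) `
        "Add-WindowsFeature $f"
}

# 2. Services that net.tcp activation depends on, plus AD FS 2.0 itself
foreach ($s in 'WAS', 'NetTcpPortSharing', 'NetTcpActivator', 'adfssrv') {
    $svc = Get-Service -Name $s -ErrorAction SilentlyContinue
    Test-Check "Service $s running" ($svc -ne $null -and $svc.Status -eq 'Running') `
        "Start-Service $s and set its StartupType to Automatic"
}

# 3. Enabled Protocols on the adfs and adfs/ls application nodes (the thread's fix)
foreach ($app in 'adfs', 'adfs/ls') {
    $path = "IIS:\Sites\$SiteName\$app"
    $p    = Get-ItemProperty $path -Name enabledProtocols
    $proto = if ($p -is [string]) { $p } else { [string]$p.Value }
    Test-Check "$app enabledProtocols = '$proto'" ($proto -match 'net\.tcp') `
        "Set-ItemProperty '$path' -Name enabledProtocols -Value 'http,net.tcp'"
}

# 4. Service account membership in local Administrators (thread: missing member)
$members = net localgroup Administrators
Test-Check "$ServiceAccount in local Administrators" `
    (($members | Select-String -SimpleMatch $ServiceAccount) -ne $null) `
    "net localgroup Administrators $ServiceAccount /add"

# 5. Is anything listening on the trusttcp port? (TCP 10013 in the thread
#    means the connect was refused at the socket level, not a DNS problem)
$listen = netstat -ano | Select-String ":$Port\s+\S+\s+LISTENING"
Test-Check "TCP port $Port LISTENING" ($listen -ne $null) `
    "start adfssrv, then re-check Windows Firewall and any host security software"
```

Each FAIL line carries the corrective command, so the script doubles as a checklist when re-running it after every change.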