Using WSTrustServiceHost RRS feed

  • Question

  • Sorry for the rudimentary nature of this post, but I've been down several paths trying to get this to work and stared tons of samples (all of them passive....ActiveSTS samples in WIF 4.5 seem hard to come by), so I'm having difficulty getting even basic WCF configuration working. I have a simple app - a WCF service with two services - TestService.svc and TokenService.svc - along with a client application. I want to be able to call TestService.GetData(4) but have it call TokenService.Issue in order to provide a token. I'm trying to do as much as possible in config with Add Service Reference. Where I'm getting confused is getting TokenService to get called prior to GetData. I've got services and endpoints declared for both services, but I don't see how to connect the two services (right now, GetData just goes straight to TestService without TokenService).

    My services aren't even listed in the service's config, as they're just .svc's, and mu TokenServiceFactory creates the service like so:

    var config = new TokenServiceConfiguration();
    var host = new WSTrustServiceHost(config, baseAddresses);
    host.AddServiceEndpoint(typeof(IWSTrustFeb2005SyncContract), new WSHttpBinding(), (String) "");
    //var host = base.CreateServiceHost(serviceType, baseAddresses);
    var serviceBehavior = host.Description.Behaviors.Find<ServiceBehaviorAttribute>();
    serviceBehavior.AddressFilterMode = AddressFilterMode.Any;
    return host;

    Thursday, February 27, 2014 4:58 PM

All replies

  • Took a break, had some lunch, and I was able to think some of it through. The answer is to make sure the primary service (TestService in this case) uses a federated binding whose message issuer points to the TokenService:

        <binding name="MyWCFServiceWS2007FederationHttpBinding"
            <security mode="Message">
                    <issuer address="http://localhost:63168/TokenService.svc/http/feb05"
                    <issuerMetadata address="http://localhost:63168/TokenService.svc/http/mex"/>

    I'm still stuck, however, as I'm getting a CardSpace error ('Incoming policy failed validation.') that I've gotten before in one of the WIF samples. My corporate network has CardSpace disabled (or otherwise restricted), so I need to come up with a way to bypass it.

    Thursday, February 27, 2014 6:58 PM
  • Hi Keith,

    Glad to find the original issue was resolved. For CardSpace error, did you try disable Cardspace by setting: ChannelFactory.Credentials.SupportInteractive = false? CardSpace error also might be misleading, e.g. some mistake in WIF configuration, the error shown.

    Hope this helps.

    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

    Friday, February 28, 2014 2:51 AM
  • I think that ended the CardSpace error, but in typical fashion, I'm getting *another* error once I get rid of the last one. In this case, now it's "The binding to use to communicate to the federation service at 'http://localhost:63168/TokenService.svc' is not specified.". I've tried putting different HTTP bindings on the <issuer/>element on the server side as well as on the client side, but all that does is cause SocketExceptions ('No connection could be made because the target machine actively refused it'). I don't even know how to approach this any more...I've literally spent a full work week just trying to have a simple Active STS POC handling a single method call, but it's error after error.

    Friday, February 28, 2014 4:42 PM
  • Took better part of a(nother) day, but I got it. Yesterday when I was cleaning out my server-side config, I stripped the /mex suffix off my <issuerMetadata/> element, so it was the same as <issuer/>. As a result, whenever I'd generate my client side proxies, the config file wouldn't assign a binding (and forcing one caused socket errors). I added the /mex, and my bindings were being populated, but I still had socket errors. That was caused by the wrong binding type on the server-side issuer (I had wsHttpBinding at the time I found the mex problem, but it should really be ws2007HttpBinding)

    As of right now, calling my GetData method sends me to my TokenService's Issue method, as I have been wanting to do.

    Friday, February 28, 2014 11:01 PM
  • Kind of weird, but I was moving code & config over from my test app to my actual service, and I got the CardSpace error screen again. So I went into my test app to grab the config for that, and I didn't have it anywhere! I somehow got that app to stop prompting for CardSpace identity without setting SupportInteractive to false (although I did set it at some point, I recall getting errors due to having both servicecredentials and clientcredentials).

    I'm trying to step through my test app to see where it is supposed to check for CS, but right now, I'm baffled; I can't think of anything else I did that would have turned off CardSpace. Guess that's what I get for taking the weekend off :)

    Monday, March 3, 2014 7:49 PM