Error (ID3037: The specified request failed.)

  • Question

  • Hi,

    I am trying to use Geneva Server STS and for that, I created a WCF service and configured it using the FedUtil tool. Here is the config file for my WCF service:

     <system.serviceModel>
        <services>
          <service name="Service" behaviorConfiguration="ServiceBehavior">
            <endpoint address="http://localhost/GenevaTestService/Service.svc" binding="ws2007FederationHttpBinding" contract="IService" bindingConfiguration="IService_ws2007FederationHttpBinding" />
            <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
          </service>
        </services>
        <behaviors>
          <serviceBehaviors>
            <behavior name="ServiceBehavior">
              <federatedServiceHostConfiguration name="Service" />
              <serviceMetadata httpGetEnabled="true" />
              <serviceDebug includeExceptionDetailInFaults="true" />
              <serviceCredentials>
                <serviceCertificate findValue="C137DF009207406B6F262010A87457BB3592E13E" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
              </serviceCredentials>
            </behavior>
          </serviceBehaviors>
        </behaviors>
        <extensions>
          <behaviorExtensions>
            <add name="federatedServiceHostConfiguration" type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
          </behaviorExtensions>
        </extensions>
        <bindings>
          <ws2007FederationHttpBinding>
            <binding name="IService_ws2007FederationHttpBinding">
              <security mode="Message">
                <message>
                  <issuerMetadata address="https://localhost/Trust/Mex" />
                  <claimTypeRequirements>
                    <!--Following are the claims offered by STS 'http://localhost/Trust', and added at 5/26/2009 4:16:46 PM. Add or uncomment claims that you require by your application and then update the federation metadata of this application.-->
                    <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="true" />
                    <add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" isOptional="true" />
                  </claimTypeRequirements>
                </message>
              </security>
            </binding>
          </ws2007FederationHttpBinding>
        </bindings>
      </system.serviceModel>
      <microsoft.identityModel>
        <service name="Service">
          <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
            <trustedIssuers>
              <add thumbprint="2C3EA842F32619D6897AD832A78D7459B281F930" name="CN=Geneva Signing Certificate - BF224X43" />
            </trustedIssuers>
          </issuerNameRegistry>
        </service>
      </microsoft.identityModel>

    I created a client app and added a service reference to the above-mentioned service. Below is my client config:

    <system.serviceModel>
            <bindings>
                <ws2007FederationHttpBinding>
                    <binding name="WS2007FederationHttpBinding_IService" closeTimeout="00:01:00"
                        openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
                        bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
                        maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                        messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true">
                        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                        <reliableSession ordered="true" inactivityTimeout="00:10:00"
                            enabled="false" />
                        <security mode="Message">
                            <message algorithmSuite="Default" issuedKeyType="SymmetricKey"
                                negotiateServiceCredential="true">
                                <issuer address="http://localhost/Trust/13/Windows" binding="ws2007HttpBinding"
                                    bindingConfiguration="http://localhost/Trust/13/Windows" />
                                <issuerMetadata address="https://localhost/Trust/Mex" />
                                <tokenRequestParameters>
                                    <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                                        <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
                                        <trust:KeySize xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</trust:KeySize>
                                        <trust:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"
                                            xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                                            <wsid:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
                                                Optional="true" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
                                            <wsid:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
                                                Optional="true" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
                                        </trust:Claims>
                                        <trust:KeyWrapAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
                                        <trust:EncryptWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
                                        <trust:SignWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
                                        <trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
                                        <trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
                                    </trust:SecondaryParameters>
                                </tokenRequestParameters>
                            </message>
                        </security>
                    </binding>
                </ws2007FederationHttpBinding>
                <ws2007HttpBinding>
                    <binding name="http://localhost/Trust/13/Windows" closeTimeout="00:01:00"
                        openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
                        bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
                        maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                        messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
                        allowCookies="false">
                        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                        <reliableSession ordered="true" inactivityTimeout="00:10:00"
                            enabled="false" />
                        <security mode="Message">
                            <transport clientCredentialType="Windows" proxyCredentialType="None"
                                realm="" />
                            <message clientCredentialType="Windows" negotiateServiceCredential="true"
                                algorithmSuite="Default" establishSecurityContext="false" />
                        </security>
                    </binding>
                </ws2007HttpBinding>
            </bindings>
            <client>
                <endpoint address="http://localhost/GenevaTestService/Service.svc"
                    binding="ws2007FederationHttpBinding" bindingConfiguration="WS2007FederationHttpBinding_IService"
                    contract="ServiceReference1.IService" name="WS2007FederationHttpBinding_IService">
                    <identity>
                        <certificate encodedValue="[base64-encoded service certificate removed]" />
                    </identity>
                </endpoint>
            </client>
        </system.serviceModel>


    Now when I invoke a method on the service, I am getting the following error:

    System.ServiceModel.FaultException was unhandled
      Action="http://www.w3.org/2005/08/addressing/soap/fault"
      Message="ID3037: The specified request failed."
      Source="mscorlib"
      StackTrace:
        Server stack trace: 
           at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
           at System.ServiceModel.Security.IssuanceTokenProviderBase`1.GetTokenCore(TimeSpan timeout)
           at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
           at System.ServiceModel.Security.Tokens.IssuedSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
           at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
           at System.ServiceModel.Security.SecurityProtocol.TryGetSupportingTokens(SecurityProtocolFactory factory, EndpointAddress target, Uri via, Message message, TimeSpan timeout, Boolean isBlockingCall, IList`1& supportingTokens)
           at System.ServiceModel.Security.SymmetricSecurityProtocol.TryGetTokenSynchronouslyForOutgoingSecurity(Message message, SecurityProtocolCorrelationState correlationState, Boolean isBlockingCall, TimeSpan timeout, SecurityToken& token, SecurityTokenParameters& tokenParameters, SecurityToken& prerequisiteWrappingToken, IList`1& supportingTokens, SecurityProtocolCorrelationState& newCorrelationState)
           at System.ServiceModel.Security.SymmetricSecurityProtocol.SecureOutgoingMessageCore(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState correlationState)
           at System.ServiceModel.Security.MessageSecurityProtocol.SecureOutgoingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState correlationState)
           at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
           at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
           at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
           at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
           at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
           at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
           at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
           at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
           at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
           at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
           at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
           at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
           at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
        Exception rethrown at [0]: 
           at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
           at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
           at ConsoleTest.ServiceReference1.IService.GetData(Int32 value)
           at ConsoleTest.ServiceReference1.ServiceClient.GetData(Int32 value) in C:\Users\vdahiya\Documents\Visual Studio 2008\Projects\GenevaTestService\ConsoleTest\Service References\ServiceReference1\Reference.vb:line 125
           at ConsoleTest.Module1.Main() in C:\Users\vdahiya\Documents\Visual Studio 2008\Projects\GenevaTestService\ConsoleTest\Module1.vb:line 10
           at System.AppDomain._nExecuteAssembly(Assembly assembly, String[] args)
           at Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly()
           at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
           at System.Threading.ThreadHelper.ThreadStart()
      InnerException: 
    

    Below is the information I got from the Windows event log:

    The Federation Service encountered a serious error while processing the WS-Trust request. 
    Request type: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue 
    
    Additional Data 
    Exception details: 
    Microsoft.IdentityModel.SecurityTokenService.RequestFailedException: ID4007: The symmetric key inside the requested security token must be encrypted. To fix this, override the SecurityTokenService.GetScope() method to assign appropriate value to Scope.EncryptingCredentials.
       at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
       at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
       at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.WSTrustServiceContractAsyncResult.EndRST(WSTrustServiceContractAsyncResult result)
       at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.WSTrustServiceContractAsyncResult.End(IAsyncResult ar)
       at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.EndCore(IAsyncResult ar, String requestAction, String responseAction, String trustNamespace)


    Any help on this will be highly appreciated.
    Thanks.

    • Edited by dahiya Thursday, May 28, 2009 2:04 PM
    Wednesday, May 27, 2009 11:15 PM

Answers

  • Hi dahiya,

    The error message that you are seeing typically occurs when you are requesting a token using a Symmetric Key, and the policy for your Relying Party in Geneva Server policy does not have any token encryption certificate configured.

    To overcome this you should either:

    1. Perform the RST so it requests a bearer token
    2. (Recommended) Configure a token encryption certificate for your application (this setting can be configured in the "Certificates" tab in the properties dialog of your Relying Party); configure your service with the same certificate so it can decrypt the token sent by Geneva Server.

    I hope this helps.

    Ramiro
    Thursday, May 28, 2009 5:59 PM
    Moderator
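The following is an added illustration, not code from either poster and not part of Geneva Server: it is a minimal custom STS written against the Microsoft.IdentityModel (WIF 3.5) API that makes the condition behind ID4007 visible. The relying-party-to-certificate mapping (`RelyingPartyEncryptionCerts`), the placeholder thumbprint, the trivial `GetOutputClaimsIdentity`, and the class name are all assumptions for this example; the namespace and member names match the released WIF 3.5 assembly and may differ slightly in the 0.6.1.0 beta shown in the question. When the RST asks for a symmetric proof key (as the client config above does with `issuedKeyType="SymmetricKey"`), the STS must have an `EncryptingCredentials` for the relying party so it can wrap that key; with none configured the only safe outcomes are the two the answer lists, a bearer token or an encryption certificate registered for the RP.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

// Illustrative custom STS (assumption: a developer-hosted STS, not Geneva Server).
// It shows the decision that produces ID4007: a symmetric-key RST needs
// Scope.EncryptingCredentials so the proof key can be wrapped for the relying party.
public class ExampleSecurityTokenService : SecurityTokenService
{
    // Hypothetical mapping: relying-party address -> encryption certificate thumbprint.
    // In Geneva Server this mapping is the RP's "Certificates" tab instead of code.
    private static readonly Dictionary<string, string> RelyingPartyEncryptionCerts =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            // Constructed entry keyed by the service endpoint from the question;
            // the thumbprint is a placeholder, not a value from the page.
            { "http://localhost/GenevaTestService/Service.svc", "<RP-ENCRYPTION-CERT-THUMBPRINT>" }
        };

    public ExampleSecurityTokenService(SecurityTokenServiceConfiguration configuration)
        : base(configuration) { }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
            throw new InvalidRequestException("RST must carry AppliesTo so the STS can select the RP's certificate.");

        string appliesTo = request.AppliesTo.Uri.AbsoluteUri;
        Scope scope = new Scope(appliesTo, SecurityTokenServiceConfiguration.SigningCredentials);
        scope.ReplyToAddress = appliesTo;

        string thumbprint;
        if (RelyingPartyEncryptionCerts.TryGetValue(appliesTo, out thumbprint))
        {
            // Option 2 from the answer: the RP has an encryption certificate, so the
            // symmetric proof key is wrapped with its public key. The RP decrypts with
            // the private key configured under serviceCredentials/serviceCertificate.
            scope.EncryptingCredentials = new X509EncryptingCredentials(FindCertificate(thumbprint));
            return scope;
        }

        // No encryption certificate for this RP: a symmetric-key request cannot be
        // satisfied without exposing the key, which is the situation ID4007 reports.
        if (request.KeyType == KeyTypes.Symmetric)
            throw new InvalidRequestException(
                "No encryption certificate is configured for " + appliesTo +
                "; request a bearer token or register an encryption certificate for this RP.");

        // Option 1 from the answer: bearer tokens carry no proof key, so no
        // encrypting credentials are required to issue them.
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        // Minimal output identity for the example: copy the caller's name claim only.
        ClaimsIdentity identity = new ClaimsIdentity();
        identity.Claims.Add(new Claim(ClaimTypes.Name, principal.Identity.Name));
        return identity;
    }

    private static X509Certificate2 FindCertificate(string thumbprint)
    {
        // Same store and lookup type the service config uses (LocalMachine\My, FindByThumbprint).
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection matches =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (matches.Count == 0)
                throw new InvalidOperationException(
                    "Encryption certificate " + thumbprint + " was not found in LocalMachine\\My.");
            return matches[0];
        }
        finally
        {
            store.Close();
        }
    }
}
```

The relying-party side of option 2 is the `serviceCertificate` element already present in the service config above: the certificate whose thumbprint is registered for the RP at the STS must be the same one, with its private key readable by the service account, or the service will be unable to unwrap the proof key even after the STS starts encrypting it.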