Setting maxIssuedTokenCachingTime or issuedTokenRenewalThresholdPercentage doesn't have any effect

  • Question

  • We have an Apache CXF WS-Trust based service running, and the following WCF client config connects just fine but never renews the SAML token upon expiration.  I tried adding maxIssuedTokenCachingTime and/or issuedTokenRenewalThresholdPercentage, but these appear to have no effect.  If I set cacheIssuedTokens to false on the same element as the other properties, it does change the behavior and calls the STS on every call (which is not the desired effect either).  What am I doing wrong?

                <issuedToken cacheIssuedTokens="true" maxIssuedTokenCachingTime="0.00:00:10.0000000"  issuedTokenRenewalThresholdPercentage="50" >

    <configuration>
      <system.serviceModel>
        <!-- configure endpoint behavior to specify the client cert that should be passed to STS -->
        <behaviors>
          <endpointBehaviors>
            <behavior name="clientCredentialBehavior">
              <clientCredentials>
                <clientCertificate findValue="XXXXXXXXXXX" storeLocation="CurrentUser" storeName="My" x509FindType="FindByIssuerName" />

                <!-- the <issuedToken> line quoted above the listing belongs here -->
                <issuedToken cacheIssuedTokens="true" maxIssuedTokenCachingTime="0.00:00:10.0000000"  issuedTokenRenewalThresholdPercentage="50" >

                </issuedToken>
              </clientCredentials>
            </behavior>
          </endpointBehaviors>
        </behaviors>

        <!-- 2 bindings are defined: one to access the service, the other to access the STS -->
        <!-- 2 bindings are defined: one to access the service, the other to access the STS -->
        <bindings>
          <customBinding>
            <!-- Binding used to call the STS. CertificateOverTransport: the client certificate
                 (from clientCredentialBehavior) signs the request at the message layer while
                 HTTPS protects the channel, so the STS authenticates the caller by signature,
                 not by TLS client auth (requireClientCertificate="false" below is consistent
                 with that). -->
            <binding name="MyStsBinding">
              <!-- Basic128 is the AES-128 / SHA-1 WS-SecurityPolicy suite. If the STS accepts
                   a SHA-256 suite (Basic128Sha256) it is the better choice; verify first. -->
              <security defaultAlgorithmSuite="Basic128" authenticationMode="CertificateOverTransport"
                  requireDerivedKeys="false" securityHeaderLayout="Lax" includeTimestamp="true"
                  messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
                <!-- detectReplays="false" explicitly disables WCF's message replay cache on the
                     client; the signed wsu:Timestamp (includeTimestamp="true") plus TLS are what
                     bound a captured STS request here. The session-key / cookie settings only
                     matter for secure-conversation sessions, which this binding does not
                     establish (authenticationMode is not SecureConversation), so they are
                     presumably inert - confirm before relying on any of them. -->
                <localClientSettings cacheCookies="true" detectReplays="false"
                    replayCacheSize="900000" maxClockSkew="00:05:00" replayWindow="00:05:00"
                    sessionKeyRenewalInterval="10:00:00" sessionKeyRolloverInterval="00:05:00"
                    reconnectTransportOnFailure="true" timestampValidityDuration="00:05:00"
                    cookieRenewalThresholdPercentage="60" />
                <!-- NOTE(review): localServiceSettings govern a service host, not a client;
                     in this client-only app.config they presumably have no effect. -->
                <localServiceSettings detectReplays="false" issuedCookieLifetime="10:00:00"
                    maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
                    negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00"
                    sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
                    reconnectTransportOnFailure="true" maxPendingSessions="128"
                    maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
                <secureConversationBootstrap />
              </security>
              <!-- readerQuotas bound the size/depth of XML the client will parse from the STS
                   reply; keep them tight, they are the client's guard against oversized or
                   deeply nested responses. -->
              <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
                  messageVersion="Soap11WSAddressing10" writeEncoding="utf-8">
                <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                    maxBytesPerRead="4096" maxNameTableCharCount="16384" />
              </textMessageEncoding>
              <!-- maxReceivedMessageSize / maxBufferSize cap the STS response at 64 KiB. -->
              <httpsTransport manualAddressing="false" maxBufferPoolSize="524288"
                  maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous"
                  bypassProxyOnLocal="false" decompressionEnabled="true" hostNameComparisonMode="StrongWildcard"
                  keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous"
                  realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false"
                  useDefaultWebProxy="true" requireClientCertificate="false" />
            </binding>
            <!-- Binding used to call the service. IssuedTokenOverTransport: the SAML token
                 obtained from the STS is presented in the security header, HTTPS protects it
                 in transit. -->
            <binding name="SoapBinding1">
              <!-- includeTimestamp="false": no wsu:Timestamp in the request, so only the
                   token's own validity window and TLS limit how long a captured request
                   remains usable. -->
              <security defaultAlgorithmSuite="Basic128" authenticationMode="IssuedTokenOverTransport"
                  requireDerivedKeys="false" securityHeaderLayout="Lax" includeTimestamp="false"
                  messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
                <!-- BearerKey: the token carries no proof-of-possession key, so anyone holding
                     the token can use it until it expires - which is why a short lifetime and
                     timely renewal (the subject of this thread) matter. keySize="256" is
                     presumably ignored for a bearer token, since no key is issued with it;
                     verify against the STS response. -->
                <issuedTokenParameters keySize="256" keyType="BearerKey" tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
                  <!-- Tokens are requested from this STS using MyStsBinding above. -->
                  <issuer address="https://xxxxxx/SecurityTokenService"
                      binding="customBinding" bindingConfiguration="MyStsBinding" />
                </issuedTokenParameters>
                <!-- Same caveats as on MyStsBinding: replay detection is off, and the
                     secure-conversation settings presumably do not apply to this mode. -->
                <localClientSettings cacheCookies="true" detectReplays="false"
                    replayCacheSize="900000" maxClockSkew="00:05:00" replayWindow="00:05:00"
                    sessionKeyRenewalInterval="10:00:00" sessionKeyRolloverInterval="00:05:00"
                    reconnectTransportOnFailure="true" timestampValidityDuration="00:05:00"
                    cookieRenewalThresholdPercentage="60" />
                <localServiceSettings detectReplays="false" issuedCookieLifetime="10:00:00"
                    maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
                    negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00"
                    sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
                    reconnectTransportOnFailure="true" maxPendingSessions="128"
                    maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
                <secureConversationBootstrap />
              </security>
              <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
                  messageVersion="Soap11" writeEncoding="utf-8">
                <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="32768"
                    maxBytesPerRead="4096" maxNameTableCharCount="32768" />
              </textMessageEncoding>
              <httpsTransport manualAddressing="false" maxBufferPoolSize="524288"
                  maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous"
                  bypassProxyOnLocal="false" decompressionEnabled="true" hostNameComparisonMode="StrongWildcard"
                  keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous"
                  realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false"
                  useDefaultWebProxy="true" requireClientCertificate="false" />
            </binding>
          </customBinding>
        </bindings>
        <client>
          <!-- Service endpoint: SoapBinding1 supplies the issued SAML token,
               clientCredentialBehavior supplies the certificate and the token-cache policy
               used to obtain it. -->
          <endpoint address="https://xxxxx/Service1"
              behaviorConfiguration="clientCredentialBehavior" binding="customBinding"
              bindingConfiguration="SoapBinding1"
              contract="ServiceReference1.Service1" name="Service1" />
        </client>
      </system.serviceModel>
    </configuration>


    Tuesday, May 20, 2014 5:23 PM

All replies

  • Hi,

    Yes, when CacheIssuedTokens is set to true the client reuses an existing token whenever it must re-authenticate to the federated service, as long as the token has not expired. Setting maxIssuedTokenCachingTime or issuedTokenRenewalThresholdPercentage should work in your scenario, so something in the client configuration may be wrong.

    So please try to check the following article to see if it helps:
    #How to: Create a Federated Client:
    http://msdn.microsoft.com/en-us/library/ms731690(v=vs.110).aspx .

    Best Regards,
    Amy Peng



    Wednesday, May 21, 2014 5:41 AM
    Moderator
  • Hi Amy, thank you for your reply.  I read the Federated Client article about a dozen times prior to posting my question to try and figure out what I was doing wrong, but I can't seem to figure it out.  If I turn the cacheIssuedTokens to false, this works in the sense that it will now make a request to the STS on every call.  If I set it to true, it correctly caches the token, but never refreshes it when it comes close to expiration and in fact continues to use the cached token even after expiration resulting in an error from the service.  The description of the two properties mentioned above look like exactly what I want, but they don't seem to have any effect.  I agree with you that I may have something misconfigured, which is why I posted here.  I have included my entire app.config in hopes that someone could point me in the right direction.

    I have stripped out all of the unnecessary elements and this is the smallest app.config that still demonstrates the issue.  Is there more to it than the configuration?  Does the service proxy have to be created in a certain way?

    <!-- Minimal WCF client app.config reproducing the issue: a federated client that obtains a
         SAML 1.1 bearer token from a WS-Trust 1.3 STS (Apache CXF) using a client certificate,
         then presents that token to the service over HTTPS. -->
    <configuration>
      <system.serviceModel>
        <behaviors>
          <endpointBehaviors>
            <behavior name="clientCredentialBehavior">
              <clientCredentials>
                <!-- Certificate presented to the STS. FindByIssuerName selects by issuer, so
                     every certificate from that issuer in the CurrentUser\My store is a
                     candidate; FindByThumbprint pins exactly one certificate and is the safer
                     choice for a credential that authenticates this client. -->
                <clientCertificate findValue="XXXXXXXXXXXXX" storeLocation="CurrentUser" storeName="My" x509FindType="FindByIssuerName" />
                <!-- Token cache policy under test: cache the issued token, cap the cache at
                     10 s (d.hh:mm:ss), and renew once 50% of the token lifetime has elapsed.
                     NOTE(review): the poster reports neither attribute takes effect and the
                     cached token is still sent after it expires. The cache presumably works
                     from the lifetime WCF reads out of the STS response (wst:Lifetime in the
                     RSTR) rather than from the assertion's own Conditions - confirm by
                     capturing the RSTR returned by the CXF STS and checking that a
                     Lifetime/Expires element is present and parsed. -->
                <issuedToken cacheIssuedTokens="true" maxIssuedTokenCachingTime="0.00:00:10.0000000"  issuedTokenRenewalThresholdPercentage="50" />
              </clientCredentials>
            </behavior>
          </endpointBehaviors>
        </behaviors>

        <bindings>
          <customBinding>
            <!-- Binding used to call the STS: the client certificate signs the request at the
                 message layer while HTTPS protects the channel (CertificateOverTransport).
                 A wsu:Timestamp is included so the signed request is time-bounded. -->
            <binding name="MyStsBinding">
              <security authenticationMode="CertificateOverTransport"
                  securityHeaderLayout="Lax" includeTimestamp="true"
                  messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
              </security>
              <textMessageEncoding messageVersion="Soap11WSAddressing10" />
              <httpsTransport />
            </binding>
            <!-- Binding used to call the service: the issued SAML token rides over HTTPS
                 (IssuedTokenOverTransport). -->
            <binding name="ServiceBinding">
              <!-- includeTimestamp="false": no wsu:Timestamp in the request, so only the
                   token's own validity window and TLS limit how long a captured request
                   remains usable. -->
              <security authenticationMode="IssuedTokenOverTransport" securityHeaderLayout="Lax" includeTimestamp="false"
                        messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
                <!-- BearerKey: the token carries no proof-of-possession key, so anyone holding
                     the token can use it until it expires - hence the interest in a short
                     lifetime and timely renewal. keySize="256" is presumably ignored for a
                     bearer token, since no key is issued with it; verify against the STS
                     response. -->
                <issuedTokenParameters keySize="256" keyType="BearerKey" tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
                  <!-- Tokens are requested from this STS using MyStsBinding above. -->
                  <issuer address="https://xxxxxxxxxxxxx/SecurityTokenService" binding="customBinding" bindingConfiguration="MyStsBinding" />
                </issuedTokenParameters>
              </security>
              <textMessageEncoding messageVersion="Soap11" />
              <httpsTransport />
            </binding>
          </customBinding>
        </bindings>
        <client>
          <!-- Service endpoint: ServiceBinding supplies the issued token, clientCredentialBehavior
               supplies the certificate and cache policy used to obtain it. -->
          <endpoint address="https://xxxxxxxxxxxxx/Service"
              behaviorConfiguration="clientCredentialBehavior" binding="customBinding"
              bindingConfiguration="ServiceBinding"
              contract="ServiceReference.Service" name="Service1" />
        </client>
      </system.serviceModel>
    </configuration>




    Wednesday, May 21, 2014 6:38 PM