Error requesting SAML2 token from Azure Security Token Service using WS-Trust RRS feed

  • Question

  • I have built my own security token service for test purposes. I now wish to use Azure to issue SAML2 tokens under WS-Trust. For simplicity I'm using the Microsoft ACS Samples to illustrate my issue.

    I have set up a Relying Party in ACS and configured ALL of the associated token signing and encrypting certificates. When I request a token using the following standard code:

    // Namespaces assumed for the .NET 4.5 WS-Trust client types used below;
    // CertificateWSTrustBinding, SamplesConfiguration, InspectorBehavior, ServiceAddress
    // and the Get*Certificate() helpers come from the Microsoft ACS samples project.
    using System;
    using System.IdentityModel.Protocols.WSTrust;
    using System.IdentityModel.Tokens;
    using System.Security.Cryptography.X509Certificates;
    using System.ServiceModel;
    using System.ServiceModel.Security;

    static class AcsClient {

        static void GetTokenFromAzure2() {
            // ACS WS-Trust 1.3 endpoint that authenticates callers with an X.509 client certificate
            string acsCertificateEndpoint = String.Format("https://{0}.{1}/v2/wstrust/13/certificate", SamplesConfiguration.ServiceNamespace, SamplesConfiguration.AcsHostUrl);
            var address = new EndpointAddress(new Uri(acsCertificateEndpoint), EndpointIdentity.CreateDnsIdentity(GetServiceCertificateSubjectName()));

            // Transport-only security: TLS protects the channel, no credential is placed in the SOAP message
            WSTrustChannelFactory trustChannelFactory = new WSTrustChannelFactory(new CertificateWSTrustBinding(SecurityMode.Transport), address);
            trustChannelFactory.TrustVersion = TrustVersion.WSTrust13;
            trustChannelFactory.Credentials.ServiceCertificate.DefaultCertificate = GetServiceCertificate();
            trustChannelFactory.Credentials.ClientCertificate.Certificate = GetClientCertificateWithPrivateKey();
            // Test-only settings: service certificate chain and revocation are not validated
            trustChannelFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
            trustChannelFactory.Credentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;
            // Message inspector used to log the outgoing RST and incoming RSTR
            trustChannelFactory.Endpoint.Behaviors.Add(new InspectorBehavior());

            //trustChannelFactory.ConfigureChannelFactory();

            try {
                var request = new RequestSecurityToken(RequestTypes.Issue) {
                    AppliesTo = new EndpointReference(ServiceAddress),
                    TokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
                };

                WSTrustChannel channel = (WSTrustChannel)trustChannelFactory.CreateChannel();
                RequestSecurityTokenResponse rstr = null;
                SecurityToken token = channel.Issue(request, out rstr);
            }
            finally {
                trustChannelFactory.Close();
            }
        }

    }

    I keep getting the following error: ACS10001: An error occurred while processing the SOAP header. I have written message inspectors so that I can view the outgoing RST request and all is fine. I have even tried with different clients using Ruby and NodeJS and I get the same error from Azure. I have checked and my code works with other configured Security Token Servers. I can't understand why this will not work with Azure, and Google does show that a few people also have this error but no solution. Please can anybody help me.

    Tuesday, September 15, 2015 10:25 AM

Answers

  • Hello,

    Thank you for your post.

    We would request you to create a Technical Support Ticket for us to help you on the same. We would need Fiddler traces, ACS Details, Subscription and Tenant details as well which are sensitive information and is beyond the purview of the Forums Support.

    Regards,

    Neelesh.

    Tuesday, September 15, 2015 2:07 PM

All replies

  • Hi Millward,

    ACS returns this error code when decryption certificate has expired.

    To renew a decryption certificate:
    1. Go to the Microsoft Azure Management Portal (https://manage.WindowsAzure.com), sign in, and then click Active Directory. (Troubleshooting tip: "Active Directory" item is missing or not available.)

    2. To manage an Access Control namespace, select the namespace, and then click Manage. (Or, click Access Control Namespaces, select the namespace, and then click Manage.) 

    3. Click Certificates and Keys.

    4. Use the Certificates and Keys section in the ACS Management Portal to manage certificates or keys related to Access Control namespaces and relying party applications.

    5. Select a certificate with a status of Near expired or Expired. 

    In the Certificates and Keys section, certificates and keys for the Access Control namespace are labeled Service Namespace.


    6. Enter or browse to the new certificate file then enter the password for that file.

    7. Click Save to complete.

    Please refer to the following MSDN article for more details.

    Hope this helps

    Please mark as answered if it helped


    Vishal Narayan Saxena

    http://twitter.com/vishalishere

    http://www.ogleogle.com/vishal/


    Tuesday, September 15, 2015 12:45 PM
  • I forgot to mention that my Token Decryption certificate is already installed in ACS and is valid. Thanks for your response, but this is the same response I got googling and my issue still remains.

    Tuesday, September 15, 2015 12:53 PM
  • Thanks Neelesh,

    We actually have timestamps with the ACS error eg:

    "ACS10001: An error occurred while processing the SOAP header.\nTrace ID: 26c154e2-7227-4c15-b73d-8165e6fb5e0a\nTimestamp: 2015-09-15 14:13:27Z".

    We will create the technical support ticket with the information you require above.

    Cheers

    Steve Willmoth

    Tuesday, September 15, 2015 2:16 PM
  • Sorry for wasting people's time - it's actually my fault.

    The error is in the code above: SecurityMode.Transport should be SecurityMode.TransportWithMessageCredential

    Now it all works fine.

    Wednesday, September 16, 2015 3:07 PM
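The corrected request, as an added example that is not the poster's code or part of the ACS samples. It assumes the same sample helpers as the question (SamplesConfiguration, CertificateWSTrustBinding, ServiceAddress and the Get*Certificate() methods) and the .NET 4.5 System.IdentityModel WS-Trust types. Beyond the one-line fix from the last reply, it re-enables chain validation and online revocation checking for the STS certificate, which the test code had switched off, and checks that the RSTR actually carries the SAML 2.0 token type that was requested.

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Assumed: SamplesConfiguration, CertificateWSTrustBinding, ServiceAddress,
// GetServiceCertificateSubjectName(), GetServiceCertificate() and
// GetClientCertificateWithPrivateKey() are the ACS samples' helpers, as in the question.
static class AcsCertificateClient
{
    const string Saml2TokenType =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";

    public static SecurityToken IssueSaml2Token()
    {
        string acsCertificateEndpoint = String.Format(
            "https://{0}.{1}/v2/wstrust/13/certificate",
            SamplesConfiguration.ServiceNamespace, SamplesConfiguration.AcsHostUrl);
        var address = new EndpointAddress(
            new Uri(acsCertificateEndpoint),
            EndpointIdentity.CreateDnsIdentity(GetServiceCertificateSubjectName()));

        // TransportWithMessageCredential: TLS protects the channel, and the client
        // certificate is carried in the WS-Security header, which is what the
        // /certificate endpoint expects. SecurityMode.Transport sends no message
        // credential at all, hence ACS10001 while processing the SOAP header.
        var binding = new CertificateWSTrustBinding(SecurityMode.TransportWithMessageCredential);
        var factory = new WSTrustChannelFactory(binding, address)
        {
            TrustVersion = TrustVersion.WSTrust13
        };
        factory.Credentials.ClientCertificate.Certificate = GetClientCertificateWithPrivateKey();
        factory.Credentials.ServiceCertificate.DefaultCertificate = GetServiceCertificate();

        // Validate the STS certificate chain and check revocation instead of
        // disabling both; the None/NoCheck settings belong only to throwaway test code.
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;
        factory.Credentials.ServiceCertificate.Authentication.RevocationMode =
            X509RevocationMode.Online;

        try
        {
            var request = new RequestSecurityToken(RequestTypes.Issue)
            {
                AppliesTo = new EndpointReference(ServiceAddress),
                TokenType = Saml2TokenType
            };

            var channel = (WSTrustChannel)factory.CreateChannel();
            RequestSecurityTokenResponse rstr;
            SecurityToken token = channel.Issue(request, out rstr);

            // Do not assume the STS honoured the requested token type; check the RSTR.
            if (!String.Equals(rstr.TokenType, Saml2TokenType, StringComparison.Ordinal))
            {
                throw new InvalidOperationException(
                    "STS returned token type '" + rstr.TokenType + "' instead of SAML 2.0");
            }
            return token;
        }
        finally
        {
            factory.Close();
        }
    }
}
```

The returned SecurityToken is what the relying party should be handed; if the relying party needs the raw assertion, read it from the RSTR rather than re-requesting. Keep the strict validation settings in place when moving from the ACS samples to a real client, since a transport-only or validation-free configuration silently weakens the trust the SAML token is supposed to convey.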