Jaxidian
Reputation: 13511
WCF, SSL, and ADFS2.0 Active Federation problems
I'm having a terrible time with this configuration. I had everything working without SSL but switching it over to SSL has given me some issues and I'm pulling my hair out. Where is my mismatch? These config files are so convoluted with so many things going on in there that I'm not really sure where to start.
The error(s) I'm seeing:
- The client gets an exception: System.ServiceModel.Security.SecurityNegotiationException: Secure channel cannot be opened because security negotiation with the remote endpoint has failed. This may be due to absent or incorrectly specified EndpointIdentity in the EndpointAddress used to create the channel. Please verify the EndpointIdentity specified or implied by the EndpointAddress correctly identifies the remote endpoint. ---> System.ServiceModel.FaultException: An error occurred when verifying security for the message.
- So I turn on logging on the server. The server log then shows: System.ServiceModel.Security.MessageSecurityException: Security processor was unable to find a security header in the message. This might be because the message is an unsecured fault or because there is a binding mismatch between the communicating parties. This can occur if the service is configured for security and the client is not using security.
WIF/WCF Client .config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<client>
<endpoint address="https://mydevbox.dev1.mydomain.com/AdfsWcfHelloWorld/SayHelloService.svc"
binding="customBinding"
bindingConfiguration="WS2007FederationHttpBinding_ISayHelloService"
contract="ActiveFederationHelpers.Tests.ISayHelloService"
name="WS2007FederationHttpBinding_ISayHelloService">
<identity>
<certificateReference findValue="22909537C6356E15C20C93A5F652FB0C6AA8A282"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindByThumbprint" />
</identity>
</endpoint>
</client>
<bindings>
<customBinding>
<binding name="WS2007FederationHttpBinding_ISayHelloService">
<security defaultAlgorithmSuite="Default"
authenticationMode="SecureConversation"
requireDerivedKeys="true"
securityHeaderLayout="Strict"
includeTimestamp="true"
keyEntropyMode="CombinedEntropy"
messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
requireSecurityContextCancellation="true"
requireSignatureConfirmation="false">
<localClientSettings cacheCookies="true"
detectReplays="true"
replayCacheSize="900000"
maxClockSkew="00:05:00"
maxCookieCachingTime="Infinite"
replayWindow="00:05:00"
sessionKeyRenewalInterval="10:00:00"
sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true"
timestampValidityDuration="00:05:00"
cookieRenewalThresholdPercentage="60" />
<localServiceSettings detectReplays="true"
issuedCookieLifetime="10:00:00"
maxStatefulNegotiations="128"
replayCacheSize="900000"
maxClockSkew="00:05:00"
negotiationTimeout="00:01:00"
replayWindow="00:05:00"
inactivityTimeout="00:02:00"
sessionKeyRenewalInterval="15:00:00"
sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true"
maxPendingSessions="128"
maxCachedCookies="1000"
timestampValidityDuration="00:05:00" />
<secureConversationBootstrap defaultAlgorithmSuite="Default"
authenticationMode="IssuedTokenForSslNegotiated"
requireDerivedKeys="true"
securityHeaderLayout="Strict"
includeTimestamp="true"
keyEntropyMode="CombinedEntropy"
messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
requireSecurityContextCancellation="true"
requireSignatureConfirmation="true">
<issuedTokenParameters keySize="256"
keyType="SymmetricKey"
tokenType="">
<additionalRequestParameters>
<trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
<trust:KeySize xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</trust:KeySize>
<trust:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"
xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<wsid:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
Optional="true"
xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
<wsid:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
Optional="true"
xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
<wsid:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
Optional="true"
xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
<wsid:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
Optional="true"
xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
</trust:Claims>
<trust:KeyWrapAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
<trust:EncryptWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
<trust:SignWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
<trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
<trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
</trust:SecondaryParameters>
</additionalRequestParameters>
<issuer address="https://dev1dc2.dev1.mydomain.com/adfs/services/trust/13/usernamemixed"
bindingConfiguration="https://dev1dc2.dev1.mydomain.com/adfs/services/trust/13/usernamemixed"
binding="ws2007HttpBinding" />
<issuerMetadata address="https://dev1dc2.dev1.mydomain.com/adfs/services/trust/mex" />
</issuedTokenParameters>
<localClientSettings cacheCookies="true"
detectReplays="true"
replayCacheSize="900000"
maxClockSkew="00:05:00"
maxCookieCachingTime="Infinite"
replayWindow="00:05:00"
sessionKeyRenewalInterval="10:00:00"
sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true"
timestampValidityDuration="00:05:00"
cookieRenewalThresholdPercentage="60" />
<localServiceSettings detectReplays="true"
issuedCookieLifetime="10:00:00"
maxStatefulNegotiations="128"
replayCacheSize="900000"
maxClockSkew="00:05:00"
negotiationTimeout="00:01:00"
replayWindow="00:05:00"
inactivityTimeout="00:02:00"
sessionKeyRenewalInterval="15:00:00"
sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true"
maxPendingSessions="128"
maxCachedCookies="1000"
timestampValidityDuration="00:05:00" />
</secureConversationBootstrap>
</security>
<textMessageEncoding maxReadPoolSize="64"
maxWritePoolSize="16"
messageVersion="Default"
writeEncoding="utf-8">
<readerQuotas maxDepth="32"
maxStringContentLength="8192"
maxArrayLength="16384"
maxBytesPerRead="4096"
maxNameTableCharCount="16384" />
</textMessageEncoding>
<httpsTransport manualAddressing="false"
maxBufferPoolSize="524288"
maxReceivedMessageSize="65536"
allowCookies="false"
authenticationScheme="Negotiate"
bypassProxyOnLocal="false"
decompressionEnabled="true"
hostNameComparisonMode="StrongWildcard"
keepAliveEnabled="true"
maxBufferSize="65536"
proxyAuthenticationScheme="Anonymous"
realm=""
transferMode="Buffered"
unsafeConnectionNtlmAuthentication="false"
useDefaultWebProxy="true" />
</binding>
</customBinding>
<ws2007HttpBinding>
<binding name="https://dev1dc2.dev1.mydomain.com/adfs/services/trust/13/usernamemixed"
closeTimeout="00:01:00"
openTimeout="00:01:00"
receiveTimeout="00:10:00"
sendTimeout="00:01:00"
bypassProxyOnLocal="false"
transactionFlow="false"
hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288"
maxReceivedMessageSize="65536"
messageEncoding="Text"
textEncoding="utf-8"
useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32"
maxStringContentLength="8192"
maxArrayLength="16384"
maxBytesPerRead="4096"
maxNameTableCharCount="16384" />
<reliableSession ordered="true"
inactivityTimeout="00:10:00"
enabled="false" />
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None"
proxyCredentialType="None"
realm="" />
<message clientCredentialType="UserName"
negotiateServiceCredential="true"
algorithmSuite="Default"
establishSecurityContext="false" />
</security>
</binding>
</ws2007HttpBinding>
</bindings>
</system.serviceModel>
<system.diagnostics>
<sources>
<source name="System.ServiceModel"
switchValue="Information, ActivityTracing"
propagateActivity="true">
<listeners>
<add name="xml" />
</listeners>
</source>
<source name="System.ServiceModel.MessageLogging">
<listeners>
<add name="xml" />
</listeners>
</source>
<source name="myUserTraceSource"
switchValue="Information, ActivityTracing">
<listeners>
<add name="xml" />
</listeners>
</source>
</sources>
<sharedListeners>
<add name="xml"
type="System.Diagnostics.XmlWriterTraceListener"
initializeData="ClientErrors.svclog" />
</sharedListeners>
</system.diagnostics>
</configuration>
WCF Service .config:
<?xml version="1.0"?>
<configuration>
<configSections>
<section name="microsoft.identityModel"
type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</configSections>
<location path="FederationMetadata">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<compilation debug="true"
targetFramework="4.0">
<assemblies>
<add assembly="Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
</assemblies>
</compilation>
</system.web>
<system.serviceModel>
<services>
<service name="AdfsWcfHelloWorldServices.SayHelloService">
<endpoint address="https://mydevbox.dev1.mydomain.com/AdfsWcfHelloWorld/SayHelloService.svc"
binding="ws2007FederationHttpBinding"
contract="AdfsWcfHelloWorldServices.ISayHelloService" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpsGetEnabled="true" />
<federatedServiceHostConfiguration />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="false" />
<extensions>
<behaviorExtensions>
<add name="federatedServiceHostConfiguration"
type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</behaviorExtensions>
</extensions>
<protocolMapping>
<add scheme="http"
binding="ws2007FederationHttpBinding" />
</protocolMapping>
<bindings>
<ws2007FederationHttpBinding>
<binding>
<security mode="TransportWithMessageCredential">
<message establishSecurityContext="false">
<issuerMetadata address="https://dev1dc2.dev1.mydomain.com/adfs/services/trust/mex" />
<claimTypeRequirements>
<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
isOptional="true" />
<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
isOptional="true" />
<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
isOptional="true" />
<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
isOptional="true" />
</claimTypeRequirements>
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
</bindings>
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
<microsoft.identityModel>
<service>
<audienceUris>
<add value="https://mydevbox.dev1.mydomain.com/AdfsWcfHelloWorld" />
</audienceUris>
<serviceCertificate>
<certificateReference findValue="22909537C6356E15C20C93A5F652FB0C6AA8A282"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindByThumbprint" />
</serviceCertificate>
<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<trustedIssuers>
<add thumbprint="E9C32071573CB4D52005EA2E7825A310D6C26B73"
name="http://DEV1DC2.Dev1.mydomain.com/adfs/services/trust" />
</trustedIssuers>
</issuerNameRegistry>
</service>
</microsoft.identityModel>
<appSettings>
<add key="FederationMetadataLocation"
value="https://dev1dc2.dev1.mydomain.com/FederationMetadata/2007-06/FederationMetadata.xml" />
</appSettings>
<system.diagnostics>
<sources>
<source name="System.ServiceModel"
switchValue="Information, ActivityTracing"
propagateActivity="true" >
<listeners>
<add name="xml"/>
</listeners>
</source>
<source name="System.ServiceModel.MessageLogging">
<listeners>
<add name="xml"/>
</listeners>
</source>
<source name="myUserTraceSource"
switchValue="Information, ActivityTracing">
<listeners>
<add name="xml"/>
</listeners>
</source>
</sources>
<sharedListeners>
<add name="xml"
type="System.Diagnostics.XmlWriterTraceListener"
initializeData="ServerErrors.svclog" />
</sharedListeners>
</system.diagnostics>
</configuration>
More details:
- The service and client are both running on the same box at the moment
- All certs are created by a CA in our domain and fully trusted by all (1) machines
- I'm successfully getting my security token from ADFS
- I use
ChannelFactory<T>(binding).CreateChannelWithIssuedToken(myToken)(pseudocode) to connect to the service - The error happens upon calling the first method on the service
- Like I said, this all worked without HTTPS and the service was able to pull validated claims from the token just fine from
(Thread.CurrentPrincipal.Identity as IClaimsIdentity).Claimsbut I can't get a proper connection configured on both sides with SSL for some asinine reason
I would REALLY appreciate some help. :-)
Upvotes: 1
Views: 1500
Answers (2)
Kalyan Krishna
Reputation: 1714
Just came out of the authenticating a WCF service with ADFS and don't really have the stomach to read the whole config again, but in my experience, a Negotiation failure always happened if the credentials were incorrect or not provided at all by the client.
Spend some time setting up diagnostics for WCF http://msdn.microsoft.com/en-us/library/ee517292.aspx and this little caveat that I found accidently http://intrepiddeveloper.wordpress.com/2008/08/07/security-event-logging-auditing/.
Hope it helped
Upvotes: 1
Jaxidian
Reputation: 13511
A mod, LeoTang, over at the MSDN forums helped me with this. The problem was on the client. To quote him:
The value of authenticationMode was set to "IssuedTokenForSslNegotiated" in the section "" of your custom binding.
Another problem I had was the messageSecurityVersion - I needed to change that to WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10. Lastly, I had to turn off Replay with my server's configuration because of an error about something missing for a nonce. That wasn't an important feature to me so I disabled it rather than further investigating.
Upvotes: 1
Related Questions
- Client Side ADFS configuration for SAML based WebSSO protocol
- ADFS 3.0 cannot bind the services endpoint with default configuration
- How to secure WCF web service using ADFS in .NET 4.5?
- "An error occurred when verifying security for the message" exception when authenticating to ADFS
- Debugging ADFS 2.0 errors
- Call a WCF service protected by ACS, which uses ADFS as IDP
- ADFS 2.0 Claims Not Accessible in WCF 4.5
- Issue Contacting ADFS Endpoint When on Server
- Integrate WCF with ADFS 2.0 and ACS - Some guide needed
- WCF service with WIF AD Single sign on