Channel: Claims based access platform (CBA), code-named Geneva forum

SecurID and ADFS proxy: is it global setting that applies to all the ADFS trusts?


I see from this link (http://technet.microsoft.com/en-us/library/hh344805(WS.10).aspx) that setting up SecurID 2-factor authentication in conjunction with an ADFS proxy solution is possible. From the documentation, it appears that you enable RSA SecurID authentication on the proxy's default web site. I'm assuming that this then forces all ADFS trusts that are accessible through the proxy to use the SecurID 2-factor authentication? In other words, you couldn't have relying party trust A using the SecurID 2-factor authentication, while relying party trust B did not use SecurID.

Thanks for clarification.


SharePoint and CBA


Hi,

We are trying to set up an SPS 2013-ADFS architecture with an external IP-STS. The claim that is returned from the IP-STS only contains two numbers (companyID and siteNr). I want to authorize some of the combinations in SharePoint for reader access. So I do not have a unique user; I just know that all users of CompanyID 17 and siteNr 11, 13 and 16 are allowed to enter SharePoint.

I am not sure if this is the right forum, but I am wondering where I can combine these two attributes to be able to authorize people in SPS based on a combination of the two. Should we configure ADFS somehow to combine these two attributes and map them to one outgoing attribute? Or can I somehow configure SPS to use both attributes as identification?

Thanks for any help.
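As an added illustration of the combine-then-authorize approach asked about here (example code, not from the post and not SharePoint or AD FS code), the Python below models an AD FS issuance rule that joins the two incoming claims into one outgoing claim and then authorizes on the combined value. The claim type URIs and the allow-list are assumptions invented for the example; the real type URIs come from the IP-STS metadata and the allowed pairs from the business rule.

```python
"""Reader authorization on a (companyID, siteNr) claim pair.

Added example, not code from the forum post or from SharePoint/AD FS. The
claim type URIs and the allow-list are assumptions invented for the
illustration; the real type URIs come from the IP-STS and the allowed pairs
from the business rule.
"""
from typing import Iterable, List, Tuple

# Assumed claim type URIs (placeholders; the IP-STS defines the real ones).
COMPANY_CLAIM = "http://schemas.example.org/claims/companyID"
SITE_CLAIM = "http://schemas.example.org/claims/siteNr"
COMBINED_CLAIM = "http://schemas.example.org/claims/companySite"

# The rule stated in the post: company 17 with site 11, 13 or 16 may read.
ALLOWED_PAIRS = {("17", "11"), ("17", "13"), ("17", "16")}

Claim = Tuple[str, str]  # (type, value) as issued by the IP-STS


def combine_claims(claims: Iterable[Claim]) -> List[Claim]:
    """Build one combined claim per (companyID, siteNr) pair.

    This mirrors an AD FS issuance transform rule of the shape
        c1:[Type == COMPANY] && c2:[Type == SITE]
          => issue(Type = COMBINED, Value = c1.Value + ":" + c2.Value);
    which joins every company value with every site value in the token.
    Values that are not plain integers are dropped so that the ":" separator
    cannot be smuggled in through a crafted claim value.
    """
    claims = list(claims)
    companies = [v for t, v in claims if t == COMPANY_CLAIM and v.isdigit()]
    sites = [v for t, v in claims if t == SITE_CLAIM and v.isdigit()]
    return [(COMBINED_CLAIM, f"{c}:{s}") for c in companies for s in sites]


def is_reader(claims: Iterable[Claim]) -> bool:
    """Grant reader access only if a combined claim is on the allow-list.

    Matching on the pair rather than on companyID alone is the point: a user
    from company 17 at site 12 is refused even though the company matches.
    """
    for _, value in combine_claims(claims):
        company, _, site = value.partition(":")
        if (company, site) in ALLOWED_PAIRS:
            return True
    return False
```

The combined claim is the single value you would grant permissions to on the SharePoint side; the allow-list check here stands in for that grant so the logic can be exercised without a farm.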

Identity Developer Training Kit errors

OK - As expected, the Identity Developer Training Kit blows up immediately with all sorts of errors (July 2012). Can anyone tell me if it has been abandoned and, if so, whether there are any new labs? (Preferably ones that work.)


FederatedAuthentication.WSFederationAuthenticationModule.SecurityTokenValidated event not firing


FederatedAuthentication.WSFederationAuthenticationModule.SecurityTokenValidated event not firing in .NET Framework 4.5

Identity framework 4.0

The event is wired up in the ASP.NET Web API project's Global.asax Application_Start.

The following lines are added to the config file:

<add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
<add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />

Connecting Java (web) with WIF STS (Ws-Federation)


Hi.

I have a STS Site. It has a FederationMetadata folder and the client I have is currently signing in using WS-Federation (the STS connects to LDAP).

Here you have the code that I'm currently using:

The issue comes when I try to connect using Java.

Has somebody connected to a WS-Federation STS using Java?

Should I add / change something in the STS so a Java (web) page or app can authenticate against this STS?

Thanks in advance!

PnP

How to configure a different Saml2SecurityTokenHandler for passive federation in ADFS 2.0 .net 3.5


How do I configure another Saml2SecurityTokenHandler (Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler) class for my passive federation on my ADFS 2.0 server?

Right now I'm trying the following configuration:

<configuration>
  <configSections>
    <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
    ...
  </configSections>
  <microsoft.identityModel>
    <service>
      <securityTokenHandlers>
        <remove type="Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
        <remove type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
        <add type="ClassLibrary1.Class1, ClassLibrary1" />
      </securityTokenHandlers>
    </service>
  </microsoft.identityModel>
  ...
</configuration>

Removing the <remove> elements results in an exception on ADFS 2.0 Windows Service startup (an item with the same key has already been added), so we know for sure our configuration is successfully loaded. But when using passive federation we see that the default MSISSaml2TokenHandler is still used:

System.IdentityModel.Tokens.SecurityTokenException: MSIS3120: SubjectConfirmationData had wrong recipient. Expected 'https://secure.mydomain.com/adfs/ls/' but received : 'https://secure.proxy.mydomain.com/adfs/ls/'. at Microsoft.IdentityServer.Service.Tokens.MSISSaml2TokenHandler.ValidateConfirmationData(Saml2SubjectConfirmationData confirmationData)

When reading the MSDN documentation (http://msdn.microsoft.com/en-us/library/gg638730.aspx) it seems to be configured as it should be. A <service> element without a name is the default configuration and is to be used in passive federation scenarios.

Please help me! This is the last hurdle of weeks of work..

Relying Party Trust Errors from AD FS


Hi, I'm trying to troubleshoot an error with using a claims-aware web application with AD FS 2.0.

Here is an outline of the infrastructure with regards to servers, certs, and traffic. Each server is running Windows Server 2012.

  1. Web server (WS1) sits in the DMZ hosting a relying party, claims-aware ASP.NET web application using HTTPS, port 443.
  2. Traffic from WS1 is routed to an ADFS Proxy (PRX1) server which is located in the DMZ.
  3. Traffic from PRX1 is routed to the ADFS Server (ADFS1) which resides in the client’s domain.

Certificates are installed in the following manner:

  1. The relying party app (on WS1) is using a self-signed cert for SSL; I will refer to it as certRP.client.com.
  2. The ADFS server’s Certificate Store has the public key SSL cert (certRP.client.com). There is also a certificate from a trusted authority (certADFS.client.com), where the subject name matches that of the Federation Service Name.
  3. The proxy server has certADFS.client.com in its Certificate Store.

Does the proxy server also need the SSL cert used by the relying party web application (certRP.client.com)?

ADFS Certificates are configured as such:

  1. Service Certificates: certADFS.client.com is being used for Service Communications, Token-decrypting, and Token-signing in AD FS.
  2. Relying party trust:
    1. Encryption certificate is configured to use certRP.client.com
    2. The cert used for the Signature tab is configured to use certADFS.client.com

Additional Relying Party Trust Configuration:

  1. Monitoring: The URI for the FederationMetadata file residing with the relying party is resolving without issue
  2. Identifiers: This is set as www.theDomain.com/RP/default.aspx (this is the relying party)
  3. Endpoints: Currently just have WS-Federation Passive Endpoint as www.theDomain.com/RP/default.aspx (this is the relying party)
  4. Advanced: Secure hash algorithm is set as SHA-1

Via Home Realm Discovery, I’m currently using the AD FS hosted login page to authenticate against Active Directory. After submitting credentials, I receive a ‘the user name or password is incorrect’ message. However, I have confirmed that the authentication is successful, as I viewed the Security log on the Active Directory box for the account I’m testing against.

Here are the errors that are being reported on the ADFS server:

The Federation Service encountered an error while processing the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Additional Data
Exception details:
Microsoft.IdentityServer.Framework.SecurityTokenService.FailedAuthenticationException: MSIS3055: The requested relying party trust 'https://org.client.com/adfs/ls/' is unspecified or unsupported. If a relying party trust was specified, it is possible the user does not have permission to access the relying party trust. ---> Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.ScopeNotFoundPolicyRequestException: MSIS3020: The relying party trust with identifier 'https://org.client.com/adfs/ls/' could not be located.
   --- End of inner exception stack trace ---
   at System.IdentityModel.AsyncResult.End(IAsyncResult result)
   at System.ServiceModel.Security.WSTrustServiceContract.ProcessCoreAsyncResult.End(IAsyncResult ar)
   at System.ServiceModel.Security.WSTrustServiceContract.EndProcessCore(IAsyncResult ar, String requestAction, String responseAction, String trustNamespace)
Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.ScopeNotFoundPolicyRequestException: MSIS3020: The relying party trust with identifier 'https://org.client.com/adfs/ls/' could not be located.

--------------------------------------------------------------------------------------------------------------------------

Encountered error during federation passive request.
Additional Data
Exception details:
Microsoft.IdentityServer.Web.AuthenticationFailedException: MSIS8108: Authentication failed.
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSingleSignOnToken(SecurityToken securityToken, String issuer)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RedirectAdfsLsForRpTokenInSsoCase(SecurityToken securityToken, WSFederationMessage wsFederationPassiveRequestMessage, HttpRequest request, HttpResponse response)

Any assistance resolving this would be greatly appreciated!

custom STS and refresh/cancel verbs


Does a custom STS, built using WIF, need to support the refresh/cancel actions in order to support WCF's native wsfederation2007http binding? This is of course a pure, multi-message messaging-layer (layer 7) security service, within SOAP.

At some point, the SCT that was pairwise agreed (as supported by the SAML token) will expire (or the supporting SAML token will expire). In one or both cases, presumably a new SCT-agreeing handshake will occur, which will include having the client proxy talk to the STS again, at least when the SAML token expires.

Will the WS-Trust proxy, built into the svcutil-auto-generated client proxy, THEN use refresh, or issue (final)?

If the SCT expires, but the SAML token is still good, is there ever a case that the SCT will be renewed (pairwise), but some cached SAML token in the client credentials will be reused in support?


wfresh parameter causing ADFS login to fail


I am using ADFS to do federated logins with a number of different RPs, including our own custom web app, Office 365 and some other third-party services. I have run into a problem where logins silently fail when wfresh=0 is specified in the URL. It just keeps asking for my password over and over again. When I click the "Login" button, it doesn't log you in and redirect you back to the RP, nor does it fail and give you an error message. Instead, it redirects you back to the STS login page, so it looks to the user like it's silently failing.

I found this question: wfresh not working with WS-Federation via ADFS, which seems to be on the right track. However, while I am definitely seeing issues with integrated logins, I am getting similar issues with Forms logins as well. The outward symptoms are different, but the behavior seems to be the same: If you specify wfresh=0, it sends you directly to /adfs/ls.

I looked at the event log on my ADFS server, and I found an Information entry that says "Unable to use SSO token due to wfresh requirements." followed by an Error that says:

Encountered error during federation passive sign-in using SSO token.
Exception details:
Microsoft.IdentityServer.Web.SingleSignOnTokenException: MSIS7006: The single sign on token is not valid.
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)

So it seems that wfresh causes ADFS to reject the login every time, and users cannot log in. Does anyone have any idea what might be causing this? Or is there at least some setting we can turn on that will let ADFS ignore the wfresh parameter?
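The two failures above, the 'relying party trust ... could not be located' error in the Relying Party Trust Errors post and the wfresh=0 loop in this one, both come down to what the STS checks on the incoming wsignin1.0 request before it decides whether an existing SSO session may be reused. The Python below is an added example, not ADFS code and not from either post, that models those checks as the WS-Federation passive requestor profile describes them; the trust table, URLs and timestamps are constructed for the example.

```python
"""Checks an STS makes on a WS-Federation wsignin1.0 request.

Added example: not ADFS code and not from either post. It follows the
WS-Federation passive requestor profile: wtrealm names the relying party,
wreply is where the token may be posted back, and wfresh (in minutes) says how
fresh the user's authentication must be, with wfresh=0 meaning the user must
authenticate again even if an SSO session exists. The relying-party table,
URLs and timestamps are constructed for the example.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Set
from urllib.parse import parse_qs, urlsplit

# Constructed trust table: RP identifier -> allowed passive endpoints.
RELYING_PARTIES: Dict[str, Set[str]] = {
    "https://www.example.com/RP/default.aspx": {
        "https://www.example.com/RP/default.aspx",
    },
}

# Constructed timestamps: the user authenticated five minutes before "now".
SAMPLE_NOW = datetime(2013, 9, 18, 9, 42, 37, tzinfo=timezone.utc)
SAMPLE_AUTH = SAMPLE_NOW - timedelta(minutes=5)


class SignInError(ValueError):
    """The request must be refused; the message says why."""


def parse_signin_request(url: str) -> Dict[str, str]:
    """Return the single-valued WS-Federation parameters of a sign-in URL."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {k: v[0] for k, v in query.items() if len(v) == 1}
    if params.get("wa") != "wsignin1.0":
        raise SignInError("not a wsignin1.0 request")
    return params


def resolve_relying_party(params: Dict[str, str]) -> str:
    """Find the trust for wtrealm: an exact string match, as a trust store does.

    This comparison is what sits behind a 'relying party trust ... could not be
    located' failure: a realm that differs from the registered identifier in
    scheme, host, path or trailing slash is a different identifier.
    """
    realm = params.get("wtrealm")
    if realm not in RELYING_PARTIES:
        raise SignInError(f"relying party trust {realm!r} could not be located")
    reply = params.get("wreply")
    if reply is not None and reply not in RELYING_PARTIES[realm]:
        # Tokens are only posted to endpoints registered for this RP, never to
        # an arbitrary wreply supplied by the browser.
        raise SignInError(f"wreply {reply!r} is not an endpoint of {realm!r}")
    return realm


def sso_token_usable(params: Dict[str, str], auth_instant: datetime,
                     now: datetime) -> bool:
    """Decide whether an existing SSO session satisfies wfresh.

    wfresh absent -> any live SSO session is acceptable
    wfresh=0      -> never; prompt for credentials again
    wfresh=N      -> only if the authentication is at most N minutes old
    """
    raw = params.get("wfresh")
    if raw is None:
        return True
    try:
        minutes = int(raw)
    except ValueError:
        raise SignInError(f"wfresh {raw!r} is not an integer") from None
    if minutes < 0:
        raise SignInError(f"wfresh {raw!r} must not be negative")
    if minutes == 0:
        return False
    return now - auth_instant <= timedelta(minutes=minutes)


def evaluate(url: str, auth_instant: datetime, now: datetime) -> Dict[str, object]:
    """Run all checks; return the decision, or the reason the request is refused."""
    try:
        params = parse_signin_request(url)
        realm = resolve_relying_party(params)
        return {"realm": realm,
                "reuse_sso": sso_token_usable(params, auth_instant, now)}
    except SignInError as exc:
        return {"error": str(exc)}
```

With wfresh=0 the decision is always "do not reuse the SSO session", so an STS that then issues no fresh credential prompt, or whose fresh authentication is again judged against wfresh, loops exactly as the post describes; the exact-match realm lookup is why the identifier registered in the trust and the wtrealm the application sends must agree character for character.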

ADFS IDP


Good Afternoon everyone,

I have a question about ADFS IDP URLs. I have an application that works well when I am internal on the network and prompts me for a domain login when I'm on the DMZ, but when I am trying to connect from the internet I get ADFS errors with no login boxes or anything. Is there anything in particular that I would need to do to make the IDP site from ADFS accessible from the outside, or is that a no-no? Sorry, pretty new to ADFS.

Thanks,

Tim

HTTP Error 405.0 - Method Not Allowed


I have an issue where I know the code and most of the config is correct as it's working in another environment.

I have a Silverlight application that fails when ADFS completes the authentication process and redirects back to the application. I get HTTP error 405. Specifically, IIS and Fiddler show the POST to the /application.web/ failing with the 405.

Here are Fiddler's details on the error:

Server Error in Application "DEFAULT WEB SITE/SILVERLIGHTIDENTITY.WEB"
Internet Information Services 7.5

Error Summary
HTTP Error 405.0 - Method Not Allowed
The page you are looking for cannot be displayed because an invalid method (HTTP verb) is being used.

Detailed Error Information
Module: DirectoryListingModule
Notification: ExecuteRequestHandler
Handler: StaticFile
Error Code: 0x80070001
Requested URL: https://sp2010server.sp2010.local:443/SilverlightIdentity.Web/
Physical Path: C:\Projects\SilverlightIdentity\SilverlightIdentity.Web\
Logon Method: Anonymous
Logon User: Anonymous

Strange, it says the logon method and user are Anonymous; that's not the case... a clue maybe?

I've read of others having this problem due to a missing "/" in multiple places. I've checked the web.config, metadata file and the RP in ADFS and all have the backslash. I went ahead and added a default.aspx to the project and sure enough the POST succeeds, but then I run into an HttpContext.Current null issue. Since my other setup doesn't require the default.aspx there must be something else wrong. The HttpContext.Current = null is likely not a real issue.

I don't have much to debug this issue.  Fiddler, trace, WIF and IIS all agree that it is a 405 but I don't see anything wrong.  I did see another post about the app in IIS needing permissions added that should have already been set but the reference was a bit vague. 

Any ideas on how to solve this?  What should the web site behavior be when you POST to the root web site and there is no default document?  That's the scenario, but, this works fine on another server.

Appreciate the help,

Tim


ADFS 2.0 w/ Google Apps Logout Issue


I have configured ADFS 2.0 in conjunction with Google Apps (Educational Edition).  So far the login seems to work smoothly, at first I had issues with the Logout, which I then believed to have fixed with the following instructions from another thread:

Since there hasn't been an official answer to this, I'll reply for future SSO/Googley/ADFS admins...

The fix is to use the https://myadfsserver.domain.net/adfs/ls/?wa=wsignout1.0 address within the Google config and setup a matching SAML Logout Endpoint in your RP trust configuration in ADFS.

Steps:

1.  Go to the Google Apps control panel - Advanced tools - Set up SSO
2.  "Sign-out page URL" = https://myadfsserver.domain.net/adfs/ls/?wa=wsignout1.0
3.  Save changes

1.  Go to ADFS manager - Trust Relationships - Relying Party Trusts - <your party trust> properties
2.  Under the Endpoints tab, click Add
3.  Endpoint Type = SAML Logout, Binding = POST, URL = https://myadfsserver.domain.net/adfs/ls/?wa=wsignout1.0

You can set a response URL if you want it to redirect to another page but we like the ADFS site since it warns that you are logged off but you should still close your browser.

The logout seems to be OK now; I also get a confirmation message from ADFS 2. However, when I click the browser's back button several times or type in the Google Apps URL manually, I get logged in again. Is there any solution for this behavior? In my opinion this is a severe security flaw.

Many thanks for your feedback!

Safari cookie size limitation update in Windows Server 2012 R2 ADFS?


Hi

As discussed at length in the "ADFS 2.0 Web SSO not working in current versions of Safari for Windows or iOS" thread, the pre-Windows Server 2012 R2 ADFS sometimes creates cookie data to track single sign-on (e.g. the MSISAuth* cookies) which exceeds the size limitations of the Safari browser.

Have there been any changes made to the Windows Server 2012 R2 ADFS cookie handling to limit the amount of data stored, so as to allow SSO to work on Safari (e.g. on iPads and iPhones)?

Regards
Michael

The SAML logout did not complete properly


When sending a SAML LogoutRequest from the SP (RP) to a partner's ADFS IdP, I get the following error on the ADFS side:

Microsoft.IdentityServer.Web.RequestFailedException: MSIS7054: The SAML logout did not complete properly. at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSamlLogoutResponse(HttpSamlMessage samlMessage) at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SamlLogout()

The message conforms to the SAML standards and is signed. What is interesting is that the same SP works properly with our ADFS and SLO does its job.

Here is the SLO request:

<samlp:LogoutRequest ID="cb10b2e1-5a02-48ba-a1f4-5516bcc2b3ca"
                     Version="2.0"
                     IssueInstant="2013-09-18T09:42:37Z"
                     Destination="https://idp.com/adfs/ls/"
                     Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.com/</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <Reference URI="#cb10b2e1-5a02-48ba-a1f4-5516bcc2b3ca">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <DigestValue>vyE4iacROUmXsUwMGZH9HZerPbQ=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>signatureValue</SignatureValue>
        <KeyInfo>
            <X509Data><X509Certificate>certificate</X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>
    <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                 Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                 >user@company.com</saml:NameID>
    <samlp:SessionIndex>_231addfd-7ae4-4e91-8674-36f76227b4b2</samlp:SessionIndex>
</samlp:LogoutRequest>

What do I have to look for?
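As an added example (not ADFS code and not from the post), the Python below runs the structural checks an IdP applies to a LogoutRequest like the one above, using that request (abridged) as constructed sample input. The IdP endpoint, the known issuer and the skew window are assumptions. It does not verify the XML signature cryptographically, since the post's SignatureValue and certificate are placeholders; it does check that the signature covers the request's own ID.

```python
"""Structural checks an IdP applies to a SAML 2.0 LogoutRequest.

Added example; not ADFS code and not from the post. It runs the checks whose
failure most often lies behind a rejected single logout: Destination must
equal the IdP's endpoint as an exact string, the Issuer must be a registered
partner, IssueInstant must be within clock skew, the enveloped signature must
reference the request's own ID, and NameID and SessionIndex must be present.
Cryptographic verification of the signature is outside this example; the
sample is the request from the post (abridged), whose SignatureValue and
certificate are placeholders.
"""
from datetime import datetime, timedelta, timezone
from typing import List
import xml.etree.ElementTree as ET  # parse untrusted XML with defusedxml in production

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Assumed IdP-side configuration for the example.
IDP_SLO_ENDPOINT = "https://idp.com/adfs/ls/"
KNOWN_ISSUERS = {"https://sp.com/"}
MAX_SKEW = timedelta(minutes=5)
SAMPLE_NOW = datetime(2013, 9, 18, 9, 43, 0, tzinfo=timezone.utc)  # constructed

SAMPLE_REQUEST = """<samlp:LogoutRequest ID="cb10b2e1-5a02-48ba-a1f4-5516bcc2b3ca" Version="2.0"
  IssueInstant="2013-09-18T09:42:37Z" Destination="https://idp.com/adfs/ls/"
  Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.com/</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="#cb10b2e1-5a02-48ba-a1f4-5516bcc2b3ca">
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>vyE4iacROUmXsUwMGZH9HZerPbQ=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>signatureValue</SignatureValue>
    <KeyInfo><X509Data><X509Certificate>certificate</X509Certificate></X509Data></KeyInfo>
  </Signature>
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@company.com</saml:NameID>
  <samlp:SessionIndex>_231addfd-7ae4-4e91-8674-36f76227b4b2</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def check_logout_request(xml_text: str, now: datetime) -> List[str]:
    """Return the problems found; an empty list means the request is acceptable."""
    problems: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}LogoutRequest":
        return [f"unexpected root element {root.tag}"]
    if root.get("Version") != "2.0":
        problems.append("Version must be 2.0")
    # Exact string comparison: a proxy host name or a missing trailing slash
    # in Destination is enough to fail here.
    dest = root.get("Destination")
    if dest != IDP_SLO_ENDPOINT:
        problems.append(f"Destination {dest!r} is not {IDP_SLO_ENDPOINT!r}")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in KNOWN_ISSUERS:
        problems.append(f"Issuer {issuer!r} is not a registered partner")
    instant = root.get("IssueInstant") or ""
    try:
        issued = datetime.strptime(instant, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if abs(now - issued) > MAX_SKEW:
            problems.append(f"IssueInstant {instant} is outside the allowed skew")
    except ValueError:
        problems.append(f"IssueInstant {instant!r} is not a whole-second UTC timestamp")
    sig = root.find("ds:Signature", NS)
    if sig is None:
        problems.append("request is not signed")
    else:
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        uri = ref.get("URI") if ref is not None else None
        if uri != "#" + (root.get("ID") or ""):
            problems.append(f"signature Reference {uri!r} does not cover the request ID")
    if root.find("saml:NameID", NS) is None:
        problems.append("NameID missing")
    if root.find("samlp:SessionIndex", NS) is None:
        problems.append("SessionIndex missing; the session to end cannot be identified")
    return problems
```

The request in the post passes every check against this configuration, so with a partner IdP the first things to compare are the values it holds on its side: the exact SLO endpoint string it expects in Destination (proxy hostnames and trailing slashes included), the Issuer it has registered for the SP, and its clock.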


2008 rollups in 2012


Does anyone know if all three 2008 rollups made it into the 2012 ADFS build?

I'm wondering because in Rollup 3:

"This restriction prevents multiple relying parties from using the same signing certificate for SAML requests. AD FS 2.0 update rollup 3 removes this restriction and allows multiple relying parties to use the same signing certificate for SAML request."

But 2012 doesn't seem to allow this feature?


ADFS 2.0 SQL Server Version

Hi everyone, our company currently has an ADFS 2.0 implementation and it's using a dedicated, domain joined, Windows 2008 R2 server running SQL Server 2008 SP3 as its back end database server. Due to some business requirements, we want to do an in-place upgrade of the SQL Server 2008 SP3 software to SQL Server 2008 R2 SP2. The questions are: Is ADFS 2.0 supported on SQL Server 2008 R2 SP2 and will ADFS 2.0 continue to run after the upgrade? Anybody tried this before with success? Any words of wisdom concerning this type of project? Any feedback appreciated. Thanks.    

Windows could not start AD FS 2.0 Windows Service service on Local Computer.


I cannot start the AD FS Windows service in services.msc; it shows the error:

Windows could not start AD FS 2.0 Windows Service service on Local Computer.
Error 1064: An exception occurred in the service when handling the control request.

And I can see the following error in the Windows event log. What shall I do?


Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Date:          4/18/2012 4:26:02 PM
Event ID:      220
Task Category: None
Level:         Error
Keywords:      AD FS
User:          NETWORK SERVICE
Computer:      WIN-CITKF3C8R0O.guyuming.com
Description:
The Federation Service configuration could not be loaded correctly from the AD FS configuration database. 

Additional Data 
Error:  
There is already a listener on IP endpoint :::1500.  Make sure that you are not trying to use this endpoint multiple times in your application and that there are no other applications listening on this endpoint.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS 2.0" Guid="{20E25DDB-09E5-404B-8A56-EDAE2F12EE81}" />
    <EventID>220</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000001</Keywords>
    <TimeCreated SystemTime="2012-04-18T08:26:02.097156100Z" />
    <EventRecordID>1986</EventRecordID>
    <Correlation />
    <Execution ProcessID="7256" ThreadID="7184" />
    <Channel>AD FS 2.0/Admin</Channel>
    <Computer>WIN-CITKF3C8R0O.guyuming.com</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <UserData>
    <Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
      <EventData>
        <Data>There is already a listener on IP endpoint :::1500.  Make sure that you are not trying to use this endpoint multiple times in your application and that there are no other applications listening on this endpoint.</Data>
      </EventData>
    </Event>
  </UserData>
</Event>

Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Date:          4/18/2012 4:26:02 PM
Event ID:      202
Task Category: None
Level:         Error
Keywords:      AD FS
User:          NETWORK SERVICE
Computer:      WIN-CITKF3C8R0O.guyuming.com
Description:
The Federation Service configuration service could not be opened. 

Additional Data 
Exception details: 
System.ServiceModel.AddressAlreadyInUseException: There is already a listener on IP endpoint :::1500.  Make sure that you are not trying to use this endpoint multiple times in your application and that there are no other applications listening on this endpoint. ---> System.Net.Sockets.SocketException: Only one usage of each socket address (protocol/network address/port) is normally permitted
   at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Bind(EndPoint localEP)
   at System.ServiceModel.Channels.SocketConnectionListener.Listen()
   --- End of inner exception stack trace ---
   at System.ServiceModel.Channels.SocketConnectionListener.Listen()
   at System.ServiceModel.Channels.BufferedConnectionListener.Listen()
   at System.ServiceModel.Channels.ExclusiveTcpTransportManager.OnOpen()
   at System.ServiceModel.Channels.TransportManager.Open(TransportChannelListener channelListener)
   at System.ServiceModel.Channels.TransportManagerContainer.Open(SelectTransportManagersCallback selectTransportManagerCallback)
   at System.ServiceModel.Channels.ConnectionOrientedTransportChannelListener.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.TcpChannelListener`2.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at Microsoft.IdentityServer.Service.SecurityTokenService.ServiceHostManager.Open(ServiceHostEntry entry)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS 2.0" Guid="{20E25DDB-09E5-404B-8A56-EDAE2F12EE81}" />
    <EventID>202</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000001</Keywords>
    <TimeCreated SystemTime="2012-04-18T08:26:02.070154600Z" />
    <EventRecordID>1984</EventRecordID>
    <Correlation />
    <Execution ProcessID="7256" ThreadID="7184" />
    <Channel>AD FS 2.0/Admin</Channel>
    <Computer>WIN-CITKF3C8R0O.guyuming.com</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <UserData>
    <Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
      <EventData>
        <Data>configuration service</Data>
        <Data>System.ServiceModel.AddressAlreadyInUseException: There is already a listener on IP endpoint :::1500.  Make sure that you are not trying to use this endpoint multiple times in your application and that there are no other applications listening on this endpoint. ---&gt; System.Net.Sockets.SocketException: Only one usage of each socket address (protocol/network address/port) is normally permitted
   at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Bind(EndPoint localEP)
   at System.ServiceModel.Channels.SocketConnectionListener.Listen()
   --- End of inner exception stack trace ---
   at System.ServiceModel.Channels.SocketConnectionListener.Listen()
   at System.ServiceModel.Channels.BufferedConnectionListener.Listen()
   at System.ServiceModel.Channels.ExclusiveTcpTransportManager.OnOpen()
   at System.ServiceModel.Channels.TransportManager.Open(TransportChannelListener channelListener)
   at System.ServiceModel.Channels.TransportManagerContainer.Open(SelectTransportManagersCallback selectTransportManagerCallback)
   at System.ServiceModel.Channels.ConnectionOrientedTransportChannelListener.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.TcpChannelListener`2.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at Microsoft.IdentityServer.Service.SecurityTokenService.ServiceHostManager.Open(ServiceHostEntry entry)</Data>
      </EventData>
    </Event>
  </UserData>
</Event>
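
An added diagnostic, not part of the post and not AD FS code: the Python helper below tries to bind the wildcard address of each IP family on the port named in the event, so you can see whether the conflict is IPv6-only ('::' is the IPv6 wildcard in ':::1500'), IPv4-only or both before looking for the other process with netstat. The port number is the one from the event; nothing else is assumed about the host.

```python
"""Report whether a service port is already bound, per address family.

Added diagnostic; not from the post and not AD FS code. The event says a
listener already holds IP endpoint :::1500, where '::' is the IPv6 wildcard
and 1500 the TCP port of the configuration service named in the event. A bind
attempt on each family's wildcard address tells you whether the conflict is
IPv6-only, IPv4-only or both.
"""
import errno
import socket
from typing import Dict, Optional, Tuple


def port_is_free(port: int, ipv6: bool = True, host: Optional[str] = None) -> Optional[bool]:
    """True if host:port can be bound, False if a listener already holds it,
    None if the address family is unavailable on this machine."""
    family = socket.AF_INET6 if ipv6 else socket.AF_INET
    if host is None:
        host = "::" if ipv6 else "0.0.0.0"
    try:
        sock = socket.socket(family, socket.SOCK_STREAM)
    except OSError:
        return None
    with sock:
        if ipv6:
            # Test '::' by itself rather than the dual-stack mapping onto 0.0.0.0.
            sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
        # No SO_REUSEADDR on purpose: we want the same answer the service got.
        try:
            sock.bind((host, port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return False
            if exc.errno in (errno.EADDRNOTAVAIL, errno.EAFNOSUPPORT):
                return None
            raise
    return True


def endpoint_report(port: int) -> Dict[str, Optional[bool]]:
    """Bind test on both wildcard addresses, keyed the way the event names them."""
    return {
        f":::{port}": port_is_free(port, ipv6=True),
        f"0.0.0.0:{port}": port_is_free(port, ipv6=False),
    }


def occupy_port(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Hold an ephemeral listening port so the check can be exercised locally."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind((host, 0))
    holder.listen(1)
    return holder, holder.getsockname()[1]


if __name__ == "__main__":
    for endpoint, free in endpoint_report(1500).items():
        state = "free" if free else ("IN USE" if free is False else "n/a")
        print(f"{endpoint:<14} {state}")
```

Run it on the AD FS server while the service is stopped: an "IN USE" on :::1500 with the service down means another process, or a second registration of the same endpoint, holds the port, which is the condition the AddressAlreadyInUseException in the event describes.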


Site works for IE10 "InPrivate" browsing otherwise I get ID4243: Could not create a SecurityToken?


This is the first site I'm migrating to ADFS.  I finally got the site to work while using the IE10 InPrivate browsing option. However, if I just open IE and navigate to the site I immediately get:

[SecurityTokenException: ID4243: Could not create a SecurityToken. A token was not found in the token cache and no cookie was found in the context.].

Now, I've tried the article here http://brockallen.com/2012/10/22/dealing-with-session-token-exceptions-with-wif-in-asp-net/ but no luck.

As I understand InPrivate browsing, it uses session or in-memory cookies, so I'm guessing it's a cookie security/path location issue when I'm using normal browsing?

Any ideas would be helpful. Thanks, Dave.


CryptographicException - Object identifier (OID) is unknown

I am having a problem with my certificates and creating a RSTR as a string. The line of code that is failing is:

string responseAsString = federationSerializer.GetResponseAsString(response, new WSTrustSerializationContext());

and the exception that is being thrown is (mapping the OID in the certificate to an algorithm):

Object identifier (OID) is unknown.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Security.Cryptography.CryptographicException: Object identifier (OID) is unknown.

[CryptographicException: Object identifier (OID) is unknown.]
   System.Security.Cryptography.X509Certificates.X509Utils._GetAlgIdFromOid(String oid) +0
   System.Security.Cryptography.X509Certificates.X509Utils.OidToAlgId(String oid) +37
   System.Security.Cryptography.RSACryptoServiceProvider.SignHash(Byte[] rgbHash, String str) +61
   System.Security.Cryptography.RSAPKCS1SignatureFormatter.CreateSignature(Byte[] rgbHash) +105
   System.Security.Cryptography.AsymmetricSignatureFormatter.CreateSignature(HashAlgorithm hash) +48
   Microsoft.IdentityModel.Protocols.XmlSignature.SignedXml.ComputeSignature(HashAlgorithm hash, AsymmetricSignatureFormatter formatter) +44
   Microsoft.IdentityModel.Protocols.XmlSignature.SignedXml.ComputeSignature(SecurityKey signingKey) +362
   Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureWriter.ComputeSignature() +135
   Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureWriter.OnEndRootElement() +150
   Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureWriter.WriteEndElement() +33
   Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.WriteAssertion(XmlWriter writer, SamlAssertion assertion) +577
   Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.WriteToken(XmlWriter writer, SecurityToken token) +44
   Microsoft.IdentityModel.Tokens.EncryptedSecurityTokenHandler.WriteToken(XmlWriter writer, SecurityToken token) +225
   Microsoft.IdentityModel.Tokens.SecurityTokenSerializerAdapter.WriteTokenCore(XmlWriter writer, SecurityToken token) +200
   System.IdentityModel.Selectors.SecurityTokenSerializer.WriteToken(XmlWriter writer, SecurityToken token) +33
   Microsoft.IdentityModel.Protocols.WSTrust.WSTrustSerializationHelper.WriteRSTRXml(XmlWriter writer, String elementName, Object elementValue, WSTrustSerializationContext context, WSTrustConstantsAdapter trustConstants) +714
   Microsoft.IdentityModel.Protocols.WSTrust.WSTrustFeb2005ResponseSerializer.WriteXmlElement(XmlWriter writer, String elementName, Object elementValue, RequestSecurityTokenResponse rstr, WSTrustSerializationContext context) +71
   Microsoft.IdentityModel.Protocols.WSTrust.WSTrustSerializationHelper.WriteKnownResponseElement(RequestSecurityTokenResponse rstr, XmlWriter writer, WSTrustSerializationContext context, WSTrustResponseSerializer responseSerializer, WSTrustConstantsAdapter trustConstants) +278
   Microsoft.IdentityModel.Protocols.WSTrust.WSTrustFeb2005ResponseSerializer.WriteKnownResponseElement(RequestSecurityTokenResponse rstr, XmlWriter writer, WSTrustSerializationContext context) +42
   Microsoft.IdentityModel.Protocols.WSTrust.WSTrustSerializationHelper.WriteResponse(RequestSecurityTokenResponse response, XmlWriter writer, WSTrustSerializationContext context, WSTrustResponseSerializer responseSerializer, WSTrustConstantsAdapter trustConstants) +195
   Microsoft.IdentityModel.Protocols.WSTrust.WSTrustFeb2005ResponseSerializer.WriteXml(RequestSecurityTokenResponse response, XmlWriter writer, WSTrustSerializationContext context) +42
   Microsoft.IdentityModel.Protocols.WSFederation.WSFederationSerializer.GetResponseAsString(RequestSecurityTokenResponse response, WSTrustSerializationContext context) +181
   FederationPassiveSecureTokenService._Default.ProcessSignInRequest(SignInRequestMessage requestMessage) in Default.aspx.cs:109
   FederationPassiveSecureTokenService._Default.Page_PreRender(Object sender, EventArgs e) in Default.aspx.cs:42
   System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +14
   System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +35
   System.Web.UI.Control.OnPreRender(EventArgs e) +8682870
   System.Web.UI.Control.PreRenderRecursiveInternal() +80
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +842


I assume it is the way I have used makecert.exe for my signing certificate. I am using makecert.exe. I have created my own root CA certificate, which is the issuer of my signing certificate. The command line I used to create my certificate is shown below (parameters are split onto new lines for ease of reading):


makecert.exe
  -pe
  -n "CN=RP STS"
  -b 01/01/2009 -e 01/01/2036
  -ss My
  -sr localMachine
  -sky exchange
  -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.3
  -iv CA-root.pvk
  -ic CA-root.cer

I have granted the service account (Network Service) read access to the private key. I have also configured Geneva as follows:

    <microsoft.identityModel>
        <service>
            <serviceCertificate>
                <certificateReference x509FindType="FindBySubjectName"
                                      findValue="RP STS"
                                      storeLocation="LocalMachine"
                                      storeName="My" />
            </serviceCertificate>
        </service>
    </microsoft.identityModel>

I assume the options I used to create the certificate are incorrect.  I had tried to use the

  -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

options, but same result.  If someone could give me some suggestions, it would be much appreciated.

Phil Bolduc
Vancouver, BC


