Hi, I'm having some trouble while trying to configure active federation on a WCF service. I will explain my environment configuration:
WINSERVER2012 (VM) Windows Server 2012 + AD + AD FS 2.0
WIN-DEV1 (VM) (WCF Host + WCF Consumer)
WIN-DEV1 has joined the domain hosted by WINSERVER2012 called FMTemporary.fm.
Below I describe my requirements:
Since the WCF service is hosted by a machine which is in the FMTemporary.fm domain, all clients that belong to the same domain should be allowed to call the service without the need of a username and password (SSO).
I've configured AD FS and everything is working fine using the endpoint /services/trust/13/usernamemixed in conjunction with username + password, but I cannot get the endpoint /services/trust/13/windowsmixed with Windows authentication working.
The error I get on the client is the following:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server Administrator. The target name used was host/winserver2012. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (FMTEMPORARY.FM) is different from the client domain (FMTEMPORARY.FM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
WCF Host config:
<system.serviceModel>
  <services>
    <service name="WebApplication.Service">
      <endpoint binding="ws2007FederationHttpBinding" contract="WebApplication.IService" address="" />
    </service>
  </services>
  <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true">
    <serviceActivations>
      <add service="WebApplication.Service" relativeAddress="~/Service.svc" />
    </serviceActivations>
  </serviceHostingEnvironment>
  <behaviors>
    <serviceBehaviors>
      <behavior name="">
        <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="true" />
        <serviceAuthorization principalPermissionMode="Always" />
        <serviceCredentials useIdentityConfiguration="true">
          <!--Certificate added by Identity and Access Tool for Visual Studio.-->
          <serviceCertificate findValue="ServicesCert" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
          <clientCertificate>
            <authentication revocationMode="NoCheck" certificateValidationMode="None" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <protocolMapping>
    <add scheme="http" binding="ws2007FederationHttpBinding" />
  </protocolMapping>
  <bindings>
    <ws2007FederationHttpBinding>
      <binding name="">
        <security>
          <message>
            <!-- Token issuer: the AD FS windowsmixed endpoint, reached with the ADFSConfiguration binding below -->
            <issuer address="https://winserver2012/adfs/services/trust/13/windowsmixed" binding="ws2007HttpBinding" bindingConfiguration="ADFSConfiguration" />
          </message>
        </security>
      </binding>
    </ws2007FederationHttpBinding>
    <ws2007HttpBinding>
      <binding name="ADFSConfiguration">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="Windows" establishSecurityContext="false" />
        </security>
      </binding>
    </ws2007HttpBinding>
  </bindings>
</system.serviceModel>
<system.identityModel>
  <identityConfiguration>
    <audienceUris>
      <add value="http://localhost:33169/Service1.svc" />
    </audienceUris>
    <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
      <authority name="http://WINSERVER2012.FMTemporary.fm/adfs/services/trust">
        <keys>
          <add thumbprint="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" />
        </keys>
        <validIssuers>
          <add name="http://WINSERVER2012.FMTemporary.fm/adfs/services/trust" />
        </validIssuers>
      </authority>
    </issuerNameRegistry>
    <certificateValidation certificateValidationMode="None" revocationMode="NoCheck" />
    <!--certificationValidationMode set to "None" by the Identity and Access Tool for Visual Studio. For development purposes.-->
  </identityConfiguration>
</system.identityModel>
WCF Consumer config:
<system.serviceModel>
  <bindings>
    <ws2007FederationHttpBinding>
      <binding name="ServiceConfiguration">
        <security>
          <message>
            <issuer binding="ws2007HttpBinding" bindingConfiguration="ADFSConfiguration" address="https://winserver2012/adfs/services/trust/13/windowsmixed" />
          </message>
        </security>
      </binding>
    </ws2007FederationHttpBinding>
    <ws2007HttpBinding>
      <binding name="ADFSConfiguration">
        <security mode="TransportWithMessageCredential">
          <message establishSecurityContext="false" clientCredentialType="Windows" />
        </security>
      </binding>
    </ws2007HttpBinding>
  </bindings>
  <client>
    <endpoint address="http://localhost:33169/Service.svc" binding="ws2007FederationHttpBinding" bindingConfiguration="ServiceConfiguration" contract="ServiceReference1.IService" name="WS2007FederationHttpBinding_IService">
      <identity>
        <certificateReference storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="ServicesCert" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
P.S. The AD FS endpoint (/services/trust/13/windowsmixed) is enabled and I've added the Relying Party to AD FS. I'm pretty sure AD FS is configured fine, because switching to the /services/trust/13/usernamemixed endpoint gives no error.
Any help is greatly appreciated.
Massimiliano.
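The KRB_AP_ERR_MODIFIED text quoted above asks that the target SPN be registered on exactly one account, the one the AD FS service runs as. The following script is an added diagnostic, not part of the original post, that queries AD for every account holding the host/ and HTTP/ SPNs of winserver2012 and flags missing or duplicate registrations. It assumes the RSAT ActiveDirectory module is installed and that the AD FS service account name (a placeholder here) is known.

```powershell
# Added check for the SPN condition described in the KRB_AP_ERR_MODIFIED message.
# Assumes: RSAT ActiveDirectory module, read access to the domain.
# 'ADFS-SERVICE-ACCOUNT' is a placeholder; substitute the real AD FS service account.
Import-Module ActiveDirectory

function Get-SpnOwners {
    param([Parameter(Mandatory)] [string] $Spn)   # e.g. 'host/winserver2012'
    # An LDAP filter on servicePrincipalName matches computer and user accounts alike.
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName |
        ForEach-Object {
            [pscustomobject]@{
                Spn     = $Spn
                Account = $_.Name            # computer accounts show up without the trailing '$'
                Class   = $_.ObjectClass
                DN      = $_.DistinguishedName
            }
        }
}

function Test-SpnRegistration {
    param(
        [Parameter(Mandatory)] [string[]] $Spns,
        [Parameter(Mandatory)] [string]   $ExpectedAccount   # account the service actually runs as
    )
    foreach ($spn in $Spns) {
        $owners = @(Get-SpnOwners -Spn $spn)
        switch ($owners.Count) {
            0 { Write-Warning "$spn is not registered on any account" }
            1 {
                if ($owners[0].Account -ieq $ExpectedAccount) {
                    Write-Output "$spn OK, registered on $($owners[0].Account)"
                } else {
                    Write-Warning "$spn is registered on $($owners[0].Account), not on $ExpectedAccount"
                }
            }
            default {
                # Two or more owners: the KDC cannot pick the right key, which yields KRB_AP_ERR_MODIFIED.
                Write-Warning "$spn is registered on $($owners.Count) accounts (duplicate SPN): $($owners.Account -join ', ')"
            }
        }
    }
}

# Short and fully-qualified forms of the SPNs a Windows client may request for the AD FS host.
$spns = @('host/winserver2012', 'host/winserver2012.FMTemporary.fm',
          'HTTP/winserver2012', 'HTTP/winserver2012.FMTemporary.fm')
Test-SpnRegistration -Spns $spns -ExpectedAccount 'ADFS-SERVICE-ACCOUNT'
```

setspn -X on a domain controller performs the same forest-wide duplicate search without the per-account detail shown here.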