Channel: Claims based access platform (CBA), code-named Geneva forum

windowstransport Authentication erroring with "The target principal name is incorrect"


I have an application that does active authentication against ADFS using the windowstransport endpoint. This code has been and is working perfectly for 90% of our deployments. We have one domain, however, where it is only working from certain locations. Also note that this was working perfectly up until yesterday afternoon.

The domain being authenticated against is iso.paretoplatform.com
The domain which fails authentication is paretoplatform.com (root domain, separate forest/domain completely)

This code works perfectly fine from my development environment, and 2 other production domains we have against the iso domain. This only seems to fail on iso itself and from the root domain.

My code and the exception are as follows.

// using directives added for completeness; the post omits them. Assumes the .NET 4.5
// WS-Trust types (System.IdentityModel.Protocols.WSTrust); on WIF 3.5 the same type names
// live in Microsoft.IdentityModel.Protocols.WSTrust instead.
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.Net;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Channels;

namespace Pareto.Crm2011.Shared.Authentication.ADFS
{
	public static class SAMLToken
	{
		public static string GetSAMLToken(string rpurl, string username, string password, string domain, string adfsServer)
		{
			var baseUri = new Uri(rpurl);
			var baseURL = baseUri.GetComponents(UriComponents.SchemeAndServer, UriFormat.Unescaped);
			baseURL = baseURL.EndsWith("/") ? baseURL : baseURL + "/";

			var stsServer = adfsServer.EndsWith("/") ? adfsServer : adfsServer + "/";
			var stsUrl = stsServer + "adfs/services/trust/13/windowstransport";

			//get token from STS

			return GetResponse(stsUrl, baseURL, username, password, domain);
		}

		private static string GetResponse(string stsUrl, string baseUrl, string username, string password, string domain)
		{
			var rst = new RequestSecurityToken
			{
				RequestType = WSTrust13Constants.RequestTypes.Issue,
				AppliesTo = new EndpointAddress(baseUrl),
				KeyType = WSTrust13Constants.KeyTypes.Bearer
			};


			//bearer token, no encryption
			var trustSerializer = new WSTrust13RequestSerializer();
			var binding = new WSHttpBinding
			{
				Security =
				{
					Mode = SecurityMode.Transport,
					Message =
					{
						ClientCredentialType = MessageCredentialType.None,
						EstablishSecurityContext = false
					}
				}
			};

			binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
			var address = new EndpointAddress(stsUrl);
			var trustClient = new WSTrust13ContractClient(binding, address);

#pragma warning disable 618
			trustClient.ClientCredentials.Windows.AllowNtlm = true;
#pragma warning restore 618
			trustClient.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
			trustClient.ClientCredentials.Windows.ClientCredential = new NetworkCredential(username, password, domain);
			var response = trustClient.EndIssue(trustClient.BeginIssue(Message.CreateMessage(MessageVersion.Default, WSTrust13Constants.Actions.Issue, new RequestBodyWriter(trustSerializer, rst)), null, null));
			trustClient.Close();

			// Read the RSTR body before closing the message; the reader is only valid while the message is open.
			var reader = response.GetReaderAtBodyContents();
			var tokenXml = reader.ReadOuterXml();
			response.Close();
			return tokenXml;
		}

	}
}

// using directives added for completeness; the post omits them.
using System;
using System.Net.Security;
using System.ServiceModel;
using System.ServiceModel.Channels;

namespace Pareto.Crm2011.Shared.Authentication.ADFS
{
	[ServiceContract]
	public interface IWSTrust13Contract
	{
		[OperationContract(ProtectionLevel = ProtectionLevel.EncryptAndSign, Action = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue", ReplyAction = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal", AsyncPattern = true)]
		IAsyncResult BeginIssue(Message request, AsyncCallback callback, object state);
		Message EndIssue(IAsyncResult asyncResult);
	}

	public partial class WSTrust13ContractClient : ClientBase<IWSTrust13Contract>, IWSTrust13Contract
	{
		public WSTrust13ContractClient(Binding binding, EndpointAddress remoteAddress)
			: base(binding, remoteAddress)
		{
		}

		public IAsyncResult BeginIssue(Message request, AsyncCallback callback, object state)
		{
			return base.Channel.BeginIssue(request, callback, state);
		}

		public Message EndIssue(IAsyncResult asyncResult)
		{
			return base.Channel.EndIssue(asyncResult);
		}
	}
}

// using directives added for completeness; the post omits them (WS-Trust namespace as assumed above).
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.ServiceModel.Channels;
using System.Xml;

namespace Pareto.Crm2011.Shared.Authentication.ADFS
{
	public class RequestBodyWriter : BodyWriter
	{
		readonly WSTrustRequestSerializer _serializer;
		readonly RequestSecurityToken _rst;

		/// <summary>
		/// Constructs the Body Writer.
		/// </summary>
		/// <param name="serializer">Serializer to use for serializing the rst.</param>
		/// <param name="rst">The RequestSecurityToken object to be serialized to the outgoing Message.</param>
		public RequestBodyWriter(WSTrustRequestSerializer serializer, RequestSecurityToken rst)
			: base(false)
		{
			if (serializer == null)
				throw new ArgumentNullException("serializer");

			_serializer = serializer;
			_rst = rst;
		}


		/// <summary>
		/// Override of the base class method. Serializes the rst to the outgoing stream.
		/// </summary>
		/// <param name="writer">Writer to which the rst should be written.</param>
		protected override void OnWriteBodyContents(XmlDictionaryWriter writer)
		{
			_serializer.WriteXml(_rst, writer, new WSTrustSerializationContext());
		}
	}
}

And my testing app, which makes the call that fails:

// using directives added for completeness; the post omits them.
using System;
using Pareto.Crm2011.Shared.Authentication.ADFS;

namespace ADFS_Transport_Tester
{
	class Program
	{
		static void Main(string[] args)
		{
			try
			{
				Console.WriteLine("Login Check: " + SAMLToken.GetSAMLToken("https://logincheck.iso.paretoplatform.com", <USER>, <ITS A PASSWORD!>, "iso.paretoplatform.com", "https://adfs.iso.paretoplatform.com"));
				Console.ReadKey();
			}
			catch (Exception ex)
			{
				Console.WriteLine(ex);
			}
		}
	}
}

And the exception:

[Win32Exception (0x80004005): The target principal name is incorrect]
   System.Net.NTAuthentication.GetOutgoingBlob(Byte[] incomingBlob, Boolean throwOnError, SecurityStatus& statusCode) +7833059
   System.Net.NTAuthentication.GetOutgoingBlob(String incomingBlob) +91
   System.Net.NegotiateClient.DoAuthenticate(String challenge, WebRequest webRequest, ICredentials credentials, Boolean preAuthenticate) +7950568
   System.Net.NegotiateClient.Authenticate(String challenge, WebRequest webRequest, ICredentials credentials) +18
   System.Net.AuthenticationManager.Authenticate(String challenge, WebRequest request, ICredentials credentials) +149
   System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest, ICredentials authInfo) +7949942
   System.Net.HttpWebRequest.CheckResubmitForAuth() +7953110
   System.Net.HttpWebRequest.CheckResubmit(Exception& e) +126

[WebException: The remote server returned an error: (401) Unauthorized.]
   System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) +3236153
   System.ServiceModel.Channels.HttpChannelAsyncRequest.CompleteGetResponse(IAsyncResult result) +216

[MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate oXQwcqADCgEBomsEaWBnBgkqhkiG9xIBAgIDAH5YMFagAwIBBaEDAgEepBEYDzIwMTMwNTAzMTcxMzQ3WqUFAgMG2vSmAwIBKakYGxZJU08uUEFSRVRPUExBVEZPUk0uQ09NqhEwD6ADAgEBoQgwBhsEZGMxJA=='.]
   System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) +4729427
   System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) +1725
   Pareto.Crm2011.Shared.Authentication.ADFS.IWSTrust13Contract.EndIssue(IAsyncResult asyncResult) +0
   Pareto.Crm2011.Shared.Authentication.ADFS.WSTrust13ContractClient.EndIssue(IAsyncResult asyncResult) +102
   Pareto.Crm2011.Shared.Authentication.ADFS.SAMLToken.GetResponse(String stsUrl, String baseUrl, String username, String password, String domain) +1488
   Pareto.Crm2011.Shared.Authentication.ADFS.SAMLToken.GetSAMLToken(String rpurl, String username, String password, String domain, String adfsServer) +482

I have seen and dealt with the Negotiate exception before (typically due to SPN issues), but I've determined the SPNs are correct. I have never seen the exception accompanied by "The target principal name is incorrect".


Thank you in advance for your help. If you think you may be able to help with any of my unanswered threads please look at them here
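The "Negotiate ..." blob in the MessageSecurityException above is not opaque: it is a SPNEGO NegTokenResp carrying the server's Kerberos KRB-ERROR, and decoding it tells you which Kerberos error the service returned and which principal it answered as. The following is an added example, not part of the original post or of the poster's project: a dependency-free Python decoder that parses the exact header value quoted in the exception. The DER tags follow RFC 4178 (SPNEGO), RFC 4121 (GSS-API Kerberos token framing) and RFC 4120 (KRB-ERROR); the name table is the subset of RFC 4120 error codes that matter for this kind of troubleshooting.

```python
import base64

# Copied from the post: the value after "Negotiate " in the server's
# WWW-Authenticate header, as quoted in the MessageSecurityException text.
NEGOTIATE_TOKEN = (
    "oXQwcqADCgEBomsEaWBnBgkqhkiG9xIBAgIDAH5YMFagAwIBBaEDAgEepBEYDzIwMTMwNTAzMTcxMzQ3"
    "WqUFAgMG2vSmAwIBKakYGxZJU08uUEFSRVRPUExBVEZPUk0uQ09NqhEwD6ADAgEBoQgwBhsEZGMxJA=="
)

KERBEROS_V5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
KRB_ERROR_TOK_ID = b"\x03\x00"                          # RFC 4121 TOK_ID for KRB-ERROR

# Subset of the RFC 4120 section 7.5.9 error codes seen in SPN / ticket troubleshooting.
KRB_ERROR_NAMES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    24: "KDC_ERR_PREAUTH_FAILED",
    31: "KRB_AP_ERR_BAD_INTEGRITY",
    32: "KRB_AP_ERR_TKT_EXPIRED",
    37: "KRB_AP_ERR_SKEW",
    41: "KRB_AP_ERR_MODIFIED",
    68: "KDC_ERR_WRONG_REALM",
}


def read_tlv(buf, pos=0):
    """Return (tag, value, end) for the DER element at buf[pos]; handles short and long lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Yield (tag, value) for each DER element directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner


def der_int(tlv):
    return int.from_bytes(read_tlv(tlv)[1], "big")


def der_str(tlv):
    return read_tlv(tlv)[1].decode("ascii")


def unwrap_negotiate(b64):
    """Pull negState and the mechanism token out of a SPNEGO NegTokenResp ([1] CHOICE, tag 0xA1)."""
    tag, resp, _ = read_tlv(base64.b64decode(b64))
    if tag != 0xA1:
        raise ValueError("not a NegTokenResp (tag 0x%02x)" % tag)
    fields = {t & 0x1F: v for t, v in children(read_tlv(resp)[1])}
    neg_state = der_int(fields[0])          # 0 accept-completed, 1 accept-incomplete, 2 reject
    mech_token = read_tlv(fields[2])[1]     # responseToken OCTET STRING
    return neg_state, mech_token


def parse_krb_error(mech_token):
    """Decode a Kerberos KRB-ERROR carried in a GSS-API InitialContextToken."""
    tag, body, _ = read_tlv(mech_token)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    oid_tag, oid, pos = read_tlv(body)
    if oid_tag != 0x06 or oid != KERBEROS_V5_OID:
        raise ValueError("mechanism is not Kerberos v5")
    if body[pos:pos + 2] != KRB_ERROR_TOK_ID:
        raise ValueError("TOK_ID %s is not KRB-ERROR" % body[pos:pos + 2].hex())
    app_tag, seq_tlv, _ = read_tlv(body, pos + 2)
    if app_tag != 0x7E:                     # [APPLICATION 30] KRB-ERROR
        raise ValueError("expected KRB-ERROR application tag")
    f = {t & 0x1F: v for t, v in children(read_tlv(seq_tlv)[1])}
    sname = {t & 0x1F: v for t, v in children(read_tlv(f[10])[1])}
    code = der_int(f[6])
    return {
        "pvno": der_int(f[0]),
        "msg_type": der_int(f[1]),          # 30 = KRB-ERROR
        "stime": der_str(f[4]),             # server time, KerberosTime
        "error_code": code,
        "error_name": KRB_ERROR_NAMES.get(code, "unknown"),
        "realm": der_str(f[9]),
        "sname_type": der_int(sname[0]),    # 1 = NT-PRINCIPAL
        "sname": [v.decode("ascii") for _, v in children(read_tlv(sname[1])[1])],
    }


def diagnose(b64=NEGOTIATE_TOKEN):
    """Decode a Negotiate header value into the fields a troubleshooter needs."""
    neg_state, mech_token = unwrap_negotiate(b64)
    result = parse_krb_error(mech_token)
    result["neg_state"] = neg_state
    return result


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key:12} {value}")
```

Run against the quoted header, the decoder reports error-code 41, KRB_AP_ERR_MODIFIED, in realm ISO.PARETOPLATFORM.COM with sname dc1$ and negState accept-incomplete. KRB_AP_ERR_MODIFIED is the Kerberos error that SSPI surfaces to callers as SEC_E_WRONG_PRINCIPAL, "The target principal name is incorrect": the service that answered could not decrypt the ticket the client presented, which is what happens when the KDC issued the ticket under the key of one account but the responding service runs as another. The sname is the principal the responder reported in the error (here the computer account dc1$), so the defender-side check is to compare it with the account that actually holds the HTTP/ SPN for adfs.iso.paretoplatform.com (setspn -L on the candidate accounts, setspn -X for duplicates) and with what that name resolves to from the locations that fail versus the ones that work; an SPN list that looks correct can still disagree with which host is really answering.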

