.NET Framework Bookmark and Share   
 index > Claims based access platform (CBA), code-named Geneva > Error "MSIS3046" using PassiveFederation
 

Error "MSIS3046" using PassiveFederation

Hi

I'm trying to setup the simplest possible "Geneva" scenario:
- a passive RP (ASP.NET application)
- a Geneva Server providing claims

but I’m stuck. After sign in on the PassifeFederation website, I’m getting this error in IE:
"An error has occurred while processing the request.
MSIS7012: The request failed. Contact your administrator for details. (...) MSIS7006: The single sign on token is not valid (...)"

The following message can be found in the EventLog:
"System.UnauthorizedAccessException: MSIS3046: The caller is not authorized to request tokens on behalf of other callers."

The Geneva Server, SQL-DB and the claims aware web application are installed on one single machine.

What I’ve done so far:
1. Installed Geneva Server (using a domain admin user as service account)
2. Used FedUtil to config the RP
3. Configured the RP in Geneva Server (using the Metadata generated by FedUtil)

The Windows Integrated authentication didn't work in the beginning.
I had to change the Geneva AppPool identity to "NetworkService" to get the authentication working.

Regards,
Kantiran

Kantiran
Hi Kantiran,

Geneva Server will only accept call from passive federation website if it's running as identity configured when running Geneva Server Initial Configuration Wizard. If you want to run Geneva as Network Service you can rerun Initial Configuration Wizard to reconfigure Geneva Server servoce identity.

Why you had to change GenevaAppPool identity? Can you provide more information about why Windows authentication didn't work for you? Is that some environmental issue, IIS not configured for Windows integrated, IIS error?

Thanks
Mieszko
  • Marked As Answer byKantiran Wednesday, September 02, 2009 9:03 AM
  •  
Mieszko Matkowski

Running under domain account is required if you plan to setup Geneva Server farm. If you have standalone Geneva Server - running as Network Service should be fine.

Regarding the Windows authentication failure - are you running Geneva on the same machine as Domain Controller? If you look into eventvwr -> Security log are you seeing any authentication failures once you try to login? Have you configured SPN for your machine?

If you want to start on Geneva Server in farm - there is technet article on that subject (http://technet.microsoft.com/en-us/library/dd807078(WS.10).aspx).

  • Marked As Answer byKantiran Wednesday, September 02, 2009 9:03 AM
  •  
Mieszko Matkowski
Hi Kantiran,

Geneva Server will only accept call from passive federation website if it's running as identity configured when running Geneva Server Initial Configuration Wizard. If you want to run Geneva as Network Service you can rerun Initial Configuration Wizard to reconfigure Geneva Server servoce identity.

Why you had to change GenevaAppPool identity? Can you provide more information about why Windows authentication didn't work for you? Is that some environmental issue, IIS not configured for Windows integrated, IIS error?

Thanks
Mieszko
  • Marked As Answer byKantiran Wednesday, September 02, 2009 9:03 AM
  •  
Mieszko Matkowski

Hi

Are there any restrictions when using the Network Service as Geneva Service identity?
I thought only an AD account would be able to get data from the LDAP store...

I wasn't able to log in with any of our AD accounts. The authentication prompt showed up but refused any (valid) credentials.
After three login attempts I've eventually go a HTTP access denied response.

I've only set the AppPool identity to NS, without any other changes. At last I wasnow able to log in...
I'll try to rerun the Wizart using the Network Service identity.

Regards,
Kantiran

Kantiran

Running under domain account is required if you plan to setup Geneva Server farm. If you have standalone Geneva Server - running as Network Service should be fine.

Regarding the Windows authentication failure - are you running Geneva on the same machine as Domain Controller? If you look into eventvwr -> Security log are you seeing any authentication failures once you try to login? Have you configured SPN for your machine?

If you want to start on Geneva Server in farm - there is technet article on that subject (http://technet.microsoft.com/en-us/library/dd807078(WS.10).aspx).

  • Marked As Answer byKantiran Wednesday, September 02, 2009 9:03 AM
  •  
Mieszko Matkowski
Thanks for your quick replies.
Reconfiguration using the wizard was sucessful.

I guess I'vemissed to configure SPN for the machine.
However, it's OK for me to use a standalone server without AD account at this time.

Regards,
Kantiran
Kantiran

You can use google to search for other answers

Custom Search

More Threads

• Authentication Error - Geneva Server
• Multiple attribute stores (ADs)
• Relying Party (Passive) / SecurityTokenException?
• Simple Claims Transformation for an RP-STS in Geneva Framework
• Custom Passive STS and RP on SAML 2.0 Protocol possible?
• Logs for Geneva?
• Geneva Beta 2 - WSTrust Client - Live ID
• Re-authenticate user to get new token
• Cardspace in combination with smartcard keyset not found error
• IDP-initiated Single Sign-On POST Binding
Home          Copyright 2009-2010 by netframeworkdev.com All rights reserved