I’ve run into a snag doing web services federation with Geneva Server. Basically I’m looking for guidance on best practices for bindings and endpoints when doing web services federation with Geneva Server.
This is the scenario:
- A WCF service (Service1) in an Active Directory (AD1)
- A Geneva Server (GS1) in AD1
- A web services client (Client1) in AD1
- A Geneva Server (GS2) in an Active Directory (AD2)
- A web services client (Client2) in AD2
- GS1 trusts GS2 as an Identity Provider and GS2 trusts GS1 as a Service Provider.
Basically Client1 works by just requesting tokens from GS1 using Windows authentication; this works fine currently.
Client2 wants to do web services federation by exchanging a token (acquired from GS2 with Windows authentication) for a token for Service1 from GS1. Currently this doesn’t work and I need some guidance on what to do.
My logs on the client tell me that the negotiation with GS1 fails when my client attempts to send an Issue request (RST) to GS1, and it never even seems to connect to GS2. The Geneva STS trace logs are empty on both GS1 and GS2.
My service and client config files are below; can you see anything wrong with them? I'm thinking something goes wrong when negotiating with GS2.
Web service (Service1) config:
<?xml version="1.0"?>
<!--
  Service1 (AD1) configuration. Both application endpoints share one contract
  and accept tokens issued by GS1; they differ only in which GS1 STS endpoint
  they advertise to clients (Windows auth for AD1 callers such as Client1,
  issued-token exchange for partner-realm callers such as Client2 via GS2).
  Troubleshooting-only settings are flagged inline; revisit them before this
  leaves the lab.
-->
<configuration>
<configSections>
<!-- Geneva Framework (pre-release Windows Identity Foundation) assembly; the
     0.6.x version is a beta build and will need re-pinning on upgrade. -->
<section name="microsoft.identityModel"
type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</configSections>
<appSettings>
<!-- Thumbprint of the GS1 token-signing certificate. The same value appears in
     knownCertificates below; a GS1 signing-certificate rollover must update
     both places or tokens will pass one check and fail the other. -->
<add key="TrustedIssuerThumbprint" value="5d 39 50 0d d4 6d 38 18 6a 8a 7e f8 68 0a 94 64 59 73 b6 09" />
</appSettings>
<microsoft.identityModel>
<service>
<!-- Custom registry mapping a token's signing certificate to an issuer name.
     Presumably it compares against TrustedIssuerThumbprint and rejects any
     other signer (confirm): with PeerOrChainTrust below this registry is the
     only thing that pins accepted tokens to GS1. -->
<issuerNameRegistry type="GenevaService.WebServiceIssuerNameRegistry" />
</service>
</microsoft.identityModel>
<system.serviceModel>
<diagnostics>
<!-- Transport-level message logging is enabled; the logs may contain the
     security tokens presented by callers. Treat them as sensitive and disable
     when not troubleshooting. -->
<messageLogging logMalformedMessages="true" logMessagesAtServiceLevel="false"
logMessagesAtTransportLevel="true" />
</diagnostics>
<behaviors>
<serviceBehaviors>
<behavior name="DefaultServiceBehavior">
<serviceCredentials>
<!-- Service1's own certificate, located by subject name. FindBySubjectName can
     match more than one certificate in the store; FindByThumbprint is exact. -->
<serviceCertificate storeLocation="LocalMachine"
storeName="My"
x509FindType="FindBySubjectName"
findValue="GenevaService.com" />
<!-- Validation of the certificate that signed an incoming issued token.
     PeerOrChainTrust accepts either the listed peer certificate OR any
     certificate that chains to a trusted root in the machine store, so it does
     not by itself pin the signer to GS1 (PeerTrust would). NoCheck disables
     CRL/OCSP revocation checking: acceptable in a lab, use Online or Offline
     before production. -->
<issuedTokenAuthentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck">
<knownCertificates>
<!-- GS1 token-signing certificate (same thumbprint as TrustedIssuerThumbprint). -->
<add storeLocation="LocalMachine"
storeName="TrustedPeople"
x509FindType="FindByThumbprint"
findValue="5d 39 50 0d d4 6d 38 18 6a 8a 7e f8 68 0a 94 64 59 73 b6 09" />
</knownCertificates>
</issuedTokenAuthentication>
</serviceCredentials>
<!-- WSDL is served over plain http here while the mex endpoint below is https.
     The WSDL carries the issuer addresses and identities clients will trust;
     serve it over https only so it cannot be altered in transit. -->
<serviceMetadata httpGetEnabled="true" />
<!-- Returns exception details (stack traces, internal names) in SOAP faults to
     any caller. Debug only; set to false outside the lab. -->
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<ws2007FederationHttpBinding>
<!-- Binding advertised to partner-realm callers: the issuer is GS1's WS-Trust 1.3
     endpoint that accepts a token from a trusted partner STS (GS2) and issues
     one for Service1. The endpoint path indicates symmetric-key, Basic256
     message security, which matches the WCF federation-binding defaults. -->
<binding name="FederationBinding">
<security mode="Message">
<message>
<!-- Plain http issuer address while metadata is fetched over https; confirm GS1
     actually exposes this endpoint on http and keep the two consistent. -->
<issuer address="http://jehdb2.genevadom.local/Trust/13/IssuedTokenSymmetricBasic256">
</issuer>
<issuerMetadata address="https://jehdb2.genevadom.local/Trust/Mex" >
<identity>
<!-- A dns identity is compared with the subject CN / DNS SAN of the certificate
     the STS presents. A URL will never match a host name, and the short host
     "jehdb2" also differs from the address host "jehdb2.genevadom.local".
     This almost certainly needs to be the GS1 certificate's subject name;
     verify against the certificate GS1 presents. -->
<dns value="http://jehdb2/Trust"/>
</identity>
</issuerMetadata>
</message>
</security>
</binding>
<!-- Binding advertised to AD1 callers: the issuer is GS1's Windows-authenticated
     WS-Trust 1.3 endpoint (the path Client1 is reported to use successfully). -->
<binding name="DefaultBinding">
<security mode="Message">
<message>
<issuer address="http://jehdb2.genevadom.local/Trust/13/Windows">
</issuer>
<issuerMetadata address="https://jehdb2.genevadom.local/Trust/Mex" >
<identity>
<!-- Same concern as above: a URL is not a valid dns identity value. -->
<dns value="http://jehdb2/Trust"/>
</identity>
</issuerMetadata>
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
</bindings>
<services>
<service name="GenevaService.Service"
behaviorConfiguration="DefaultServiceBehavior">
<!-- Default endpoint, for AD1 callers that obtain their token from GS1 directly. -->
<endpoint address=""
binding="ws2007FederationHttpBinding"
bindingConfiguration="DefaultBinding"
contract="GenevaService.Common.IGenevaServiceContract">
<identity>
<dns value="GenevaService.com"/>
</identity>
</endpoint>
<!-- "federation" endpoint, for callers that first obtain a token from their own
     STS (Client2 via GS2) and exchange it at GS1. This is the address the
     client configuration targets. -->
<endpoint address="federation"
binding="ws2007FederationHttpBinding"
bindingConfiguration="FederationBinding"
contract="GenevaService.Common.IGenevaServiceContract">
<identity>
<dns value="GenevaService.com"/>
</identity>
</endpoint>
<!-- Metadata exchange over https; contrast with httpGetEnabled above. -->
<endpoint address="mex"
binding="mexHttpsBinding"
contract="IMetadataExchange" />
</service>
</services>
</system.serviceModel>
</configuration>
Client config:
<?xml version="1.0" encoding="utf-8"?>
<!--
  Client2 (AD2) configuration. The token chain is: HomeSTS authenticates with
  Windows credentials to GS2's /Trust/13/Windows endpoint; HomeBinding presents
  the resulting GS2 token to GS1's /Trust/13/IssuedTokenSymmetricBasic256
  endpoint; RemoteBinding presents the resulting GS1 token to Service1's
  "federation" endpoint. Every hop uses message security over plain http.
-->
<configuration>
<system.diagnostics>
<!-- Verbose WCF tracing and transport-level message logging into
     c:\genevaserviceclient. Logged envelopes may contain the security tokens and
     negotiation blobs exchanged with GS2, GS1 and Service1; treat the .svclog
     files as sensitive and disable this when not troubleshooting. -->
<sources>
<source name="System.ServiceModel.MessageLogging" switchValue="Warning, ActivityTracing">
<listeners>
<add type="System.Diagnostics.DefaultTraceListener" name="Default">
<filter type="" />
</add>
<add name="ServiceModelMessageLoggingListener">
<filter type="" />
</add>
</listeners>
</source>
<source name="System.ServiceModel" switchValue="Verbose,ActivityTracing"
propagateActivity="true">
<listeners>
<add type="System.Diagnostics.DefaultTraceListener" name="Default">
<filter type="" />
</add>
<add name="ServiceModelTraceListener">
<filter type="" />
</add>
</listeners>
</source>
</sources>
<sharedListeners>
<add initializeData="c:\genevaserviceclient\app_messages.svclog"
type="System.Diagnostics.XmlWriterTraceListener, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
name="ServiceModelMessageLoggingListener" traceOutputOptions="Timestamp">
<filter type="" />
</add>
<add initializeData="c:\genevaserviceclient\app_tracelog.svclog"
type="System.Diagnostics.XmlWriterTraceListener, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
name="ServiceModelTraceListener" traceOutputOptions="Timestamp">
<filter type="" />
</add>
</sharedListeners>
</system.diagnostics>
<system.serviceModel>
<diagnostics>
<messageLogging logMalformedMessages="true" logMessagesAtTransportLevel="true" />
</diagnostics>
<bindings>
<ws2007HttpBinding>
<!-- Binding for the first hop, GS2's Windows STS endpoint. ws2007HttpBinding
     message security defaults to Windows client credentials, so the RST is
     SSPI (Kerberos/NTLM) authenticated. establishSecurityContext="false" skips
     the secure-conversation handshake for what is a one-shot token request. -->
<binding name="HomeSTS">
<security mode="Message">
<message establishSecurityContext="false" />
</security>
</binding>
</ws2007HttpBinding>
<ws2007FederationHttpBinding>
<!-- Binding for the second hop, GS1's issued-token endpoint, presenting the GS2
     token obtained through HomeSTS. No <identity> is given for the GS2 issuer,
     so WCF derives a HOST/<hostname> SPN from the address; set an explicit
     spn/upn if GS2 runs under a non-default service account.
     ws2007FederationHttpBinding defaults to negotiateServiceCredential="true",
     which makes the client run a TLS-nego exchange against the remote to learn
     its certificate before sending the RST; the client trace shows
     TlsnegoTokenProvider failing with a fault from the remote. Since the GS1
     and Service1 certificates are already supplied out of band (the
     certificateReference and defaultCertificate below), adding
     negotiateServiceCredential="false" to the <message> element of both
     federation bindings is the first thing to try.
     Two-hour timeouts mask hangs; shorten once the flow works. -->
<binding name="HomeBinding" receiveTimeout="02:00:00" sendTimeout="02:00:00">
<security mode="Message">
<message>
<issuer
address="http://jehsst2008.t-seb.sst.dk/Trust/13/Windows"
binding="ws2007HttpBinding" bindingConfiguration="HomeSTS" />
<issuerMetadata
address="https://jehsst2008.t-seb.sst.dk/Trust/Mex" />
</message>
</security>
</binding>
<!-- Binding for the final hop, Service1's "federation" endpoint. Its issuer is
     GS1, reached through HomeBinding (so the GS2 token is obtained first).
     Its issuer address matches the one Service1 advertises in its
     FederationBinding. See the HomeBinding note on negotiateServiceCredential. -->
<binding name="RemoteBinding" receiveTimeout="02:00:00" sendTimeout="02:00:00">
<security mode="Message">
<message >
<issuer
address="http://jehdb2.genevadom.local/Trust/13/IssuedTokenSymmetricBasic256"
binding="ws2007FederationHttpBinding" bindingConfiguration="HomeBinding">
<identity>
<!-- Pins GS1's endpoint certificate from the caller's CurrentUser\TrustedPeople
     store. This thumbprint differs from the GS1 signing thumbprint configured
     on the service side, which is legitimate only if GS1 uses separate
     service-communication and token-signing certificates; confirm against GS1.
     Note CurrentUser: the store must be provisioned for every account that
     runs the client. -->
<certificateReference storeLocation ="CurrentUser"
storeName="TrustedPeople"
x509FindType="FindByThumbprint"
findValue="4e bb 35 cf 35 69 f7 62 a6 12 56 62 f5 37 53 d0 a7 ed c4 b2" />
</identity>
</issuer>
<issuerMetadata
address="https://jehdb2.genevadom.local/Trust/Mex" />
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="ClientBehavior">
<clientCredentials>
<!-- Service1's certificate supplied out of band from CurrentUser\TrustedPeople,
     located by subject name (FindBySubjectName can match several certificates;
     FindByThumbprint is exact). PeerOrChainTrust also accepts any chain-valid
     certificate, and NoCheck disables revocation checking: lab settings, tighten
     before production. -->
<serviceCertificate>
<defaultCertificate storeLocation="CurrentUser" storeName ="TrustedPeople" x509FindType ="FindBySubjectName" findValue="GenevaService.com"/>
<authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<client>
<!-- Calls Service1's "federation" endpoint over plain http with message security
     using RemoteBinding. The endpoint name "DefaultBinding" is misleading (it is
     not a binding, and it uses RemoteBinding); consider renaming it. The dns
     identity must match the subject of the certificate selected above. -->
<endpoint address="http://jehdb2.genevadom.local/GenevaService/Service.svc/federation"
behaviorConfiguration="ClientBehavior" binding="ws2007FederationHttpBinding"
bindingConfiguration="RemoteBinding" contract="GenevaService.Common.IGenevaServiceContract"
name="DefaultBinding">
<identity>
<dns value="GenevaService.com" />
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>
Error trace from client (note that the outer exception is thrown from TlsnegoTokenProvider, i.e. the service-credential negotiation step, and the inner FaultException "An error occurred when verifying security for the message" is a fault returned by the remote endpoint, not generated locally):
<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
<System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system">
<EventID>131075</EventID>
<Type>3</Type>
<SubType Name="Error">0</SubType>
<Level>2</Level>
<TimeCreated SystemTime="2009-08-14T20:06:55.5630000Z" />
<Source Name="System.ServiceModel" />
<Correlation ActivityID="{c38caf88-38db-4d10-80a0-512d50cb5511}" />
<Execution ProcessName="GenevaServiceClient" ProcessID="3752" ThreadID="1" />
<Channel />
<Computer>JEHSST2008</Computer>
</System>
<ApplicationData>
<TraceData>
<DataItem>
<TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Error">
<TraceIdentifier>http://msdn.microsoft.com/da-DK/library/System.ServiceModel.Diagnostics.ThrowingException.aspx</TraceIdentifier>
<Description>Throwing an exception.</Description>
<AppDomain>GenevaServiceClient.exe</AppDomain>
<Exception>
<ExceptionType>System.ServiceModel.Security.SecurityNegotiationException, System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>Secure channel cannot be opened because security negotiation with the remote endpoint has failed. This may be due to absent or incorrectly specified EndpointIdentity in the EndpointAddress used to create the channel. Please verify the EndpointIdentity specified or implied by the EndpointAddress correctly identifies the remote endpoint. </Message>
<StackTrace>
Server stack trace:
at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
at System.ServiceModel.Security.TlsnegoTokenProvider.OnOpen(TimeSpan timeout)
at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Security.CommunicationObjectSecurityTokenProvider.Open(TimeSpan timeout)
at System.ServiceModel.Security.SecurityUtils.OpenTokenProviderIfRequired(SecurityTokenProvider tokenProvider, TimeSpan timeout)
at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)
at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at System.ServiceModel.ICommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
</StackTrace>
<ExceptionString>System.ServiceModel.Security.SecurityNegotiationException: Secure channel cannot be opened because security negotiation with the remote endpoint has failed. This may be due to absent or incorrectly specified EndpointIdentity in the EndpointAddress used to create the channel. Please verify the EndpointIdentity specified or implied by the EndpointAddress correctly identifies the remote endpoint. ---> System.ServiceModel.FaultException: An error occurred when verifying security for the message.
at System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target)
at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
--- End of inner exception stack trace ---
Server stack trace:
at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
at System.ServiceModel.Security.TlsnegoTokenProvider.OnOpen(TimeSpan timeout)
at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Security.CommunicationObjectSecurityTokenProvider.Open(TimeSpan timeout)
at System.ServiceModel.Security.SecurityUtils.OpenTokenProviderIfRequired(SecurityTokenProvider tokenProvider, TimeSpan timeout)
at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)
at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at System.ServiceModel.ICommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)</ExceptionString>
<DataItems>
<Data>
<Key>System.ServiceModel.Diagnostics.ExceptionUtility.ExceptionStackAsString</Key>
<Value>throw
at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
at System.ServiceModel.Security.IssuanceTokenProviderBase`1.GetNextOutgoingMessage(Message incomingMessage, T negotiationState)
at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
catch
</Value>
</Data>
</DataItems>
<InnerException>
<ExceptionType>System.ServiceModel.FaultException, System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>An error occurred when verifying security for the message.</Message>
<StackTrace>
at System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target)
at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
</StackTrace>
<ExceptionString>System.ServiceModel.FaultException: An error occurred when verifying security for the message.
at System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target)
at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)</ExceptionString>
</InnerException>
</Exception>
</TraceRecord>
</DataItem>
</TraceData>
</ApplicationData>
</E2ETraceEvent>
S