.NET Framework forums > Claims based access platform (CBA), code-named Geneva

Where to add <clientCertificate> configuration for nested issuer binding?

I've created a custom TCP binding for my WCF service that requires clients to authenticate to the STS using certificates. The binding information is below:

<customBinding>
  <binding name="FederationTcpIssuedTokenForCertificateBinding">
    <security authenticationMode="SecureConversation" requireSecurityContextCancellation="true">
      <secureConversationBootstrap authenticationMode="IssuedTokenForCertificate" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
        <issuedTokenParameters keyType="SymmetricKey" tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
          <issuer address="http://{my sts path}/Trust/13/Certificate" binding="ws2007HttpBinding" bindingConfiguration="STS"></issuer>
          <claimTypeRequirements>
            <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="true" />
            <add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" isOptional="true" />
          </claimTypeRequirements>
          <issuerMetadata address="https://{my sts path}/Trust/Mex"/>
        </issuedTokenParameters>
      </secureConversationBootstrap>
    </security>
    <binaryMessageEncoding/>
    <tcpTransport />
  </binding>
</customBinding>


When I generate a reference to this service in my web application, I get the resulting configuration:


<bindings>
  <customBinding>
    <binding name="{my service name}">
      <security defaultAlgorithmSuite="Default" authenticationMode="SecureConversation" requireDerivedKeys="true" securityHeaderLayout="Strict" includeTimestamp="true" keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncryptAndEncryptSignature" messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10" requireSecurityContextCancellation="true" requireSignatureConfirmation="false">
        <localClientSettings cacheCookies="true" detectReplays="true" replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite" replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00" sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true" timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
        <localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00" maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00" negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00" sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true" maxPendingSessions="128" maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
        <secureConversationBootstrap defaultAlgorithmSuite="Default" authenticationMode="IssuedTokenForCertificate" requireDerivedKeys="true" securityHeaderLayout="Strict" includeTimestamp="true" keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncryptAndEncryptSignature" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10" requireSignatureConfirmation="true">
          <issuedTokenParameters keyType="SymmetricKey" tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
            <additionalRequestParameters>
              <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                <trust:TokenType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</trust:TokenType>
                <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
                <trust:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity" xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                  <wsid:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
                  <wsid:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
                </trust:Claims>
              </trust:SecondaryParameters>
            </additionalRequestParameters>
            <issuer address="http://{my sts path}/Trust/13/Certificate" binding="ws2007HttpBinding" bindingConfiguration="STS" />
            <issuerMetadata address="https://{my sts path}/Trust/Mex" />
          </issuedTokenParameters>
          <localClientSettings cacheCookies="true" detectReplays="true" replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite" replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00" sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true" timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
          <localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00" maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00" negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00" sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true" maxPendingSessions="128" maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
        </secureConversationBootstrap>
      </security>
      <binaryMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16" maxSessionSize="2048">
        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
      </binaryMessageEncoding>
      <tcpTransport manualAddressing="false" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" connectionBufferSize="8192" hostNameComparisonMode="StrongWildcard" channelInitializationTimeout="00:00:05" maxBufferSize="65536" maxPendingConnections="10" maxOutputDelay="00:00:00.2000000" maxPendingAccepts="1" transferMode="Buffered" listenBacklog="10" portSharingEnabled="false" teredoEnabled="false">
        <connectionPoolSettings groupName="default" leaseTimeout="00:05:00" idleTimeout="00:02:00" maxOutboundConnectionsPerEndpoint="10" />
      </tcpTransport>
    </binding>
  </customBinding>
  <ws2007HttpBinding>
    <binding name="STS" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
      <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
      <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
      <security mode="Message">
        <message clientCredentialType="Certificate" negotiateServiceCredential="true" algorithmSuite="Default" establishSecurityContext="false" />
      </security>
    </binding>
  </ws2007HttpBinding>
</bindings>
<client>
  <endpoint address="net.tcp://{my service}" binding="customBinding" bindingConfiguration="{my service}" contract="{service contract}" name="{service name}">
    <identity>
      <certificate encodedValue="{value}" />
    </identity>
  </endpoint>
</client>


When I run the web app, and hit the WCF service, I get the following error:

"The client certificate is not provided. Specify a client certificate in ClientCredentials."

I'm trying to determine where I should specify the client certificate details, since I don't have a client endpoint defined for the STS's ws2007HttpBinding binding; it's embedded in my custom binding.

Thanks in advance.

Software Arch
on your proxy/channel factory .ClientCredentials.....
Dominick Baier | thinktecture | http://www.leastprivilege.com
Dominick Baier
Thanks Dominick. I'm not quite clear how to get to the proxy for the STS though. In the web application code, I'm creating a proxy for my WCF service, and it seems that the call to the STS is happening via magic syntactic sugar by specifying that my service expects an issued token from my STS.

How do I get access to the STS proxy? Is there a configuration option?

Thanks again.
Software Arch
You don't - simply use the ClientCredentials property. This is for the STS - the returned SAML token is used to auth against the "real" service.
Dominick Baier | thinktecture | http://www.leastprivilege.com
Dominick Baier
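To make Dominick's answer concrete, here is an added example (not code from the thread, from Geneva or from WCF itself) that attaches the STS client certificate to the proxy's ClientCredentials. IMyService, the endpoint name "{service name}" and the thumbprint argument are assumptions standing in for the poster's own contract, the generated <client><endpoint name="..."> entry and the certificate that is mapped to the AD user.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Added example, not from the thread. IMyService and "{service name}" are
// placeholders for the poster's contract and generated client endpoint.
[ServiceContract]
public interface IMyService
{
    [OperationContract]
    string Echo(string text);
}

public static class IssuedTokenForCertificateClient
{
    // Builds a channel factory from the generated client configuration and attaches
    // the certificate WCF presents to the STS during the IssuedTokenForCertificate
    // bootstrap. There is no separate STS proxy to configure: the factory's
    // ClientCredentials cover the STS hop, and the SAML token the STS returns is
    // what authenticates the call to the net.tcp service itself.
    public static ChannelFactory<IMyService> CreateFactory(string thumbprint)
    {
        var factory = new ChannelFactory<IMyService>("{service name}");

        // Select by thumbprint rather than subject name: subject names are not unique
        // within a store, so a stale or wrong certificate could be picked up silently.
        // In a web application the certificate normally sits in LocalMachine\My with
        // its private key readable by the application pool identity; CurrentUser is
        // shown here for a desktop test.
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser,
            StoreName.My,
            X509FindType.FindByThumbprint,
            thumbprint);

        return factory;
    }

    public static string Call(string thumbprint, string text)
    {
        ChannelFactory<IMyService> factory = CreateFactory(thumbprint);
        IMyService channel = factory.CreateChannel();
        try
        {
            string reply = channel.Echo(text);
            ((IClientChannel)channel).Close();
            factory.Close();
            return reply;
        }
        catch
        {
            // A faulted channel cannot be closed cleanly; abort it so the
            // secure conversation session is torn down rather than leaked.
            ((IClientChannel)channel).Abort();
            factory.Abort();
            throw;
        }
    }
}
```

With a generated proxy class the same property is reached as client.ClientCredentials.ClientCertificate.SetCertificate(...). The configuration-file equivalent, which answers the "configuration option" question, is an endpoint behavior: add <behaviors><endpointBehaviors><behavior name="stsCert"><clientCredentials><clientCertificate findValue="..." storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" /></clientCredentials></behavior></endpointBehaviors></behaviors> and reference it from the client endpoint with behaviorConfiguration="stsCert"; WCF applies those credentials to the nested STS call exactly as the code above does.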

Okay, I'm past that error. Now, on to the next one:

"ID3242: The security token could not be authenticated or authorized"

I've specified IssuedTokenForCertificate as the authentication mode in my service, but the Geneva STS isn't authenticating my web client. The web client is passing a certificate credential that has been mapped to a domain user in AD.

Please let me know if anyone has an idea of how to determine why authentication is failing. I have Geneva STS tracing on verbose, but it's not giving me any messages about why the certificate isn't being authenticated. Also, the AD PDC's Windows security log doesn't show any audit failures.

Thanks in advance.

Software Arch