
WCF service and Thinktecture Identity server


I'm using the Thinktecture IdentityServer Security Token Service, and I'm trying to set up a scenario where a client calls a WCF service. I'm stuck at the point where I get the following error:

MessageSecurityException
An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.
InnerException
At least one security token in the message could not be validated.

I've set up the STS on a Windows Server 2008 machine and everything works correctly; it is already working with an MVC site. With a WCF service, however, I can't get it to work. I'm using BearerKey as the SecurityKeyType. I do get a token back in the client app's RequestToken() function. Here is my WCF service config:

<system.serviceModel>
    <services>
      <service name="ClaimWcfService.Service1">
        <!-- Relative endpoint address "ClaimWcfService" is appended to the base address below; the accepted solution changes it to "". -->
        <endpoint address="ClaimWcfService" binding="ws2007FederationHttpBinding" bindingConfiguration="" contract="ClaimWcfService.IService1" />
        <host>
          <baseAddresses>
            <add baseAddress="https://anno99-pc/"/>
          </baseAddresses>
        </host>
      </service>
    </services>  
    <bindings>
      <ws2007FederationHttpBinding>
        <!-- Unnamed binding, selected by bindingConfiguration="" on the endpoint above. -->
        <binding name="">
          <!-- HTTPS protects the channel; the issued token is carried as a message-level credential. -->
          <security mode="TransportWithMessageCredential">
            <!-- No secure conversation; BearerKey matches SecurityKeyType.BearerKey set by the client in CallService(). -->
            <message establishSecurityContext="false" issuedKeyType="BearerKey">
               <!-- WS-Trust metadata endpoint of the STS; the client requests its token from the ".../mixed/username" endpoint on the same STS host. -->
               <issuerMetadata address="https://serveradress/Idsrv/issue/wstrust/mex" />
            </message>
          </security>
        </binding>
      </ws2007FederationHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
          <!-- Returns exception details in SOAP faults; useful while chasing this error, keep it off in production. -->
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceAuthorization principalPermissionMode="Always" />
          <!-- Token validation is driven by the <system.identityModel> section below (audience, issuer registry, certificate validation). -->
          <serviceCredentials useIdentityConfiguration="true">
          <!-- NOTE(review): FindBySubjectName presumably matches any LocalMachine\My certificate whose subject contains "ANNO99-PC" - confirm exactly one intended certificate is found. The accepted solution drops this element. -->
          <serviceCertificate findValue="ANNO99-PC" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <!-- NOTE(review): maps plain "http" to a binding whose security mode is TransportWithMessageCredential (HTTPS transport); presumably only the https base address is ever used - confirm. -->
    <protocolMapping>
      <add scheme="http" binding="ws2007FederationHttpBinding" />
    </protocolMapping>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />

  </system.serviceModel>

  <!-- Config STS -->
  <system.identityModel>
    <identityConfiguration>
      <!-- The token's AppliesTo must match an entry here. The client requests it for _realm = "https://anno99-pc/ClaimWcfService/", which is not this value; the accepted solution changes the audience to exactly that URL. -->
      <audienceUris>
        <add value="https://anno99-pc/ClaimWcfService/Service1.svc" />
      </audienceUris>
      <!--Commented by Identity and Access VS Package-->
      <!-- NOTE(review): the STS signing certificate is not chain- or peer-validated; trust rests solely on the thumbprint below. Tighten to ChainTrust or PeerTrust once the issue is resolved. -->
      <certificateValidation certificateValidationMode="None" />
      <!-- ValidatingIssuerNameRegistry comes from the separate System.IdentityModel.Tokens.ValidatingIssuerNameRegistry assembly (Identity and Access tool); the accepted solution switches to ConfigurationBasedIssuerNameRegistry from System.IdentityModel. -->
      <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
        <authority name="http://identityserver.v2.wkp.com/trust/wkp">
          <keys>
            <!-- Expected to be the thumbprint of the certificate the STS signs tokens with; the same value is reused under trustedIssuers in the accepted solution. -->
            <add thumbprint="A540AD5B90B8459E919B39301B89F279A3AAEADB" />
          </keys>
          <validIssuers>
            <add name="http://identityserver.v2.wkp.com/trust/wkp" />
          </validIssuers>
        </authority>
      </issuerNameRegistry>
    </identityConfiguration>
  </system.identityModel>

This is the client; it is just a console app.

/// <summary>
/// Entry point: obtains a token from the STS and immediately uses it to call the WCF service.
/// </summary>
/// <param name="args">Command-line arguments; not used.</param>
static void Main(string[] args)
{
    CallService(RequestToken());
}

 // WS-Trust endpoint of the IdentityServer STS ("mixed/username": RequestToken() pairs it with a
 // TransportWithMessageCredential username binding).
 private static string _idsrvEndpoint = "https://serveradress/Idsrv/issue/wstrust/mixed/username";
 // Realm (AppliesTo) the token is requested for; the service side must list it under <audienceUris>.
 private static string _realm = "https://anno99-pc/ClaimWcfService/";

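 /// <summary>
 /// Calls IService1.GetData(1) on the service, presenting <paramref name="token"/> as the issued (bearer) credential.
 /// </summary>
 /// <param name="token">Security token obtained from the STS by RequestToken().</param>
 /// <remarks>
 /// The binding mirrors the service's ws2007FederationHttpBinding configuration: TransportWithMessageCredential,
 /// no secure conversation, bearer key. The channel factory and the channel are closed after use (or aborted
 /// when a call fails), so WCF channel resources are released; the original left both open.
 /// </remarks>
 private static void CallService(SecurityToken token)
 {
     var serviceEndpoint = "https://anno99-pc/ClaimWcfService/Service1.svc";

     var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
     binding.Security.Message.EstablishSecurityContext = false;
     binding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;

     var factory = new ChannelFactory<IService1>(binding, new EndpointAddress(serviceEndpoint));
     try
     {
         factory.Credentials.SupportInteractive = false;
         // Counterpart of the service's <serviceCredentials useIdentityConfiguration="true">.
         factory.Credentials.UseIdentityConfiguration = true;

         var channel = factory.CreateChannelWithIssuedToken(token);
         // Every WCF channel proxy also implements ICommunicationObject; that is the handle for Close/Abort.
         var channelObject = (ICommunicationObject)channel;
         try
         {
             channel.GetData(1);
             channelObject.Close();
         }
         catch
         {
             // Close() is not valid on a faulted channel; Abort() releases it and the original exception propagates.
             channelObject.Abort();
             throw;
         }

         factory.Close();
     }
     catch
     {
         factory.Abort();
         throw;
     }
 }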

 /// <summary>
 /// Requests a security token for <see cref="_realm"/> from the IdentityServer WS-Trust username endpoint.
 /// </summary>
 /// <returns>The token issued by the STS, which CallService() then presents to the service.</returns>
 /// <remarks>
 /// NOTE(review): the username and password are hard-coded placeholders; in anything beyond a repro they
 /// belong in configuration or a credential store, not in source.
 /// </remarks>
 private static SecurityToken RequestToken()
 {
     // Same security mode the service binding uses: HTTPS transport plus a UserName message credential.
     var trustBinding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential);

     var clientCredentials = new ClientCredentials
     {
         UserName = { UserName = "username", Password = "password" }
     };

     var stsAddress = new EndpointAddress(_idsrvEndpoint);
     var appliesTo = new EndpointAddress(_realm);

     return WSTrustClient.Issue(stsAddress, appliesTo, trustBinding, clientCredentials);
 }

If anyone could help me, that would be great.


Solution

  • After some googling and trying, I got it to work. I had to change these parts of the configuration.

      <!-- Endpoint address is now "" (the .svc itself), where the question's config used the relative address "ClaimWcfService". -->
      <services>
          <service name="ClaimWcfService.Service1">
            <endpoint address="" binding="ws2007FederationHttpBinding" bindingConfiguration="" contract="ClaimWcfService.IService1" />
          </service>
        </services>
    
    
         <!-- The serviceCertificate element (FindBySubjectName "ANNO99-PC") is gone; token handling comes from <system.identityModel>. includeExceptionDetailInFaults is still true - keep it off in production. -->
         <behaviors>
          <serviceBehaviors>
            <behavior>
              <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
              <serviceDebug includeExceptionDetailInFaults="true" />
              <serviceAuthorization principalPermissionMode="Always" />
              <serviceCredentials useIdentityConfiguration="true">
              </serviceCredentials>
            </behavior>
          </serviceBehaviors>
        </behaviors>
    
      <system.identityModel>
        <!-- saveBootstrapContext="true" presumably keeps the incoming token on the principal (BootstrapContext); only needed if the service inspects or forwards it - confirm. -->
        <identityConfiguration saveBootstrapContext="true">
          <!-- Audience now equals the client's _realm ("https://anno99-pc/ClaimWcfService/"), the value the token is requested for. -->
          <audienceUris>
            <add value="https://anno99-pc/ClaimWcfService/" />
          </audienceUris>
    
          <!-- NOTE(review): still no certificate validation; trust rests solely on the thumbprint below. Tighten to ChainTrust or PeerTrust for production. -->
          <certificateValidation certificateValidationMode="None" />
          <!-- Built-in registry from System.IdentityModel: a token is accepted only if signed by a certificate whose thumbprint is listed under trustedIssuers. -->
          <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
            <trustedIssuers>
              <add thumbprint="A540AD5B90B8459E919B39301B89F279A3AAEADB"
                   name="idsrv" />
            </trustedIssuers>
          </issuerNameRegistry>
    
        </identityConfiguration>
      </system.identityModel>
    

    I hope this helps someone.