Security Error

Topics: General Discussion Forum, July and December Releases Forum
Apr 3, 2007 at 8:11 PM
Hi

I used the security recipe on both the service and the client, the same exact way as it was done in the example video (using X.509, and the WSE2QuickStartServer certificate) and when I run my client I get the following error:

System.ServiceModel.Security.SecurityNegotiationException: The token provider cannot get tokens for target 'http://localhost:1187/TestFactory.Host/PriorityCountsService.svc'. ---> System.ServiceModel.Security.SecurityNegotiationException: The caller was not authenticated by the service. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.

Any ideas what could be causing this?
Apr 4, 2007 at 1:23 AM
Can you post the web.config file (only the serviceModel section) and the rest of the error message?
From the error fragment that you sent, it seems that the service is not finding the X509 certificate on the location/store you specified in your config file.

Thanks,
Charly
Apr 4, 2007 at 4:27 PM
One thing to note: I am able to navigate to the service on my localhost.

Here's the service model section from the web.config file:

<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="BrokeredAuthenticationX509">
        <security mode="Message">
          <message clientCredentialType="Certificate" negotiateServiceCredential="true" establishSecurityContext="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="TestFactory.ServiceImplementation.PriorityCountsService_Behavior">
        <serviceDebug includeExceptionDetailInFaults="false" />
        <serviceMetadata httpGetEnabled="true" />
      </behavior>
      <behavior name="BrokeredAuthenticationX509">
        <serviceMetadata httpGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="true" />
        <serviceCredentials>
          <clientCertificate>
            <authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck" />
          </clientCertificate>
          <serviceCertificate findValue="CN=WSE2QuickStartServer" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service behaviorConfiguration="BrokeredAuthenticationX509" name="TestFactory.ServiceImplementation.PriorityCountsService">
      <endpoint binding="wsHttpBinding" bindingConfiguration="BrokeredAuthenticationX509" bindingNamespace="http://TestFactory.ServiceContracts/2007/03" contract="TestFactory.ServiceContracts.IPriorityCountsService" />
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
</system.serviceModel>

Here's the service model section from the client app.config file:

<system.serviceModel>
  <behaviors>
    <endpointBehaviors>
      <behavior name="WSHttpBinding_IPriorityCountsService">
        <clientCredentials>
          <clientCertificate findValue="CN=WSE2QuickStartServer" storeLocation="LocalMachine"
                             storeName="My" x509FindType="FindBySubjectDistinguishedName" />
          <serviceCertificate>
            <authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <bindings>
    <wsHttpBinding>
      <binding name="WSHttpBinding_IPriorityCountsService" closeTimeout="00:01:00"
               openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
               bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
               maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
               messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
               allowCookies="false">
        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                      maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        <reliableSession ordered="true" inactivityTimeout="00:10:00"
                         enabled="false" />
        <security mode="Message">
          <transport clientCredentialType="Windows" proxyCredentialType="None"
                     realm="" />
          <message clientCredentialType="Certificate" negotiateServiceCredential="true"
                   algorithmSuite="Default" establishSecurityContext="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <endpoint address="http://xxxxxxxx/wcfhost/PriorityCountsService.svc"
              behaviorConfiguration="WSHttpBinding_IPriorityCountsService"
              binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IPriorityCountsService"
              contract="TestFactory.Client.PriorityCountsService.IPriorityCountsService"
              name="WSHttpBinding_IPriorityCountsService">
      <identity>
        <certificate encodedValue="..." />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>

Here's the error message:

************** Exception Text **************
System.ServiceModel.Security.SecurityNegotiationException: The token provider cannot get tokens for target 'http://dev-csandfort.gwi.com/wcfhost/PriorityCountsService.svc'. ---> System.ServiceModel.Security.SecurityNegotiationException: The caller was not authenticated by the service. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.
at System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target)
at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
--- End of inner exception stack trace ---
at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
at System.ServiceModel.Security.IssuanceTokenProviderBase`1.GetTokenCore(TimeSpan timeout)
at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
at System.ServiceModel.Security.SecurityProtocol.GetToken(SecurityTokenProvider provider, EndpointAddress target, TimeSpan timeout)
--- End of inner exception stack trace ---

Server stack trace:
at System.ServiceModel.Security.SecurityProtocol.GetToken(SecurityTokenProvider provider, EndpointAddress target, TimeSpan timeout)
at System.ServiceModel.Security.MessageSecurityProtocol.GetTokenAndEnsureOutgoingIdentity(SecurityTokenProvider provider, Boolean isEncryptionOn, TimeSpan timeout, SecurityTokenAuthenticator authenticator)
at System.ServiceModel.Security.SymmetricSecurityProtocol.TryGetTokenSynchronouslyForOutgoingSecurity(Message message, SecurityProtocolCorrelationState correlationState, Boolean isBlockingCall, TimeSpan timeout, SecurityToken& token, SecurityTokenParameters& tokenParameters, SecurityToken& prerequisiteWrappingToken, IList`1& supportingTokens, SecurityProtocolCorrelationState& newCorrelationState)
at System.ServiceModel.Security.SymmetricSecurityProtocol.SecureOutgoingMessageCore(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState correlationState)
at System.ServiceModel.Security.MessageSecurityProtocol.SecureOutgoingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState correlationState)
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Apr 4, 2007 at 9:10 PM
The problem here is that you are using an X509 certificate that is for testing purposes and has a chain that does not build to a certification authority in the trusted root store.
A trusted certificate granted by a CA in the trusted root store will be required when using the certificateValidationMode="ChainTrust" value (X509CertificateValidationMode Enumeration).
If you want to use this certificate then you should change that value to "None" in both config files (service and client).
Note that this scenario should be used only for testing purposes; use the default value "ChainTrust" for production scenarios.

Charly.
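As an added example (not code from this thread or from the WCF samples), the following C# reproduces, outside of WCF, the chain-building check that certificateValidationMode="ChainTrust" performs: it loads the certificate the way the posted config does (LocalMachine/My, FindBySubjectDistinguishedName, CN=WSE2QuickStartServer) and builds its chain with revocation checking off, matching revocationMode="NoCheck". The store, subject name and policy values come from the thread; the class and method names are assumptions. Run on the machine hosting the service, it shows directly why the test certificate is rejected: X509Chain.Build fails and the chain status will typically read UntrustedRoot or PartialChain when the issuing root is not in the Trusted Root Certification Authorities store.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example: reproduces WCF's ChainTrust validation step as a stand-alone check.
class ChainTrustCheck
{
    // Locate the certificate exactly as the posted config does:
    // storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName".
    static X509Certificate2 FindCertificate(string subjectDn)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly=false: return the certificate even if its chain is not trusted,
            // so the chain build below can report the actual reason.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName, subjectDn, false);
            if (matches.Count == 0)
                throw new InvalidOperationException("Certificate not found in LocalMachine\\My: " + subjectDn);
            return matches[0];
        }
        finally
        {
            store.Close();
        }
    }

    // Build the chain with the policy ChainTrust + revocationMode="NoCheck" implies:
    // the chain must terminate at a root in the trusted root store, revocation is not consulted.
    static bool ChainBuildsToTrustedRoot(X509Certificate2 cert)
    {
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        bool ok = chain.Build(cert);

        // Each status entry names one reason the chain is not acceptable
        // (e.g. UntrustedRoot, PartialChain, NotTimeValid).
        foreach (X509ChainStatus status in chain.ChainStatus)
            Console.WriteLine("  " + status.Status + ": " + status.StatusInformation.Trim());
        Console.WriteLine("  chain elements: " + chain.ChainElements.Count);
        return ok;
    }

    static void Main()
    {
        X509Certificate2 cert = FindCertificate("CN=WSE2QuickStartServer");
        Console.WriteLine("Subject: " + cert.Subject);
        Console.WriteLine("Issuer:  " + cert.Issuer);

        bool ok = ChainBuildsToTrustedRoot(cert);
        Console.WriteLine(ok
            ? "Chain builds to a trusted root: ChainTrust accepts this certificate."
            : "Chain does not build: ChainTrust rejects this certificate (see status lines above).");
    }
}
```

The check runs against the store of the account that executes it, so run it under the identity the service runs as to see the same result WCF sees. Setting the mode to "None", as suggested above for testing, switches this chain build off entirely: the service then accepts whatever certificate the client presents, which is why that value should not reach a production config.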