At least one security token in the message could not be validated.

Further adventures with STS.

System.ServiceModel.FaultException: At least one security token in the message could not be validated.

[MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. This fault may have been sent in response to an improperly secured request. See the inner FaultException for the fault code and detail.]

I have logging and tracing turned on in the BizService as well as the STS and client app, but I'm not quite sure what I should be looking for.

Edit: I've found "Throwing Exception" in the trace log with this message about an unknown error: "X509 certificate (CN=localhost) chain building failed. Unknown error. Unknown error. Unknown error."

[764 byte] By [AndrewSeven] at [2007-12-21]
# 1

By default, we try to chain certificates up to a trusted root CA and throw if they do not chain. Is the localhost cert in the TrustedPeople store? If so, you can set the certificate validation to PeerTrust:

serviceHost.Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;

You can set the same thing on the client side for the service cert:

proxy.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;

Gudge

Gudge at 2007-9-10
# 2

Thanks Gudge,

I've found that setting the validation mode to none also does the trick.

-A

AndrewSeven at 2007-9-10
# 3

In config that would look something like this:

<behaviors>
  <behavior name="x509Config">
    <clientCredentials>
      <clientCertificate storeLocation="CurrentUser"
                         storeName="My"
                         x509FindType="FindBySubjectName"
                         findValue="MyCert"/>
      <serviceCertificate>
        <authentication certificateValidationMode="None" />
      </serviceCertificate>
    </clientCredentials>
  </behavior>
</behaviors>

And

<behaviors>
  <behavior name="ScottsBehavior"
            returnUnknownExceptionsAsFaults="True">
    <serviceCredentials>
      <serviceCertificate findValue="MyServerCert"
                          storeLocation="LocalMachine"
                          storeName="My"
                          x509FindType="FindBySubjectName" />
      <clientCertificate>
        <authentication certificateValidationMode="None" />
      </clientCertificate>
    </serviceCredentials>
  </behavior>
</behaviors>

Although I have mine set to no validation here.

Thanks

Scott

ScottMason at 2007-9-10
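As an added example (not code from this thread), the C# below does the check Gudge asks about before picking a mode: it looks for the peer's certificate in the TrustedPeople store and switches to PeerTrust only when it is actually there, otherwise it keeps WCF's default ChainTrust rather than turning validation off with None. The store locations, the subject-name parameters and the ConfigureClient/ConfigureService helper names are assumptions for illustration.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example, not from the thread: choose PeerTrust only when the peer
// certificate is installed in TrustedPeople; never fall back to None.
static class CertValidationSetup
{
    // True if a cert with this subject name is in TrustedPeople (the store PeerTrust consults).
    public static bool IsInTrustedPeople(string subjectName, StoreLocation location)
    {
        var store = new X509Store(StoreName.TrustedPeople, location);
        store.Open(OpenFlags.ReadOnly);
        int found = store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, false).Count;
        store.Close();
        return found > 0;
    }

    // Fall back to WCF's default ChainTrust (not None) when the import is missing.
    static X509CertificateValidationMode ChooseMode(string subject, StoreLocation location)
    {
        if (IsInTrustedPeople(subject, location))
            return X509CertificateValidationMode.PeerTrust;
        Console.WriteLine("'{0}' is not in {1}\\TrustedPeople; import it there or use a CA-issued cert.", subject, location);
        return X509CertificateValidationMode.ChainTrust;
    }

    // Client side: how the client validates the service's certificate (proxy is a generated ClientBase<T>).
    public static void ConfigureClient<TChannel>(ClientBase<TChannel> proxy, string serviceCertSubject)
        where TChannel : class
    {
        proxy.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode =
            ChooseMode(serviceCertSubject, StoreLocation.CurrentUser);
    }

    // Service side: how the ServiceHost validates client certificates it receives.
    public static void ConfigureService(ServiceHost host, string clientCertSubject)
    {
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            ChooseMode(clientCertSubject, StoreLocation.LocalMachine);
    }
}
```

With a self-signed CN=localhost cert that has not been imported into TrustedPeople, this leaves ChainTrust in place, so the "chain building failed" trace entry from the first post still appears instead of being masked.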
# 4

Hi,

I am a newbie to the world of claims-based authentication and working with certificates. I downloaded the zip file containing the sample for claims-based authentication. I worked with importing the given certificates and installed the aspnetdb. Also, I worked with the given permissions for RPKey as it was being referred to in the claims-based sample.

I am stuck with issues that I am unable to address even after making the changes as you said.

I ran the application "Client" in "ClaimsBasedAuthorizationSimple". It was a command prompt window that says "Using Admin credentials...<Enter> to continue". When I hit Enter:

{"An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail."}

{"At least one security token in the message could not be validated."}

I tried the following changes:

proxy.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None; in the program.cs file of "Client", and

<clientCertificate>
  <authentication certificateValidationMode="None" />
</clientCertificate>

in the web.config of the service.

I also tried with System.ServiceModel.Security.X509CertificateValidationMode.PeerTrust and

<authentication certificateValidationMode="PeerTrust" />

RCRISH at 2007-9-10