SAML 2.0 Security Token Reference cannot be resolved
Hi,
I am trying to send a SAML 2.0 token to SAP Portal 7.3 EHP 2 using the sender-vouches confirmation method.
My message is signed by my client application. The signature references 3 parts:
1) a security token reference which in turn points to my SAML assertion (using STR transform)
2) the body (using c14n transform)
3) the timestamp (using c14n transform)
Collecting some WS-Security trace, I can see the following:
Exception : Security Token Reference transform could not resolve token: <yq1:SecurityTokenReference yq2:Id='wssecurity_signature_id_23' xmlns:yq2='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' xmlns:yq1='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'><yq1:KeyIdentifier ValueType='http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID'>Assertion-uuida9c3e36a-0131-11fd-bfea-f4ca184fc662</yq1:KeyIdentifier></yq1:SecurityTokenReference>
java.lang.Exception
at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1230)
at com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:147)
at com.sap.exception.io.SAPIOException.<init>(SAPIOException.java:63)
at com.sap.engine.services.wssec.wsse.STRCanonicalizationWriter.doSTRTransform(STRCanonicalizationWriter.java:228)
at com.sap.engine.services.wssec.wsse.STRCanonicalizationWriter.leave(STRCanonicalizationWriter.java:152)
at com.sap.engine.services.wssec.xmlsecurity.signature.verification.ReferenceDispatcherReader.handleCode(ReferenceDispatcherReader.java:315)
at com.sap.engine.services.wssec.xmlsecurity.signature.verification.ReferenceDispatcherReader.next(ReferenceDispatcherReader.java:186)
at com.sap.engine.services.wssec.xmlsecurity.signature.verification.VerifyTokenReaderImpl.next(VerifyTokenReaderImpl.java:501)
at com.sap.engine.services.wssec.wsse.WSSecurityContext.init(WSSecurityContext.java:429)
Assertion-uuida9c3e36a-0131-11fd-bfea-f4ca184fc662 is the ID of my SAML assertion.
Using the same configuration in my client app, but sending a SAML 1.1 token passes this step.
Is there any trace I can enable to further debug this issue?
Has anybody encountered the same issue before?
Thanks
Jens
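As an added example (not SAP code and not the poster's client), the following Python resolves a wsse:SecurityTokenReference to the SAML assertion it names, the step the trace above fails at, and reports whether the KeyIdentifier ValueType and the wsse11:TokenType are the ones the OASIS WSS SAML Token Profile 1.1 prescribes for that assertion version (SAML 2.0 assertions carry an `ID` attribute and are referenced with `#SAMLID`; SAML 1.1 assertions carry `AssertionID` and use `#SAMLAssertionID`). The header it parses is constructed; the STR placement directly under wsse:Security and the IDs are assumptions.

```python
"""Resolve a WS-Security SecurityTokenReference (STR) to the SAML assertion
it names and report whether the KeyIdentifier ValueType and wsse11:TokenType
are the ones the OASIS WSS SAML Token Profile 1.1 prescribes for that
assertion version.  Added example; the sample header is constructed."""
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
STP10 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0"
STP11 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1"

# Per assertion namespace: ID attribute the assertion carries, KeyIdentifier
# ValueType the STR must use, and TokenType the STR must declare.
PROFILE = {
    SAML2: ("ID", STP11 + "#SAMLID", STP11 + "#SAMLV2.0"),
    SAML1: ("AssertionID", STP10 + "#SAMLAssertionID", STP11 + "#SAMLV1.1"),
}


def check_str(security_xml, str_id):
    """Return {'resolved', 'saml_version', 'problems'} for the STR with wsu:Id=str_id."""
    root = ET.fromstring(security_xml)
    report = {"resolved": False, "saml_version": None, "problems": []}
    str_el = next((e for e in root.iter("{%s}SecurityTokenReference" % WSSE)
                   if e.get("{%s}Id" % WSU) == str_id), None)
    if str_el is None:
        report["problems"].append("no SecurityTokenReference with wsu:Id=%r" % str_id)
        return report
    kid = str_el.find("{%s}KeyIdentifier" % WSSE)
    ref_id = (kid.text or "").strip() if kid is not None else ""
    if not ref_id:
        report["problems"].append("SecurityTokenReference carries no KeyIdentifier value")
        return report
    value_type = kid.get("ValueType")
    token_type = str_el.get("{%s}TokenType" % WSSE11)

    # Index every assertion in the header under the ID attribute its version uses:
    # SAML 2.0 uses ID, SAML 1.x uses AssertionID.  A reference that names the
    # wrong attribute never resolves, whatever the ValueType says.
    seen = {}
    for ns, (id_attr, _, _) in PROFILE.items():
        for assertion in root.iter("{%s}Assertion" % ns):
            if assertion.get(id_attr) is not None:
                seen[assertion.get(id_attr)] = ns
    if ref_id not in seen:
        report["problems"].append("KeyIdentifier %r matches no assertion; header has %s"
                                  % (ref_id, sorted(seen)))
        return report

    ns = seen[ref_id]
    _, want_vt, want_tt = PROFILE[ns]
    report["resolved"] = True
    report["saml_version"] = "2.0" if ns == SAML2 else "1.1"
    if value_type != want_vt:
        report["problems"].append("ValueType %r does not match a SAML %s assertion; expected %r"
                                  % (value_type, report["saml_version"], want_vt))
    if token_type != want_tt:
        report["problems"].append("wsse11:TokenType is %r; profile requires %r"
                                  % (token_type, want_tt))
    return report


def make_header(assertion_ns, id_attr, assertion_id, kid_value, value_type, token_type=None):
    """Constructed minimal wsse:Security header for the demo (not a real SAP trace).
    The STR is placed directly in the header; in a signed message it sits in
    ds:KeyInfo or is the target of a ds:Reference with the STR transform."""
    tt = ' wsse11:TokenType="%s"' % token_type if token_type else ""
    return (
        '<wsse:Security xmlns:wsse="%s" xmlns:wsse11="%s" xmlns:wsu="%s">' % (WSSE, WSSE11, WSU)
        + '<saml:Assertion xmlns:saml="%s" %s="%s"/>' % (assertion_ns, id_attr, assertion_id)
        + '<wsse:SecurityTokenReference wsu:Id="str-1"%s>' % tt
        + '<wsse:KeyIdentifier ValueType="%s">%s</wsse:KeyIdentifier>' % (value_type, kid_value)
        + "</wsse:SecurityTokenReference></wsse:Security>"
    )


if __name__ == "__main__":
    # SAML 2.0 token referenced exactly as the profile requires
    ok = make_header(SAML2, "ID", "_a1", "_a1", STP11 + "#SAMLID", STP11 + "#SAMLV2.0")
    print(check_str(ok, "str-1"))
    # Same assertion, but the STR uses the SAML 1.1 ValueType and omits TokenType
    print(check_str(make_header(SAML2, "ID", "_a1", "_a1", STP10 + "#SAMLAssertionID"), "str-1"))
```

Run it against the real header by passing the wsse:Security element from the WS-Security trace and the wsu:Id of the STR the ds:Reference points at.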
Hi Jens,
Have you tried collecting traces using SAP Note [Troubleshooting Wizard|https://service.sap.com/sap/support/notes/1332726] with incident "WebServices Security"? You may find more information.
Best regards,
Desislava
Similar Messages
-
Some class that cannot be resolved to a type
Hello, I'm trying to use the itext API for PDF creation from Java.
In order to do this you must include the package .jar in your classpath and import com.logawie.text.* in your java file. All these steps are obvious, and work correctly, in JAVA, but I'm trying to develop a web application, using JSP.
Usually when I try to import a package from a JAR file that is located in the C:\j2sdk1.4.2_12\lib directory it doesn't work. I solved this problem with some classes by including them directly in the src.zip file. But with the itext package it doesn't work; I don't know if my solution is too bad, but with other classes it works, but with the itext package it says that all class references "cannot be resolved to a type".
Anyone can help me? Thanks in advance.
When I try to deploy it then this error comes:
user cannot be resolved to a type
Can anybody help me and tell me about classpath?
//UserData.java
package user;
// Session-scoped bean populated by SaveName.jsp via <jsp:setProperty property="*"/>
public class UserData {
    String username;
    String email;
    int age;
    public void setUsername(String value) { username = value; }
    public void setEmail(String value) { email = value; }
    public void setAge(int value) { age = value; }
    public String getUsername() { return username; }
    public String getEmail() { return email; }
    public int getAge() { return age; }
}
//GetName.jsp
<HTML>
<BODY>
<FORM METHOD=POST ACTION="SaveName.jsp">
What's your name? <INPUT TYPE=TEXT NAME=username SIZE=20><BR>
What's your e-mail address? <INPUT TYPE=TEXT NAME=email SIZE=20><BR>
What's your age? <INPUT TYPE=TEXT NAME=age SIZE=4>
<P><INPUT TYPE=SUBMIT>
</FORM>
</BODY>
</HTML>
//NextPage.jsp
<jsp:useBean id="user" class="user.UserData" scope="session"/>
<HTML>
<BODY>
You entered<BR>
Name: <%= user.getUsername() %><BR>
Email: <%= user.getEmail() %><BR>
Age: <%= user.getAge() %><BR>
</BODY>
</HTML>
//SaveName.jsp
<jsp:useBean id="user" class="user.UserData" scope="session"/>
<jsp:setProperty name="user" property="*"/>
<HTML>
<BODY>
Continue<font face="Arial"> </font>
</BODY>
</HTML> -
Class cannot be resolved to a type
Hello, I'm trying to use the itext API for PDF creation from Java.
In order to do this you must include the package .jar in your classpath and import com.logawie.text.* in your java file. All these steps are obvious, and work correctly, in JAVA, but I'm trying to develop a web application, using JSP.
Usually when I try to import a package from a JAR file that is located in the C:\j2sdk1.4.2_12\lib directory it doesn't work. I solved this problem with some classes by including them directly in the src.zip file. But with the itext package it doesn't work; I don't know if my solution is too bad, but with other classes it works, but with the itext package it says that all class references "cannot be resolved to a type".
Anyone can help me? Thanks in advance.
I found the answer:
You must place the .jar in the tomcat\common\lib directory and restart Apache Tomcat.
I hope it will be useful to anybody. -
Hi Everyone,
I really would appreciate some help or pointers on my situation. I have a SharePoint 2013 farm, 1 server is the DC and runs SQL, the other is the WFE Server with SharePoint and ADFS. I've configured Active Directory Certification Services and followed an excellent ADCS blog here.
I've gone ahead and configured ADFS and believe my Certificates to be sound as I have no warnings or anything for the Service Communication, Token Signing nor Token Decrypting Certificate. Below are my certs.
I also configured the trusted relying party following numerous blogs (I did this a couple of times to make sure I didn't do anything wrong) but followed this blog.
My Adfs RP looks like this:
Upon configuring the relying trust for my SharePoint Web Application, I used a PowerShell script, added 3 claim mappings and specified the exported token signing certificate as the main certificate. Running Get-SPTrustedIdentityTokenIssuer I can confirm that I've added the Token Issuer, which I believe to be correct:
ProviderUri : https://adfsportal.mvdb.com/adfs/ls/
DefaultProviderRealm : urn:sharepoint:adfs
ProviderRealms : {}
ClaimTypes : {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn,
http://schemas.microsoft.com/ws/2008/06/identity/claims/role,
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress}
HasClaimTypeInformation : True
ClaimTypeInformation : {Email Address, Account ID, Role}
ClaimProviderName :
UseWReplyParameter : False
UseWHomeRealmParameter : False
RegisteredIssuerName :
IdentityClaimTypeInformation : Microsoft.SharePoint.Administration.Claims.SPTrustedClaimTypeInformation
Description : ADFS SAML Provider
SigningCertificate : [Subject]
CN=tokensigning.adfs.mvdb.com
[Issuer]
CN=mvdb-MVDBPRIME-CA, DC=mvdb, DC=com
[Serial Number]
24000000036DEE002044F8EC45000000000003
[Not Before]
2014-03-24 10:35:17 AM
[Not After]
2016-03-23 10:35:17 AM
[Thumbprint]
ED85DB5F1FF564FD7F645E365EB52C2DB406B825
AdditionalSigningCertificates : {}
MetadataEndPoint :
IsAutomaticallyUpdated : False
Name : SAML Provider
TypeName : Microsoft.SharePoint.Administration.Claims.SPTrustedLoginProvider
DisplayName : SAML Provider
Id : 2f59bcca-6ee1-43ae-b9fa-f1b415cdd58b
Status : Online
Parent : SPSecurityTokenServiceManager Name=SecurityTokenServiceManager
Version : 22046
Properties : {}
Farm : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties : {}
So I then went and extended my Web Application, added a host header (secured with wildcard cert) and chose the trusted provider I've just added with the script. When logging on, sure enough, I get prompted with the login dropdown but as soon as I choose the adfs option I get:
ID4220: The SAML Assertion is either not signed or the signature's KeyIdentifier cannot be resolved to a SecurityToken. Ensure that the appropriate issuer tokens are present on the token resolver. To handle advanced token resolution requirements, extend Saml11TokenSerializer and override ReadToken
So far I have not been able to get further than this. I've double checked that I have given permissions on the token signing cert's private keys (read permissions on the ADFS service account as well as Network Service).
Please help!
-Mike
Hi,
According to your post, my understanding is that you got the “ID4220 SAML Assertion is either not signed or the signature's KeyIdentifier cannot be resolved to a SecurityToken” error.
I recommend running the Get-SPTrustedIdentityTokenIssuer PowerShell command on the SharePoint server and looking at the Trusted Identity Token Issuer to see if the certificate associated with it is the correct version of the ADFS Token Signing certificate.
If you exported the ADFS Communication Certificate for the ADFS Login URL instead of the ADFS Token Signing Certificate, please export the correct version of the ADFS Token Signing Certificate and rerun the following command on the SharePoint servers using the SharePoint Install account to associate the correct version of the ADFS Signing certificate with the SharePoint TrustedIdentityTokenIssuer; it should resolve the issue.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Host\ADFS Signing.cer")
$sts = Get-SPTrustedIdentityTokenIssuer
$sts | Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate $cert
More information:
SharePoint and ADFS Configuration Error – ID4220: The SAML Assertion is either not signed or the signature's KeyIdentifier cannot be resolved to a SecurityToken
Thanks,
Linda Li
Forum Support
-
Hi All,
Below is my signed SOAP request. I don't have any web.config configuration for this also no idea on how to implement message level security. Could you please suggest on implementation.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:v1="http://www.notification/V1.0"
xmlns:v11="http://www./effectivity/V1.0">
<soapenv:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:BinarySecurityToken
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="X509-9B329C3CD7BD01ABE81422559607628108">[base64-encoded X.509 certificate omitted]</wsse:BinarySecurityToken>
<ds:Signature Id="SIG-9B329C3CD7BD01ABE81422559607628111"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="soapenv v1 v11"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#id-CF533499567BE717AA1422396248543100">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="v1 v11"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>AYy1/Ni9XTOZy4F3AFagcxkLnws=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>B/psgt7s4dcnlAFK9HWPYSPRQi
+B75tj7zv6KCG2IFd3y3kE0k4DjNyK17ZcqhXkUdxcmDoydbnH
4WUq7XmeG05w/VTbwn8g8RIoY48NaCOCQsXl6RztxhzRxbeocwngebUclJPnEPw3Nr0zguvNFuPa
wBkqcYFAgwG2dlwl/B8QVjvu1xjeXlVP5uHfubdpP
+tG0OnCWztG16108ORqtA2Df3Aj/JnXk2jt
RcIx6fPNna
+mv/MtCGOpSO4vDOf66He/UunkKjo/O5OvO9wuRhZOMJcSEkwVHCBAr9qbRGR72snq
C15GRcCpFyZIP7tElyY1WhBppKNi9j+YA0w9cQ==</ds:SignatureValue>
<ds:KeyInfo Id="KI-9B329C3CD7BD01ABE81422559607628109">
<wsse:SecurityTokenReference
wsu:Id="STR-9B329C3CD7BD01ABE81422559607628110">
<wsse:Reference
URI="#X509-9B329C3CD7BD01ABE81422559607628108"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="id-CF533499567BE717AA1422396248543100"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<v1:sendNotificationRequest>
<v1:notificationHeader>
<sourceAppID>PORTAL</sourceAppID>
<creationTimestamp>2015-01-27T23:27:16.932Z</creationTimestamp>
</v1:notificationHeader>
<v1:notificationTarget>
<!--Optional:-->
<userID>?</userID>
<!--Optional:-->
<v1:emailChannel>
<!--Optional:-->
<v1:fromAddress>
<v1:emailAddress>?</v1:emailAddress>
<!--Optional:-->
<v1:name>?</v1:name>
</v1:fromAddress>
<!--Zero or more repetitions:-->
<v1:toAddress>
<v1:emailAddress>?</v1:emailAddress>
<!--Optional:-->
<v1:name>?</v1:name>
</v1:toAddress>
<!--Zero or more repetitions:-->
<v1:CCAddress>
<v1:emailAddress>?</v1:emailAddress>
<!--Optional:-->
<v1:name>?</v1:name>
</v1:CCAddress>
<!--Zero or more repetitions:-->
<v1:BCCAddress>
<v1:emailAddress>?</v1:emailAddress>
<!--Optional:-->
<v1:name>?</v1:name>
</v1:BCCAddress>
</v1:emailChannel>
<!--Optional:-->
<v1:SMSChannel>
<message>?</message>
<phoneNumber>?</phoneNumber>
</v1:SMSChannel>
<!--Optional:-->
<v1:portalNotifChannel>
<creationDate>?</creationDate>
<expiryDate>?</expiryDate>
</v1:portalNotifChannel>
</v1:notificationTarget>
<!--Zero or more repetitions:-->
<v1:company>
<companyId>?</companyId>
<!--Optional:-->
<sourceSystemId>?</sourceSystemId>
</v1:company>
<!--Optional:-->
<v11:aircraftEffectivity>
<!--Zero or more repetitions:-->
<v11:aircraftFamily>
<aircraftFamilyName>?</aircraftFamilyName>
<!--Zero or more repetitions:-->
<v11:aircraftModel>
<aircraftModelName>?</aircraftModelName>
<!--Zero or more repetitions:-->
<v11:aircraft>
<aircraftSerialNumber>?</aircraftSerialNumber>
</v11:aircraft>
</v11:aircraftModel>
</v11:aircraftFamily>
</v11:aircraftEffectivity>
<!--Optional:-->
<v11:userEffectivity>
<!--You have a CHOICE of the next 2 items at this level-->
<!--Zero or more repetitions:-->
<role_DN>?</role_DN>
<!--Zero or more repetitions:-->
<role_CN>?</role_CN>
</v11:userEffectivity>
<!--You have a CHOICE of the next 2 items at this level-->
<!--Optional:-->
<v1:forcedNotify>
<!--You have a CHOICE of the next 2 items at this level-->
<!--Zero or more repetitions:-->
<v1:notificationTarget>
<!--Optional:-->
<userID>?</userID>
<!--Optional:-->
<v1:emailChannel>
<!--Optional:-->
<v1:fromAddress>
<v1:emailAddress>?</v1:emailAddress>
<!--Optional:-->
<v1:name>?</v1:name>
</v1:fromAddress>
<!--Zero or more repetitions:-->
<v1:toAddress>
<v1:emailAddress>?</v1:emailAddress>
<!--Optional:-->
<v1:name>?</v1:name>
</v1:toAddress>
<!--Zero or more repetitions:-->
<v1:CCAddress>
<v1:emailAddress>?</v1:emailAddress>
<!--Optional:-->
<v1:name>?</v1:name>
</v1:CCAddress>
<!--Zero or more repetitions:-->
<v1:BCCAddress>
<v1:emailAddress>?</v1:emailAddress>
<!--Optional:-->
<v1:name>?</v1:name>
</v1:BCCAddress>
</v1:emailChannel>
<!--Optional:-->
<v1:SMSChannel>
<message>?</message>
<phoneNumber>?</phoneNumber>
</v1:SMSChannel>
<!--Optional:-->
<v1:portalNotifChannel>
<creationDate>?</creationDate>
<expiryDate>?</expiryDate>
</v1:portalNotifChannel>
</v1:notificationTarget>
<!--Optional:-->
<notificationChannel>
<!--Zero or more repetitions:-->
<userID>?</userID>
<forcedNotifyChannel>?</forcedNotifyChannel>
<!--Optional:-->
<v1:fromAddress>
<v1:emailAddress>?</v1:emailAddress>
<!--Optional:-->
<v1:name>?</v1:name>
</v1:fromAddress>
</notificationChannel>
<!--Optional:-->
<v11:userEffectivity>
<role_DN>cn=owner_purchasing,cn=owner,cn=eservices_basic_access,ou=eservices,ou=groups,dc=bombardier,dc=com</role_DN>
<role_DN>cn=owner_broker,cn=owner,cn=eservices_basic_access,ou=eservices,ou=groups,dc=bombardier,dc=com</role_DN>
</v11:userEffectivity>
</v1:forcedNotify>
<subject>AHMS Notification</subject>
<payload>You are receiving an AHMS notification</payload>
<v1:isGroupingAllowed>false</v1:isGroupingAllowed>
<v1:emailAttachment>
<v1:fileName>?</v1:fileName>
<!--Optional:-->
<v1:fileSize>?</v1:fileSize>
<!--Zero or more repetitions:-->
<Content>cid:354298590057</Content>
<!--Zero or more repetitions:-->
<ContentEncoding>?</ContentEncoding>
<!--Zero or more repetitions:-->
<ContentEncodingType>?</ContentEncodingType>
</v1:emailAttachment>
<!--Optional:-->
<priority>?</priority>
</v1:sendNotificationRequest>
</soapenv:Body>
</soapenv:Envelope>
Any help would be great.
I need to programmatically send the token to the webservice and initiate request and response accordingly
Thanks in advance.
Hi Shawn,
Thanks for your help. I am still struggling. There is a Binary security token element which will contain the public version of the certificate,
with the certificate itself sent along as base64 encoded data.
Below is my code, if you can suggest:
// Assumed using directives for the types below (not in the original post):
using System;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Configuration;
using System.Web.Configuration;

ClientSection clientSection = (ClientSection)WebConfigurationManager.GetSection("system.serviceModel/client");
ChannelEndpointElement endpoint = clientSection.Endpoints[0];
string endpointStr = string.Format("Address: {0}; BindingConfiguration: {1}; Contract: {2}", endpoint.Address.ToString(), endpoint.BindingConfiguration, endpoint.Contract);
EndpointAddress remoteAddress = new EndpointAddress(endpoint.Address.ToString());
NotificationServiceClient client = new NotificationServiceClient(endpoint.BindingConfiguration, remoteAddress);
X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2 cert = null;
// Pick the client certificate by its exact subject string (as posted)
foreach (X509Certificate2 candidate in store.Certificates)
{
    if (candidate.Subject == "E=[email protected], CN=collab-dev.aero.bombardier.net, OU=Aerospace, O=Bombardier Inc., L=Montreal, S=Quebec, C=CA")
    {
        cert = candidate;
        break;
    }
}
store.Close();
if (cert == null)
    throw new InvalidOperationException("Client certificate not found in LocalMachine\\Root");
//byte[] rawdata = cert.GetRawCertData();
//BinarySecretSecurityToken token = new BinarySecretSecurityToken(rawdata);
X509SecurityToken token = new X509SecurityToken(cert);
client.ClientCredentials.ClientCertificate.Certificate = cert;
// instead of the certificate the encoded token needs to be sent.
Any help would be great. I am totally new to wcf.
Thanks. -
Lync 2013 Logon Failing (HTTP status code 500) No valid security token
Hello there,
I'm in the process of deploying Lync 2013. I have the pool deployed and everything is at least running. I can access the control panel and provision users. However when I try to logon to the Lync Client I get a DNS error. The DNS error appears to be misleading and is a result of the earlier auto-detection methods failing.
However using the Lync Connectivity Analyzer I get a "No valid security token." error. This doesn't matter if I use auto-detection or manually point the Connectivity Analyzer to the pool servers.
[3/2/2015 9:34:15 AM] [ERROR] Reason: Internal server error (HTTP status code 500)
[3/2/2015 9:34:15 AM] [ERROR] Ms-Diagnostics-Fault ErrorId: 28020, Reason: No valid security token.
[3/2/2015 9:34:15 AM] [CRITICAL] The credentials were not authorized by the server. Please verify your login credentials and try again.
[3/2/2015 9:34:15 AM] [DEBUG] System.Exception: Exception of type 'System.Exception' was thrown.
at Microsoft.LyncServer.WebServices.WebTicketManager.WTExceptions(String exText)
at Microsoft.LyncServer.WebServices.WebTicketManager.<AcquireTicketAsync>d__19.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.LyncServer.WebServices.WebTicketManager.<AcquireOpaqueTicketAsync>d__14.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<AuthenticationRequired>d__2a.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<SendRequest>d__d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<TryNextUrl>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<ParseResponse>d__16.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<TryNextUrl>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<StartDiscoveryJourney>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at LyncConnectivityAnalyzerCore.Utilities.<RetrieveUserLocation>d__3e.MoveNext()
I'm a bit stumped where to go next.
Thanks.
Manually entering the server also fails and does not provide much to help: "We're having trouble connecting to the server. If this continues, please contact your support team."
I found that each time I try to logon it generates a Schannel Error on the server. "A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 51. The Windows SChannel error state is 1106."
There seems to be a lot more information on that than the previous "Internal Error" message I was trying to deal with.
https://social.technet.microsoft.com/Forums/office/en-US/41718327-203f-445f-8657-87b0a8545ead/lync-2013-client-signin-issue-with-lync-2013-server?forum=lyncprofile
Actually I just found the Lync Server Front-End is stuck "starting" so that would explain why I cannot login. However I re-issued my certificate to make sure the primary CN matched "lync.domain.tld" and it still won't start.
https://expertslab.wordpress.com/2014/04/23/lync-server-2013-front-end-service-stuck-on-starting/
I think my problem is the certificate. I have been trying to use SelfSSL7 to generate the certificate for testing but it does not support creating SAN entries so I have entered all the FQDNs as CN entries.
I'm going to get another method to generate the self-signed certificate for testing. -
Unable to add security token for identity
Hi all,
I am trying to implement a web service with username token authentication. I have defined the WS-Policies in the WSDL, and checked the Process Security Header checkbox in the proxy configuration. But when I invoke the proxy through the test console and pass the full SOAP envelope, I am getting an "Unable to add security token for identity" error.
This is how the soap header looks from the request document part of the test console:
<soap:Header>
<wsse:Security>
<wsse:UsernameToken>
<wsse:Username>xxxxx</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">yyyyyy</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
<soap:Body>
I have configured the user in the ALSB security configuration and added an access policy stating that the proxy can be accessed only by user "xxxx".
Please help
-Atheek
Mostafa,
This points to a misconfiguration of your security. Possible causes are:
* There is not a valid RSA key to sign the SAML token with.
* The SAML CredentialMapper is missing
* There is no Relying Party (rp) configured for SAML Credential Mapper that matches your producer
* The producer is using User Name Token and you have not configured the DefaultCredentialMapper to allow for UserNameToken.
Good Luck,
Nate
Edited by: user650654 on Sep 9, 2008 4:31 AM -
Exception: Unable to add security token for identity
Hi Friends,
I was trying to add SAML tokens(Sender-Voucher Profile) to my web services. I configured WLS and ALSB with all Authentication settings but I get a SOAPFaultException when i run the client.
javax.xml.rpc.soap.SOAPFaultException: Unable to add security token for identity
I tried the following samples:
https://codesamples.projects.dev2dev.bea.com/servlets/Scarab/remcurreport/true/template/ViewIssue.vm/id/S10/eventsubmit_dosetissueview/foo/resultpos/-1/nbrresults/0/action/ViewIssue/tab/2/readonly/false
https://codesamples.projects.dev2dev.bea.com/servlets/Scarab/remcurreport/true/template/ViewIssue.vm/id/S203/nbrresults/39
Is there any configuration on WLS that needs to be verified when we get this Exception "Unable to add security token for identity"??
Any help is appreciated in this regard.
Thanks,
Kiran
Hello Kiran,
Is this problem resolved? I am facing the same problem when I was trying to call a service.
The exception i got is as follows:
(D-113003875) server (IBwlpAdminServer) Method (com.zurich.ep.global.produc
metadata.impl.ProductMetaDataServiceImpl.getAllProducts:234) ==> Host (D-113003
75) server (IBwlpAdminServer) Method (com.zurich.ep.service.delegate.AbstractEx
eptionHandler.logException:67)
om.zurich.ep.exception.ServiceFailureException: SOAPFaultException - FaultCode
{http://schemas.xmlsoap.org/soap/envelope/}Server] FaultString [Unable to add s
curity token for identity] FaultActor [null]No Detail; nested exception is:
javax.xml.rpc.soap.SOAPFaultException: Unable to add security token for
dentity
at com.zurich.ep.global.productmetadata.impl.ProductMetaDataServiceImpl.
etAllProducts(ProductMetaDataServiceImpl.java:234)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
ava:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.zurich.ep.service.delegate.ServiceDelegateProxy.invoke(ServiceDelegateProxy.java:135)
at $Proxy62.getAllProducts(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.zurich.ep.service.delegate.ServiceAdapter.invoke(ServiceAdapter.java:97)
at $Proxy63.getAllProducts(Unknown Source)
at com.zurich.ep.global.productmetadata.v20090601.ProductMetaDataServicePortTypeImpl.getAllProducts(ProductMetaDataServicePortTypeImpl.java:119)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at weblogic.wsee.component.pojo.JavaClassComponent.invoke(JavaClassComponent.java:99)
at weblogic.wsee.ws.dispatch.server.ComponentHandler.handleRequest(ComponentHandler.java:64)
at weblogic.wsee.handler.HandlerIterator.handleRequest(HandlerIterator.java:127)
at weblogic.wsee.ws.dispatch.server.ServerDispatcher.dispatch(ServerDispatcher.java:85)
at weblogic.wsee.ws.WsSkel.invoke(WsSkel.java:80)
at weblogic.wsee.server.servlet.SoapProcessor.handlePost(SoapProcessor.java:66)
at weblogic.wsee.server.servlet.SoapProcessor.process(SoapProcessor.java:44)
at weblogic.wsee.server.servlet.BaseWSServlet$AuthorizedInvoke.run(BaseWSServlet.java:173)
at weblogic.wsee.server.servlet.BaseWSServlet.service(BaseWSServlet.java:92)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:223)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:283)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3245)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2003)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:1909)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1359)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:181)
Caused by: java.rmi.RemoteException: SOAPFaultException - FaultCode [{http://schemas.xmlsoap.org/soap/envelope/}Server] FaultString [Unable to add security token for identity] FaultActor [null]No Detail; nested exception is:
javax.xml.rpc.soap.SOAPFaultException: Unable to add security token for identity
at com.zurich.ep.service.delegate.AbstractExceptionHandler.logException(AbstractExceptionHandler.java:67)
at com.zurich.ep.service.delegate.client.WebServiceBusinessDelegate.invoke(WebServiceBusinessDelegate.java:260)
at $Proxy61.getProductFunctionality(Unknown Source)
at com.zurich.ep.global.productmetadata.impl.ProductMetaDataServiceImpl.getAllProducts(ProductMetaDataServiceImpl.java:201)
... 39 more
Caused by: javax.xml.rpc.soap.SOAPFaultException: Unable to add security token for identity
at weblogic.wsee.codec.soap11.SoapCodec.decodeFault(SoapCodec.java:265)
at weblogic.wsee.ws.dispatch.client.CodecHandler.decodeFault(CodecHandler.java:106)
at weblogic.wsee.ws.dispatch.client.CodecHandler.decode(CodecHandler.java:91)
at weblogic.wsee.ws.dispatch.client.CodecHandler.handleFault(CodecHandler.java:79)
at weblogic.wsee.handler.HandlerIterator.handleFault(HandlerIterator.java:254)
at weblogic.wsee.handler.HandlerIterator.handleResponse(HandlerIterator.java:224)
at weblogic.wsee.ws.dispatch.client.ClientDispatcher.handleResponse(ClientDispatcher.java:161)
at weblogic.wsee.ws.dispatch.client.ClientDispatcher.dispatch(ClientDispatcher.java:116)
at weblogic.wsee.ws.WsStub.invoke(WsStub.java:89)
at weblogic.wsee.jaxrpc.StubImpl._invoke(StubImpl.java:335)
at com.zurich.ep.global.chassisauthorisation.v20090601.ChassisAuthorisationServicePortType_Stub.getProductFunctionality(ChassisAuthorisationServicePortType_Stub.java:145)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.zurich.ep.service.delegate.client.WebServiceBusinessDelegate.invoke(WebServiceBusinessDelegate.java:225)
... 41 more
Caused by: weblogic.xml.crypto.wss.WSSecurityException: Unable to add security token for identity
at weblogic.wsee.security.wss.SecurityPolicyDriver.processIdentity(SecurityPolicyDriver.java:175)
at weblogic.wsee.security.wss.SecurityPolicyDriver.processOutbound(SecurityPolicyDriver.java:73)
at weblogic.wsee.security.WssClientHandler.processOutbound(WssClientHandler.java:69)
at weblogic.wsee.security.WssClientHandler.processRequest(WssClientHandler.java:53)
at weblogic.wsee.security.WssHandler.handleRequest(WssHandler.java:72)
at weblogic.wsee.handler.HandlerIterator.handleRequest(HandlerIterator.java:127)
at weblogic.wsee.handler.HandlerIterator.handleRequest(HandlerIterator.java:100)
at weblogic.wsee.ws.dispatch.client.ClientDispatcher.dispatch(ClientDispatcher.java:101)
... 49 more
Thanks,
JK -
The security token could not be authenticated or authorized
Hi All,
I have an issue with Oracle Migration Tool On Demand.
I run the following command to backup the AccessProfile:
Oracle Migration Tool On Demand:
migrationtool -u <user> -s https://secure-ausomxefa.crmondemand.com ReadAll AccessProfile
Unfortunately I get the following error:
On the dos window:
Please enter your CRM On Demand password: Your request has been sent to Oracle
CRM On Demand Server.
A response to the SOAP request sent to the CRM On Demand server has been received An error occurred. Please review the logs for details
And in the log file:
13-apr-2011 16.09.40 com.siebel.occam.odesa.cte.ODESAResponseHandler writeToLog
GRAVE: <Fault xmlns="http://schemas.xmlsoap.org/soap/envelope/"><faultcode>wsse:FailedAuthentication</faultcode><faultstring>The security token could not be authenticated or authorized</faultstring><faultactor></faultactor></Fault>
Please could you help me?
Regards
Alessandro
Edited by: user3889450 on 13-apr-2011 7.16
Edited by: user3889450 on 13-apr-2011 7.17
Edited by: user3889450 on 13-apr-2011 7.18
Alessandro, I would recommend that you submit a SR to CRM On Demand customer care in reference to this issue.
-
Security Token Service Application Pool high CPU
The SecurityTokenServiceApplicationPool seems to be using really high CPU at times and it seems to slow down the server, causing a spike to almost 100% CPU; recycling takes care of it temporarily, and it will also go down on its own but to a lesser extent.
I can't seem to see any cause of this in the logs.
The Security Token Service Application Pool isn't on a recycle schedule by default.
Does anyone recommend putting it on a recycle schedule?
What are some common causes of it?
thanks
themush
Hi,
As I understand, the SecurityTokenServiceApplicationPool caused high CPU usage in your environment.
Would recycling the application pool help?
To check if there is a performance issue, please provide more information about the application server which hosts this service application.
http://technet.microsoft.com/en-us/library/cc262485(v=office.15).aspx#hwforwebserver
Here are some references for application pool high usage in SharePoint:
http://weblogs.asp.net/erobillard/thoughts-on-sharepoint-application-pools-recycling-and-quot-jit-lag-quot
http://blogs.technet.com/b/stefan_gossner/archive/2007/11/26/dealing-with-memory-pressure-problems-in-moss-wss.aspx
Regards,
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected].
Rebecca Tu
TechNet Community Support -
Hello
I'm running on a brand new system Windows 7 Home Premium 64-Bit.
I have a problem with Internet Explorer 8. When a javascript tries to open a link into a new window I get the error message: Message: Cannot open an anonymous level security token.
The solution to this is to go to dcomcnfg -> Expand Component Services -> Computers
Select My Computer -> right click My Computer and select Properties.
On the Default Properties tab set the Default Authentication level and Default Impersonation level.
Here is the problem: These values can not be set. There are multiple problems with the DCOMCNFG interface.
1. There are no values present in the drop down window.
2. The first time one selects properties from my computer to access the default properties tab, I get only a 2 tab page consisting only of COM Security and MSDTC. I have to select the properties option a second time to get the correct page to pop up containing the additional 4 tabs that include the default Properties. (strange, but I have actually seen this behavior reported elsewhere on the net by a developer)
3. On the default properties tab, the "enable Distributed COM on this computer" is unchecked, even though registry values indicate DCOM is enabled.
4. The drop down windows for "Default Authentication Level" and "Default Impersonation Level" do not populate with any options when I check the "Enable Distributed COM" box. Registry values appear to have these settings correctly set.
5. Regardless of whether I modify any entries or not on the Default Properties tab, every time I close the Default Properties tab by selecting "OK", mmc.exe crashes and an error is generated. No crash if I select "cancel." Error info below:
Problem Event Name: APPCRASH
Application Name: mmc.exe
Application Version: 6.1.7600.16385
Application Timestamp: 4a5bc808
Fault Module Name: comuid.dll
Fault Module Version: 2001.12.8530.16385
Fault Module Timestamp: 4a5bdf82
Exception Code: c000041d
Exception Offset: 0000000000027eb4
OS Version: 6.1.7600.2.0.0.768.3
Locale ID: 1033
Additional Information 1: c04d
Additional Information 2: c04dc172367dd59f9f2c3be375fb3e80
Additional Information 3: ab1b
Additional Information 4: ab1bd07e62aa9dd1521e9b185bfe43fc
What have I done to try to remedy the problem?
Ran sfc /scannow and chkdsk with no change.
What would I like?
To eliminate the anonymous level security token error in IE8, and I assume the DCOMCNFG problem may be the cause.
Thanks, Jim
I have the EXACT signature of symptoms as described here, but with Windows XP:
[Quote]
Multiple problems with the DCOMCNFG interface.
1. There are no values present in the drop down window.
2. The first time one selects properties from my computer to access the default properties tab, I get only a 2 tab page consisting only of COM Security and MSDTC. I have to select the properties option a second time to get the correct page to pop up containing the additional 4 tabs that include the default Properties. (strange, but I have actually seen this behavior reported elsewhere on the net by a developer)
3. On the default properties tab, the "enable Distributed COM on this computer" is unchecked, even though registry values indicate DCOM is enabled.
4. The drop down windows for "Default Authentication Level" and "Default Impersonation Level" do not populate with any options when I check the "Enable Distributed COM" box. Registry values appear to have these settings correctly set.
5. Regardless of whether I modify any entries or not on the Default Properties tab, every time I close the Default Properties tab by selecting "OK", mmc.exe crashes and an error is generated. No crash if I select "cancel."
[/QUOTE]
I tried the COMFIX tool suggested by Jim Bacon - it does not complete for me however
(there is no "run as admin" option in Windows XP, I just double clicked to run it).
Otherwise I followed it as described (no Norton Ghost).
It errors out:
In the Command Window, it says Open Service Fail 1060
Specific Service does not exist as installed service
And a Windows Script Host Window that reports error "the system cannot find the file specified" - code:80070002
Is this because it is XP?
Is there something similar I can use for XP, or do I have some other limitation?
Appreciate assistance - I was happy to find this issue reported here so pleased that at least I am not unique in that! -
Please excuse the lousy table...Its late :-)
I have a multi-server SP2010 farm. Patched up to
Configuration database version: 14.0.6106.5002
My goal is to have a claims based web application that authenticates to ADAM for Extranet. I have configured the servers exactly to MSDN and technet specs (following this spec to the letter: http://technet.microsoft.com/en-us/library/ee806882.aspx) to allow the forms side of the web app to authenticate to ADAM.
IT WORKS IN DEV!!! , which is a single server farm. However, it does not work in production. I get the following:
Claims Auth log entries (columns: Timestamp | Process | TID | Area | Category | EventID | Level | Message):
1:06:25 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | f2ut | Verbose | Authenticated with login provider. Validating request security token.
1:06:25 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | 0 | Verbose | Using membership provider 'ADAMProvider'.
1:06:25 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | 0 | Verbose | Doing password check on '[email protected]'.
1:06:46 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | 0 | Verbose | Failed password check on '[email protected]'.
1:06:46 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | 0 | Unexpected | Password check on '[email protected]' generated exception: 'System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).'.
1:06:46 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | fo1t | Monitorable | SPSecurityTokenService.Issue() failed: System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).
1:06:46 AM | w3wp.exe (0x1B34) | 0x08A0 | SharePoint Foundation | Claims Authentication | fsq7 | High | Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated.
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
1:06:46 AM | w3wp.exe (0x1B34) | 0x08A0 | SharePoint Foundation | Claims Authentication | 8306 | Critical | An exception occurred when trying to issue security token: The security token username and password could not be validated..
1:06:46 AM | w3wp.exe (0x1B34) | 0x08A0 | SharePoint Foundation | Claims Authentication | f2un | Verbose | Form authentication failed.
I have tried EVERYTHING (well, not everything, I don't have the fix I suppose).
I found plenty out there and nothing directly correlates with this issue.
I searched on all parts of the errors I got.
This contains an interesting blurb about setting up access for the apppool id correctly.
That’s not the case for me. It works in dev and the same id are used there.
http://sharepoint-2010-world.blogspot.com/2011/03/adam-forms-based-authentication-in.html
This was good but it doesn’t give specs on what the environment looks like:
http://social.msdn.microsoft.com/Forums/en/sharepoint2010general/thread/557143a6-4b36-4939-bb7f-d62a9335fd18
This was interesting… but I am patched up beyond the June 2011 CU so it's a moot point:
http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/9b8368ef-c5e5-4ead-b348-7b2b5587cfc8
Any and all help would be greatly appreciated!
Hi.
You say it's a multiserver farm, do you have more than one web server then?
If that's the case, have you tried accessing the site on each server directly?
Found this for you, maybe that can help?
Troubleshooting Exceptions: System.ServiceModel.FaultException`1
http://msdn.microsoft.com/en-us/library/bb907220.aspx
and this:
SharePoint 2010 Claims Authentication - The security token username and password could not be validated reoccurring every morning
http://social.technet.microsoft.com/Forums/pl-PL/sharepoint2010setup/thread/383f1f9b-5c4a-4e19-b770-2a54b7ab1ca1
and
This seems to be a good guide:
http://donalconlon.wordpress.com/2010/02/23/configuring-forms-base-authentication-for-sharepoint-2010-using-iis7/
Good luck
Thomas Balkeståhl - Technical Specialist - SharePoint - http://blksthl.wordpress.com -
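Reading the ULS entries above by hand hides one detail worth pulling out: the "Doing password check" and "Failed password check" rows are 21 seconds apart, and a membership-provider check that takes that long before failing looks more like the provider waiting on the directory than like a plain bad password. The following is an added example, not code from the thread, from SharePoint or from any of the linked articles: it parses ULS rows in their tab-separated layout, pairs each "Doing password check" with its result on the same process and thread, reports the elapsed time, and counts STS issuance failures. The sample rows are constructed from the sequence in the post with a placeholder user name; the 5-second "slow" threshold and the wording of a successful check are assumptions.

```python
"""Triage of SharePoint ULS 'Claims Authentication' rows (added example)."""
import re
from datetime import datetime

PROVIDER_RE = re.compile(r"Using membership provider '([^']+)'")
DOING_RE = re.compile(r"Doing password check on '([^']+)'")
# Only "Failed" appears in the post; the wording for success is an assumption.
RESULT_RE = re.compile(r"(Failed|Succeeded|Successful) password check on '([^']+)'")


def _row(ts, process, tid, event_id, level, message):
    """Build one ULS row: Timestamp, Process, TID, Area, Category, EventID, Level, Message."""
    return "\t".join([ts, process, tid, "SharePoint Foundation",
                      "Claims Authentication", event_id, level, message])


# Constructed sample reproducing the sequence quoted in the post (placeholder user).
SAMPLE_ULS = "\n".join([
    _row("1:06:25 AM", "w3wp.exe (0x0EDC)", "0x1790", "f2ut", "Verbose",
         "Authenticated with login provider. Validating request security token."),
    _row("1:06:25 AM", "w3wp.exe (0x0EDC)", "0x1790", "0", "Verbose",
         "Using membership provider 'ADAMProvider'."),
    _row("1:06:25 AM", "w3wp.exe (0x0EDC)", "0x1790", "0", "Verbose",
         "Doing password check on 'user@example.com'."),
    _row("1:06:46 AM", "w3wp.exe (0x0EDC)", "0x1790", "0", "Verbose",
         "Failed password check on 'user@example.com'."),
    _row("1:06:46 AM", "w3wp.exe (0x0EDC)", "0x1790", "fo1t", "Monitorable",
         "SPSecurityTokenService.Issue() failed: System.ServiceModel.FaultException`1"
         "[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: "
         "The security token username and password could not be validated."),
    _row("1:06:46 AM", "w3wp.exe (0x1B34)", "0x08A0", "fsq7", "High",
         "Request for security token failed with exception: System.ServiceModel."
         "FaultException: The security token username and password could not be validated."),
    _row("1:06:46 AM", "w3wp.exe (0x1B34)", "0x08A0", "f2un", "Verbose",
         "Form authentication failed."),
])


def parse_uls(text):
    """Split tab-separated ULS rows into dicts; rows with fewer than 8 columns
    (stack-trace continuation lines, blank lines) are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 8:
            continue
        ts, process, tid, area, category, event_id, level = (p.strip() for p in parts[:7])
        entries.append({
            "time": datetime.strptime(ts, "%I:%M:%S %p"),  # ULS time-of-day only
            "process": process, "tid": tid, "area": area, "category": category,
            "event_id": event_id, "level": level,
            "message": "\t".join(parts[7:]).strip(),
        })
    return entries


def password_check_report(entries, slow_after_seconds=5.0):
    """Pair each 'Doing password check' with its result on the same process/thread
    and report user, provider, outcome and elapsed seconds.  A long delay before a
    failure is flagged 'slow' (heuristic: directory connectivity or timeout rather
    than a wrong password).  Checks that cross midnight are not handled."""
    pending = {}    # (process, tid, user) -> start time
    provider = {}   # (process, tid) -> provider last named on that thread
    report = []
    for e in entries:
        key = (e["process"], e["tid"])
        m = PROVIDER_RE.search(e["message"])
        if m:
            provider[key] = m.group(1)
            continue
        m = DOING_RE.search(e["message"])
        if m:
            pending[key + (m.group(1),)] = e["time"]
            continue
        m = RESULT_RE.search(e["message"])
        if m:
            outcome, user = m.group(1), m.group(2)
            start = pending.pop(key + (user,), None)
            elapsed = (e["time"] - start).total_seconds() if start else None
            report.append({
                "user": user, "provider": provider.get(key), "outcome": outcome,
                "seconds": elapsed,
                "slow": elapsed is not None and elapsed >= slow_after_seconds,
            })
    return report


def token_issue_failures(entries):
    """Count STS issuance failures (the 'fo1t' rows in the post)."""
    return sum(1 for e in entries
               if e["message"].startswith("SPSecurityTokenService.Issue() failed"))


if __name__ == "__main__":
    rows = parse_uls(SAMPLE_ULS)
    for item in password_check_report(rows):
        print(item)
    print("STS issuance failures:", token_issue_failures(rows))
```

On the sample the report shows a single failed check against ADAMProvider that took 21 seconds, flagged slow; on a real farm, point `parse_uls` at a ULS file filtered to the Claims Authentication category and compare the elapsed times on the production web servers with the ones from the dev farm where the same login works.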
I'm getting these errors in the eventlog and ULS, "An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US\nIssuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US\nThumbprint: <STS CERTIFICATE THUMBPRINT>\n\nErrors:\n\n RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate."
The errors point to the SharePoint Security Token Service as the issue ("The revocation function was unable to check revocation for the certificate") reported back by the Topology service. This is apparent when executing a search, accessing the managed metadata service, issuing SPSite commands in Powershell, or anything that needs to run through the "SharePoint Web Services" site. I've looked at the certificate assigned to that site and everything appears to be in order.
It would seem to me to be either an incorrect endpoint configuration (internally cached perhaps?) or related to security access for the configuration database (in order to validate the certificate root).
What I’ve tried so far:
I’ve been all over the certificate settings, both in the server store, and within SharePoint Token Service config. Both appear to be configured correctly such that the root CAs can be validated.
Re-entered the passwords for the application pool domain accounts to eliminate these as a potential cause. I’ve also verified the service accounts reporting the error, do have access to the configuration database.
Re-provisioned the STS service to see if that might clear out any cached issues and validated everything else according to this MS Tech note.
So far nothing has worked. Is there anything else I could be looking at that I've missed? (Full eventlog detail below)
Log Name: Application
Source: Microsoft-SharePoint Products-SharePoint Foundation
Date: 2/20/2015 11:19:41 AM
Event ID: 8311
Task Category: Topology
Level: Error
Keywords:
User: <SP SERVICE ACCOUNT>
Computer: <SHAREPOINTSERVER>
Description:
An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US\nIssuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US\nThumbprint: <STS CERT THUMBPRINT>\n\nErrors:\n\n RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
<EventID>8311</EventID>
<Version>14</Version>
<Level>2</Level>
<Task>13</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2015-02-20T17:19:41.213852500Z" />
<EventRecordID>1611121</EventRecordID>
<Correlation />
<Execution ProcessID="10212" ThreadID="10328" />
<Channel>Application</Channel>
<Computer><SHAREPOINTSERVER></Computer>
<Security UserID="<SP SERVICE ACCOUNT>" />
</System>
<EventData>
<Data Name="string0">CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US</Data>
<Data Name="string1">CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US</Data>
<Data Name="string2"><STS CERT THUMBPRINT></Data>
<Data Name="string3">RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
</Data>
</EventData>
</Event>
Hi Darren,
This problem seems to occur when an administrator deletes the local trust relationship of the farm from the Security section of the Central Administration website.
In order to resolve this problem, the local trust relationship has to be created. This can be done by running the following PowerShell commands:
$rootCert = (Get-SPCertificateAuthority).RootCertificate
New-SPTrustedRootAuthority -Name "localNew" -Certificate $rootCert
After running the above commands, perform an IISReset on all servers in the farm.
More information:
http://support.microsoft.com/kb/2545744
Best Regards,
Wendy
Forum Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]
Wendy Li
TechNet Community Support -
How to get security token from a URL in BPM
Hi,
I need to get a security token from a url in a business process.
The URL is like:
https://services.sapo.pt/STS/GetToken?ESBUsername=test&ESBPassword=test1
If I paste it in the browser I get the token in the form:
<ESBToken>
a7d1cd4e20c9c1b437513d434abbfee83b1f8f32839b54e6632f2865631303b815547cf898...
</ESBToken>
What is the best way to get and map the token in an Integration Process in SAP XI? Is it possible by user defined function in mapping? How?
Thanks in advance.
I am not sure what you want to do!? Do you want to display the image file, save the image file? When you say you don't want it to exit, do you want it to be a persistent application?
-
WS-Security and proxy service: Unable to add security token for identity
What is the reason for the "Unable to add security token for identity" fault in this situation (10.3.1)?
I did simple "hello word" proxy service and tried to apply custom policy binding.
WS-Policy is next:
<wsp:Policy wsu:Id="WS-Policy-Siebel"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wssp:Identity
xmlns:wssp="http://www.bea.com/wls90/security/policy">
<wssp:SupportedTokens>
<wssp:SecurityToken
TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken">
<wssp:UsePassword
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText" />
</wssp:SecurityToken>
</wssp:SupportedTokens>
</wssp:Identity>
</wsp:Policy>
Process WS-Security is set to "yes".
While debugging I see that everything works fine - I can authenticate with the defined credentials and the breakpoints in the proxy service flow work fine.
But at the end I get the fault:
Soap fault:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Header/>
<env:Body>
<env:Fault>
<faultcode>env:Server</faultcode>
<faultstring>Unable to add security token for identity</faultstring>
</env:Fault>
</env:Body>
</env:Envelope>
In console:
<09.06.2010 17:39:18 MSD> <Error> <OSB Security> <BEA-387023> <An error ocurred during web service security inbound response processing [error-code: Fault, message-id: 1721282272521583996--57dc4ccc.1291cc2282d.-7fab, proxy: OSB Project WS-Security/WSSecurityService, operation: NewOperation]
--- Error message:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header/><env:Body><env:Fault><faultcode>env:Server</faultcode><faultstring>Unable to add security token for identity</faultstring></env:Fault></env:Body></env:Envelope>
weblogic.xml.crypto.wss.WSSecurityException: Unable to add security token for identity
at weblogic.wsee.security.wss.SecurityPolicyDriver.processIdentity(SecurityPolicyDriver.java:175)
at weblogic.wsee.security.wss.SecurityPolicyDriver.processOutbound(SecurityPolicyDriver.java:73)
at weblogic.wsee.security.wss.SecurityPolicyDriver.processOutbound(SecurityPolicyDriver.java:64)
at weblogic.wsee.security.WssServerHandler.processOutbound(WssServerHandler.java:88)
at weblogic.wsee.security.WssServerHandler.processResponse(WssServerHandler.java:70)
Truncated. see log file for complete stacktrace
Incoming soap message is:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="unt_TNNp0cBwU7HyPKoq" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>testuser</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">testuser</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
<soapenv:Body>
<wss:NewOperation xmlns:wss="http://www.troika.ru/Enterprise/WSSecurityService/">
<in>string</in>
</wss:NewOperation>
</soapenv:Body>
</soapenv:Envelope>
Edited by: Andrey L. on Jun 9, 2010 5:55 PM
I thought you were getting that exception when accessing the proxy.
No. Authentication works fine. The proxy body works fine. But at the end of the proxy the exception appears.
Sorry for my English - I tried to show this situation in an image: http://imglink.ru/show-image.php?id=9c0e0c1719f00289faf11696c6703bc3
Are you getting this exception when routing to a business service which is configured for WS-Security ??
I don't use business service in this test project - only simple proxy service with all logic inside.
PS transformation in replace action is very simple too:
(:: pragma bea:global-element-parameter parameter="$newOperation1" element="ns0:NewOperation" location="WSSecurityService.wsdl" ::)
(:: pragma bea:global-element-return element="ns0:NewOperationResponse" location="WSSecurityService.wsdl" ::)
declare namespace ns0 = "http://www.troika.ru/Enterprise/WSSecurityService/";
declare namespace xf = "http://tempuri.org/OSB%20Project%20WS-Security/Hello/";
declare function xf:Hello($newOperation1 as element(ns0:NewOperation))
as element(ns0:NewOperationResponse) {
<ns0:NewOperationResponse>
<out>Hello, { data($newOperation1/in) }!</out>
</ns0:NewOperationResponse>
};
declare variable $newOperation1 as element(ns0:NewOperation) external;
xf:Hello($newOperation1)
Edited by: Andrey L. on Jun 10, 2010 12:21 PM
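The fault in this thread is raised from SecurityPolicyDriver.processIdentity during outbound response processing, while the inbound request carries exactly the UsernameToken the policy asks for. The following is an added example, not code from the thread, from Oracle Service Bus or from WebLogic: it reads the wssp:Identity section of the quoted WS-Policy to learn which token type and password type are required, then checks a SOAP envelope for a matching wsse:UsernameToken. Run against the inbound request from the post it finds nothing wrong; run against a response envelope with no Security header (constructed here, since the thread does not show one) it reports that nothing in the message can satisfy the identity policy. Whether OSB evaluates this same policy on the response is an assumption of the example, not something the thread confirms.

```python
"""Check a SOAP envelope against a wssp:Identity WS-Policy (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "env": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wssp": "http://www.bea.com/wls90/security/policy",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}
UNT_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
UNT_TYPE = UNT_PROFILE + "#UsernameToken"
PW_TEXT = UNT_PROFILE + "#PasswordText"

# The WS-Policy quoted in the post.
POLICY_XML = f"""<wsp:Policy wsu:Id="WS-Policy-Siebel"
 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
 xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <wssp:Identity xmlns:wssp="http://www.bea.com/wls90/security/policy">
  <wssp:SupportedTokens>
   <wssp:SecurityToken TokenType="{UNT_TYPE}">
    <wssp:UsePassword Type="{PW_TEXT}"/>
   </wssp:SecurityToken>
  </wssp:SupportedTokens>
 </wssp:Identity>
</wsp:Policy>"""

# The inbound request quoted in the post.
INBOUND_REQUEST = f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <wsse:Security soap:mustUnderstand="1" xmlns:wsse="{NS['wsse']}">
   <wsse:UsernameToken wsu:Id="unt_TNNp0cBwU7HyPKoq"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:Username>testuser</wsse:Username>
    <wsse:Password Type="{PW_TEXT}">testuser</wsse:Password>
   </wsse:UsernameToken>
  </wsse:Security>
 </soap:Header>
 <soapenv:Body>
  <wss:NewOperation xmlns:wss="http://www.troika.ru/Enterprise/WSSecurityService/"><in>string</in></wss:NewOperation>
 </soapenv:Body>
</soapenv:Envelope>"""

# Constructed: the proxy's response as the XQuery in the post would produce it,
# with no wsse:Security header (the thread does not show the actual response).
OUTBOUND_RESPONSE = """<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
 <env:Header/>
 <env:Body>
  <ns0:NewOperationResponse xmlns:ns0="http://www.troika.ru/Enterprise/WSSecurityService/">
   <out>Hello, string!</out>
  </ns0:NewOperationResponse>
 </env:Body>
</env:Envelope>"""


def identity_requirements(policy_xml):
    """Return the token requirements declared under wssp:Identity/SupportedTokens."""
    root = ET.fromstring(policy_xml)
    reqs = []
    for tok in root.findall(".//wssp:Identity/wssp:SupportedTokens/wssp:SecurityToken", NS):
        pw = tok.find("wssp:UsePassword", NS)
        reqs.append({"token_type": tok.get("TokenType"),
                     "password_type": pw.get("Type") if pw is not None else None})
    return reqs


def check_identity(policy_xml, envelope_xml):
    """List what in the envelope fails the policy's identity requirement (empty = ok)."""
    reqs = identity_requirements(policy_xml)
    if not reqs:
        return ["policy declares no Identity/SupportedTokens"]
    envelope = ET.fromstring(envelope_xml)
    security = envelope.find("env:Header/wsse:Security", NS)
    if security is None:
        return ["no wsse:Security header: nothing can satisfy the identity policy"]
    findings = []
    for req in reqs:
        if req["token_type"] != UNT_TYPE:
            findings.append(f"unsupported token type in policy: {req['token_type']}")
            continue
        unt = security.find("wsse:UsernameToken", NS)
        if unt is None:
            findings.append("UsernameToken required by policy but absent")
            continue
        if not unt.findtext("wsse:Username", default="", namespaces=NS):
            findings.append("UsernameToken has an empty Username")
        pw = unt.find("wsse:Password", NS)
        if pw is None:
            findings.append("UsernameToken carries no Password")
        elif req["password_type"] and pw.get("Type") != req["password_type"]:
            findings.append(f"Password Type '{pw.get('Type')}' does not match "
                            f"policy '{req['password_type']}'")
    return findings


if __name__ == "__main__":
    print("request :", check_identity(POLICY_XML, INBOUND_REQUEST) or "ok")
    print("response:", check_identity(POLICY_XML, OUTBOUND_RESPONSE) or "ok")
```

The check is deliberately policy-driven rather than hard-coded: swapping the policy's UsePassword Type to PasswordDigest makes the same request fail on the password type, which is the kind of mismatch worth confirming before looking for problems elsewhere in the proxy.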