Security Token Service Configuration - Token Lifetime
We configured SharePoint to use ADFS and FBA for authentication; users can log in and access the site.
But the issue is that after 10 mins users are re-authenticating with ADFS (Windows users), and we want to change this configuration to a longer time (20 mins).
Current Configuration:
ADFS - TokenLifetime is 20 mins
STS - LogonTokenCacheExpirationWindow is 1 min
FormsTokenLifetime / WindowsTokenLifetime are not modified and have default values
Are there any other STS properties that need to be modified to increase the duration and to stop the re-authentication?
-RK
Thanks
Hi RK,
Have you double-checked that the TokenLifetime is 20 mins on your ADFS server?
Have you restarted IIS after you updated the LogonTokenCacheExpirationWindow value to 1 min on your SharePoint servers?
Set-ADFSRelyingPartyTrust -TargetName "Relying Party Name" -TokenLifetime 20
$sts = Get-SPSecurityTokenServiceConfig
$sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 1)
$sts.Update()
iisreset
http://sharepoint.stackexchange.com/questions/79864/sharepoint-2013-adfs-login-local-token-cache-always-expired
http://msdn.microsoft.com/en-us/library/office/hh147183(v=office.14).aspx
Thanks
Daniel Yang
TechNet Community Support
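A read-only check of the values discussed in this thread, as an added example that is not part of either post: it compares each token lifetime with LogonTokenCacheExpirationWindow on the assumption that SharePoint treats a logon token as expired once its remaining lifetime is shorter than that window. The function name Get-EffectiveSessionWindow and the 5-minute warning threshold are hypothetical choices made for this example.

```powershell
# Added example, not from the thread. Run in the SharePoint Management Shell.
# Assumption: usable session ~= token lifetime - LogonTokenCacheExpirationWindow,
# because a token whose remaining lifetime is below the window counts as expired.

function Get-EffectiveSessionWindow {
    param(
        [Parameter(Mandatory=$true)][string]   $Source,
        [Parameter(Mandatory=$true)][TimeSpan] $TokenLifetime,
        [Parameter(Mandatory=$true)][TimeSpan] $ExpirationWindow
    )
    $effective = $TokenLifetime - $ExpirationWindow

    # The 5-minute threshold is an arbitrary value chosen for this example.
    $finding = if ($effective -le [TimeSpan]::Zero) {
        'Window >= lifetime: every token is treated as expired, expect a re-authentication loop'
    } elseif ($effective.TotalMinutes -lt 5) {
        'Under 5 minutes of usable session, users are sent back to the identity provider constantly'
    } else {
        'OK'
    }

    New-Object PSObject -Property @{
        Source           = $Source
        TokenLifetime    = $TokenLifetime
        ExpirationWindow = $ExpirationWindow
        EffectiveSession = $effective
        Finding          = $finding
    } | Select-Object Source, TokenLifetime, ExpirationWindow, EffectiveSession, Finding
}

# Lifetime configured on the ADFS server for the SharePoint relying party trust.
# It has to be read on the ADFS server; 20 is the figure given in the question.
$adfsTokenLifetimeMinutes = 20

# Values actually stored in the farm, which is what counts after Update() and iisreset.
$sts    = Get-SPSecurityTokenServiceConfig
$window = $sts.LogonTokenCacheExpirationWindow

$report = @(
    (Get-EffectiveSessionWindow -Source 'ADFS (SAML) users' `
        -TokenLifetime (New-TimeSpan -Minutes $adfsTokenLifetimeMinutes) -ExpirationWindow $window),
    (Get-EffectiveSessionWindow -Source 'Windows claims users' `
        -TokenLifetime $sts.WindowsTokenLifetime -ExpirationWindow $window),
    (Get-EffectiveSessionWindow -Source 'Forms (FBA) users' `
        -TokenLifetime $sts.FormsTokenLifetime -ExpirationWindow $window)
)
$report | Format-Table -AutoSize
```

With the figures from the question (20-minute ADFS token, 1-minute window) the ADFS row should show 19 minutes; if the farm still reports a 10-minute window, the same token yields only 10 minutes, which is the symptom described.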
Similar Messages
-
Secure Store Services Configuration
Hi,
I wanted to ask for some more information on the topic. I have googled and found information here and there, but nothing that I have found is a concise guide to its configuration, "an idiot's guide" if you may.
If you found some information that you found particularly helpful I would like to read it. White papers etc.
Thank you for your time
Regards
Chris
Hi Guys,
In Microsoft Release Management, we have the option to encrypt the password instead of giving plain text for a parameter.
I am very excited to see this option in Release Management. But I am not able to hold this excitement for a longer time.
I tried to use this option for one of our scripts, namely "Secure Store Service". But when I use this property for the Secure Store PowerShell script, it is failing and the encrypted password is not accepted by the PowerShell script.
Kindly let me know whether anybody has faced this issue and kindly share your inputs.
Regards
Sivakumar K -
I'm getting these errors in the event log and ULS: "An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US\nIssuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US\nThumbprint: <STS CERTIFICATE THUMBPRINT>\n\nErrors:\n\n RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate."
The errors point to the SharePoint Security Token Service as the issue ("The revocation function was unable to check revocation for the certificate") reported back by the Topology service. This is apparent when executing a search, accessing the managed metadata service, issuing SPSite commands in PowerShell, or anything that needs to run through the "SharePoint Web Services" site. I've looked at the certificate assigned to that site and everything appears to be in order.
It would seem to me to be either an incorrect endpoint configuration (internally cached perhaps?) or related to security access for the configuration database (in order to validate the certificate root).
What I’ve tried so far:
I’ve been all over the certificate settings, both in the server store, and within SharePoint Token Service config. Both appear to be configured correctly such that the root CAs can be validated.
Re-entered the passwords for the application pool domain accounts to eliminate these as a potential cause. I’ve also verified that the service accounts reporting the error do have access to the configuration database.
Re-provisioned the STS service to see if that might clear out any cached issues and validated everything else according to this MS Tech note.
So far nothing has worked. Is there anything else I could be looking at that I've missed? (Full event log detail below)
Log Name: Application
Source: Microsoft-SharePoint Products-SharePoint Foundation
Date: 2/20/2015 11:19:41 AM
Event ID: 8311
Task Category: Topology
Level: Error
Keywords:
User: <SP SERVICE ACCOUNT>
Computer: <SHAREPOINTSERVER>
Description:
An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US\nIssuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US\nThumbprint: <STS CERT THUMBPRINT>\n\nErrors:\n\n RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
<EventID>8311</EventID>
<Version>14</Version>
<Level>2</Level>
<Task>13</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2015-02-20T17:19:41.213852500Z" />
<EventRecordID>1611121</EventRecordID>
<Correlation />
<Execution ProcessID="10212" ThreadID="10328" />
<Channel>Application</Channel>
<Computer><SHAREPOINTSERVER></Computer>
<Security UserID="<SP SERVICE ACCOUNT>" />
</System>
<EventData>
<Data Name="string0">CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US</Data>
<Data Name="string1">CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US</Data>
<Data Name="string2"><STS CERT THUMBPRINT></Data>
<Data Name="string3">RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
</Data>
</EventData>
</Event>
Hi Darren,
This problem seems to occur when an administrator deletes the local trust relationship of the farm from the Security section of the Central Administration website.
In order to resolve this problem, the local trust relationship has to be created. This can be done by running the following PowerShell commands:
$rootCert = (Get-SPCertificateAuthority).RootCertificate
New-SPTrustedRootAuthority -Name "localNew" -Certificate $rootCert
After running the above commands, perform an IISReset on all servers in the farm.
More information:
http://support.microsoft.com/kb/2545744
Best Regards,
Wendy
Wendy Li
TechNet Community Support -
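A read-only check that confirms the diagnosis in the reply above before a new trust is created, as an added example that is not part of the thread: it looks for the farm's own root certificate among the trusted root authorities and checks that the STS signing certificate chains to it by name. The variable names are chosen for this example; the cmdlets are the same SharePoint ones used in the reply, plus Get-SPTrustedRootAuthority and Get-SPSecurityTokenServiceConfig.

```powershell
# Added example, not from the thread. Run in the SharePoint Management Shell
# on a farm server. It only reads configuration and changes nothing.

$root    = (Get-SPCertificateAuthority).RootCertificate
$stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
$now     = Get-Date

# Trusted root authorities whose certificate is the farm's own root.
# Zero entries is the condition the reply describes (local trust deleted).
$localTrusts = @(Get-SPTrustedRootAuthority |
    Where-Object { $_.Certificate.Thumbprint -eq $root.Thumbprint })

$findings = @()

if ($localTrusts.Count -eq 0) {
    $findings += 'No trusted root authority holds the farm root certificate (local trust missing)'
}
if ($localTrusts.Count -gt 1) {
    # Re-running the fix under a new name leaves duplicate entries behind.
    $names = ($localTrusts | ForEach-Object { $_.Name }) -join ', '
    $findings += "Farm root certificate is registered $($localTrusts.Count) times: $names"
}
if ($stsCert.Issuer -ne $root.Subject) {
    $findings += 'STS signing certificate was not issued by the farm root authority'
}
foreach ($cert in @($root, $stsCert)) {
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $findings += "Certificate outside its validity period: $($cert.Subject)"
    }
}

if ($findings.Count -eq 0) { $findings += 'Local trust present and certificates consistent' }

New-Object PSObject -Property @{
    RootSubject     = $root.Subject
    RootThumbprint  = $root.Thumbprint
    StsIssuer       = $stsCert.Issuer
    LocalTrustCount = $localTrusts.Count
    Findings        = ($findings -join '; ')
} | Select-Object RootSubject, RootThumbprint, StsIssuer, LocalTrustCount, Findings | Format-List
```

A LocalTrustCount of 0 matches the situation the reply describes; a count of 1 or more means the local trust already exists and adding another entry would only create a duplicate.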
WS-Security and proxy service: Unable to add security token for identity
What is the reason for the "Unable to add security token for identity" fault in this situation (10.3.1):
I created a simple "hello world" proxy service and tried to apply a custom policy binding.
The WS-Policy is as follows:
<wsp:Policy wsu:Id="WS-Policy-Siebel"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wssp:Identity
xmlns:wssp="http://www.bea.com/wls90/security/policy">
<wssp:SupportedTokens>
<wssp:SecurityToken
TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken">
<wssp:UsePassword
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText" />
</wssp:SecurityToken>
</wssp:SupportedTokens>
</wssp:Identity>
</wsp:Policy>
Process WS-Security is set to "yes".
While debugging I see that everything works fine - I can authenticate with the defined credentials and breakpoints in the proxy service flow work fine.
But at the end I get the fault:
Soap fault:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Header/>
<env:Body>
<env:Fault>
<faultcode>env:Server</faultcode>
<faultstring>Unable to add security token for identity</faultstring>
</env:Fault>
</env:Body>
</env:Envelope>
In console:
<09.06.2010 17:39:18 MSD> <Error> <OSB Security> <BEA-387023> <An error ocurred during web service security inbound response processing [error-code: Fault, message-id: 1721282272521583996--57dc4ccc.1291cc2282d.-7fab, proxy: OSB Project WS-Security/WSSecurityService, operation: NewOperation]
--- Error message:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header/><env:Body><env:Fault><faultcode>env:Server</faultcode><faultstring>Unable to add security token for identity</faultstring></env:Fault></env:Body></env:Envelope>
weblogic.xml.crypto.wss.WSSecurityException: Unable to add security token for identity
at weblogic.wsee.security.wss.SecurityPolicyDriver.processIdentity(SecurityPolicyDriver.java:175)
at weblogic.wsee.security.wss.SecurityPolicyDriver.processOutbound(SecurityPolicyDriver.java:73)
at weblogic.wsee.security.wss.SecurityPolicyDriver.processOutbound(SecurityPolicyDriver.java:64)
at weblogic.wsee.security.WssServerHandler.processOutbound(WssServerHandler.java:88)
at weblogic.wsee.security.WssServerHandler.processResponse(WssServerHandler.java:70)
Truncated. see log file for complete stacktrace
Incoming soap message is:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="unt_TNNp0cBwU7HyPKoq" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>testuser</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">testuser</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
<soapenv:Body>
<wss:NewOperation xmlns:wss="http://www.troika.ru/Enterprise/WSSecurityService/">
<in>string</in>
</wss:NewOperation>
</soapenv:Body>
</soapenv:Envelope>
Edited by: Andrey L. on Jun 9, 2010 5:55 PM
I thought you were getting that exception when accessing the proxy.
No. Authentication works fine. The proxy body works fine. But the exception appears at the end of the proxy.
Sorry for my English - I tried to show this situation in an image: http://imglink.ru/show-image.php?id=9c0e0c1719f00289faf11696c6703bc3
Are you getting this exception when routing to a business service which is configured for WS-Security?
I don't use a business service in this test project - only a simple proxy service with all the logic inside.
P.S. The transformation in the replace action is very simple too:
(:: pragma bea:global-element-parameter parameter="$newOperation1" element="ns0:NewOperation" location="WSSecurityService.wsdl" ::)
(:: pragma bea:global-element-return element="ns0:NewOperationResponse" location="WSSecurityService.wsdl" ::)
declare namespace ns0 = "http://www.troika.ru/Enterprise/WSSecurityService/";
declare namespace xf = "http://tempuri.org/OSB%20Project%20WS-Security/Hello/";
declare function xf:Hello($newOperation1 as element(ns0:NewOperation))
    as element(ns0:NewOperationResponse) {
        <ns0:NewOperationResponse>
            <out>Hello, { data($newOperation1/in) }!</out>
        </ns0:NewOperationResponse>
};
declare variable $newOperation1 as element(ns0:NewOperation) external;
xf:Hello($newOperation1)
Edited by: Andrey L. on Jun 10, 2010 12:21 PM -
Security Token Service application not working
Trying to use Secure Store Service to access userprofileservice.asmx methods within an InfoPath 2010 form (doesn't contain any managed code). Created a target application and am using a udcx file within the data connection library according to Microsoft tech articles.
I see errors related to accessing the securitytokenservice application. It keeps on erroring out within the ULS logs, something like below
http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc/actas.
TCP error code 10061: No connection could be made because the target machine actively refused it ::1:32843
Used below links but no luck.
Method 2 of http://support.microsoft.com/kb/981684
http://support.microsoft.com/kb/2493524
http://www.avanadeblog.com/sharepointasg/iis/
My http://localhost works but I don't see http://localhost:32843 working.
When I run netstat -a within command prompt I see port 32843 is working since the state of it is shown as "listening".
When I browse to http://localhost:32843/SecurityTokenServiceApplication I see HTTP 404 error.
It is same with other services under SharePoint Web Services Site within IIS.
I see the same HTTP 404 error. The Security Token Service application pool is running.
I'm trying to make this work within my development environment and I don't see the Security Token Service application working in my production or test environment either. I have a standalone installation on my personal laptop and I don't see these things working there as well. If I had the web.config file of a working Security Token Service application then I could have compared that with the web.config on my development box. This is the only thing I missed out on.
I've been kind of stuck with this for the last week and any help is appreciated.
Thanks, DC SharePointer
Thanks Henrik.
Farm servers already have the WCF hotfix (976462) and I also checked the STS authentication settings in IIS. Only Windows and Anonymous access is enabled. I did make the change (authentication mode of spStsActAsBinding to IssuedToken, it was SspiNegotiatedOverTransport) that is suggested in the link you provided. But no luck. My STS web.config has the below membership and role providers
<system.web>
<membership>
<providers>
<add connectionStringName="DevSQLConn"
applicationName="/"
name="DevAspNetSqlMembershipProvider"
requiresQuestionAndAnswer="false"
type="System.Web.Security.SqlMembershipProvider,System.Web,Version=2.0.3600.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>
<roleManager enabled="true">
<providers>
<add connectionStringName="DevSQLConn"
applicationName="/"
name="DevAspNetSqlRoleManager"
type="System.Web.Security.SqlRoleProvider,System.Web,Version=2.0.3600.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
</system.web>
Does this have anything to do with my issue? I think at some point they might have configured it to use forms-based authentication.
Thanks, DC SharePointer -
The Security Token Service is not available -- SP Server on Windows 7
I just installed SharePoint Server 2010 on a Windows 7 workstation with the aim of setting up a development environment.
Installed all the prerequisites, then SP, everything seemed to go smoothly.
However, the Health Analyzer is warning me that "the Security Token Service is not available". It says that the "Administrator should try to restart the Security Token Service".
I looked under Services for my computer and also looked in IIS, did not see any thing that referenced security tokens. Where would I find the security token service?
Thanks.
No.
In Central Admin>Application Management>Manage Service Applications I see the Security Token Service Application is running. But the health analyzer is still saying that the Security Token Service is not available.
Any advice on resolving this would be greatly appreciated. -
The Security Token Service is not available error on dedicated Distributed Cache server
I have an error on a dedicated Distributed Cache server stating that the Security Token Service is not available. I was under the impression that when Distributed Cache was running on a dedicated server that the only service that should be enabled is Distributed Cache.
The token service is working as expected on all other servers but this one. Does this service need to be started or should I just ignore this error message?
Jennifer Knight (MCITP, MCPD)
As per my little experience with 2013, if STS is working fine on the web server then I am sure that SharePoint will be fine... Distributed cache stores the ST issued by STS. No need to worry about this error.
Login Token Cache (DistributedLogonTokenCache): This cache stores the security token issued by a Secure Token Service for use by any web server in the server farm. Any web server that receives a request for resources can access the security token from the cache, authenticate the user, and provide access to the resources requested.
I would say check the ULS logs and get more details about the error and why it's not working on that server.
Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog -
The Security Token Service is not available.
Hi,
1. Service check failed:
http://localhost:port/SecurityTokenServiceApplication/securitytoken.svc
Getting an error message.
2. While provisioning it again:
$sts = Get-SPServiceApplication | ?{$_ -match "Security"}
$sts.Status   # result: Online
$sts.Provision()
Successful.
3. Event in Event Viewer:
WebHost failed to process a request.
Sender Information: System.ServiceModel.Activation.HostedHttpRequestAsyncResult/31626309
Exception: System.Web.HttpException: The service '/SecurityTokenServiceApplication/securitytoken.svc' does not exist. ---> System.ServiceModel.EndpointNotFoundException: The service '/SecurityTokenServiceApplication/securitytoken.svc' does not exist.
at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath)
at System.ServiceModel.ServiceHostingEnvironment.EnsureServiceAvailableFast(String relativeVirtualPath)
at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.HandleRequest()
at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.BeginRequest()
--- End of inner exception stack trace ---
at System.ServiceModel.AsyncResult.End[TAsyncResult](IAsyncResult result)
at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.End(IAsyncResult result)
Process Name: w3wp
Process ID: 5752
---------------------And-----------------------------
Event 8306
An exception occurred when trying to issue security token: The requested service, 'http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc' could not be activated. See the server's diagnostic trace logs for more information..
Please help
Prasad kambar
Check this article
http://blogs.technet.com/b/sykhad-msft/archive/2012/02/25/sharepoint-2010-nailing-the-error-quot-the-security-token-service-is-unavailable-quot.aspx
and similar thread
https://social.technet.microsoft.com/Forums/office/en-US/78cd4366-b11b-4300-93a4-4135d55f561f/error-8306-an-exception-occurred-when-trying-to-issue-security-token-please-help?forum=sharepointgeneralprevious
though it is SharePoint 2010 but will work similar in sps 2013 also -
Could Not Connect to Security Token Service Application
Receiving the following:
Get-SPSite : Could not connect to http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc. TCP error code 10061: No connection could be made
I have validated the site and app pool exist and are running... however, browsing to the url returns a 404 page. This is happening on 2/4 servers in my farm.
I have removed SharePoint and Web Server/Application Server Role from each server and re-installed SP to no avail... next step is re-image but thought I would check the blog-o-sphere first...
- Rick
Any antivirus on the servers?
Are there any details about the error after "connection could be made"?
Also have a look: http://blogs.technet.com/b/sykhad-msft/archive/2012/02/25/sharepoint-2010-nailing-the-error-quot-the-security-token-service-is-unavailable-quot.aspx
Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog -
Wsit: Modify the URL of the security token service at runtime
I've managed to modify the url of my webservice endpoint at runtime used by a client application with the BindingProvider.ENDPOINT_ADDRESS_PROPERTY. Is it also possible to modify the url of the security token service?
-
Download location of Oracle OpenSSO Security Token Service
I am not finding the war file for Oracle OpenSSO Security Token Service, where can I download it from? The docs say that it is part of OpenSSO server but I don't find that in oracle_opensso_80U2.zip either. Please let me know where I can get it from.
http://download.oracle.com/otn/nt/middleware/11g/oracle_openssosts_11gr1.zip
Just so you know, Oracle has released its Oracle STS server as part of the 11.1.1.5 distribution of Identity and Access Management as well. -
Security Token Service Application Pool high CPU
The SecurityTokenServiceApplicationPool seems to be using really high CPU at times and it seems to slow down the server, causing spikes to almost 100% CPU. Recycling takes care of it temporarily; it will also go down on its own but to a lesser extent.
I can't seem to see any cause of this in the logs.
The Security Token Service Application Pool isn't on a recycle schedule by default.
Does anyone recommend putting it on a recycle schedule?
What are some common causes of it?
thanks
themush
Hi,
As I understand, the SecurityTokenServiceApplicationPool caused high CPU usage in your environment.
Would recycling the application pool help?
To check if there is a performance issue, please provide more information about your application server which hosts this service application.
http://technet.microsoft.com/en-us/library/cc262485(v=office.15).aspx#hwforwebserver
Here are some references for application pool high usage in SharePoint:
http://weblogs.asp.net/erobillard/thoughts-on-sharepoint-application-pools-recycling-and-quot-jit-lag-quot
http://blogs.technet.com/b/stefan_gossner/archive/2007/11/26/dealing-with-memory-pressure-problems-in-moss-wss.aspx
Regards,
Rebecca Tu
TechNet Community Support -
Hi,
I deployed a web service with the security policy @SecurityPolicy(uri = "oracle/wss_username_token_over_ssl_service_policy"). The WSDL file looks fine.
But when I test it with SoapUI and the JDeveloper HTTP Analyzer, it always throws "InvalidSecurityToken : The security token is not valid."
The Web Service code is as below,
import javax.jws.WebMethod;
import javax.jws.WebService;
import weblogic.wsee.jws.jaxws.owsm.SecurityPolicies;
import weblogic.wsee.jws.jaxws.owsm.SecurityPolicy;

// The OWSM policy requires a WS-Security UsernameToken sent over SSL.
@WebService
@SecurityPolicy(uri = "oracle/wss_username_token_over_ssl_service_policy")
public class HelloWorld {
    public HelloWorld() {
        super();
    }

    @WebMethod
    public String sayHi(String name) {
        return "Hello, " + name;
    }
}
What's the valid username and password for the web service deployed on JCS? Any suggestion and help is highly appreciated.
The SOAP request payload from SoapUI is:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ws="http://ws/">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-3">
<wsse:Username>[email protected]</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">XXXX</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<ws:sayHi>
<arg0>Paula</arg0>
</ws:sayHi>
</soapenv:Body>
</soapenv:Envelope>
but the response is,
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Body>
<ns2:Fault xmlns:ns2="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns3="http://www.w3.org/2003/05/soap-envelope">
<faultcode xmlns:ns0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns0:InvalidSecurityToken</faultcode>
<faultstring>InvalidSecurityToken : The security token is not valid.</faultstring>
</ns2:Fault>
</S:Body>
</S:Envelope> -
Export/Import Error: The security token could not be authenticated
We currently are working in PLM 6.1.1 and users are experiencing Export/Import Issues, the error appears frequently with several users.
Steps:
1. A new token is generated from our QA environment
2. The user logs into Dev and transfers the token
3. In the export ADMIN area the user selects a section
4. In the QA environment the user schedules the import
5. The import is scheduled however the error is received after a few mins
Error Message:
The security token could not be authenticated or authorized ---> The directory service is unavailable.
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at Xeno.Prodika.XenoDoc.Handlers.DRL.DrlService.GetAttachment(tIdentifier Identifier)
at Xeno.Prodika.XenoDoc.Handlers.DRL.DrlWebServiceLifecycleHandler.Load(IXDocument xdoc, String pkid)
at Xeno.Prodika.XenoDoc.BaseLibraryManager.LoadDocumentPhaseII(IXLibraryConfiguration libConfig, IXDocument xdoc, String pkid)
at Xeno.Prodika.XenoDoc.BaseLibraryManager.LoadDocument(String pkid)
at Xeno.Prodika.ExportImport.DataExchange.ImportRequestProcessor.ProcessRequest(IApplicationManager applicationManager, IImportRequestQueue request)
This error can be difficult to reproduce but occurs periodically.
This is likely a DRL issue. Verify DRL is configured correctly and a valid PLM4P user is set up in the setup assistant. In addition, make sure you added the new app in IIS for DRLService (this is a doc bug we are correcting that we failed to include in the 611 guide). Verify you can attach and then open an attachment on a material spec.
-
SAML 2.0 Security Token Reference cannot be resolved
Hi,
I am trying to send a SAML 2.0 token to SAP Portal 7.3 EHP 2 using the sender-vouches confirmation method.
My message is signed by my client application. The signature references 3 parts:
1) a security token reference which in turn points to my SAML assertion (using STR transform)
2) the body (using c14n transform)
3) the timestamp (using c14n transform)
Collecting some WS-Security trace, I can see the following:
Exception : Security Token Reference transform could not resolve token: <yq1:SecurityTokenReference yq2:Id='wssecurity_signature_id_23' xmlns:yq2='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' xmlns:yq1='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'><yq1:KeyIdentifier ValueType='http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID'>Assertion-uuida9c3e36a-0131-11fd-bfea-f4ca184fc662</yq1:KeyIdentifier></yq1:SecurityTokenReference>
java.lang.Exception
at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1230)
at com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:147)
at com.sap.exception.io.SAPIOException.<init>(SAPIOException.java:63)
at com.sap.engine.services.wssec.wsse.STRCanonicalizationWriter.doSTRTransform(STRCanonicalizationWriter.java:228)
at com.sap.engine.services.wssec.wsse.STRCanonicalizationWriter.leave(STRCanonicalizationWriter.java:152)
at com.sap.engine.services.wssec.xmlsecurity.signature.verification.ReferenceDispatcherReader.handleCode(ReferenceDispatcherReader.java:315)
at com.sap.engine.services.wssec.xmlsecurity.signature.verification.ReferenceDispatcherReader.next(ReferenceDispatcherReader.java:186)
at com.sap.engine.services.wssec.xmlsecurity.signature.verification.VerifyTokenReaderImpl.next(VerifyTokenReaderImpl.java:501)
at com.sap.engine.services.wssec.wsse.WSSecurityContext.init(WSSecurityContext.java:429)
Assertion-uuida9c3e36a-0131-11fd-bfea-f4ca184fc662 is the ID of my SAML assertion.
Using the same configuration in my client app, but sending a SAML 1.1 token passes this step.
Is there any trace I can enable to further debug this issue?
Has anybody encountered the same issue before?
Thanks
Jens
Hi Jens,
Have you tried collecting traces using the SAP Note Troubleshooting Wizard (https://service.sap.com/sap/support/notes/1332726) with incident "WebServices Security"? You may find more information.
Best regards,
Desislava -
Unable to add security token for identity
Hi all,
I am trying to implement a web service with username token authentication. I have defined the ws -policies in the wsdl, and checked the Process Security Header checkbox in the proxy configuration. But when I invoke the proxy through test console and pass the full soap envelope , I am getting an "Unable to add security token for identity" error
This is how the soap header looks from the request document part of the test console:
<soap:Header>
<wsse:Security>
<wsse:UsernameToken>
<wsse:Username>xxxxx</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">yyyyyy</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
<soap:Body>
I have configured the user in the ALSB security configuration and added an access policy stating that the proxy can be accessed only by user "xxxx".
Please help
-Atheek
Mostafa,
This points to a misconfiguration of your security. Possible causes are:
* There is not a valid RSA key to sign the SAML token with.
* The SAML CredentialMapper is missing
* There is no Relying Party (rp) configured for SAML Credential Mapper that matches your producer
* The producer is using User Name Token and you have not configured the DefaultCredentialMapper to allow for UserNameToken.
Good Luck,
Nate
Edited by: user650654 on Sep 9, 2008 4:31 AM