Security Token Service Configuration - Token Lifetime

Similar Messages

• Secure Store Services Configuration

  Hi, 
  I wanted to ask for some more information on the topic. I have google'd and found informaiton here and there but nothing that I have found as a concise guide to its configuration "an idiots guide if you may"
  If you found some information that you found particularly helpful I would like to read it. white papers etc... 
  Thank you for your time
  Regards
  Chris  

  HI Guys,
  In Microsoft release management, we are having option to encrpt the password instead of giving plain text for a parameter.
  I am very
  excited to see this option in release management.But i am not able to hold this
  Excitement for longer time.
  I tried to use this option for one of our script nothing but "Secure Store Service".But when i am using this property for secure store powershell script,it is falling and encripted password is not accepted by powershell script.
  Kindly let me know whether any body had faced this issue and kindly share your inputs.
  Regards
  Sivakumar K

• Errors with SharePoint Security Token Service: "The revocation function was unable to check revocation for the certificate"

  I'm getting these errors in the eventlog and ULS, "An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US\nIssuer Name: CN=SharePoint Root
  Authority, OU=SharePoint, O=Microsoft, C=US\nThumbprint: <STS CERTIFICATE THUMBPRINT>\n\nErrors:\n\n RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate."
  The errors point to the SharePoint Security Token Service as the issue ("The revocation function was unable to check revocation for the certificate") reported back by the Topology service.  This is apparent when executing a search, accessing
  the managed metadata service, issuing SPSite commands in Powershell, or anything that needs to run through the "SharePoint Web Services" site.  I've looked at the certificate assigned to that site and everything appears to be in order. 
  It would seem to me to be either an incorrect endpoint configuration (internally cached perhaps?) or related to security access for the configuration database (in order to validate the certificate root).
  What I’ve tried so far:
  I’ve been all over the certificate settings, both in the server store, and within SharePoint Token Service config.  Both appear to be configured correctly such that the root CAs can be validated.
  Re-entered the passwords for the application pool domain accounts to eliminate these as a potential cause.  I’ve also verified the service accounts reporting the error, do have access to the configuration database.
  Re-provisioned the STS service to see if that might clear out any cached issues and validated everything else according to this
  MS Tech note.
  So far nothing has worked.  Is there anything else I could be looking at that I've missed? (Full eventlog detail below)
  Log Name:      Application
  Source:        Microsoft-SharePoint Products-SharePoint Foundation
  Date:          2/20/2015 11:19:41 AM
  Event ID:      8311
  Task Category: Topology
  Level:         Error
  Keywords:      
  User:          <SP SERVICE ACCOUNT>
  Computer:      <SHAREPOINTSERVER>
  Description:
  An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US\nIssuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US\nThumbprint: <STS
  CERT THUMBPRINT>\n\nErrors:\n\n RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
      <EventID>8311</EventID>
      <Version>14</Version>
      <Level>2</Level>
      <Task>13</Task>
      <Opcode>0</Opcode>
      <Keywords>0x4000000000000000</Keywords>
      <TimeCreated SystemTime="2015-02-20T17:19:41.213852500Z" />
      <EventRecordID>1611121</EventRecordID>
      <Correlation />
      <Execution ProcessID="10212" ThreadID="10328" />
      <Channel>Application</Channel>
      <Computer><SHAREPOINTSERVER></Computer>
      <Security UserID="<SP SERVICE ACCOUNT>" />
    </System>
    <EventData>
      <Data Name="string0">CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US</Data>
      <Data Name="string1">CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US</Data>
      <Data Name="string2"><STS CERT THUMBPRINT></Data>
      <Data Name="string3">RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
  </Data>
    </EventData>
  </Event>

  Hi Darren,
  This problem seems to occur when an administrator deletes the local trust relationship of the farm from the Security section of the Central Administration website
  In order to resolve this problem, the local trust relationship has to be created. This can be done by running the following PowerShell commands
  $rootCert = (Get-SPCertificateAuthority).RootCertificate
  New-SPTrustedRootAuthority -Name "localNew" -Certificate $rootCert
  After running the above commands, perform an IISReset on all servers in the farm.
  More information:
  http://support.microsoft.com/kb/2545744
  Best Regards,
  Wendy
  Forum Support
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
  [email protected]
  Wendy Li
  TechNet Community Support

• WS-Security and proxy service: Unable to add security token for identity

  What the reason of "Unable to add security token for identity" fault in this situation (10.3.1):
  I did simple "hello word" proxy service and tried to apply custom policy binding.
  WS-Policy is next:
  <wsp:Policy wsu:Id="WS-Policy-Siebel"
       xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
       xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
       <wssp:Identity
            xmlns:wssp="http://www.bea.com/wls90/security/policy">
            <wssp:SupportedTokens>
                 <wssp:SecurityToken
                      TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken">
                      <wssp:UsePassword
                           Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText" />
                 </wssp:SecurityToken>
            </wssp:SupportedTokens>
       </wssp:Identity>
  </wsp:Policy>
  Process WS-Security is setted to "yes".
  While debugging I see that all works fine - I can authenticate with defined credentials and breakpoints in proxy service flow works fine.
  But at the end I get the fault:
  Soap fault:
  <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Header/>
  <env:Body>
  <env:Fault>
  <faultcode>env:Server</faultcode>
  <faultstring>Unable to add security token for identity</faultstring>
  </env:Fault>
  </env:Body>
  </env:Envelope>
  In console:
  <09.06.2010 17:39:18 MSD> <Error> <OSB Security> <BEA-387023> <An error ocurred during web service security inbound response processing [error-code: F
  ault, message-id: 1721282272521583996--57dc4ccc.1291cc2282d.-7fab, proxy: OSB Project WS-Security/WSSecurityService, operation: NewOperation]
  --- Error message:
  <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header/><env:Body><env:Fault><faultcode>env:Server</faultcode><faultstring>Un
  able to add security token for identity</faultstring></env:Fault></env:Body></env:Envelope>
  weblogic.xml.crypto.wss.WSSecurityException: Unable to add security token for identity
  at weblogic.wsee.security.wss.SecurityPolicyDriver.processIdentity(SecurityPolicyDriver.java:175)
  at weblogic.wsee.security.wss.SecurityPolicyDriver.processOutbound(SecurityPolicyDriver.java:73)
  at weblogic.wsee.security.wss.SecurityPolicyDriver.processOutbound(SecurityPolicyDriver.java:64)
  at weblogic.wsee.security.WssServerHandler.processOutbound(WssServerHandler.java:88)
  at weblogic.wsee.security.WssServerHandler.processResponse(WssServerHandler.java:70)
  Truncated. see log file for complete stacktrace
  Incoming soap message is:
  <soapenv:Envelope      xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header      xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <wsse:Security      soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:UsernameToken      wsu:Id="unt_TNNp0cBwU7HyPKoq" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsse:Username>testuser</wsse:Username>
  <wsse:Password      Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">testuser</wsse:Password>
  </wsse:UsernameToken>
  </wsse:Security>
  </soap:Header>
  <soapenv:Body>
  <wss:NewOperation      xmlns:wss="http://www.troika.ru/Enterprise/WSSecurityService/">
  <in>string</in>
  </wss:NewOperation>
  </soapenv:Body>
  </soapenv:Envelope>
  Edited by: Andrey L. on Jun 9, 2010 5:55 PM

  I thought you were getting that exception when accessing the proxy.
  No. Authentification works fine. Proxy body works fine. But at the end of proxy appears the exception.
  Sorry for my english - I tried to show this situation on image: http://imglink.ru/show-image.php?id=9c0e0c1719f00289faf11696c6703bc3
  Are you getting this exception when routing to a business service which is configured for WS-Security ??
  I don't use business service in this test project - only simple proxy service with all logic inside.
  PS transformation in replace action is very simple too:
  (:: pragma bea:global-element-parameter parameter="$newOperation1" element="ns0:NewOperation" location="WSSecurityService.wsdl" ::)
  (:: pragma bea:global-element-return element="ns0:NewOperationResponse" location="WSSecurityService.wsdl" ::)
  declare namespace ns0 = "http://www.troika.ru/Enterprise/WSSecurityService/";
  declare namespace xf = "http://tempuri.org/OSB%20Project%20WS-Security/Hello/";
  declare function xf:Hello($newOperation1 as element(ns0:NewOperation))
  as element(ns0:NewOperationResponse) {
  <ns0:NewOperationResponse>
  <out>Hello, { data($newOperation1/in) }!</out>
  </ns0:NewOperationResponse>
  declare variable $newOperation1 as element(ns0:NewOperation) external;
  xf:Hello($newOperation1)
  Edited by: Andrey L. on Jun 10, 2010 12:21 PM

• Security Token Service application not working

  Trying to use secure store service to access userprofileservice.asmx methods within Infopath 2010 form(doesn't contain any managed code). Created tareget application and using udcx file within the data connection library according to Microsoft tech articles.
  I see errors related to accessing securitytokenservice application.It keeps on erroring out within the ULS logs, something like below
  http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc/actas.
  TCP error code 10061: No  connection could be made because the target machine actively refused it ::1:32843
  Used below links but no luck.
  Method 2 of http://support.microsoft.com/kb/981684
  http://support.microsoft.com/kb/2493524
  http://www.avanadeblog.com/sharepointasg/iis/
  My http://localhost works but i don't see
  http://localhost:32843 working.
  When i run netstat -a within command prompt i see port 32843 is working since the state of it is shown as "listening".
  When i browse to
  http://localhost:32843/SecurityTokenServiceApplication i see HTTP 404 error.
  It is same with other services  under SharePoint Web Services Site within IIS.
  I see the same HTTP 404 error. The Security Token Service application pool is running.
  I'm trying to make this work within my development envirnoment and  i don't see the security token service application
  working in my Production or test environment either. I have a standalone installation on my personal laptop and i don't see these things working there as well. If i had web.config file of a working Security token service application then i could have compared
  that with the web.config on my developement box. This is the only thing i missed out on.
  I'm kind of stuck with this since last one week and any help is appreciated.
  Thanks, DC SharePointer

  thanks Henrik.
  Farm Servers already have WCF Hotfix (976462) and I also checked the STS authentication settings in IIS. Only windows and Anonymous access is enabled. I did make the change(Authentication mode of spStsActAsBinding to IssuedToken, it was SspiNegotiatedOverTransport) that
  is suggested in the link you provided. But no luck. My STS web.config has below membership and role providers
   <system.web>
      <membership>
        <providers>
          <add connectionStringName="DevSQLConn"
   applicationName="/"
   name="DevAspNetSqlMembershipProvider"
   requiresQuestionAndAnswer="false"
   type="System.Web.Security.SqlMembershipProvider,System.Web,Version=2.0.3600.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
        </providers>
      </membership>
      <roleManager enabled="true">
        <providers>
          <add connectionStringName="DevSQLConn"
   applicationName="/"
   name="DevAspNetSqlRoleManager"
   type="System.Web.Security.SqlRoleProvider,System.Web,Version=2.0.3600.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
        </providers>
      </roleManager>
    </system.web>
  Does this have to do anything with my issue. I think at some point they might have configured to use form based authentication.
  Thanks, DC SharePointer

• The Security Token Service is not available -- SP Server on Windows 7

  I just installed SharePoint Server 2010 on a Windows 7 workstation with the aim of setting up a development environment.
  Installed all the prerequisites, then SP, everything seemed to go smoothly.
  However, the Health Analyzer is warning my that "the Security Token Service is not available". It says that the "Administrator should try to restart the Security Token Service"
  I looked under Services for my computer and also looked in IIS, did not see any thing that referenced security tokens. Where would I find the security token service?
  Thanks.

  No.
  In Central Admin>Application Management>Manage Service Applications I see the
  Security Token Service Application is running. But the health analyzer is still saying that
  The Security Token Service is not available.
  Any advice on resolving this would be greatly appreciated.

• The Security Token Service is not available error on dedicated Distributed Cache server

  I have an error on a dedicated Distributed Cache server stating that the Security Token Service is not available.  I was under the impression that when Distributed Cache was running on a dedicated server that the only service that should be enabled
  is Distributed Cache. 
  The token service is working as expected on all other servers but this one.  Does this service need to be started or should I just ignore this error message?
  Jennifer Knight (MCITP, MCPD)

  as per my little experience with 2013, if STS is working fine on Web server then I am sure that sharepoint will be fine...Distributed cache stores the ST issued by STS. NO need to worry about this error.
  Login
  Token Cache
  DistributedLogonTokenCache
  This
  cache stores the security token issued by a Secure Token Service for use by any web server in the server farm. Any web server that receives a request for resources can access the security token from the cache, authenticate the user, and provide access to the
  resources requested.
  I would say check the ULS logs and get more details about the error why its not working on that server.
  Please remember to mark your question as answered &Vote helpful,if this solves/helps your problem. ****************************************************************************************** Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog

• The Security Token Service is not available.

  hi,
  1. service check failed--
   http://localhost:port/SecurityTokenServiceApplication/securitytoken.svc 
  Gettng Error message
  2. while provision it again..
   Get-SPServiceApplication | ?{$_ -match "Security"}
   $sts.Status (result got -online)
   $sts.Provision()
  ----Successful...
  3.Event at Event viewer,..
  WebHost failed to process a request.
   Sender Information: System.ServiceModel.Activation.HostedHttpRequestAsyncResult/31626309
   Exception: System.Web.HttpException: The service '/SecurityTokenServiceApplication/securitytoken.svc' does not exist. ---> System.ServiceModel.EndpointNotFoundException: The service '/SecurityTokenServiceApplication/securitytoken.svc' does not exist.
     at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath)
     at System.ServiceModel.ServiceHostingEnvironment.EnsureServiceAvailableFast(String relativeVirtualPath)
     at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.HandleRequest()
     at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.BeginRequest()
     --- End of inner exception stack trace ---
     at System.ServiceModel.AsyncResult.End[TAsyncResult](IAsyncResult result)
     at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.End(IAsyncResult result)
   Process Name: w3wp
   Process ID: 5752
  ---------------------And-----------------------------
  Event 8306
  An exception occurred when trying to issue security token: The requested service, 'http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc' 
  could not be activated. See the server's diagnostic trace logs for more information..
  Please help----------------
  Prasad kambar

  Check this article
  http://blogs.technet.com/b/sykhad-msft/archive/2012/02/25/sharepoint-2010-nailing-the-error-quot-the-security-token-service-is-unavailable-quot.aspx
  and similar thread
  https://social.technet.microsoft.com/Forums/office/en-US/78cd4366-b11b-4300-93a4-4135d55f561f/error-8306-an-exception-occurred-when-trying-to-issue-security-token-please-help?forum=sharepointgeneralprevious
  though it is SharePoint 2010 but will work similar in sps 2013 also

• Could Not Connect to Security Token Service Application

  Receiving the following:
  Get-SPSite : Could not connect to http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc. TCP error code 10061: No connection could be made
  I have validated the site and app pool exist and are running... however, browsing to the url returns a 404 page. This is happening on 2/4 servers in my farm. 
  I have removed SharePoint and Web Server/Application Server Role from each server and re-installed SP to no avail... next step is re-image but thought I would check the blog-o-sphere first...
  - Rick

  any anti virus on the servers?
  is there any details about the error after connection could be made?
  also have a look: http://blogs.technet.com/b/sykhad-msft/archive/2012/02/25/sharepoint-2010-nailing-the-error-quot-the-security-token-service-is-unavailable-quot.aspx
  Please remember to mark your question as answered &Vote helpful,if this solves/helps your problem. ****************************************************************************************** Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog

• Wsit: Modify the URL of the security token service at runtime

  I've managed to modify the url of my webservice endpoint at runtime used by a client application with the BindingProvider.ENDPOINT_ADDRESS_PROPERTY. Is it also possible to modify the url of the security token service?

  Check this article
  http://blogs.technet.com/b/sykhad-msft/archive/2012/02/25/sharepoint-2010-nailing-the-error-quot-the-security-token-service-is-unavailable-quot.aspx
  and similar thread
  https://social.technet.microsoft.com/Forums/office/en-US/78cd4366-b11b-4300-93a4-4135d55f561f/error-8306-an-exception-occurred-when-trying-to-issue-security-token-please-help?forum=sharepointgeneralprevious
  though it is SharePoint 2010 but will work similar in sps 2013 also

• Download location of Oracle OpenSSO Security Token Service

  I am not finding the war file for Oracle OpenSSO Security Token Service, where can I download it from? The docs say that it is part of OpenSSO server but I dont find that in oracle_opensso_80U2.zip also. Please let me know where can I get it from?

  http://download.oracle.com/otn/nt/middleware/11g/oracle_openssosts_11gr1.zip
  Just so you know, Oracle has released its Oracle STS server as part of the 11.1.1.5 distribution of Identity and Access Management as well.

• Security Token Service Application Pool high CPU

  The SecurityTokenServiceApplicationPool seems to be using really high CPU at times and it seems to slow down the servercausing spike to almost 100% CPU, recycling takes care of it temporarily, it will also go down on its own but to a lesser extent.
  I cant seem to see any cause of this in the logs.
  The Security Token Service Application Pool isnt on a recycle schedule by default.
  Does anyone recommend putting it on a recycle schedule?
  What are some common causes of it
  thanks
  themush

  Hi,
  As I understand, the SecurityTokenServiceApplicationPool caused high CPU usage in your envrionment.
  Would recycling the application pool be help?
  To check if there is performance issue, please provide more information about your application server which host this service application.
  http://technet.microsoft.com/en-us/library/cc262485(v=office.15).aspx#hwforwebserver
  Here are some references for application pool high usage in SharePoint:
  http://weblogs.asp.net/erobillard/thoughts-on-sharepoint-application-pools-recycling-and-quot-jit-lag-quot
  http://blogs.technet.com/b/stefan_gossner/archive/2007/11/26/dealing-with-memory-pressure-problems-in-moss-wss.aspx
  Regards,
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
  [email protected] .
  Rebecca Tu
  TechNet Community Support

• Web Service on JCS13.2: InvalidSecurityToken : The security token is not valid.

  Hi,
  I deployed a web service with the security policy @SecurityPolicy(uri = "oracle/wss_username_token_over_ssl_service_policy").  The WSDL file looks fine
  But when I test it with SOAPUI and JDeveloper HTTP Analyzer,  It always throws, InvalidSecurityToken : The security token is not valid.
  The Web Service code is as below,
  import javax.jws.WebMethod;
  import javax.jws.WebService;
  import weblogic.wsee.jws.jaxws.owsm.SecurityPolicies;
  import weblogic.wsee.jws.jaxws.owsm.SecurityPolicy;
  @WebService
  @SecurityPolicy(uri = "oracle/wss_username_token_over_ssl_service_policy")
  public class HelloWorld {
      public HelloWorld() {
          super();
      @WebMethod
      public String sayHi( String name ){
          return "Hello, " + name ;
  What's the valid username and password for the web service deployed on JCS?  Any suggestion and help is highly appreciated.

  The SOAP request payload from SOAP UI is:
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ws="http://ws/">
     <soapenv:Header>
        <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
           <wsse:UsernameToken wsu:Id="UsernameToken-3">
              <wsse:Username>[email protected]</wsse:Username>
              <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">XXXX</wsse:Password>
           </wsse:UsernameToken>
        </wsse:Security>
     </soapenv:Header>
     <soapenv:Body>
        <ws:sayHi>
           <arg0>Paula</arg0>
        </ws:sayHi>
     </soapenv:Body>
  </soapenv:Envelope>
  but the response is,
  <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
     <S:Body>
        <ns2:Fault xmlns:ns2="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns3="http://www.w3.org/2003/05/soap-envelope">
           <faultcode xmlns:ns0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns0:InvalidSecurityToken</faultcode>
           <faultstring>InvalidSecurityToken : The security token is not valid.</faultstring>
        </ns2:Fault>
     </S:Body>
  </S:Envelope>

• Export/Import Error: The security token could not be authenticated

  We currently are working in PLM 6.1.1 and users are experiencing Export/Import Issues, the error appears frequently with several users.
  Steps:
  1. A new token is generated from our QA environment
  2. The user logs into Dev and transfers the token
  3. In the export ADMIN area the user selects a section
  4. In the QA environment the user schedules the import
  5. The import is scheduled however the error is received after a few mins
  Error Message:
  The security token could not be authenticated or authorized ---> The directory service is unavailable.
  at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
  at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
  at Xeno.Prodika.XenoDoc.Handlers.DRL.DrlService.GetAttachment(tIdentifier Identifier)
  at Xeno.Prodika.XenoDoc.Handlers.DRL.DrlWebServiceLifecycleHandler.Load(IXDocument xdoc, String pkid)
  at Xeno.Prodika.XenoDoc.BaseLibraryManager.LoadDocumentPhaseII(IXLibraryConfiguration libConfig, IXDocument xdoc, String pkid)
  at Xeno.Prodika.XenoDoc.BaseLibraryManager.LoadDocument(String pkid)
  at Xeno.Prodika.ExportImport.DataExchange.ImportRequestProcessor.ProcessRequest(IApplicationManager applicationManager, IImportRequestQueue request)
  This error can be difficult to reproduce but occurs periodically.

  This is likely a DRL issue. verify DRL is configured correctly and a valid PLM4P user is setup in the setup assistant. in addition, make sure you added the new app in IIS for DRLService (this is a doc bug we are correcting that we failed to include in the 611 guide). verify you can attach and then open an attachment on a material spec.

• SAML 2.0 Security Token Reference cannot be resolved

  Hi,
  I am trying to send a SAML 2.0 token to SAP Portal 7.3 EHP 2 using the sender-vouches confirmation method.
  My message is signed by my client application. The signature references 3 parts:
  1) a security token reference which in turn points to my SAML assertion (using STR transform)
  2) the bdoy (using c14n transform)
  3) the timestamp (using c14n transform)
  Collecting some WS-Security trace, I can see the following:
  Exception : Security Token Reference transform could not resolve token: <yq1:SecurityTokenReference yq2:Id='wssecurity_signature_id_23' xmlns:yq2='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' xmlns:yq1='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'><yq1:KeyIdentifier ValueType='http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID'>Assertion-uuida9c3e36a-0131-11fd-bfea-f4ca184fc662</yq1:KeyIdentifier></yq1:SecurityTokenReference>
  java.lang.Exception
  at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1230)
  at com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:147)
  at com.sap.exception.io.SAPIOException.<init>(SAPIOException.java:63)
  at com.sap.engine.services.wssec.wsse.STRCanonicalizationWriter.doSTRTransform(STRCanonicalizationWriter.java:228)
  at com.sap.engine.services.wssec.wsse.STRCanonicalizationWriter.leave(STRCanonicalizationWriter.java:152)
  at com.sap.engine.services.wssec.xmlsecurity.signature.verification.ReferenceDispatcherReader.handleCode(ReferenceDispatcherReader.java:315)
  at com.sap.engine.services.wssec.xmlsecurity.signature.verification.ReferenceDispatcherReader.next(ReferenceDispatcherReader.java:186)
  at com.sap.engine.services.wssec.xmlsecurity.signature.verification.VerifyTokenReaderImpl.next(VerifyTokenReaderImpl.java:501)
  at com.sap.engine.services.wssec.wsse.WSSecurityContext.init(WSSecurityContext.java:429)
  Assertion-uuida9c3e36a-0131-11fd-bfea-f4ca184fc662 is the ID of my SAML assertion.
  Using the same configuration in my client app, but sending a SAML 1.1 token passes this step.
  Is there any trace I can enable to further debug this issue?
  Has anybody encountered the same issue before?
  Thanks
  Jens

  Hi Jens,
  Have you tried collecting traces using SAP Note [Troubleshooting Wizard|https://service.sap.com/sap/support/notes/1332726] with incident "WebServices Security"? You may find more information.
  Best regards,
  Desislava

• Unable to add security token for identity

  Hi all,
  I am trying to implement a web service with username token authentication. I have defined the ws -policies in the wsdl, and checked the Process Security Header checkbox in the proxy configuration. But when I invoke the proxy through test console and pass the full soap envelope , I am getting an "Unable to add security token for identity" error
  This is how the soap header looks from the request document part of the test console:
       <soap:Header>
       <wsse:Security>
       <wsse:UsernameToken>
       <wsse:Username>xxxxx</wsse:Username>
       <wsse:Password      Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">yyyyyy</wsse:Password>
       </wsse:UsernameToken>
       </wsse:Security>
       </soap:Header>
       <soap:Body>
  I have configured the user at alsb security configuration and added an acces policy stating that the proxy can be accessed only by user "xxxx"
  Please help
  -Atheek

  Mostafa ,
  This points to a misconfiguration of your security. Possible causes are:
  * There is not a valid RSA key to sign the SAML token with.
  * The SAML CredentialMapper is missing
  * There is no Relying Party (rp) configured for SAML Credential Mapper that matches your producer
  * The producer is using User Name Token and you have no configured the DefaultCredentialMapper to allow for UserNameToken.
  Good Luck,
  Nate
  Edited by: user650654 on Sep 9, 2008 4:31 AM