Security token testing with soapUI
Has anyone managed to test the tutorial:
Securing Services Using the ALSB with SoapUI (http://dev2dev.bea.com/pub/a/2006/04/securing-service-bus.html?page=1)? We had a hard time calling the WS without BEA-specific libraries, and ended up making our own policy without using policy:Sign.xml. Still, we had to make our own test code to make it work. Has anyone been able to use soapUI for this purpose? We see that the generated SOAP message is very different from what we managed to find out using BEA libraries.
Similar Messages
-
SAPPI 7.3 testing with SOAPUI
Hi
I have generated a WSDL from the SAP Integration builder for a service interface that will start a message flow.
I am using SOAPUI to test this but I get the error
com.sap.aii.af.service.cpa.CPAObjectNotFoundException: Couldn't retrieve inbound binding for the given P/S/A values
Am I missing any parts of this URL that was proposed by the SAP Integration Builder when it built me the WSDL?
"http://ABSDSAPPI01.mycompany.co.uk:50100/XISOAPAdapter/MessageServlet?version=3.0&Sender.Service=BC_AB_TESTHARNESS_B1&In…"
Hi Jonny
Please generate the WSDL from either sender agreement for classical configuration or from ICO.
Then use the WSDL in SOAP UI, it will work.
-
Please excuse the lousy table... It's late :-)
I have a multi-server SP2010 farm. Patched up to
Configuration database version: 14.0.6106.5002
My goal is to have a claims-based web application that authenticates to ADAM for Extranet. I have configured the servers exactly to MSDN and TechNet specs (following this spec to the letter: http://technet.microsoft.com/en-us/library/ee806882.aspx) to allow the forms side of the web app to authenticate to ADAM.
IT WORKS IN DEV!!!, which is a single server farm. However, it does not work in production. I get the following:
Claims Auth log entries:
Timestamp | Process | TID | Area | Category | EventID | Level | Message
1:06:25 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | f2ut | Verbose | Authenticated with login provider. Validating request security token.
1:06:25 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | 0 | Verbose | Using membership provider 'ADAMProvider'.
1:06:25 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | 0 | Verbose | Doing password check on '[email protected]'.
1:06:46 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | 0 | Verbose | Failed password check on '[email protected]'.
1:06:46 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | 0 | Unexpected | Password check on '[email protected]' generated exception: 'System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).'.
1:06:46 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | fo1t | Monitorable | SPSecurityTokenService.Issue() failed: System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).
1:06:46 AM | w3wp.exe (0x1B34) | 0x08A0 | SharePoint Foundation | Claims Authentication | fsq7 | High | Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated.
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
    at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
1:06:46 AM | w3wp.exe (0x1B34) | 0x08A0 | SharePoint Foundation | Claims Authentication | 8306 | Critical | An exception occurred when trying to issue security token: The security token username and password could not be validated..
1:06:46 AM | w3wp.exe (0x1B34) | 0x08A0 | SharePoint Foundation | Claims Authentication | f2un | Verbose | Form authentication failed.
I have tried EVERYTHING (well, not everything, I don’t have the fix I suppose).
I found plenty out there and nothing directly correlates with this issue.
I searched on all parts of the errors I got.
This contains an interesting blurb about setting up access for the apppool id correctly.
That’s not the case for me. It works in dev and the same id are used there.
http://sharepoint-2010-world.blogspot.com/2011/03/adam-forms-based-authentication-in.html
This was good but it doesn’t give specs on what the environment looks like:
http://social.msdn.microsoft.com/Forums/en/sharepoint2010general/thread/557143a6-4b36-4939-bb7f-d62a9335fd18
This was interesting…but I am patched up beyond the June 2011 CU so it’s a moot point:
http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/9b8368ef-c5e5-4ead-b348-7b2b5587cfc8
Any and all help would be greatly appreciated!
Hi.
You say it's a multiserver farm, do you have more than one web server then?
If that's the case, have you tried accessing the site on each server directly?
Found this for you, maybe that can help?
Troubleshooting Exceptions: System.ServiceModel.FaultException`1
http://msdn.microsoft.com/en-us/library/bb907220.aspx
and this:
SharePoint 2010 Claims Authentication - The security token username and password could not be validated reoccurring every morning
http://social.technet.microsoft.com/Forums/pl-PL/sharepoint2010setup/thread/383f1f9b-5c4a-4e19-b770-2a54b7ab1ca1
and
This seems to be a good guide:
http://donalconlon.wordpress.com/2010/02/23/configuring-forms-base-authentication-for-sharepoint-2010-using-iis7/
Good luck
Thomas Balkeståhl - Technical Specialist - SharePoint - http://blksthl.wordpress.com -
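The log in the question above shows the password check starting at 1:06:25 and failing at 1:06:46. The following is an added example, not code from the thread: it pairs each "Doing password check" entry with its "Failed password check" on the same process and thread and labels the failure by how long it took. The pipe-separated sample lines, the placeholder user names, the 5-second threshold and the function names are assumptions of this example, as is the reading that a slow failure points at the membership provider waiting on the directory rather than rejecting the password outright.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the log in the question. Fields:
# Timestamp|Process|TID|Area|Category|EventID|Level|Message.
# User names are placeholders; the user2/user3 lines are invented for contrast.
SAMPLE_LOG = """\
1:06:25 AM|w3wp.exe (0x0EDC)|0x1790|SharePoint Foundation|Claims Authentication|0|Verbose|Using membership provider 'ADAMProvider'.
1:06:25 AM|w3wp.exe (0x0EDC)|0x1790|SharePoint Foundation|Claims Authentication|0|Verbose|Doing password check on 'user1@example.test'.
1:06:46 AM|w3wp.exe (0x0EDC)|0x1790|SharePoint Foundation|Claims Authentication|0|Verbose|Failed password check on 'user1@example.test'.
1:06:46 AM|w3wp.exe (0x1B34)|0x08A0|SharePoint Foundation|Claims Authentication|f2un|Verbose|Form authentication failed.
1:07:02 AM|w3wp.exe (0x0EDC)|0x1790|SharePoint Foundation|Claims Authentication|0|Verbose|Doing password check on 'user2@example.test'.
1:07:02 AM|w3wp.exe (0x0EDC)|0x1790|SharePoint Foundation|Claims Authentication|0|Verbose|Failed password check on 'user2@example.test'.
1:07:30 AM|w3wp.exe (0x0EDC)|0x1790|SharePoint Foundation|Claims Authentication|0|Verbose|Failed password check on 'user3@example.test'.
"""

FIELDS = ("time", "process", "tid", "area", "category", "event_id", "level", "message")
STARTED = re.compile(r"^Doing password check on '([^']+)'\.$")
FAILED = re.compile(r"^Failed password check on '([^']+)'\.$")
SLOW_AFTER = timedelta(seconds=5)  # assumed threshold; tune for the environment


def parse_entry(line):
    """Return one log line as a dict, or None if it is not a complete entry."""
    parts = [p.strip() for p in line.split("|", len(FIELDS) - 1)]
    if len(parts) != len(FIELDS):
        return None
    entry = dict(zip(FIELDS, parts))
    try:
        entry["time"] = datetime.strptime(entry["time"], "%I:%M:%S %p")
    except ValueError:
        return None
    return entry


def failed_password_checks(log_text, slow_after=SLOW_AFTER):
    """Pair each failed password check with its start on the same process and
    thread, and label it by how long the membership provider took to fail."""
    pending = {}   # (process, tid, user) -> time the check started
    results = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None or entry["category"] != "Claims Authentication":
            continue
        where = (entry["process"], entry["tid"])
        started = STARTED.match(entry["message"])
        if started:
            pending[where + (started.group(1),)] = entry["time"]
            continue
        failed = FAILED.match(entry["message"])
        if not failed:
            continue
        user = failed.group(1)
        begun = pending.pop(where + (user,), None)
        if begun is None:
            # Failure with no recorded start: log was trimmed or rotated
            results.append((user, None, "unpaired"))
            continue
        elapsed = entry["time"] - begun
        if elapsed < timedelta(0):          # time-only stamps: crossed midnight
            elapsed += timedelta(days=1)
        kind = "slow" if elapsed >= slow_after else "fast"
        results.append((user, int(elapsed.total_seconds()), kind))
    return results


if __name__ == "__main__":
    for user, seconds, kind in failed_password_checks(SAMPLE_LOG):
        print(f"{user}: {kind} failure, {seconds} s")
```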
Hello
I'm running on a brand new system Windows 7 Home Premium 64-Bit.
I have a problem with Internet Explorer 8. When a javascript tries to open a link into a new window I get the error message: Message: Cannot open an anonymous level security token.
The solution to this is to go to dcomcnfg -> Expand Component Services -> Computers
Select My Computer -> right click My Computer and select Properties.
On the Default Properties tab set the Default Authentication level and Default Impersonation level.
Here is the problem: These values can not be set. There are multiple problems with the DCOMCNFG interface.
1. There are no values present in the drop down window.
2. The first time one selects properties from my computer to access the default properties tab, I get only a 2 tab page consisting only of COM Security and MSDTC. I have to select the properties option a second time to get the correct page to pop up containing the additional 4 tabs that include the default Properties. (strange, but I have actually seen this behavior reported elsewhere on the net by a developer)
3. On the default properties tab, the "enable Distributed COM on this computer" is unchecked, even though registry values indicate DCOM is enabled.
4. The drop down windows for "Default Authentication Level" and "Default Impersonation Level" do not populate with any options when I check the "Enable Distributed COM" box. Registry values appear to have these settings correctly set.
5. Regardless of whether I modify any entries or not on the Default Properties tab, every time I close the Default Properties tab by selecting "OK", mmc.exe crashes and an error is generated. No crash if I select "cancel." Error info below:
Problem Event Name: APPCRASH
Application Name: mmc.exe
Application Version: 6.1.7600.16385
Application Timestamp: 4a5bc808
Fault Module Name: comuid.dll
Fault Module Version: 2001.12.8530.16385
Fault Module Timestamp: 4a5bdf82
Exception Code: c000041d
Exception Offset: 0000000000027eb4
OS Version: 6.1.7600.2.0.0.768.3
Locale ID: 1033
Additional Information 1: c04d
Additional Information 2: c04dc172367dd59f9f2c3be375fb3e80
Additional Information 3: ab1b
Additional Information 4: ab1bd07e62aa9dd1521e9b185bfe43fc
What have I done to try to remedy the problem?
Ran fsc scannow and chkdsk with no change.
What would I like?
To eliminate the anonymous level security token error in IE8, and I assume the DCOMCNFG problem may be the cause.
Thanks, Jim
I have the EXACT signature of symptoms as described here, but with Windows XP:
[Quote]
Multiple problems with the DCOMCNFG interface.
1. There are no values present in the drop down window.
2. The first time one selects properties from my computer to access the default properties tab, I get only a 2 tab page consisting only of COM Security and MSDTC. I have to select the properties option a second time to get the correct page to pop up containing the additional 4 tabs that include the default Properties. (strange, but I have actually seen this behavior reported elsewhere on the net by a developer)
3. On the default properties tab, the "enable Distributed COM on this computer" is unchecked, even though registry values indicate DCOM is enabled.
4. The drop down windows for "Default Authentication Level" and "Default Impersonation Level" do not populate with any options when I check the "Enable Distributed COM" box. Registry values appear to have these settings correctly set.
5. Regardless of whether I modify any entries or not on the Default Properties tab, every time I close the Default Properties tab by selecting "OK", mmc.exe crashes and an error is generated. No crash if I select "cancel."
[/QUOTE]
I tried the COMFIX tool suggested by Jim Bacon - it does not complete for me, however
(there is no "run as admin" option in Windows XP, I just double-clicked to run it).
Otherwise followed as described (no Norton Ghost).
It errors out:
In the Command Window, it says Open Service Fail 1060
Specific Service does not exist as installed service
And a Windows Script Host Window that reports error "the system cannot find the file specified" - code:80070002
Is this because it is XP?
Is there something similar I can use for XP, or do I have some other limitation?
Appreciate assistance - I was happy to find this issue reported here so pleased that at least I am not unique in that! -
Howdy,
I extended the security model and made it multi-tenant, however when I create an email confirmation token in the admin tool, when I try and validate it, in one of the applications, it fails. In the admin tool, I create a UserManager with all of the settings as if it were the application, but when the validation occurs in the application it still fails. The only way I can get it to work, is if I use the same app pool for both the application and the admin, or if I set the user account of both app Pools to the same service account. How can I get it to work where I create a token in one app, and validate in another app? Could I use impersonation? Is there something I can do to the two service accounts to allow one to generate a token and the other to validate?
Let's see if I can answer these in order...
1. We built several web applications using MVC 5.2, EF 6.0, Identity 2.0
2. We are using MS Visual Studio 2013, running on VM with Windows Server 2008 R2, .NET 4.5.1
3. The problem is we want to have each application have a different service account to make them more secure. We have an admin tool that allows us to add new applications to the Membership database, and new users to those applications. The problem occurs when I create an email security token in the admin tool, and send it to the user who is then validated on the specific application. If I make the service account of the application and the admin the same it works, if not it fails.
I don't think the code is the problem, as it works fine if the service account for the application and the admin are the same. It only fails when I use separate service accounts, but here you go.
Admin snippet:
Manage Controller - RegisterUser
var user = new ApplicationUser()
{ UserName = model.UserName, Email = model.Email, IsActive = model.SelectedIsActive, IsPswdChgRequired = model.SelectedIsPswdChgRequired, TenantId = model.TenantId };
UserManager<ApplicationUser, int> um = CreateUserManager(Convert.ToInt32(model.SelectedTenantId));

// Builds a UserManager for the given tenant, configured like the tenant's application
private UserManager<ApplicationUser, int> CreateUserManager(int TenantId)
{
    // DPAPI-backed data protection provider, named after the tenant
    var provider = new Microsoft.Owin.Security.DataProtection.DpapiDataProtectionProvider(GetTenantName(TenantId));
    UserManager<ApplicationUser, int> um = new UserManager<ApplicationUser, int>(new ApplicatonUserStore(new ApplicationDbContext()) { TenantId = TenantId });
    // Email confirmation tokens are protected under the "EmailConfirmation" purpose
    um.UserTokenProvider = new Microsoft.AspNet.Identity.Owin.DataProtectorTokenProvider<ApplicationUser, int>(provider.Create("EmailConfirmation"));
    return um;
}
Application snippet:
AccountController - constructor
var provider = new Microsoft.Owin.Security.DataProtection.DpapiDataProtectionProvider(ConfigurationManager.AppSettings["TenantName"]);
userManager.UserTokenProvider = new Microsoft.AspNet.Identity.Owin.DataProtectorTokenProvider<ApplicationUser, int>(provider.Create("EmailConfirmation"));

public async Task<ActionResult> ConfirmEmail(string userId, string ecode, string scode)
    if (userId == null || ecode == null || scode == null)
        return View("Error");
    // Validates the token with the provider configured in the constructor
    var result = await UserManager.ConfirmEmailAsync(Convert.ToInt32(userId), ecode);
    if (result.Succeeded)
-
I'm getting these errors in the eventlog and ULS, "An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US\nIssuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US\nThumbprint: <STS CERTIFICATE THUMBPRINT>\n\nErrors:\n\n RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate."
The errors point to the SharePoint Security Token Service as the issue ("The revocation function was unable to check revocation for the certificate") reported back by the Topology service. This is apparent when executing a search, accessing the managed metadata service, issuing SPSite commands in Powershell, or anything that needs to run through the "SharePoint Web Services" site. I've looked at the certificate assigned to that site and everything appears to be in order.
It would seem to me to be either an incorrect endpoint configuration (internally cached perhaps?) or related to security access for the configuration database (in order to validate the certificate root).
What I’ve tried so far:
I’ve been all over the certificate settings, both in the server store, and within SharePoint Token Service config. Both appear to be configured correctly such that the root CAs can be validated.
Re-entered the passwords for the application pool domain accounts to eliminate these as a potential cause. I’ve also verified the service accounts reporting the error, do have access to the configuration database.
Re-provisioned the STS service to see if that might clear out any cached issues and validated everything else according to this MS Tech note.
So far nothing has worked. Is there anything else I could be looking at that I've missed? (Full eventlog detail below)
Log Name: Application
Source: Microsoft-SharePoint Products-SharePoint Foundation
Date: 2/20/2015 11:19:41 AM
Event ID: 8311
Task Category: Topology
Level: Error
Keywords:
User: <SP SERVICE ACCOUNT>
Computer: <SHAREPOINTSERVER>
Description:
An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US\nIssuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US\nThumbprint: <STS CERT THUMBPRINT>\n\nErrors:\n\n RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
<EventID>8311</EventID>
<Version>14</Version>
<Level>2</Level>
<Task>13</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2015-02-20T17:19:41.213852500Z" />
<EventRecordID>1611121</EventRecordID>
<Correlation />
<Execution ProcessID="10212" ThreadID="10328" />
<Channel>Application</Channel>
<Computer><SHAREPOINTSERVER></Computer>
<Security UserID="<SP SERVICE ACCOUNT>" />
</System>
<EventData>
<Data Name="string0">CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US</Data>
<Data Name="string1">CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US</Data>
<Data Name="string2"><STS CERT THUMBPRINT></Data>
<Data Name="string3">RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
</Data>
</EventData>
</Event>
Hi Darren,
This problem seems to occur when an administrator deletes the local trust relationship of the farm from the Security section of the Central Administration website.
In order to resolve this problem, the local trust relationship has to be created. This can be done by running the following PowerShell commands:
$rootCert = (Get-SPCertificateAuthority).RootCertificate
New-SPTrustedRootAuthority -Name "localNew" -Certificate $rootCert
After running the above commands, perform an IISReset on all servers in the farm.
More information:
http://support.microsoft.com/kb/2545744
Best Regards,
Wendy
Forum Support
Wendy Li
TechNet Community Support -
Hi,
I deployed a web service with the security policy @SecurityPolicy(uri = "oracle/wss_username_token_over_ssl_service_policy"). The WSDL file looks fine.
But when I test it with SOAPUI and JDeveloper HTTP Analyzer, it always throws "InvalidSecurityToken : The security token is not valid."
The Web Service code is as below,
import javax.jws.WebMethod;
import javax.jws.WebService;
import weblogic.wsee.jws.jaxws.owsm.SecurityPolicies;
import weblogic.wsee.jws.jaxws.owsm.SecurityPolicy;

@WebService
// OWSM policy: WS-Security UsernameToken, SSL transport
@SecurityPolicy(uri = "oracle/wss_username_token_over_ssl_service_policy")
public class HelloWorld {
    public HelloWorld() {
        super();
    }

    @WebMethod
    public String sayHi(String name) {
        return "Hello, " + name;
    }
}
What's the valid username and password for the web service deployed on JCS? Any suggestion and help is highly appreciated.
The SOAP request payload from SOAP UI is:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ws="http://ws/">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-3">
<wsse:Username>[email protected]</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">XXXX</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<ws:sayHi>
<arg0>Paula</arg0>
</ws:sayHi>
</soapenv:Body>
</soapenv:Envelope>
but the response is,
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Body>
<ns2:Fault xmlns:ns2="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns3="http://www.w3.org/2003/05/soap-envelope">
<faultcode xmlns:ns0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns0:InvalidSecurityToken</faultcode>
<faultstring>InvalidSecurityToken : The security token is not valid.</faultstring>
</ns2:Fault>
</S:Body>
</S:Envelope> -
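The request above carries a PasswordText UsernameToken against a policy whose name requires SSL. The following is an added example, not code from the thread or from Oracle: it inspects a captured SOAP 1.1 request before it is sent and reports what the WS-Security header actually contains, including the case where the header is missing, in an unexpected namespace, or the XML does not parse. The function name, the finding labels, the sample endpoint URLs and the constructed sample request (placeholder credentials) are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
NS = {"soap": SOAP11, "wsse": WSSE, "wsu": WSU}

# Constructed request modelled on the one in the thread; credentials are placeholders.
SAMPLE_REQUEST = f"""<soapenv:Envelope xmlns:soapenv="{SOAP11}" xmlns:ws="http://ws/">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
      <wsse:UsernameToken wsu:Id="UsernameToken-3">
        <wsse:Username>user@example.test</wsse:Username>
        <wsse:Password Type="{PROFILE}#PasswordText">placeholder</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body><ws:sayHi><arg0>Paula</arg0></ws:sayHi></soapenv:Body>
</soapenv:Envelope>"""


def inspect_username_token(envelope_xml, endpoint_url):
    """Describe the UsernameToken in a SOAP 1.1 request and list problems found."""
    report = {"username": None, "password_type": None, "nonce": False,
              "created": False, "timestamp": False, "must_understand": False,
              "findings": []}
    findings = report["findings"]
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError as exc:
        # For example a wsse: prefix used without its xmlns declaration
        findings.append(f"malformed-xml: {exc}")
        return report

    header = root.find("soap:Header", NS)
    children = list(header) if header is not None else []
    security = next((el for el in children if el.tag == f"{{{WSSE}}}Security"), None)
    if security is None:
        # A Security element bound to another namespace is not the WSS 1.0 header
        stray = any(el.tag.rsplit("}", 1)[-1] == "Security" for el in children)
        findings.append("security-header-wrong-namespace" if stray else "no-security-header")
        return report

    report["must_understand"] = security.get(f"{{{SOAP11}}}mustUnderstand") == "1"
    report["timestamp"] = security.find("wsu:Timestamp", NS) is not None
    token = security.find("wsse:UsernameToken", NS)
    if token is None:
        findings.append("no-username-token")
        return report

    report["username"] = token.findtext("wsse:Username", default="", namespaces=NS).strip()
    report["nonce"] = token.find("wsse:Nonce", NS) is not None
    report["created"] = token.find("wsu:Created", NS) is not None
    if not report["username"]:
        findings.append("empty-username")

    password = token.find("wsse:Password", NS)
    if password is None:
        findings.append("no-password")
        return report
    # The UsernameToken profile treats a missing Type attribute as PasswordText
    type_uri = password.get("Type", PROFILE + "#PasswordText")
    report["password_type"] = type_uri.rsplit("#", 1)[-1]

    if report["password_type"] == "PasswordText" and \
            urlsplit(endpoint_url).scheme.lower() != "https":
        findings.append("cleartext-password-over-http")
    if report["password_type"] == "PasswordDigest" and \
            not (report["nonce"] and report["created"]):
        findings.append("digest-without-nonce-or-created")
    return report


if __name__ == "__main__":
    for url in ("https://host.example.test/HelloWorld",
                "http://host.example.test/HelloWorld"):
        print(url, inspect_username_token(SAMPLE_REQUEST, url)["findings"])
```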
WS-Security and proxy service: Unable to add security token for identity
What is the reason for the "Unable to add security token for identity" fault in this situation (10.3.1):
I did a simple "hello world" proxy service and tried to apply custom policy binding.
WS-Policy is next:
<wsp:Policy wsu:Id="WS-Policy-Siebel"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wssp:Identity
xmlns:wssp="http://www.bea.com/wls90/security/policy">
<wssp:SupportedTokens>
<wssp:SecurityToken
TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken">
<wssp:UsePassword
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText" />
</wssp:SecurityToken>
</wssp:SupportedTokens>
</wssp:Identity>
</wsp:Policy>
Process WS-Security is set to "yes".
While debugging I see that all works fine - I can authenticate with defined credentials and breakpoints in proxy service flow works fine.
But at the end I get the fault:
Soap fault:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Header/>
<env:Body>
<env:Fault>
<faultcode>env:Server</faultcode>
<faultstring>Unable to add security token for identity</faultstring>
</env:Fault>
</env:Body>
</env:Envelope>
In console:
<09.06.2010 17:39:18 MSD> <Error> <OSB Security> <BEA-387023> <An error ocurred during web service security inbound response processing [error-code: Fault, message-id: 1721282272521583996--57dc4ccc.1291cc2282d.-7fab, proxy: OSB Project WS-Security/WSSecurityService, operation: NewOperation]
--- Error message:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header/><env:Body><env:Fault><faultcode>env:Server</faultcode><faultstring>Unable to add security token for identity</faultstring></env:Fault></env:Body></env:Envelope>
weblogic.xml.crypto.wss.WSSecurityException: Unable to add security token for identity
at weblogic.wsee.security.wss.SecurityPolicyDriver.processIdentity(SecurityPolicyDriver.java:175)
at weblogic.wsee.security.wss.SecurityPolicyDriver.processOutbound(SecurityPolicyDriver.java:73)
at weblogic.wsee.security.wss.SecurityPolicyDriver.processOutbound(SecurityPolicyDriver.java:64)
at weblogic.wsee.security.WssServerHandler.processOutbound(WssServerHandler.java:88)
at weblogic.wsee.security.WssServerHandler.processResponse(WssServerHandler.java:70)
Truncated. see log file for complete stacktrace
Incoming soap message is:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="unt_TNNp0cBwU7HyPKoq" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>testuser</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">testuser</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
<soapenv:Body>
<wss:NewOperation xmlns:wss="http://www.troika.ru/Enterprise/WSSecurityService/">
<in>string</in>
</wss:NewOperation>
</soapenv:Body>
</soapenv:Envelope>
Edited by: Andrey L. on Jun 9, 2010 5:55 PM
I thought you were getting that exception when accessing the proxy.
No. Authentication works fine. Proxy body works fine. But at the end of proxy appears the exception.
Sorry for my english - I tried to show this situation on image: http://imglink.ru/show-image.php?id=9c0e0c1719f00289faf11696c6703bc3
Are you getting this exception when routing to a business service which is configured for WS-Security ??
I don't use business service in this test project - only simple proxy service with all logic inside.
PS transformation in replace action is very simple too:
(:: pragma bea:global-element-parameter parameter="$newOperation1" element="ns0:NewOperation" location="WSSecurityService.wsdl" ::)
(:: pragma bea:global-element-return element="ns0:NewOperationResponse" location="WSSecurityService.wsdl" ::)
declare namespace ns0 = "http://www.troika.ru/Enterprise/WSSecurityService/";
declare namespace xf = "http://tempuri.org/OSB%20Project%20WS-Security/Hello/";
declare function xf:Hello($newOperation1 as element(ns0:NewOperation))
    as element(ns0:NewOperationResponse) {
        <ns0:NewOperationResponse>
            <out>Hello, { data($newOperation1/in) }!</out>
        </ns0:NewOperationResponse>
};
declare variable $newOperation1 as element(ns0:NewOperation) external;
xf:Hello($newOperation1)
Edited by: Andrey L. on Jun 10, 2010 12:21 PM -
Lync 2013 Logon Failing (HTTP status code 500) No valid security token
Hello there,
I'm in the process of deploying Lync 2013. I have the pool deployed and everything is at least running. I can access the control panel and provision users. However when I try to logon to the Lync Client I get a DNS error. The DNS error appears to be misleading and is a result of the earlier auto-detection methods failing.
However using the Lync Connectivity Analyzer I get a "No valid security token." error. This doesn't matter if I use auto-detection or manual pointing the Connectivity Analyzer to the pool servers.
[3/2/2015 9:34:15 AM] [ERROR] Reason: Internal server error (HTTP status code 500)
[3/2/2015 9:34:15 AM] [ERROR] Ms-Diagnostics-Fault ErrorId: 28020, Reason: No valid security token.
[3/2/2015 9:34:15 AM] [CRITICAL] The credentials were not authorized by the server. Please verify your login credentials and try again.
[3/2/2015 9:34:15 AM] [DEBUG] System.Exception: Exception of type 'System.Exception' was thrown.
at Microsoft.LyncServer.WebServices.WebTicketManager.WTExceptions(String exText)
at Microsoft.LyncServer.WebServices.WebTicketManager.<AcquireTicketAsync>d__19.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.LyncServer.WebServices.WebTicketManager.<AcquireOpaqueTicketAsync>d__14.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<AuthenticationRequired>d__2a.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<SendRequest>d__d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<TryNextUrl>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<ParseResponse>d__16.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<TryNextUrl>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<StartDiscoveryJourney>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at LyncConnectivityAnalyzerCore.Utilities.<RetrieveUserLocation>d__3e.MoveNext()
I'm a bit stumped where to go next.
Thanks.
Manually entering the server also fails and does not provide much to help "We're having trouble connecting to the server. If this continues, please contact your support team."
I found that each time I try to logon it generates a Schannel Error on the server. "A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 51. The Windows SChannel error state is 1106."
There seems to be a lot more information on that than the previous "Internal Error" message I was trying to deal with.
https://social.technet.microsoft.com/Forums/office/en-US/41718327-203f-445f-8657-87b0a8545ead/lync-2013-client-signin-issue-with-lync-2013-server?forum=lyncprofile
Actually I just found the Lync Server Front-End is stuck "starting" so that would explain why I cannot login. However I re-issued my certificate to make sure the primary CN matched "lync.domain.tld" and it still won't start.
https://expertslab.wordpress.com/2014/04/23/lync-server-2013-front-end-service-stuck-on-starting/
I think my problem is the certificate. I have been trying to use selfSSL7 to generate the certificate for testing but it does not support creating SAN entries so I have entered all the FQDNs as CN entries.
I'm going to get another method to generate the self-signed certificate for testing.
-
Security Token Service application not working
Trying to use secure store service to access userprofileservice.asmx methods within InfoPath 2010 form (doesn't contain any managed code). Created target application and using udcx file within the data connection library according to Microsoft tech articles.
I see errors related to accessing securitytokenservice application. It keeps on erroring out within the ULS logs, something like below
http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc/actas.
TCP error code 10061: No connection could be made because the target machine actively refused it ::1:32843
Used below links but no luck.
Method 2 of http://support.microsoft.com/kb/981684
http://support.microsoft.com/kb/2493524
http://www.avanadeblog.com/sharepointasg/iis/
My http://localhost works but I don't see http://localhost:32843 working.
When I run netstat -a within command prompt I see port 32843 is working since the state of it is shown as "listening".
When I browse to http://localhost:32843/SecurityTokenServiceApplication I see HTTP 404 error.
It is the same with other services under SharePoint Web Services Site within IIS.
I see the same HTTP 404 error. The Security Token Service application pool is running.
I'm trying to make this work within my development environment and I don't see the security token service application working in my Production or test environment either. I have a standalone installation on my personal laptop and I don't see these things working there as well. If I had the web.config file of a working Security token service application then I could have compared that with the web.config on my development box. This is the only thing I missed out on.
I'm kind of stuck with this since last one week and any help is appreciated.
Thanks, DC SharePointer
Thanks Henrik.
Farm Servers already have WCF Hotfix (976462) and I also checked the STS authentication settings in IIS. Only Windows and Anonymous access is enabled. I did make the change (Authentication mode of spStsActAsBinding to IssuedToken, it was SspiNegotiatedOverTransport) that is suggested in the link you provided. But no luck. My STS web.config has below membership and role providers:
<system.web>
  <membership>
    <providers>
      <add connectionStringName="DevSQLConn"
           applicationName="/"
           name="DevAspNetSqlMembershipProvider"
           requiresQuestionAndAnswer="false"
           type="System.Web.Security.SqlMembershipProvider,System.Web,Version=2.0.3600.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
  </membership>
  <roleManager enabled="true">
    <providers>
      <add connectionStringName="DevSQLConn"
           applicationName="/"
           name="DevAspNetSqlRoleManager"
           type="System.Web.Security.SqlRoleProvider,System.Web,Version=2.0.3600.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
  </roleManager>
</system.web>
Does this have to do anything with my issue? I think at some point they might have configured to use form based authentication.
Thanks, DC SharePointer
-
Unable to add security token for identity
Hi all,
I am trying to implement a web service with username token authentication. I have defined the ws-policies in the wsdl, and checked the Process Security Header checkbox in the proxy configuration. But when I invoke the proxy through test console and pass the full soap envelope, I am getting an "Unable to add security token for identity" error.
This is how the soap header looks from the request document part of the test console:
<soap:Header>
  <wsse:Security>
    <wsse:UsernameToken>
      <wsse:Username>xxxxx</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">yyyyyy</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>
</soap:Header>
<soap:Body>
I have configured the user at ALSB security configuration and added an access policy stating that the proxy can be accessed only by user "xxxx".
Please help
-Atheek
Mostafa,
This points to a misconfiguration of your security. Possible causes are:
* There is not a valid RSA key to sign the SAML token with.
* The SAML CredentialMapper is missing
* There is no Relying Party (rp) configured for SAML Credential Mapper that matches your producer
* The producer is using User Name Token and you have not configured the DefaultCredentialMapper to allow for UserNameToken.
Good Luck,
Nate
Edited by: user650654 on Sep 9, 2008 4:31 AM
-
How to Use JDeveloper to Secure and Test a Web Service
When I try this tutorial "http://www.oracle.com/technology/products/jdev/howtos/1013/wssecure/10gwssecurity_howto.html", I get this exception:
javax.xml.rpc.soap.SOAPFaultException: The security token could not be authenticated or authorized
at oracle.j2ee.ws.client.StreamingSender._raiseFault(StreamingSender.java:578)
at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:400)
at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:113)
at client.proxy.runtime.MyWebService1SoapHttp_Stub.echoMe(MyWebService1SoapHttp_Stub.java:78)
at com.cmaxwell.secure.MyWebService1SoapHttpPortClient.echoMe(MyWebService1SoapHttpPortClient.java:42)
at com.cmaxwell.secure.MyWebService1SoapHttpPortClient.main(MyWebService1SoapHttpPortClient.java:31)
Process exited with exit code 0.
What am I doing wrong?
Username and password are "albert" as it is written in the part "Run the Client". The version of JDeveloper is "10.1.3.4.0.4270". The exception scenarios do not help me in this case. I get the exception on this line:
myPort.echoMe("testing secure service");
-
Help Needed for Internet Security Driving Test!
Hi I came up with a few basic rules for family and friends
that I put together in order to try to prevent them from
continually installing spyware, toolbars, keyloggers and viruses on
their computers (and as a result, to try to prevent them from
continually calling me and asking for my help and advice when they
did this and things went wrong).
To all intents and purposes the rules worked well - for a
while. I set it up as a simple RTF document and I added this to the
start up folder of Windows XP, so that it started every time the PC
started. However, over time some of them simply learned to ignore
the rules and to close the RTF document as soon as it opened
without paying any attention to it at all - and then they went
about their merry business of installing spyware, keyloggers and
viruses etc. just as they had in the past.
So OK, I have to admit I found this deeply frustrating - but
I also realise that this is the same position that many of us geeks
are in in that on the whole, most average everyday computer users
don't have a clue about Internet security.
Now however things have become a lot more serious for me, as
I have been asked by a local charity to administer a total of 60
machines over 2 different sites - and I have also been asked if I
could provide some form of training with regard to basic personal
Internet security.
With this in mind I came up with the idea of an interactive
CDROM, or Flash based Internet security driving test/tutorial that
basically covers all of the scenarios I touch on in my rules.
This tutorial would cover basic things like, if you got an
email from a representative ex President of an African country
offering you a share in millions of dollars of stolen money, or if
you got an email from your bank asking you to verify your security
details and so on, what would you do? Additionally it would cover
such things as the abundance of viruses that infest many of the
porn sites on the net, the way that many games on the Internet that
are listed as being 'free' (particularly those which are in
executable file format) are often just vehicles for more spyware
and viruses also - and about the dangers of chat lines, of spoof
security warnings on web sites and so on.
I have included my list of rules below which should hopefully
give you an idea of what I'm trying to do. Be warned though, the
wording is deliberately harsh and perhaps a little extreme (and as
a result maybe not entirely 100% accurate) but you must realize
that I am, or was trying to give myself the easiest time possible
and the least possible problems. So you may well find things you
disagree with in it - but overall if someone followed these rules,
they probably would be less likely to run into problems than
someone who did not follow them might.
The thing is however that (as I said) I would like to
formalise these rules somewhat in the format of some kind of
interactive tutorial/web security driving test. Unfortunately I
have no experience with flash - and little knowledge of HTML or
anything like that. I also know that the language for these rules
isn't quite right, in that it probably isn't suitable for a formal
office type environment.
I had in mind that the tutorial would show some realtime
examples of some of the things I have been talking about (which I
assume would only be possible in Flash?) or perhaps rather like a
Reader's Digest multiple choice type thing, with screenshots
depicting the various scenarios in question. (Like a screenshot of
a flash animation on a web page saying 'You have won a prize!!!
What would you do? a) click on the ad, b) ignore it, or c) phone
all of your family and friends informing them of your good fortune
before doing anything.' etc.)
So I was wondering, are there any good hearted charitable
souls out there who might be willing to help out to put a tutorial
like this together?
Again I remind you that it really is for a charity
(specifically the Depaul Trust in the UK, which helps young
vulnerable people find secure accommodation, provides educational
opportunities and helps them to find employment). The requirement
would be that all staff and students pass the Internet security
test before being granted Internet access.
I know this might be time consuming - but again all I can do
is appeal to the sense of kindness and helpfulness of this
community and hope that someone who does have some experience in
these matters might be willing to help.
Alternatively could anyone suggest a simple easy to use
software package that would allow a relative n00b like me to put
together a tutorial like this on my own? Or perhaps it is possible
that some free online tutorial like this already exists?
In any case, any help at all would be appreciated.
PS,
Here are the rules I have that I referred to above.
http://download305.mediafire.com/b6ndmljht1bg/29bbnnbz2uz/internet+rules.rtf
Dennis, when I look at the subject three clips (EI 1250, EI 640, and EI 320, respectively, and in that order) as presented in the camera, I see exactly what I have expected all along -- three different-brightness images that are progressively brighter from the EI 1250 exposure to the EI 320 exposure. So, am mystified why when I open these images (clips), say, in RAW Viewer, wherein I have thought that I would see the same progressive brightness differences allowing me to experiment with reducing brightness to deal with noise reduction, all three of the images present completely alike in brightness.
-
How to get security token from a URL in BPM
Hi,
I need to get a security token from a url in a business process.
The URL is like:
https://services.sapo.pt/STS/GetToken?ESBUsername=test&ESBPassword=test1
If I paste it on the browser I get the token in the form:
<ESBToken>
a7d1cd4e20c9c1b437513d434abbfee83b1f8f32839b54e6632f2865631303b815547cf898...
</ESBToken>
What is the best way to get and map the token in an Integration Process in SAP XI? Is it possible by user defined function in mapping? How?
Thanks in advance.
I am not sure what you want to do!? Do you want to display the image file, save the image file? When you say you don't want it to exit, do you want it to be a persistent application?
-
SAS Token failed with 403 error while generating for each request using ARR module
Hi,
We are doing an e-Learning application, which plays a course on the browser (inside a div control). The course contains a list of static contents such as html, js, css etc., and media files .mp4. We are hosting the static contents (.html, .js, .css etc) in Azure blob storage and media files in Media Service and CDN.
When the user triggers to take a course, the browser first requests the Web Role with the landing page (Ex: FirstPage.html) and with the Course Unique Id - Ex: https://cloudservice1.cloudapp.net/course/courseid/firstpage.html. We have written a custom ARR Module (http://www.iis.net/learn/extensions/url-rewrite-module/developing-a-custom-rewrite-provider-for-url-rewrite-module), which receives the request, parses it and generates a blob storage url with SAS token using C# code for each file. Then it routes to blob storage. (We are already passing storage account details to the ARR Module using Web.config.)
For a single user, the course plays fine. But when we do the load testing with > 400 user load (with 5 instances), we are getting many 403 errors (and not all files). If the load is less than 200, we don't get such an issue.
Also, we are using REST code to generate the SAS token. When the SAS token expiration time is extended to more than 60 min, we get the error "Access without signed identifier cannot have time window more than 1 hour". As the code exists in the ARR Module, we are unable to reference the Storage Client assembly. This 60 min time interval is for each file request – so there could not be an issue on expiration, but feeling this might be an issue?
Can you please point me to what could be the issue and how to solve this? Is the ARR Module caching the SAS token and providing the same even after the expiration time?
Many Thanks, Thirumalai M
Hi,
There is a similar thread (http://stackoverflow.com/a/17572316 ), I recommend you could refer to it.
And I'd like to know how to set the expiry time in your code, and you could see this page (http://azure.microsoft.com/en-us/documentation/articles/storage-dotnet-shared-access-signature-part-1/).
Regards,
Will
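The time fields discussed in this thread can be checked on a generated URL before it is returned to the browser. The following is an added example, not code from the thread or from the Azure SDK: it reads the st, se and si query parameters of a SAS URL and reports an expired token, a start time that is still in the future for the checking clock, or an ad hoc window longer than the 1 hour named in the error message. The account name, blob path, policy name and sig value are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Limit quoted in the error message in the question above.
MAX_ADHOC_WINDOW = timedelta(hours=1)


def parse_sas_time(value):
    """Parse the UTC ISO 8601 forms used in the st/se parameters."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unrecognised SAS timestamp: %r" % value)


def check_sas_window(url, now):
    """Return finding codes for the time fields of one SAS URL, as seen at `now` (UTC)."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return ["NOT_A_SAS_URL"]
    has_policy = "si" in q  # stored access policy ("signed identifier")
    if "se" not in q:
        # With a signed identifier the expiry may be defined in the policy instead.
        return [] if has_policy else ["NO_EXPIRY"]
    findings = []
    expiry = parse_sas_time(q["se"])
    # When st is omitted, the service counts validity from the time of the request.
    start = parse_sas_time(q["st"]) if "st" in q else now
    if expiry <= now:
        findings.append("EXPIRED")
    if start > now:
        # Seen when the issuing instance's clock runs ahead of the checking clock.
        findings.append("NOT_YET_VALID")
    if not has_policy and expiry - start > MAX_ADHOC_WINDOW:
        findings.append("WINDOW_OVER_1H_WITHOUT_SIGNED_IDENTIFIER")
    return findings


if __name__ == "__main__":
    now = datetime(2014, 6, 1, 10, 0, tzinfo=timezone.utc)
    base = ("https://examplestorage.blob.core.windows.net/course/firstpage.html"
            "?sr=b&sp=r&sig=CONSTRUCTED")  # constructed sample URL
    for label, extra in [
        ("ok", "&st=2014-06-01T09:55:00Z&se=2014-06-01T10:50:00Z"),
        ("too long", "&st=2014-06-01T09:55:00Z&se=2014-06-01T11:30:00Z"),
        ("clock ahead", "&st=2014-06-01T10:02:00Z&se=2014-06-01T10:40:00Z"),
    ]:
        print(label, check_sas_window(base + extra, now))
```

Running the same check on every web role instance, each with its own clock as `now`, shows whether the instances disagree about when a token starts or ends.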